[Senate Report 118-96]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 204
118th Congress    }                                     {       Report
                                 SENATE
 1st Session      }                                     {       118-96
_______________________________________________________________________

                                     


   DEPARTMENT OF HOMELAND SECURITY CIVILIAN CYBERSECURITY RESERVE ACT

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                 S. 885

            TO ESTABLISH A CIVILIAN CYBERSECURITY RESERVE IN
             THE DEPARTMENT OF HOMELAND SECURITY AS A PILOT
           PROJECT TO ADDRESS THE CYBERSECURITY NEEDS OF THE
UNITED STATES WITH RESPECT TO NATIONAL SECURITY, AND FOR OTHER PURPOSES








[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]








               September 11, 2023.--Ordered to be printed  
               
               
                             _________
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
39-010                   WASHINGTON : 2023 


               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
ALEX PADILLA, California             RICK SCOTT, Florida
JON OSSOFF, Georgia                  JOSH HAWLEY, Missouri
RICHARD BLUMENTHAL, Connecticut      ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
            Lena C. Chang, Director of Governmental Affairs
              Devin M. Parsons, Professional Staff Member
           William E. Henderson III, Minority Staff Director
              Christina N. Salazar, Minority Chief Counsel
          Kendal B. Tigner, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk

















                                                      Calendar No. 204
118th Congress    }                                     {       Report
                                 SENATE
 1st Session      }                                     {       118-96

======================================================================



 
   DEPARTMENT OF HOMELAND SECURITY CIVILIAN CYBERSECURITY RESERVE ACT

                                _______
                                

               September 11, 2023.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 885]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 885), to establish 
a Civilian Cybersecurity Reserve in the Department of Homeland 
Security as a pilot project to address the cybersecurity needs 
of the United States with respect to national security, and for 
other purposes, having considered the same, reports favorably 
thereon with an amendment, in the nature of a substitute, and 
recommends that the bill, as amended, do pass.

                                CONTENTS

                                                                    Page
  I. Purpose and Summary.............................................. 1
 II. Background and Need for the Legislation.......................... 2
III. Legislative History.............................................. 4
 IV. Section-by-Section Analysis of Bill, as Reported................. 5
  V. Evaluation of Regulatory Impact.................................. 6
 VI. Congressional Budget Office Cost Estimate........................ 7
VII. Changes in Existing Law Made by the Bill, as Reported............ 9

                         I. PURPOSE AND SUMMARY

    S. 885, the Department of Homeland Security (DHS) Civilian 
Cybersecurity Reserve Act, establishes a Civilian Cybersecurity 
Reserve as a four-year pilot project to provide the 
Cybersecurity and Infrastructure Security Agency (CISA) with 
qualified civilian personnel to respond to significant cyber 
incidents. When a significant incident occurs, the Director of 
CISA may activate reservists by appointing up to 30 individuals 
to temporary positions for up to six months, and they must 
notify Congress whenever a reservist is activated. The bill 
also directs CISA to begin a study within 60 days after 
enactment on the design and implementation of the pilot 
project, present an implementation plan to Congress within one 
year of beginning the study, and provide an annual briefing on 
the pilot project. Finally, the bill directs the Government 
Accountability Office (GAO) to evaluate the pilot project 
within three years after the pilot is established.\1\
---------------------------------------------------------------------------
    \1\On July 14, 2021, the Committee approved S. 1324, the Civilian 
Cybersecurity Reserve Act, with an amendment in the nature of a 
substitute. That bill, as reported, is substantially similar to S. 885. 
Accordingly, this committee report is, in many respects, similar to the 
committee report for S. 1324. See S. Rept. 117-97.
---------------------------------------------------------------------------

              II. BACKGROUND AND NEED FOR THE LEGISLATION

    Federal agencies are experiencing a significant shortage of 
cybersecurity talent. According to CISA's September 2022 State 
of the Federal Cyber Workforce report, CISA has concluded: 
``[s]ystemic changes to the development of our cyber workforce 
are vital for our nation to sufficiently govern and maintain 
our critical infrastructures and data security.'' The report 
also notes that ``cyber attacks and a heightened talent 
shortage serves as a wake-up call that the federal government 
must reenergize and promote how it is a premier place of 
employment for cyber professionals.''\2\
---------------------------------------------------------------------------
    \2\Cybersecurity and Infrastructure Security Agency, Federal Cyber 
Workforce Management and Coordinating Working Group, State of the 
Federal Cyber Workforce: A Call for Collective Action (Sept. 2022) 
(www.cisa.gov/sites/default/files/publications/
State_of_the_Federal_Cyber_
Workforce_Report_09.14.2022.pdf).
---------------------------------------------------------------------------
    The consistent shortage of cybersecurity personnel 
represents a high risk to national security. Federal cyber 
workforce management challenges have been on the GAO High-Risk 
List since 2003.\3\ In that report, GAO stated:
---------------------------------------------------------------------------
    \3\Government Accountability Office, High-Risk Series: Protecting 
Information Systems Supporting the Federal Government and the Nation's 
Critical Infrastructures (GAO-03-121) (Jan. 2003) (www.gao.gov/assets/
gao-03-121.pdf).
---------------------------------------------------------------------------
          [A]gencies must have the technical expertise they 
        need to select, implement, and maintain controls that 
        protect their information systems. Similarly, the 
        federal government must maximize the value of its 
        technical staff by sharing expertise and information. . 
        . .  [T]he availability of adequate technical and audit 
        expertise is a continuing concern to agencies.\4\
---------------------------------------------------------------------------
    \4\Id.
---------------------------------------------------------------------------
    Since 2003, the need for a developed cyber workforce has 
continued to grow. As GAO Director of Information Security 
Issues, Gregory C. Wilshusen, stated in a March 2018 testimony 
report:
          The Office of Management and Budget has noted that 
        the federal government and private industry face a 
        persistent shortage of cybersecurity and IT talent to 
        implement and oversee information security protections. 
        This shortage may leave federal IT systems vulnerable 
        to malicious attacks. Experienced and qualified 
        cybersecurity professionals are essential in performing 
        DHS's work to mitigate vulnerabilities in its own and 
        other agencies' computer systems and to defend against 
        cyber threats.\5\
---------------------------------------------------------------------------
    \5\Government Accountability Office, Cybersecurity Workforce: DHS 
Needs to Take Urgent Action to Identify Its Position and Critical 
Skills Requirements (GAO-18-430T) (Mar. 2018) (www.gao.gov/assets/gao-
18-430t.pdf).
---------------------------------------------------------------------------
    In an April 2023 High-Risk Series report, GAO stated that 
``federal agencies need to take additional actions to address 
the federal cybersecurity workforce shortage'' and that the 
Office of Management and Budget needs to develop a 
governmentwide workforce plan to address the issues facing the 
cyber workforce.\6\
---------------------------------------------------------------------------
    \6\Government Accountability Office, High-Risk Series: Efforts Made 
to Achieve Progress Need to Be Maintained and Expanded to Fully Address 
All Areas (GAO-23-106203) (Apr. 2023) (www.gao.gov/assets/gao-23-
106203.pdf).
---------------------------------------------------------------------------
    The problem of cybersecurity workforce shortages has taken 
on increased urgency as the United States faces escalating 
threats from hostile cyber actors. In 2021, multiple high-
profile cybersecurity incidents, including SolarWinds, 
Microsoft Exchange, and Colonial Pipeline, prompted President 
Biden to issue an Executive Order aimed at improving the 
nation's cybersecurity preparedness systems.\7\ In March of 
2023, the Biden Administration continued its efforts to expand 
the cyber workforce through release of a National Cybersecurity 
Strategy. The National Cyber Workforce and Education Strategy 
recognizes ``the need for cybersecurity expertise across all 
sectors of the economy'' and seeks to ``strengthen and 
diversify the Federal cyber workforce, addressing the unique 
challenges the public sector faces in recruiting, retaining, 
and developing the talent and capacity needed to protect 
Federal data and IT infrastructure.''\8\
---------------------------------------------------------------------------
    \7\Executive Order No. 14,028, 86 Fed. Reg. 26,633 (May 12, 2021).
    \8\The White House, National Cybersecurity Strategy (Mar. 2023) 
(www.whitehouse.gov/wp-
content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf).
---------------------------------------------------------------------------
    Furthermore, critical infrastructure, like healthcare 
systems, face an ever-growing threat from cyber incidents that 
affect operations and patient care, illustrated by recent 
attacks in early 2023 on Tallahassee Memorial HealthCare in 
Florida and the University of Michigan Health System.\9\ This 
Committee held multiple hearings in the wake of cybersecurity 
attacks to address the government's preparedness, response, and 
recovery efforts.\10\ These cyber attacks further underscore 
the urgent need to advance skills of the nation's cybersecurity 
workforce.
---------------------------------------------------------------------------
    \9\Senate Committee on Homeland Security and Governmental Affairs, 
Opening Statement of Chairman Gary Peters, Hearing on In Need of a 
Checkup: Examining the Cybersecurity Risks to the Healthcare Sector, 
118th Cong. (Mar. 16, 2023).
    \10\See Senate Committee on Homeland Security and Governmental 
Affairs, Hearing on Prevention, Response and Recovery: Improving 
Federal Cybersecurity Post-SolarWinds, 117th Cong. (May 11, 2021) (S. 
Hrg. 117-XX); Senate Committee on Homeland Security and Governmental 
Affairs, Hearing on Threats to Critical Infrastructure: Examining the 
Colonial Pipeline Cyber Attack, 117th Cong. (June 8, 2021) (S. Hrg. 
117-XX); Senate Committee on Homeland Security and Governmental 
Affairs, Hearing on In Need of a Checkup: Examining the Cybersecurity 
Risks to the Healthcare Sector, 118th Cong. (Mar. 16, 2023) (S. Hrg. 
118-XX).
---------------------------------------------------------------------------
    The DHS Civilian Cybersecurity Reserve Act attempts to 
address the continued federal cyber personnel shortages by 
establishing a surge capacity to better ensure the U.S. is 
well-positioned to respond to significant cyber attacks. This 
bill authorizes civilian cybersecurity personnel to serve in 
temporary positions, for up to six months, as federal civil 
service employees to supplement CISA's cybersecurity personnel. 
Participation in the DHS Civilian Cybersecurity Reserve would 
be voluntary and by invitation. CISA is authorized to activate 
up to 30 reserve personnel at a time.
    The DHS Civilian Cybersecurity Reserve Act is modeled after 
recommendations from the National Commission on Military, 
National, and Public Service as well as the Cyberspace Solarium 
Commission. In March 2020, the National Commission on Military, 
National, and Public Service released a Final Report 
recommending that Congress authorize a pilot program to create 
a ``Federal Civilian Cybersecurity Reserve.''\11\ The report 
states:
---------------------------------------------------------------------------
    \11\National Commission on Military, National, and Public Service, 
Inspired to Serve: The Final Report of the National Commission on 
Military, National, and Public Service (Mar. 2020).

          A reserve program that permits agencies to call up 
        cybersecurity experts could ensure additional cyber 
        capacity at times of greatest need. By building the 
        reserve program around cybersecurity experts who have 
        left Government service for other opportunities, the 
        program would also help the Government to maximize the 
        value of taxpayer investment in developing their 
        expertise.\12\
---------------------------------------------------------------------------
    \12\Id.

    A report by the Cyberspace Solarium Commission, also 
released in March 2020, similarly recommends that Congress 
assess the need for a military cyber reserve to ``play a 
central role in mobilizing a surge capacity'' while utilizing 
preexisting links with the private sector.\13\ The Cyberspace 
Solarium Commission released an updated report in August 2021 
about the initiatives laid out in its previous report, and 
recognized ``a great deal of progress in implementing the 
original 82 recommendations'' but noted there is ``monumental 
work still ahead.''\14\ The DHS Civilian Cybersecurity Reserve 
Act would help bring these expert recommendations to fruition 
and improve our national security by bolstering the federal 
cybersecurity workforce.
---------------------------------------------------------------------------
    \13\Cyberspace Solarium Commission (Mar. 2020) (drive.google.com/
file/d/1ryMCIL_dZ30QyjFq
Fkkf10MxIXJGT4yv/view).
    \14\Cyberspace Solarium Commission (Aug. 2021) (drive.google.com/
file/d/19V7Yfc5fvEE6dGIoU
_7bidLRf5OvV2__/view).
---------------------------------------------------------------------------

                        III. LEGISLATIVE HISTORY

    Senator Jacky Rosen (D-NV) introduced S. 885, the DHS 
Civilian Cybersecurity Reserve Act, on March 21, 2023, with 
Senator Marsha Blackburn (R-TN). The bill was referred to the 
Committee on Homeland Security and Governmental Affairs.
    The Committee considered S. 885 at a business meeting on 
May 17, 2023. At the business meeting, Senator Rosen offered a 
substitute amendment that made technical edits regarding 
appointment terminology and added language to specify that when 
the pilot project sunsets, activated reserve members can serve 
to the end of their temporary appointment. In addition, the 
amendment struck language referencing existing appropriations. 
The substitute amendment was adopted by unanimous consent with 
Senators Peters, Hassan, Sinema, Rosen, Padilla, Ossoff, 
Blumenthal, Paul, Lankford, Romney, and Scott present. The 
bill, as amended, was ordered reported favorably by roll call 
vote of 10 yeas to 1 nay, with Senators Peters, Hassan, Sinema, 
Rosen, Padilla, Ossoff, Blumenthal, Lankford, Romney, Scott 
voting in the affirmative and Senator Paul voting in the 
negative. Senators Carper, Johnson, Hawley, and Marshall voted 
yea by proxy, for the record only.
    Consistent with Committee Rule 3(G), the Committee reports 
the bill with a technical amendment by mutual agreement of the 
Chairman and Ranking Member.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section establishes the short title of the bill as the 
``Department of Homeland Security Civilian Cybersecurity 
Reserve Act.''

Sec. 2. Civilian Cybersecurity Reserve pilot project

    Subsection (a) includes definitions of the terms 
``Agency,'' ``appropriate congressional committees,'' 
``competitive service,'' ``Director,'' ``excepted service,'' 
``significant incident,'' ``temporary position,'' and 
``uniformed services.''
    Subsection (b) authorizes the Director of CISA to establish 
a Civilian Cybersecurity Reserve pilot project for the purpose 
of effectively responding to significant incidents. When a 
significant incident occurs, the Director may activate 
reservists by appointing up to 30 individuals to temporary 
positions in the competitive service or excepted service for up 
to six months, notifying Congress whenever a reservist is 
activated. The reservists are considered federal civil service 
employees when deployed. This subsection directs the Department 
of Labor (DOL) to promulgate regulations related to job 
protections for reservists before and after a temporary 
appointment to the federal civil service.
    Subsection (c) instructs the Director of CISA to develop 
criteria for eligibility and the application and selection 
processes for the Civilian Cybersecurity Reserve. The 
eligibility requirements must include an individual's previous 
employment and cybersecurity expertise. This subsection also 
directs CISA to prioritize the appointment of individuals 
previously employed by the executive branch or within the 
uniformed services. Individuals who have worked for a federal 
contractor within the executive branch or for a state, local, 
tribal, or territorial government would also be eligible. If an 
individual has previously served in the Civilian Cybersecurity 
Reserve, at least 60 days must pass before a subsequent 
temporary appointment. Prior to being appointed, each 
individual will be screened for any topic or product that might 
create a conflict of interest. Appointed individuals must 
notify CISA if a potential conflict of interest arises during 
the appointment. An individual must enter into an agreement 
with CISA that sets forth the rights and obligations of the 
individual and agency in order to become a member of the 
Civilian Cybersecurity Reserve. A member of the Selected 
Reserve may not be a member of the Civilian Cybersecurity 
Reserve, nor can individuals who are currently employed by the 
executive branch.
    Subsection (d) instructs the Director of CISA to ensure 
that all members of the Civilian Cybersecurity Reserve undergo 
appropriate personnel vetting and adjudication commensurate 
with the duties of the position, including a determination of 
eligibility for access to classified information where a 
security clearance is needed. CISA will be responsible for any 
costs related to a member of the Civilian Cybersecurity Reserve 
obtaining their security clearance.
    Subsection (e) directs CISA to begin a study within 60 days 
after this bill's enactment on the design and implementation of 
the pilot project, including on the following: (1) compensation 
and benefits for members of the Civilian Cybersecurity Reserve; 
(2) activities that members may undertake as part of their 
duties; (3) methods for identifying and recruiting members; (4) 
methods for preventing conflicts of interest; (5) resources 
needed to carry out the pilot project; (6) possible penalties 
for individuals who fail to respond to activation; and (7) 
processes and requirements for training and onboarding members. 
Within one year after beginning the study, CISA must submit and 
provide a briefing on an implementation plan to the appropriate 
congressional committees.
    Subsection (f) instructs the Director of CISA to consult 
with the Office of Government Ethics and issue guidance on 
implementing the pilot project within two years after this 
bill's enactment.
    Subsection (g) directs CISA to provide a briefing on the 
pilot project to the appropriate congressional committees once 
per year starting within one year of the bill's enactment on 
subjects including: (1) participation in the Civilian 
Cybersecurity Reserve, including the number of participants, 
diversity of participants, and barriers to recruitment or 
retention; (2) an evaluation of the ethical requirements of the 
pilot project; (3) whether the Civilian Cybersecurity Reserve 
has been effective in providing additional capacity to CISA 
during significant incidents; and (4) an evaluation of 
eligibility requirements for the pilot project. Between six 
months to three months before the pilot project terminates, 
CISA must submit a report and provide a briefing to Congress on 
recommendations relating to the pilot project.
    Subsection (h) directs GAO to evaluate the pilot project 
within three years after the pilot project is established and 
submit a report to Congress.
    Subsection (i) states that the pilot project shall 
terminate four years after the date on which it is established. 
Upon the pilot project's termination, an activated member of 
the Civilian Cybersecurity Reserve may continue to serve until 
the end of that individual's temporary appointment.
    Subsection (j) states that no additional funds are 
authorized to be appropriated for the purpose of carrying out 
this bill.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have some regulatory impact within the 
meaning of the rules. The bill requires:

          DOL to prescribe antidiscrimination and employment 
        protections at least as stringent as those in the 
        Uniformed Services Employment and Reemployment Rights 
        Act. That act requires employers to provide employees 
        with the same benefits, pay, and seniority when 
        returning from deployment that they would have received 
        had they not been away. The act also requires employers 
        to treat workers on active military duty as furloughed 
        employees or as employees on a leave of absence, 
        entitling them to any compensation or benefits 
        otherwise available to them in that status.\15\
---------------------------------------------------------------------------
    \15\Congressional Budget Office, S. 1324, Civilian Cybersecurity 
Reserve Act Cost Estimate (Aug. 13, 2021) (https://www.cbo.gov/system/
files/2021-08/s1324.pdf).

    The Committee agrees with the Congressional Budget Office's 
statement that because the bill limits the Civilian 
Cybersecurity Reserve to 30 members at a time, the cost to 
employers would be small and well below the annual threshold 
established in Unfunded Mandates Reform Act (UMRA) for 
intergovernmental and private-sector mandates.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE



    Bill summary: S. 885 would authorize the Cybersecurity and 
Infrastructure Security Agency (CISA) to establish the Civilian 
Cybersecurity Reserve under a four-year pilot program. CISA 
would appoint cybersecurity professionals who are members of 
the reserve to temporary federal civilian positions within the 
agency to respond to significant national security threats. 
CISAwould be required to report regularly to the Congress on 
the program's effectiveness.
    Estimated Federal cost: For this estimate, CBO assumes that 
S. 885 will be enacted near the end of fiscal year 2023. The 
costs of the legislation, detailed in Table 1, fall within 
budget function 050 (national defense). Implementing the bill 
would cost $65 million over the 2023-2028 period, CBO 
estimates; such spending would be subject to the availability 
of appropriated funds.

                 TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 885
----------------------------------------------------------------------------------------------------------------
                                                        By fiscal year, millions of dollars--
                                    ----------------------------------------------------------------------------
                                        2023       2024       2025       2026       2027       2028    2023-2028
----------------------------------------------------------------------------------------------------------------
Civilian Cybersecurity Reserve:
    Estimated Authorization........          0          0          8         15         16         16         55
    Estimated Outlays..............          0          0          8         15         16         16         55
Program Management:
    Estimated Authorization........          0          1          2          2          2          3         10
    Estimated Outlays..............          0          1          2          2          2          3         10
Total Changes:
    Estimated Authorization........          0          1         10         17         18         19         65
    Estimated Outlays..............          0          1         10         17         18         19         65
----------------------------------------------------------------------------------------------------------------

    Under S. 885, CISA would recruit and train members of the 
reserve group and mobilize as many as 30 at a time to serve as 
federal civilian employees for up to six months within a year. 
Activated reservists would augment CISA's workforce by 
detecting and responding to malicious activity in federal and 
nonfederal information networks. The bill would require CISA to 
complete plans for the initiative within one year; CBO 
anticipates that the reserve would begin to operate in 2025.
    CBO expects that the costs to pay and equip the reservists 
would be comparable to the costs incurred for CISA's Cyber 
Defense Teams--about $440,000 annually per employee, on 
average. About half of that amount would cover salaries and 
benefits; the rest would pay for network sensors, other 
equipment, and software licenses. CBO expects that CISA would 
activate reservists at a rate sufficient to keep the 30 
authorized positions fully staffed each year. On that basis, 
CBO estimates, it would cost $55 million over the 2023-2028 
period to staff and operate the reserve.
    CBO also expects that a program management office would 
administer recruitment, training, logistics, and security 
clearances, and the office would ensure that a sufficient pool 
of reservists was available to maintain 30 activated reservists 
at all times. Using information about the costs of similar 
efforts, CBO estimates that CISA would hire 10 new employees to 
manage the program at a total cost of $10 million over the 
2023-2028 period.
    Uncertainty: Areas of uncertainty in this estimate include 
identifying the conditions under which CISA would activate the 
reserve. S. 885 would provide CISA broad latitude for making 
that determination. Although CBO expects that the agency would 
use the full number authorized under the bill, if fewer than 30 
reservists were activated at any time, the budgetary effects 
would be proportionately smaller than estimated.
    Mandates: S. 885 would impose intergovernmental and 
private-sector mandates as defined in the Unfunded Mandates 
Reform Act (UMRA) on public and private-sector employers of 
activated members of the Civilian Cybersecurity Reserve. The 
bill would require the Department of Labor (DOL) to prescribe 
antidiscrimination and employment protections at least as 
stringent as those in the Uniformed Services Employment and 
Reemployment Rights Act. That act requires employers to provide 
employees with the same benefits, pay, and seniority when 
returning from deployment that they would have received had 
they not been away. The act also requires employers to treat 
workers on active military duty as furloughed employees or as 
employees on a leave of absence, entitling them to any 
compensation or benefits otherwise available to them in that 
status.
    The cost of the mandate would be the cost to the employers 
that provide the benefits as well as the cost of any other 
protections DOL requires. Although the mandate's ultimate cost 
would depend on those regulations, the bill limits the number 
of activated reservists to 30 at a time. Therefore, CBO 
estimates, the cost to employers would be small and well below 
the annual thresholds established in UMRA for intergovernmental 
and private-sector mandates ($99 million and $198 million in 
2023, respectively, adjusted annually for inflation).
    Estimate prepared by: Federal Costs: Aldo Prosperi; 
Mandates: Brandon Lever.
    Estimate reviewed By: David Newman, Chief, Defense, 
International Affairs, and Veterans' Affairs Cost Estimates 
Unit; Kathleen FitzGerald, Chief, Public and Private Mandates 
Unit; Chad Chirico, Deputy Director of Budget Analysis.
    Estimate approved by: Phillip L. Swagel, Director, 
Congressional Budget Office.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    Because S. 885 would not repeal or amend any provision of 
current law, it would make no changes in existing law within 
the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI 
of the Standing Rules of the Senate.

                                  [all]