
Code · BILL · 117th Congress · S. 2491 (Reported in Senate) — To amend the Homeland Security Act of 2002 to establish the National Cyber Resilience Assistance Fund, to improve the... · Sec. 101

Sec. 101. Establishment of the National Cyber Resilience Assistance Fund


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

It is the sense of Congress that— the United States now operates in a cyber landscape that requires a level of data security, resilience, and trustworthiness that neither the United States Government nor the private sector alone is currently equipped to provide; the United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to the disadvantage of the United States, and at little cost to themselves; this new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem; reducing the vulnerabilities adversaries can target denies them opportunities to attack the interests of the United States through cyberspace; the public and private sectors struggle to coordinate cyber defenses, leaving gaps that decrease national resilience and create systemic risk; new technology continues to emerge that further compounds these challenges; while the Homeland Security Grant Program and resourcing for national preparedness under the Federal Emergency Management Agency are well-established, the United States Government has no equivalent for cybersecurity preparation or prevention; the lack of a consistent, resourced fund for investing in resilience in key areas inhibits the United States Government from conveying its understanding of risk into strategy, planning, and action in furtherance of core objectives for the security and resilience of critical infrastructure;
Congress has worked diligently to establish the Cybersecurity and Infrastructure Security Agency, creating a new agency that can leverage broad authorities to receive and share information, provide technical assistance to operators, and partner with stakeholders across the executive branch, State and local communities, and the private sector; the Cybersecurity and Infrastructure Security Agency requires strengthening in its mission to ensure the national resilience of critical infrastructure, promote a more secure cyber ecosystem, and serve as the central coordinating element to support and integrate Federal, State, local, and private-sector cybersecurity efforts; and the Cybersecurity and Infrastructure Security Agency requires further resource investment and clear authorities to realize its full potential.
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended— in section 2202(c) (6 U.S.C. 652(c))— in paragraph (11), by striking "and" at the end; in the first paragraph designated as paragraph (12), relating to the Cybersecurity State Coordinator— by striking "section 2215" and inserting "section 2217"; and by striking "and" at the end; and by redesignating the second and third paragraphs designated as paragraph (12) as paragraphs (13) and (14), respectively; by redesignating section 2217 (6 U.S.C. 665f) as section 2220; by redesignating section 2216 (6 U.S.C. 665e) as section 2219; by redesignating the fourth section 2215 (relating to Sector Risk Management Agencies) (6 U.S.C. 665d) as section 2218; by redesignating the third section 2215 (relating to the Cybersecurity State Coordinator) (6 U.S.C. 665c) as section 2217; by redesignating the second section 2215 (relating to the Joint Cyber Planning Office) (6 U.S.C. 665b) as section 2216; and by adding at the end the following:
In this section: The term "cybersecurity risk" has the meaning given that term in section 2209. The term "eligible entity" means an entity that meets the guidelines and requirements for eligible entities established by the Secretary under subsection (d)(4). The term "Fund" means the National Cyber Resilience Assistance Fund established under subsection (c). The term "national critical functions" means the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
The Secretary, acting through the Director, shall establish a process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, vulnerabilities, and consequences. In establishing the process required under subparagraph (A), the Secretary shall consult with Sector Risk Management Agencies, critical infrastructure owners and operators, and the National Cyber Director. Not later than 180 days after the date of enactment of this section, the Secretary shall publish in the Federal Register procedures for the process established under subparagraph (A).
Not later than 1 year after the date of enactment of this section, the Secretary shall submit to the President, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a report on the risks identified by the process established under subparagraph (A). Not later than 1 year after the date on which the Secretary delivers the report required under paragraph (1)(D), the President shall deliver to majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a national critical infrastructure resilience strategy designed to address the risks identified by the Secretary. In the strategy delivered under subparagraph (A), the President shall— identify, assess, and prioritize areas of risk to critical infrastructure that would compromise, disrupt, or impede the ability of the critical infrastructure to support the national critical functions of national security, economic security, or public health and safety; identify and outline current and proposed national-level actions, programs, and efforts to be taken to address the risks identified; identify the Federal departments or agencies responsible for leading each national-level action, program, or effort and the relevant critical infrastructure sectors for each; outline the budget plan required to provide sufficient resources to successfully execute the full range of activities proposed or described by the strategy; and request any additional authorities or resources necessary to successfully execute the strategy. The strategy delivered under subparagraph (A) shall be unclassified, but may contain a classified annex. Not later than 1 year after the date on which the President delivers the strategy under subparagraph (A), and every year thereafter, the Secretary, in coordination with Sector Risk Management Agencies, shall brief the appropriate congressional committees on the national risk management cycle activities undertaken pursuant to the strategy. Under procedures established by the Secretary, the Secretary shall repeat the conducting and reporting of the risk identification and assessment required under paragraph (1), in accordance with the requirements in paragraph (1), every 5 years. Under procedures established by the President, the President shall repeat the preparation and delivery of the critical infrastructure resilience strategy required under paragraph (2), in accordance with the requirements in paragraph (2), every 5 years, which shall also include assessing the implementation of the previous national critical infrastructure resilience strategy.
There is established in the Treasury of the United States a fund, to be known as the "National Cyber Resilience Assistance Fund", which shall be available for the cost of risk-based grant programs focused on systematically increasing the resilience of public and private critical infrastructure against cybersecurity risk, thereby increasing the overall resilience of the United States. In accordance with this section, the Secretary, acting through the Administrator of the Federal Emergency Management Agency and the Director, shall develop and administer processes to— establish focused grant programs to address identified areas of cybersecurity risk to, and bolster the resilience of, critical infrastructure; accept and evaluate applications for each such grant program; award grants under each such grant program; and disburse amounts from the Fund.
The Secretary, acting through the Director and the Administrator of the Federal Emergency Management Agency, may establish not less than 1 grant program focused on mitigating an identified category of cybersecurity risk identified under the national risk management cycle and critical infrastructure resilience strategy under subsection (b) in order to bolster the resilience of critical infrastructure within the United States. Before selecting a focus area for a grant program pursuant to this subparagraph, the Director shall ensure— there is a clearly defined cybersecurity risk identified through the national risk management cycle and critical infrastructure resilience strategy under subsection (b) to be mitigated; market forces do not provide sufficient private-sector incentives to mitigate the risk without Government investment; and there is clear Federal need, role, and responsibility to mitigate the risk in order to bolster the resilience of critical infrastructure. Beginning in the first fiscal year following the establishment of the Fund and each fiscal year thereafter, the Director shall— assess the funds available in the Fund for the fiscal year; and recommend to the Secretary the total amount to be made available from the Fund under each grant program established under this subsection. After considering the recommendations made by the Director under clause (i) for a fiscal year, the Director shall allocate amounts from the Fund to each active grant program established under this subsection for the fiscal year. Amounts in the Fund shall be used to mitigate risks identified through the national risk management cycle and critical infrastructure resilience strategy under subsection (b).
In accordance with clause (ii), the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate and the Committee on Homeland Security and the Committee on Appropriations of the House of Representatives a set of guidelines and requirements for determining the entities that are eligible entities. The Secretary shall submit the guidelines and requirements under clause (i)— not later than 180 days after the date of enactment of this section, and every 2 years thereafter; and not later than 30 days before the date on which the Secretary implements the guidelines and requirements. In developing guidelines and requirements for eligible entities under subparagraph (A), the Secretary shall consider— number of employees; annual revenue; existing entity cybersecurity spending; current cyber risk assessments, including credible threats, vulnerabilities, and consequences; and entity capacity to invest in mitigating cybersecurity risk absent assistance from the Federal Government. For any fiscal year, an eligible entity may not receive more than 1 grant from each grant program established under this subsection.
The Secretary, acting through the Administrator of the Federal Emergency Management Agency, shall require the submission of such information as the Secretary determines is necessary to— evaluate a grant application against the criteria established under this section; disburse grant funds; provide oversight of disbursed grant funds; and evaluate the effectiveness of the funded project in increasing the overall resilience of the United States with respect to cybersecurity risks. For each grant program established under this subsection, the Director, in coordination with the Administrator of the Federal Emergency Management Agency, shall develop and publish criteria for evaluating applications for funding, which shall include— whether the application identifies a clearly defined cybersecurity risk; whether the cybersecurity risk identified in the grant application poses a substantial threat to critical infrastructure; whether the application identifies a program or project clearly designed to mitigate a cybersecurity risk; the potential consequences of leaving the identified cybersecurity risk unmitigated, including the potential impact to the critical functions and overall resilience of the nation; and other appropriate factors identified by the Director. Utilizing the criteria established under paragraph (7), the Director, in coordination with the Administrator of the Federal Emergency Management Agency, shall evaluate grant applications made under each grant program established under this subsection. Following the evaluations required under subparagraph (A), the Director shall recommend to the Secretary applications for approval, including the amount of funding recommended for each such approval. 
The Secretary shall— review the recommendations of the Director prepared pursuant to paragraph (8); and provide a final determination of grant awards to the Administrator of the Federal Emergency Management Agency to be disbursed and administered under the process established under paragraph (6). The Secretary shall establish a process to evaluate the effectiveness and efficiency of grants distributed under this section and develop appropriate updates, as needed, to the grant programs. Not later than 180 days after the conclusion of the first fiscal year in which grants are awarded under this section, and every fiscal year thereafter, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate and the Committee on Homeland Security and the Committee on Appropriations of the House of Representatives a report detailing the grants awarded from the Fund, the status of projects undertaken with the grant funds, any planned changes to the disbursement methodology of the Fund, measurements of success, and total outlays from the Fund. Before the start of the second fiscal year in which grants are awarded under this section, and every fiscal year thereafter, the Director shall assess the grant programs established under this section and determine— for the coming fiscal year— whether new grant programs with additional focus areas should be created; whether any existing grant program should be discontinued; and whether the scope of any existing grant program should be modified; and the success of the grant programs in the prior fiscal year. 
Not later than 90 days before the start of the second fiscal year in which grants are awarded under this section, and every fiscal year thereafter, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate and the Committee on Homeland Security and the Committee on Appropriations of the House of Representatives the assessment conducted pursuant to subparagraph (A) and any planned alterations to the grant program for the coming fiscal year. Funds awarded pursuant to this section— shall supplement and not supplant State or local funds or, as applicable, funds supplied by the Bureau of Indian Affairs; and may not be used— to provide any Federal cost-sharing contribution on behalf of a State or local government; to pay a ransom; by or for a non-United States entity; or for any recreational or social purpose. There are authorized to be appropriated to carry out this section $75,000,000 for each of fiscal years 2022 through 2026. During a fiscal year, the Secretary or the head of any component of the Department that administers the State and Local Cybersecurity Grant Program may transfer not more than 5 percent of the amounts appropriated pursuant to subsection (g) or other amounts appropriated to carry out the National Cyber Resilience Assistance Fund for that fiscal year to an account of the Department for salaries, expenses, and other administrative costs incurred for the management, administration, or evaluation of this section.
The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by striking the item relating to section 2214 and all that follows through the item relating to section 2217 and inserting the following: Sec. 2214. National Asset Database. Sec. 2215. Duties and authorities relating to .gov internet domain. Sec. 2216. Joint Cyber Planning Office. Sec. 2217. Cybersecurity State Coordinator. Sec. 2218. Sector Risk Management Agencies. Sec. 2219. Cybersecurity Advisory Committee. Sec. 2220. Cybersecurity education and training programs. Sec. 2220A. National Cyber Resilience Assistance Fund.
Section 904(b)(1) of the DOTGOV Act of 2020 (title IX of division U of Public Law 116–260) is amended, in the matter preceding subparagraph (A), by striking "Homeland Security Act" and inserting "Homeland Security Act of 2002". The amendment made by subparagraph (A) shall take effect as if enacted as part of the DOTGOV Act of 2020 (title IX of division U of Public Law 116–260).