[Senate Report 115-410]
[From the U.S. Government Publishing Office]
Calendar No. 714
115th Congress } } Report
SENATE
2d Session } } 115-410
_______________________________________________________________________
NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM ACT OF 2017
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 594
TO AUTHORIZE THE SECRETARY OF HOMELAND SECURITY
TO WORK WITH CYBERSECURITY CONSORTIA FOR TRAINING, AND FOR OTHER
PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
December 4, 2018.--Ordered to be printed
______
U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2018
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma HEIDI HEITKAMP, North Dakota
MICHAEL B. ENZI, Wyoming GARY C. PETERS, Michigan
JOHN HOEVEN, North Dakota MAGGIE HASSAN, New Hampshire
STEVE DAINES, Montana KAMALA D. HARRIS, California
JON KYL, Arizona DOUG JONES, Alabama
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Michelle D. Woods, Senior Professional Staff Member
Margaret E. Daum, Minority Staff Director
Charles A. Moskowitz, Minority Senior Legislative Counsel
Julie G. Klein, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Calendar No. 714
115th Congress } } Report
SENATE
2d Session } } 115-410
======================================================================
NATIONAL CYBERSECURITY PREPAREDNESS CONSORTIUM ACT OF 2017
_______
December 4, 2018.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 594]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 594), to authorize
the Secretary of Homeland Security to work with cybersecurity
consortia for training, and for other purposes, having
considered the same, reports favorably thereon with an
amendment in the nature of a substitute and recommends that the
bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................3
IV. Section-by-Section Analysis......................................3
V. Evaluation of Regulatory Impact..................................4
VI. Congressional Budget Office Cost Estimate........................4
VII. Changes in Existing Law Made by the Bill, as Reported............5
I. PURPOSE AND SUMMARY
The purpose of S. 594, the National Cybersecurity
Preparedness Consortium Act of 2018, is to codify the Secretary
of Homeland Security's existing authority to work with
consortia, primarily composed of academic institutions and
nonprofit entities with expertise in cybersecurity, to address
cybersecurity risks and incidents. The Secretary may work with
a consortium to provide assistance to the National
Cybersecurity and Communications Integration Center (NCCIC)
within the Department of Homeland Security (DHS or the
Department) to provide cybersecurity related training and
expertise to state and local first responders and critical
infrastructure owners and operators.
II. BACKGROUND AND THE NEED FOR LEGISLATION
The Committee recognizes the challenges DHS faces in
fulfilling its cyber mission and implementing timely and
effective measures to mitigate the security risks posed by
nefarious cyber incidents.\1\ Specifically, DHS is responsible
for coordinating the Federal Government's efforts to protect
the nation's critical infrastructure.\2\ In April 2018, the
Committee held a hearing entitled, Mitigating America's
Cybersecurity Risks, to discuss the risks posed by malicious
cyber incidents and to assess how DHS is using its existing
authorities and cyber capabilities to minimize security
risks.\3\ During the hearing, Ranking Member Claire McCaskill
said ``DHS's responsibility also included coordinating critical
infrastructure protection. But the majority of the critical
infrastructure is not federally owned or operated.''\4\
Currently, 85 percent of the United States' national critical
infrastructure is owned by private entities.\5\
---------------------------------------------------------------------------
\1\Hearing on Mitigating America's Cybersecurity Risks Before the
S. Comm. on Homeland Sec. & Governmental Affairs, 115th Cong. (2018)
(statement of Sen. Ron Johnson, R-WI., Chairman), available at https://
www.hsgac.senate.gov/imo/media/doc/Opening%20Statement-Johnson-2018-04-
24.pdf.
\2\Press Release, Dep't of Homeland Sec., The Department's Five
Responsibilities (June 8, 2009), https://www.dhs.gov/blog/2009/06/08/
departments-five-responsibilities.
\3\See generally Hearing on Mitigating America's Cybersecurity
Risks Before the S. Comm. on Homeland Sec. & Governmental Affairs,
115th Cong. (2018).
\4\Hearing on Mitigating America's Cybersecurity Risks Before the
S. Comm. on Homeland Sec. & Governmental Affairs, 115th Cong. (2018)
(statement of Sen. Claire McCaskill, D-MO., Ranking Member), available
at http://www.cq.com/doc/congressionaltranscripts-5304955?0.
\5\Ann M. Beauchesne & Matthew J. Eggers, Critical Infrastructure
Protection, Information Sharing and Cyber Security, U.S. Chamber of
Commerce, (last accessed Nov. 6, 2018), https://www.uschamber.com/
issue-brief/critical-infrastructure-protection-information-sharing-and-
cyber-security.
---------------------------------------------------------------------------
The combination of the cybersecurity manpower shortage and
the majority of our nation's critical infrastructure being in
private hands has created a unique public-private environment
for DHS to operate in.\6\ The Committee held a hearing in June
2017 entitled, Cybersecurity Regulation Harmonization, where
the importance of public-private partnerships in combating
cyber challenges facing DHS was highlighted. Dean Garfield, an
expert witness, provided written testimony that stated:
``[c]ongress should consider the public and private sectors'
ongoing collaboration and efforts to implement pre-existing
regulations before further legislating on cybersecurity so that
Members may arrive at a holistic, federal cybersecurity
strategy approach.''\7\
---------------------------------------------------------------------------
\6\Id.; see also U.S. Gov't Accountability Office, GAO-18-466,
Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments
and Procedures for Coding Positions (2018), available at https://
www.gao.gov/assets/700/692498.pdf.
\7\Hearing on Cybersecurity Regulation Harmonization Before the S.
Comm. on Homeland Sec. & Governmental Affairs, 115th Cong. (2017)
(statement of Dean Garfield, Pres. and CEO of Info. Tech. Indus.
Council), available at https://www.hsgac.senate.gov/imo/media/doc/
Testimony-Garfield-2017-06-21-REVISED.pdf.
---------------------------------------------------------------------------
During the Committee's April 2018 hearing on mitigating
cybersecurity risks, the DHS Assistant Secretary for
Cybersecurity and Communications, Janette Manfra, testified
that DHS has ``taken steps to empower public and private
partners to defend against many of these threats by publicly
attributing state-sponsored activity, issuing technical
indicators and providing mitigation guidance.''\8\ For example,
DHS has partnered with universities to aid in cyber security
training.\9\ In 2004, DHS began partnering with the National
Cybersecurity Preparedness Consortium.\10\ This consortium
consists of five university partners from across the United
States.\11\
---------------------------------------------------------------------------
\8\Hearing on Mitigating America's Cybersecurity Risks, supra note
1 (statement of Janette Manfra, Assistant Sec'y, Office of
Cybersecurity & Communications, Nat'l Programs Directorate, U.S. Dept.
of Homeland Sec.).
\9\National Cyber Security Preparedness Consortium, About, (last
accessed Nov. 20, 2018), http://nationalcpc.org/index.html.
\10\Id.
\11\Id.
---------------------------------------------------------------------------
By leveraging the expertise of consortia, DHS can better
ensure that its partners in the private sector and state and
local governments are prepared to assist the Federal Government
in its efforts to combat cyber threats. S. 594 codifies an
existing DHS practice and helps strengthen the Department's
efforts to partner with the private sector and academia to
secure our nation's cyber infrastructure.
III. LEGISLATIVE HISTORY
Senator John Cornyn, (R-TX) introduced S. 594 on March 9,
2017, with Senator Ted Cruz (R-TX) and Senator Patrick Leahy
(D-VT). Senators John Boozman (R-AR) and Tom Cotton (R-AR)
joined as cosponsors on April 6, 2017. The bill was referred to
the Committee on March 9, 2017.
The Committee considered S. 594 at a business meeting on
September 26, 2018. During the business meeting, Senator
Johnson offered a substitute amendment that was accepted by
unanimous consent. The substitute amendment narrowed the focus
of the collaborative efforts between the Department and a
consortium to cybersecurity risks and incidents. It also
removed three provisions: a provision that required DHS to work
with a specific consortium, a prohibition on duplication of
existing program efforts, and the five-year sunset.
The bill, as amended, was ordered reported favorably by
voice vote en bloc. The Senators present for the voice vote
were Johnson, Portman, Lankford, Enzi, Hoeven, McCaskill,
Carper, Heitkamp, Peters, Hassan, Harris, and Jones.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section established that the bill may be cited as the
``National Cybersecurity Preparedness Consortium Act of 2018.''
Section 2. Definitions
This section includes definitions of the terms
``consortium,'' ``cybersecurity risk,'' ``incident,''
``Department,'' and ``Secretary.''
Section 3. National Cybersecurity Preparedness Consortium
Subsection (a) gives the Secretary the authority to work
with a consortium on cyber related issues.
Subsection (b) gives the Secretary guidance on the type of
assistance consortia may provide the NCCIC. Under this
subsection, consortia may be used to assist in the training of
state and local first responders and private industry actors in
addressing cybersecurity threats and risks. DHS may also work
with consortia to develop and update cybersecurity related
emergency plans and to provide technical assistance related to
cybersecurity risks and incidents. DHS may also work with the
consortia to incorporate cybersecurity incident prevention,
risk, and response in existing state and local emergency plans.
Subsection (c) requires the Secretary to consider prior
cybersecurity training experience and geographic diversity when
selecting consortium participants.
Subsection (d) requires the Secretary to establish metrics
for effectiveness of consortium activities.
Subsection (e) requires the Secretary to inform minority-
serving institutions of their ability to participate in
consortia and support the Department's cybersecurity efforts.
Section 4. Rule of construction
This section prohibits the consortium from commanding any
law enforcement agency or agents.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform bill (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, October 9, 2018.
Hon. Ron Johnson, Chairman,
Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 594, the National
Cybersecurity Preparedness Consortium Act of 2017.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is William Ma.
Sincerely,
Keith Hall,
Director.
Enclosure.
S. 594--National Cybersecurity Preparedness Consortium Act of 2017
S. 594 would authorize the Department of Homeland Security
(DHS) to work with a consortium to assist state and local
governments to prepare for and respond to cybersecurity risks
and incidents. Since 2014, the department has awarded $13
million in grants to members of the National Cybersecurity
Preparedness Consortium to deliver cybersecurity training and
technical assistance to state and local governments. CBO
expects that DHS would continue to provide a similar level of
support under S. 594. CBO estimates that DHS would provide $3
million in new grant funding each year, assuming appropriation
of the estimated amounts. In total, implementing S. 594 would
cost $15 million over the 2019-2023 period.
Enacting S. 594 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting S. 594 would not increase net
direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
S. 594 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
The CBO staff contact for this estimate is William Ma. The
estimate was reviewed by Leo Lex, Deputy Assistant Director for
Budget Analysis.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
Because this legislation would not repeal or amend any
provision of current law, it would not make changes in existing
law within the meaning of clauses (a) and (b) of paragraph 12
of rule XXVI of the Standing Rules of the Senate.
[all]