[Senate Report 116-265]
[From the U.S. Government Publishing Office]

Calendar No. 528

116th Congress, 2d Session                          Senate Report 116-265

======================================================================

CYBERSECURITY ADVISORY COMMITTEE AUTHORIZATION ACT OF 2020

__________

R E P O R T

of the

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE

to accompany

S. 4024

TO ESTABLISH IN THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY OF THE DEPARTMENT OF HOMELAND SECURITY A CYBERSECURITY ADVISORY COMMITTEE

September 9, 2020.--Ordered to be printed

__________

U.S. GOVERNMENT PUBLISHING OFFICE
99-010                         WASHINGTON : 2020

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

RON JOHNSON, Wisconsin, Chairman

ROB PORTMAN, Ohio
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MITT ROMNEY, Utah
RICK SCOTT, Florida
MICHAEL B. ENZI, Wyoming
JOSH HAWLEY, Missouri

GARY C. PETERS, Michigan
THOMAS R. CARPER, Delaware
MAGGIE HASSAN, New Hampshire
KAMALA D. HARRIS, California
KYRSTEN SINEMA, Arizona
JACKY ROSEN, Nevada

Gabrielle D'Adamo Singer, Staff Director
Joseph C. Folio III, Chief Counsel
Michael J.R. Flynn, Senior Counsel
Andrew J. Timm, Professional Staff Member
David M. Weinberg, Minority Staff Director
Zachary I. Schram, Minority Chief Counsel
Jeffrey D. Rothblum, Minority Senior Professional Staff Member
Laura W. Kilbride, Chief Clerk

Mr. Johnson, from the Committee on Homeland Security and Governmental Affairs, submitted the following

R E P O R T

[To accompany S. 4024]

[Including cost estimate of the Congressional Budget Office]

The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (S. 4024) to establish in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security a Cybersecurity Advisory Committee, and for other purposes, having considered the same, reports favorably thereon with an amendment in the nature of a substitute and recommends that the bill, as amended, do pass.

CONTENTS

I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

I. Purpose and Summary

The purpose of S. 4024, the Cybersecurity Advisory Committee Authorization Act of 2020, is to amend the Homeland Security Act of 2002 to establish a Cybersecurity Advisory Committee (Advisory Committee) within the Department of Homeland Security's (DHS or the Department) Cybersecurity and Infrastructure Security Agency (CISA). The Advisory Committee is to be comprised of representatives of state and local governments as well as cybersecurity subject matter experts who would report to the Director of CISA. The Advisory Committee would be tasked to assist CISA in the execution of its cybersecurity mission by advising, consulting with, and making recommendations to the Director of CISA concerning the development, refinement, and implementation of CISA's cybersecurity policies, programs, planning, and training. This bill will better position CISA to effectively execute its cyber mission.

II. Background and the Need for Legislation

In September 2018, the Trump Administration released the National Cybersecurity Strategy, which underscores the Federal Government's intent to strengthen its collaboration with the private sector and non-Federal entities to combat cyber threats and secure critical infrastructure.\1\ Additionally, the 2018 DHS Cybersecurity Strategy recognized the need to ``partner with key stakeholders, including sector specific agencies and the private sector, to drive better cybersecurity.''\2\

---------------------------------------------------------------------------
\1\The White House, National Cybersecurity Strategy 8 (2018), available at https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf.
\2\U.S. Department of Homeland Security, U.S. Department of Homeland Security Cybersecurity Strategy 11 (2018), available at https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf.
---------------------------------------------------------------------------

To better position DHS to carry out its cybersecurity and infrastructure protection mission, Congress re-designated and restructured the Department's National Protection and Programs Directorate as CISA through the Cybersecurity and Infrastructure Security Agency Act of 2018.\3\ More specifically, Congress established CISA to, among other things, lead DHS's coordination ``with partners at all levels of government, and from the private and non-profit sectors, to share information and build greater trust in order to make our cyber and physical infrastructure more secure.''\4\

---------------------------------------------------------------------------
\3\H. Rept. 115-454 at 2 (2017), available at https://www.congress.gov/115/crpt/hrpt454/CRPT-115hrpt454.pdf.
\4\Id.
---------------------------------------------------------------------------

CISA has demonstrated its commitment to improving its partnerships with non-Federal entities.
For example, in October 2019, CISA Director Chris Krebs testified before the Committee at a hearing entitled, ``Supply Chain Security, Global Competitiveness, and 5G.''\5\ When asked by Chairman Ron Johnson what Congress could do to assist CISA in achieving its goals and priorities, Director Krebs said that Congress should ``[m]ake it easier for [CISA] to be able to convene groups to develop frameworks, to share more broadly.''\6\ Additionally, at a Committee hearing held in February 2020, Director Krebs testified that CISA's goal is to work with government and industry partners in order to create ``a more strategic and unified approach towards improving our nation's overall defensive posture against malicious cyber activity.''\7\ At the same hearing, Director Krebs stated that as an agency, CISA's pathway to providing more value to its partners requires ``listening and learning what [its non-Federal partners] actually need.''\8\

---------------------------------------------------------------------------
\5\Supply Chain Security, Global Competitiveness, and 5G: Hearing Before the S. Comm. on Homeland Sec. & Governmental Affairs, 116th Cong. (Oct. 19, 2019), available at https://www.govinfo.gov/content/pkg/CHRG-116shrg40385/pdf/CHRG-116shrg40385.pdf.
\6\Id. (testimony of CISA Director Chris Krebs).
\7\What States, Locals and the Business Community Should Know and Do: A Roadmap for Effective Cybersecurity: Hearing Before the S. Comm. on Homeland Sec. & Governmental Affairs, 116th Cong. (Feb. 11, 2020) (testimony of CISA Director Chris Krebs).
\8\Id.
---------------------------------------------------------------------------

Additionally, the Cyberspace Solarium Commission (CSC), a bipartisan, bicameral commission, was established in the John S. McCain National Defense Authorization Act of 2019 to ``develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequence.''\9\ In March 2020, the CSC published its final report, which included a broad recommendation to strengthen CISA ``to promote a more secure cyber ecosystem, and to serve as the central civilian cybersecurity authority to support federal, state and local, and private sector cybersecurity efforts.''\10\ Specifically, the CSC recommended including a cybersecurity advisory committee for CISA to better account for non-Federal interests.\11\

---------------------------------------------------------------------------
\9\Pub. L. No. 115-232, 115th Cong. (2018).
\10\Cyberspace Solarium Commission 3 (Mar. 2020), available at https://www.solarium.gov/report.
\11\Id. at 41.
---------------------------------------------------------------------------

S. 4024 formally establishes an advisory body comprised of a diverse set of experts representing the private and non-Federal public sector within CISA. The bill also establishes a process to provide direct input to CISA on policies, programs, planning, and training to account for non-Federal interests, thereby enhancing CISA's ability to engage with both public and private sector partners. The legislation should facilitate stakeholder engagement and ensure that a wide variety of views are represented, including through a geographically diverse membership.

III. Legislative History

Senator David Perdue (R-GA) introduced S. 4024, the Cybersecurity Advisory Committee Authorization Act of 2020, on June 22, 2020, with Senator Kyrsten Sinema (D-AZ). The bill was referred to the Committee on Homeland Security and Governmental Affairs.

The Committee considered S. 4024 at a business meeting on July 22, 2020. During the business meeting, Chairman Johnson and Senator Sinema offered a substitute amendment.
The amendment provided additional oversight authorities to the Director, clarified the structure and composition of the Advisory Committee and its membership, and included measures to increase transparency of the Advisory Committee and its work. The Johnson-Sinema substitute amendment was adopted by voice vote en bloc. The bill, as amended, was reported favorably by voice vote en bloc. Senators present for both the vote on the amendment and on final passage were Johnson, Portman, Paul, Lankford, Romney, Scott, Enzi, Hawley, Peters, Carper, Hassan, Harris, and Rosen.

IV. Section-by-Section Analysis of the Bill, as Reported

Section 1. Short title

This section names the bill the ``Cybersecurity Advisory Committee Authorization Act of 2020.''

Section 2. Cybersecurity Advisory Committee

Section 2, subsection (a) adds a new section, section 2215, to the Homeland Security Act of 2002 to establish the Advisory Committee within CISA.

New section 2215 subsection (a) establishes the Advisory Committee.

Subsection (b)(1) lays out the duties of the Advisory Committee. Specifically, this subsection requires that the Advisory Committee advise, consult with, report to, and make recommendations to the Director of CISA on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the Agency's cybersecurity mission.

Subsection (b)(2) requires the Advisory Committee, at the Director's request, to develop recommendations regarding improving and advancing CISA's cybersecurity mission and strengthening the United States' cybersecurity. Recommendations made by the Advisory Committee must be approved by the Committee before the submission of an annual report.

New section 2215, subsection (b)(3) requires the Advisory Committee to submit periodic reports on matters identified by the Director as well as matters identified by a majority of the members of the Advisory Committee.

New section 2215, subsection (b)(4) requires the Advisory Committee to submit an annual report including the Advisory Committee's activities, findings, and recommendations, including those of any subcommittee established under this Act, for the preceding year. Not later than 180 days after the Director receives the Advisory Committee's annual report, the Director must publish a public version of the report.

Subsection (b)(5) requires the Director of CISA to respond in writing not later than 90 days after receiving any recommendation from the Advisory Committee. If the Director concurs with the recommendation, the Director must also submit an action plan to implement the recommendation; if the Director does not concur with the recommendation, the Director must provide justification for why the recommendation will not be implemented.

New section 2215, subsection (b)(6) lays out the congressional notification process. Specifically, this subsection requires the Director of CISA to provide the Committees on Homeland Security and Governmental Affairs and Appropriations of the Senate and the Committees on Homeland Security and Appropriations of the House of Representatives a briefing on feedback from the Advisory Committee.

New section 2215, subsection (b)(7) requires the Director of CISA to establish structure and governance rules concerning the Advisory Committee and any subcommittee established under the legislation.

New section 2215, subsection (c) outlines the membership of the Advisory Committee. The Director of CISA shall appoint up to 35 individuals to serve as members of the Advisory Committee, within 180 days of the bill's enactment. The bill requires that the membership consist of subject matter experts, be geographically balanced, and include representatives from state, local, and tribal governments and a broad range of industries such as defense, education, financial services and insurance, healthcare, manufacturing, and other relevant fields identified by the Director. At least one, but not more than three, members of the Advisory Committee may represent a private sector category identified in this bill. The membership of the Advisory Committee is required to be made available on a public website at least once a year and must be updated to reflect changes in membership when they occur.

Members of the Advisory Committee are permitted to serve for a period of two years, but may also serve in a holdover capacity until a successor is appointed. The Director of CISA has the authority to remove participants at his or her discretion. Members of the Advisory Committee are prohibited from being compensated by the Federal Government for their participation.

The Advisory Committee must meet at least semiannually and may convene additional meetings as necessary. At least one semiannual meeting must be open to the public, and attendance must be recorded at each meeting.

Within 60 days of appointing a member to the Advisory Committee, the Director is required to determine whether that member should be restricted from reviewing, discussing, or possessing classified materials. Members of the Advisory Committee are required to protect all classified information in accordance with applicable requirements. The requirements under this bill concerning a member's access to classified materials are not to affect the security clearance held by said member.

Finally, the members of the Advisory Committee are required to appoint an Advisory Committee chairperson as well as a chairperson for each subcommittee.
New section 2215, subsection (d) requires the Director of CISA to establish subcommittees within the Advisory Committee to address cybersecurity issues, such as information exchange, critical infrastructure, risk management, and public and private partnerships. The subcommittees are required to meet not less than semiannually, and submit to the Advisory Committee information concerning their activities, findings, and recommendations related to the subject matter considered by the subcommittee. The chair of the Advisory Committee must appoint members to serve on subcommittees and ensure that the appointed member possesses expertise relevant to the subcommittee's focus.

Subsection (b) of the bill adds a clerical amendment to modify the Homeland Security Act of 2002's table of contents consistent with the new section added by this legislation.

V. Evaluation of Regulatory Impact

Pursuant to the requirements of paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee has considered the regulatory impact of this bill and determined that the bill will have no regulatory impact within the meaning of the rules. The Committee agrees with the Congressional Budget Office's statement that the bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments.

VI. Congressional Budget Office Cost Estimate

U.S. Congress,
Congressional Budget Office,
Washington, DC, August 5, 2020.

Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 4024, the Cybersecurity Advisory Committee Authorization Act of 2020.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Aldo Prosperi.

Sincerely,
Phillip L. Swagel, Director.

Enclosure.

S. 4024 would require the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to establish an advisory committee that would be composed of members from state and local governments and the private sector. The committee would provide CISA with recommendations on the implementation of cybersecurity policies and programs.

Using information from the agency about the administrative costs of similar advisory committees, CBO estimates that staff salaries, travel costs, and other expenses would be less than $500,000 annually. In total, implementing S. 4024 would cost $2 million over the 2020-2025 period; such spending would be subject to the availability of appropriations.

On October 11, 2019, CBO transmitted a cost estimate for H.R. 1975, the Cybersecurity Advisory Committee Authorization Act of 2019, as ordered reported by the House Committee on Homeland Security on September 25, 2019. The two pieces of legislation are similar, and CBO's estimate of their budgetary effects is the same.

The CBO staff contact for this estimate is Aldo Prosperi. The estimate was reviewed by Leo Lex, Deputy Director of Budget Analysis.

VII. Changes in Existing Law Made by the Bill, as Reported

In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, the following changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

* * * * * * *

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) * * *

(b) Table of Contents.--The table of contents for this Act is as follows:

* * * * * * *

TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

Subtitle A--Cybersecurity and Infrastructure Security

* * * * * * *

SEC. 2215. CYBERSECURITY ADVISORY COMMITTEE.
* * * * * * *

TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

* * * * * * *

Subtitle A--Cybersecurity and Infrastructure Security

* * * * * * *

SEC. 2215. CYBERSECURITY ADVISORY COMMITTEE.

(a) Establishment.--The Secretary shall establish within the Agency a Cybersecurity Advisory Committee (referred to in this section as the ``Advisory Committee'').

(b) Duties.--

  (1) In general.--The Advisory Committee shall advise, consult with, report to, and make recommendations to the Director, as appropriate, on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the Agency.

  (2) Recommendations.--

    (A) In general.--The Advisory Committee shall develop, at the request of the Director, recommendations for improvements to advance the cybersecurity mission of the Agency and strengthen the cybersecurity of the United States.

    (B) Recommendations of subcommittees.--Recommendations agreed upon by subcommittees established under subsection (d) for any year shall be approved by the Advisory Committee before the Advisory Committee submits to the Director the annual report under paragraph (4) for that year.

  (3) Periodic reports.--The Advisory Committee shall periodically submit to the Director--

    (A) reports on matters identified by the Director; and

    (B) reports on other matters identified by a majority of the members of the Advisory Committee.

  (4) Annual report.--

    (A) In general.--The Advisory Committee shall submit to the Director an annual report providing information on the activities, findings, and recommendations of the Advisory Committee, including its subcommittees, for the preceding year.

    (B) Publication.--Not later than 180 days after the date on which the Director receives an annual report for a year under subparagraph (A), the Director shall publish a public version of the report describing the activities of the Advisory Committee and such related matters as would be informative to the public during that year, consistent with section 552(b) of title 5, United States Code.

  (5) Feedback.--Not later than 90 days after receiving any recommendation submitted by the Advisory Committee under paragraph (2), (3), or (4), the Director shall respond in writing to the Advisory Committee with feedback on the recommendation. Such a response shall include--

    (A) with respect to any recommendation with which the Director concurs, an action plan to implement the recommendation; and

    (B) with respect to any recommendation with which the Director does not concur, a justification for why the Director does not plan to implement the recommendation.

  (6) Congressional notification.--Not less frequently than once per year after the date of enactment of this section, the Director shall provide to the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate and the Committee on Homeland Security and the Committee on Appropriations of the House of Representatives a briefing on feedback from the Advisory Committee.

  (7) Governance rules.--The Director shall establish rules for the structure and governance of the Advisory Committee and all subcommittees established under subsection (d).

(c) Membership.--

  (1) Appointment.--

    (A) In general.--Not later than 180 days after the date of enactment of the Cybersecurity Advisory Committee Authorization Act of 2020, the Director shall appoint the members of the Advisory Committee.

    (B) Composition.--The membership of the Advisory Committee shall consist of not more than 35 individuals.

    (C) Representation.--

      (i) In general.--The membership of the Advisory Committee shall--

        (I) consist of subject matter experts;

        (II) be geographically balanced; and

        (III) include representatives of State, local, and Tribal governments and of a broad range of industries, which may include the following:

          (aa) Defense.
          (bb) Education.
          (cc) Financial services and insurance.
          (dd) Healthcare.
          (ee) Manufacturing.
          (ff) Media and entertainment.
          (gg) Chemicals.
          (hh) Retail.
          (ii) Transportation.
          (jj) Energy.
          (kk) Information Technology.
          (ll) Communications.
          (mm) Other relevant fields identified by the Director.

      (ii) Prohibition.--Not less than 1 member nor more than 3 members may represent any 1 category under clause (i)(III).

      (iii) Publication of membership list.--The Advisory Committee shall publish its membership list on a publicly available website not less than once per fiscal year and shall update the membership list as changes occur.

  (2) Term of office.--

    (A) Terms.--The term of each member of the Advisory Committee shall be 2 years, except that a member may continue to serve until a successor is appointed.

    (B) Removal.--The Director may review the participation of a member of the Advisory Committee and remove such member any time at the discretion of the Director.

    (C) Reappointment.--A member of the Advisory Committee may be reappointed for an unlimited number of terms.

  (3) Prohibition of compensation.--The members of the Advisory Committee may not receive pay or benefits from the United States Government by reason of their service on the Advisory Committee.

  (4) Meetings.--

    (A) In general.--The Director shall require the Advisory Committee to meet not less frequently than semiannually, and may convene additional meetings as necessary.

    (B) Public meetings.--At least one of the meetings referred to in subparagraph (A) shall be open to the public.

    (C) Attendance.--The Advisory Committee shall maintain a record of the persons present at each meeting.

  (5) Member access to classified information.--

    (A) In general.--Not later than 60 days after the date on which a member is first appointed to the Advisory Committee and before the member is granted access to any classified information, the Director shall determine, for the purposes of the Advisory Committee, if the member should be restricted from reviewing, discussing, or possessing classified information.

    (B) Access.--Access to classified materials shall be managed in accordance with Executive Order No. 13526 of December 29, 2009 (75 Fed. Reg. 707), or any subsequent corresponding Executive Order.

    (C) Protections.--A member of the Advisory Committee shall protect all classified information in accordance with the applicable requirements for the particular level of classification of such information.

    (D) Rule of construction.--Nothing in this paragraph shall be construed to affect the security clearance of a member of the Advisory Committee or the authority of a Federal agency to provide a member of the Advisory Committee access to classified information.

  (6) Chairperson.--The Advisory Committee shall select, from among the members of the Advisory Committee--

    (A) a member to serve as chairperson of the Advisory Committee; and

    (B) a member to serve as chairperson of each subcommittee of the Advisory Committee established under subsection (d).

(d) Subcommittees.--

  (1) In general.--The Director shall establish subcommittees within the Advisory Committee to address cybersecurity issues, which may include the following:

    (A) Information exchange.

    (B) Critical infrastructure.

    (C) Risk management.

    (D) Public and private partnerships.

  (2) Meetings and reporting.--Each subcommittee shall meet not less frequently than semiannually, and submit to the Advisory Committee for inclusion in the annual report required under subsection (b)(4) information, including activities, findings, and recommendations, regarding subject matter considered by the subcommittee.

  (3) Subject matter experts.--The chairperson of the Advisory Committee shall appoint members to subcommittees and shall ensure that each member appointed to a subcommittee has subject matter expertise relevant to the subject matter of the subcommittee.