107 S1350 RS: National Risk Management Act of 2021 U.S. Senate 2022-12-15 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
II
Calendar No. 652
117th CONGRESS
2d Session
S. 1350
[Report No. 117–261]
IN THE SENATE OF THE UNITED STATES
April 22, 2021
Ms. Hassan (for herself and Mr. Sasse) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs
December 15, 2022
Reported by Mr. Peters, with an amendment
Strike out all after the enacting clause and insert the part printed in italic
A BILL
To require the Secretary of Homeland Security to establish a national risk management cycle, and for other purposes.
1.
Short title
This Act may be cited as the National Risk Management Act of 2021.
2.
National risk management cycle
(a)
In general
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.), is amended by adding at the end the following:
2218.
National risk management cycle
(a)
Definitions
In this section:
(1)
Critical infrastructure
The term critical infrastructure has the meaning given the term in section 1016(e) of the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)).
(2)
National critical functions
The term national critical functions means the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
(b)
National risk management cycle
(1)
Risk identification and assessment
(A)
In general
The Secretary, acting through the Director, shall establish a process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, vulnerabilities, and consequences.
(B)
Consultation
In establishing the process required under subparagraph (A), the Secretary shall consult with Sector Risk Management Agencies, critical infrastructure owners and operators, and the National Cyber Director.
(C)
Publication
Not later than 180 days after the date of enactment of this section, the Secretary shall publish in the Federal Register procedures for the process established under subparagraph (A).
(D)
Report
The Secretary shall submit to the President, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a report on the risks identified by the process established under subparagraph (A)—
(i) not later than 1 year after the date of enactment of this section; and
(ii) not later than 1 year after the date on which the Secretary submits a periodic evaluation described in section 9002(b)(2) of title XC of division H of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283).
(2)
National critical infrastructure resilience strategy
(A)
In general
Not later than 1 year after the date on which the Secretary delivers each report required under paragraph (1), the President shall deliver to majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a national critical infrastructure resilience strategy designed to address the risks identified by the Secretary.
(B)
Elements
In each strategy delivered under subparagraph (A), the President shall—
(i) identify, assess, and prioritize areas of risk to critical infrastructure that would compromise, disrupt, or impede their ability to support the national critical functions of national security, economic security, or public health and safety;
(ii) assess the implementation of the previous national critical infrastructure resilience strategy, as applicable;
(iii) identify and outline current and proposed national-level actions, programs, and efforts to be taken to address the risks identified;
(iv) identify the Federal departments or agencies responsible for leading each national-level action, program, or effort and the relevant critical infrastructure sectors for each;
(v) outline the budget plan required to provide sufficient resources to successfully execute the full range of activities proposed or described by the strategy; and
(vi) request any additional authorities or resources necessary to successfully execute the strategy.
(C)
Form
Each strategy delivered under subparagraph (A) shall be unclassified, but may contain a classified annex.
(3)
Congressional briefing
Not later than 1 year after the date on which the President delivers a strategy under this section, and every year thereafter, the Secretary, in coordination with Sector Risk Management Agencies, shall brief the appropriate committees of Congress on the national risk management cycle activities undertaken pursuant to the strategy.
(b)
Technical and conforming amendment
The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the item relating to section 2217 the following:
Sec. 2218. National risk management cycle.
1.
Short title
This Act may be cited as the National Risk Management Act of 2021.
2.
National risk management cycle
(a)
In general
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following:
2218.
National risk management cycle
(a)
National critical functions defined
In this section, the term national critical functions means the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
(b)
National risk management cycle
(1)
Risk identification and assessment
(A)
In general
The Secretary, acting through the Director, shall establish a recurring process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, the associated likelihoods, vulnerabilities, and consequences, and the resources necessary to address them.
(B)
Consultation
In establishing the process required under subparagraph (A), the Secretary shall consult with, and request and collect information to support analysis from, Sector Risk Management Agencies, critical infrastructure owners and operators, the Assistant to the President for National Security Affairs, the Assistant to the President for Homeland Security, and the National Cyber Director.
(C)
Publication
Not later than 180 days after the date of enactment of this section, the Secretary shall publish in the Federal Register procedures for the process established under subparagraph (A), subject to any redactions the Secretary determines are necessary to protect classified or other sensitive information.
(D)
Report
The Secretary shall submit to the President, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a report on the risks identified by the process established under subparagraph (A)—
(i) not later than 1 year after the date of enactment of this section; and
(ii) not later than 1 year after the date on which the Secretary submits a periodic evaluation described in section 9002(b)(2) of title XC of division H of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283).
(2)
National critical infrastructure resilience strategy
(A)
In general
Not later than 1 year after the date on which the Secretary delivers each report required under paragraph (1), the President shall deliver to majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a national critical infrastructure resilience strategy designed to address the risks identified by the Secretary.
(B)
Elements
Each strategy delivered under subparagraph (A) shall—
(i) identify, assess, and prioritize areas of risk to critical infrastructure that would compromise or disrupt national critical functions impacting national security, economic security, or public health and safety;
(ii) assess the implementation of the previous national critical infrastructure resilience strategy, as applicable;
(iii) identify and outline current and proposed national-level actions, programs, and efforts to be taken to address the risks identified;
(iv) identify the Federal departments or agencies responsible for leading each national-level action, program, or effort and the relevant critical infrastructure sectors for each; and
(v) request any additional authorities necessary to successfully execute the strategy.
(C)
Form
Each strategy delivered under subparagraph (A) shall be unclassified, but may contain a classified annex.
(3)
Congressional briefing
Not later than 1 year after the date on which the President delivers the first strategy required under paragraph (2)(A), and every year thereafter, the Secretary, in coordination with Sector Risk Management Agencies, shall brief the appropriate congressional committees on—
(A) the national risk management cycle activities undertaken pursuant to the strategy; and
(B) the amounts and timeline for funding that the Secretary has determined would be necessary to address risks and successfully execute the full range of activities proposed by the strategy.
(b)
Technical and conforming amendment
The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the item relating to section 2217 the following:
Sec. 2218. National risk management cycle.
December 15, 2022
Reported with an amendment