“TEXT OF AMENDMENTS” published by the Congressional Record in the Senate section on Nov. 18

Volume 167, No. 201 covering the 1st Session of the 117th Congress (2021 - 2022) was published by the Congressional Record.

The Congressional Record is a unique source of public documentation. It started in 1873, documenting nearly all the major and minor policies being discussed and debated.

“TEXT OF AMENDMENTS” mentioning the Department of Interior was published in the in the Senate section section on pages S8456-S8540 on Nov. 18.

The Department oversees more than 500 million acres of land. Downsizing the Federal Government, a project aimed at lowering taxes and boosting federal efficiency, said the department has contributed to a growing water crisis and holds many lands which could be better managed.

The publication is reproduced in full below:

TEXT OF AMENDMENTS

SA 4783. Mr. HAGERTY submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle G of title XII, add the following:

SEC. 1283. AUTHORIZATION FOR USE OF UNITED STATES ARMED

FORCES AGAINST ISIS AND ASSOCIATED FORCES IN

IRAQ.

The President is authorized to use the Armed Forces of the United States as the President determines to be necessary and appropriate in order to defend the national security of the United States against the threat posed by the Islamic State of Iraq and Syria (ISIS) and associated forces in Iraq.

SEC. 1284. AUTHORIZATION FOR USE OF UNITED STATES ARMED

FORCES TO PROTECT UNITED STATES DIPLOMATS AND

UNITED STATES DIPLOMATIC FACILITIES IN IRAQ

AGAINST TERRORIST ATTACKS.

The President is authorized to use the Armed Forces of the United States as the President determines to be necessary and appropriate in order to protect United States diplomats and United States diplomatic facilities in Iraq against terrorist attacks.

SEC. 1285. RULE OF CONSTRUCTION REGARDING THE CONSTITUTIONAL

POWERS OF THE PRESIDENT AS COMMANDER-IN-CHIEF.

Nothing in this Act shall be construed to infringe upon the constitutional powers of the President as Commander-in-Chief under Article II of the Constitution of the United States.

______

SA 4784. Mr. KING (for himself, Mr. Rounds, Mr. Sasse, Ms. Rosen, Ms. Hassan, and Mr. Ossoff) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end, add the following:

DIVISION E--DEFENSE OF UNITED STATES INFRASTRUCTURE

SEC. 5001. SHORT TITLE.

This division may be cited as the ``Defense of United States Infrastructure Act of 2021''.

SEC. 5002. DEFINITIONS.

In this division:

(1) Critical infrastructure.--The term ``critical infrastructure'' has the meaning given such term in section 1016(e) of the Critical Infrastructure Protection Act of 2001

(42 U.S.C. 5195c(e)).

(2) Cybersecurity risk.--The term ``cybersecurity risk'' has the meaning given such term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659).

(3) Department.--The term ``Department'' means the Department of Homeland Security.

(4) Secretary.--The term ``Secretary'' means the Secretary of Homeland Security.

TITLE LI--INVESTING IN CYBER RESILIENCY IN CRITICAL INFRASTRUCTURE

SEC. 5101. NATIONAL RISK MANAGEMENT CYCLE.

(a) Amendments.--Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--

(1) in section 2202(c) (6 U.S.C. 652(c))--

(A) in paragraph (11), by striking ``and'' at the end;

(B) in the first paragraph designated as paragraph (12), relating to the Cybersecurity State Coordinator--

(i) by striking ``section 2215'' and inserting ``section 2217''; and

(ii) by striking ``and'' at the end; and

(C) by redesignating the second and third paragraphs designated as paragraph (12) as paragraphs (13) and (14), respectively;

(2) by redesignating section 2217 (6 U.S.C. 665f) as section 2220;

(3) by redesignating section 2216 (6 U.S.C. 665e) as section 2219;

(4) by redesignating the fourth section 2215 (relating to Sector Risk Management Agencies) (6 U.S.C. 665d) as section 2218;

(5) by redesignating the third section 2215 (relating to the Cybersecurity State Coordinator) (6 U.S.C. 665c) as section 2217;

(6) by redesignating the second section 2215 (relating to the Joint Cyber Planning Office) (6 U.S.C. 665b) as section 2216; and

(7) by adding at the end the following:

``SEC. 2220A. NATIONAL RISK MANAGEMENT CYCLE.

``(a) National Critical Functions Defined.--In this section, the term `national critical functions' means the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

``(b) National Risk Management Cycle.--

``(1) Risk identification and assessment.--

``(A) In general.--The Secretary, acting through the Director, shall establish a recurring process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, the associated likelihoods, vulnerabilities, and consequences, and the resources necessary to address them.

``(B) Consultation.--In establishing the process required under subparagraph (A), the Secretary shall consult with, and request and collect information to support analysis from, Sector Risk Management Agencies, critical infrastructure owners and operators, the Assistant to the President for National Security Affairs, the Assistant to the President for Homeland Security, and the National Cyber Director.

``(C) Publication.--Not later than 180 days after the date of enactment of this section, the Secretary shall publish in the Federal Register procedures for the process established under subparagraph (A), subject to any redactions the Secretary determines are necessary to protect classified or other sensitive information.

``(D) Report.--The Secretary shall submit to the President, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a report on the risks identified by the process established under subparagraph (A)--

``(i) not later than 1 year after the date of enactment of this section; and

``(ii) not later than 1 year after the date on which the Secretary submits a periodic evaluation described in section 9002(b)(2) of title XC of division H of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116-283).

``(2) National critical infrastructure resilience strategy.--

``(A) In general.--Not later than 1 year after the date on which the Secretary delivers each report required under paragraph (1), the President shall deliver to majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a national critical infrastructure resilience strategy designed to address the risks identified by the Secretary.

``(B) Elements.--Each strategy delivered under subparagraph

(A) shall--

``(i) identify, assess, and prioritize areas of risk to critical infrastructure that would compromise or disrupt national critical functions impacting national security, economic security, or public health and safety;

``(ii) assess the implementation of the previous national critical infrastructure resilience strategy, as applicable;

``(iii) identify and outline current and proposed national-level actions, programs, and efforts to be taken to address the risks identified;

``(iv) identify the Federal departments or agencies responsible for leading each national-level action, program, or effort and the relevant critical infrastructure sectors for each; and

``(v) request any additional authorities necessary to successfully execute the strategy.

``(C) Form.--Each strategy delivered under subparagraph (A) shall be unclassified, but may contain a classified annex.

``(3) Congressional briefing.--Not later than 1 year after the date on which the President delivers a strategy under this section, and every year thereafter, the Secretary, in coordination with Sector Risk Management Agencies, shall brief the appropriate committees of Congress on--

``(A) the national risk management cycle activities undertaken pursuant to the strategy; and

``(B) the amounts and timeline for funding that the Secretary has determined would be necessary to address risks and successfully execute the full range of activities proposed by the strategy.''.

(b) Technical and Conforming Amendments.--

(1) Table of contents.--The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135) is amended by striking the item relating to section 2214 and all that follows through the item relating to section 2217 and inserting the following:

``Sec. 2214. National Asset Database.

``Sec. 2215. Duties and authorities relating to .gov internet domain.

``Sec. 2216. Joint Cyber Planning Office.

``Sec. 2217. Cybersecurity State Coordinator.

``Sec. 2218. Sector Risk Management Agencies.

``Sec. 2219. Cybersecurity Advisory Committee.

``Sec. 2220. Cybersecurity education and training programs.

``Sec. 2220A. National risk management cycle.''.

(2) Additional technical amendment.--

(A) Amendment.--Section 904(b)(1) of the DOTGOV Act of 2020

(title IX of division U of Public Law 116-260) is amended, in the matter preceding subparagraph (A), by striking ``Homeland Security Act'' and inserting ``Homeland Security Act of 2002''.

(B) Effective date.--The amendment made by subparagraph (A) shall take effect as if enacted as part of the DOTGOV Act of 2020 (title IX of division U of Public Law 116-260).

TITLE LII--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN

ENHANCING CRITICAL INFRASTRUCTURE CYBER RESILIENCE

SEC. 5201. INSTITUTE A 5-YEAR TERM FOR THE DIRECTOR OF THE

CYBERSECURITY AND INFRASTRUCTURE SECURITY

AGENCY.

(a) In General.--Subsection (b)(1) of section 2202 of the Homeland Security Act of 2002 (6 U.S.C. 652), is amended by inserting ``The term of office of an individual serving as Director shall be 5 years.'' after ``who shall report to the Secretary.''.

(b) Transition Rules.--The amendment made by subsection (a) shall take effect on the first appointment of an individual to the position of Director of the Cybersecurity and Infrastructure Security Agency, by and with the advice and consent of the Senate, that is made on or after the date of enactment of this Act.

SEC. 5202. CYBER THREAT INFORMATION COLLABORATION ENVIRONMENT

PROGRAM.

(a) Definitions.--In this section:

(1) Critical infrastructure information.--The term

``critical infrastructure information'' has the meaning given such term in section 2222 of the Homeland Security Act of 2002 (6 U.S.C. 671).

(2) Cyber threat indicator.--The term ``cyber threat indicator'' has the meaning given such term in section 102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501).

(3) Cybersecurity threat.--The term ``cybersecurity threat'' has the meaning given such term in section 102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501).

(4) Environment.--The term ``environment'' means the information collaboration environment established under subsection (b).

(5) Information sharing and analysis organization.--The term ``information sharing and analysis organization'' has the meaning given such term in section 2222 of the Homeland Security Act of 2002 (6 U.S.C. 671).

(6) Non-federal entity.--The term ``non-Federal entity'' has the meaning given such term in section 102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501).

(b) Program.--The Secretary, in consultation with the Secretary of Defense, the Director of National Intelligence, and the Attorney General, shall carry out a program under which the Secretary shall develop an information collaboration environment consisting of a digital environment containing technical tools for information analytics and a portal through which relevant parties may submit and automate information inputs and access the environment in order to enable interoperable data flow that enable Federal and non-Federal entities to identify, mitigate, and prevent malicious cyber activity to--

(1) provide limited access to appropriate and operationally relevant data from unclassified and classified intelligence about cybersecurity risks and cybersecurity threats, as well as malware forensics and data from network sensor programs, on a platform that enables query and analysis;

(2) enable cross-correlation of data on cybersecurity risks and cybersecurity threats at the speed and scale necessary for rapid detection and identification;

(3) facilitate a comprehensive understanding of cybersecurity risks and cybersecurity threats; and

(4) facilitate collaborative analysis between the Federal Government and public and private sector critical infrastructure entities and information and analysis organizations.

(1) Evaluation.--Not later than 180 days after the date of enactment of this Act, the Secretary, acting through the Director of the Cybersecurity and Infrastructure Security Agency, and in coordination with the Secretary of Defense, the Director of National Intelligence, and the Attorney General, shall--

(A) identify, inventory, and evaluate existing Federal sources of classified and unclassified information on cybersecurity threats;

(B) evaluate current programs, applications, or platforms intended to detect, identify, analyze, and monitor cybersecurity risks and cybersecurity threats;

(C) consult with public and private sector critical infrastructure entities to identify public and private critical infrastructure cyber threat capabilities, needs, and gaps; and

(D) identify existing tools, capabilities, and systems that may be adapted to achieve the purposes of the environment in order to maximize return on investment and minimize cost.

(2) Implementation.--

(A) In general.--Not later than 1 year after completing the evaluation required under paragraph (1)(B), the Secretary, acting through the Director of the Cybersecurity and Infrastructure Security Agency, and in consultation with the Secretary of Defense, the Director of National Intelligence, and the Attorney General, shall begin implementation of the environment to enable participants in the environment to develop and run analytic tools referred to in subsection (b) on specified data sets for the purpose of identifying, mitigating, and preventing malicious cyber activity that is a threat to public and private critical infrastructure.

(B) Requirements.--The environment and the use of analytic tools referred to in subsection (b) shall--

(i) operate in a manner consistent with relevant privacy, civil rights, and civil liberties policies and protections, including such policies and protections established pursuant to section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 485);

(ii) account for appropriate data interoperability requirements;

(iii) enable integration of current applications, platforms, data, and information, including classified information, in a manner that supports the voluntary integration of unclassified and classified information on cybersecurity risks and cybersecurity threats;

(iv) incorporate tools to manage access to classified and unclassified data, as appropriate;

(v) ensure accessibility by entities the Secretary, in consultation with the Secretary of Defense, the Director of National Intelligence, and the Attorney General, determines appropriate;

(vi) allow for access by critical infrastructure stakeholders and other private sector partners, at the discretion of the Secretary, in consultation with the Secretary of Defense, the Director of National Intelligence, and the Attorney General;

(vii) deploy analytic tools across classification levels to leverage all relevant data sets, as appropriate;

(viii) identify tools and analytical software that can be applied and shared to manipulate, transform, and display data and other identified needs; and

(ix) anticipate the integration of new technologies and data streams, including data from government-sponsored network sensors or network-monitoring programs deployed in support of non-Federal entities.

(3) Annual report requirement on the implementation, execution, and effectiveness of the program.--Not later than 1 year after the date of enactment of this Act, and every year thereafter until the date that is 1 year after the program under this section terminates under subsection (g), the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, the Committee on Armed Services, and the Select Committee on Intelligence of the Senate and the Committee on Homeland Security, the Committee on the Judiciary, the Committee on Armed Services, and the Permanent Select Committee on Intelligence of the House of Representatives a report that details--

(A) Federal Government participation in the environment, including the Federal entities participating in the environment and the volume of information shared by Federal entities into the environment;

(B) non-Federal entities' participation in the environment, including the non-Federal entities participating in the environment and the volume of information shared by non-Federal entities into the environment;

(D) barriers identified to fully realizing the benefit of the environment both for the Federal Government and non-Federal entities;

(E) additional authorities or resources necessary to successfully execute the environment; and

(F) identified shortcomings or risks to data security and privacy, and the steps necessary to improve the mitigation of the shortcomings or risks.

(d) Cyber Threat Data Interoperability Requirements.--

(1) Establishment.--The Secretary, in coordination with the Secretary of Defense, the Director of National Intelligence, and the Attorney General, shall identify or establish data interoperability requirements for non-Federal entities to participate in the environment.

(2) Data streams.--The Secretary, in coordination with the heads of appropriate departments and agencies, shall identify, designate, and periodically update programs that shall participate in or be interoperable with the environment, in a manner consistent with data security standards under Federal law, which may include--

(A) network-monitoring and intrusion detection programs;

(B) cyber threat indicator sharing programs;

(D) incident response and cybersecurity technical assistance programs; or

(E) malware forensics and reverse-engineering programs.

(3) Data governance.--The Secretary, in coordination with the Secretary of Defense, the Director of National Intelligence, and the Attorney General, shall establish procedures and data governance structures, as necessary, to protect data shared in the environment, comply with Federal regulations and statutes, and respect existing consent agreements with private sector critical infrastructure entities that apply to critical infrastructure information.

(4) Rule of construction.--Nothing in this subsection shall change existing ownership or protection of, or policies and processes for access to, agency data.

(e) National Security Systems.--Nothing in this section shall apply to national security systems, as defined in section 3552 of title 44, United States Code, or to cybersecurity threat intelligence related to such systems, without the consent of the relevant element of the intelligence community, as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).

(f) Protection of Intelligence Sources and Methods.--The Director of National Intelligence shall ensure that any information sharing conducted under this section shall protect intelligence sources and methods from unauthorized disclosure in accordance with section 102A(i) of the National Security Act (50 U.S.C. 3024(i)).

(g) Duration.--The program under this section shall terminate on the date that is 5 years after the date of enactment of this Act.

TITLE LIII--ENABLING THE NATIONAL CYBER DIRECTOR

SEC. 5401. ESTABLISHMENT OF HIRING AUTHORITIES FOR THE OFFICE

OF THE NATIONAL CYBER DIRECTOR.

(a) Definitions.--In this section:

(1) Director.--The term ``Director'' means the National Cyber Director.

(2) Excepted service.--The term ``excepted service'' has the meaning given such term in section 2103 of title 5, United States Code.

(3) Office.--The term ``Office'' means the Office of the National Cyber Director.

(4) Qualified position.--The term ``qualified position'' means a position identified by the Director under subsection

(b)(1)(A), in which the individual occupying such position performs, manages, or supervises functions that execute the responsibilities of the Office.

(b) Hiring Plan.--The Director shall, for purposes of carrying out the functions of the Office--

(1) craft an implementation plan for positions in the excepted service in the Office, which shall propose--

(A) qualified positions in the Office, as the Director determines necessary to carry out the responsibilities of the Office; and

(B) subject to the requirements of paragraph (2), rates of compensation for an individual serving in a qualified position;

(2) propose rates of basic pay for qualified positions, which shall--

(A) be determined in relation to the rates of pay provided for employees in comparable positions in the Office, in which the employee occupying the comparable position performs, manages, or supervises functions that execute the mission of the Office; and

(B) subject to the same limitations on maximum rates of pay and consistent with section 5341 of title 5, United States Code, adopt such provisions of that title to provide for prevailing rate systems of basic pay and apply those provisions to qualified positions for employees in or under which the Office may employ individuals described by section 5342(a)(2)(A) of such title; and

(3) craft proposals to provide--

(A) employees in qualified positions compensation (in addition to basic pay), including benefits, incentives, and allowances, consistent with, and not in excess of the level authorized for, comparable positions authorized by title 5, United States Code; and

(B) employees in a qualified position for which the Director proposes a rate of basic pay under paragraph (2) an allowance under section 5941 of title 5, United States Code, on the same basis and to the same extent as if the employee was an employee covered by such section, including eligibility conditions, allowance rates, and all other terms and conditions in law or regulation.

______

SA 4785. Mr. OSSOFF (for himself, Mr. King, Ms. Cortez Masto, Mr. Rounds, and Mr. Kelly) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place, insert the following:

SEC. __. DR. DAVID SATCHER CYBERSECURITY EDUCATION GRANT

PROGRAM.

(a) Short Title.--This section may be cited as the

``Cybersecurity Opportunity Act''.

(b) Definitions.--In this section:

(1) Director.--The term ``Director'' means the Director of the National Institute of Standards and Technology.

(2) Enrollment of needy students.--The term ``enrollment of needy students'' has the meaning given the term in section 312(d) of the Higher Education Act of 1965 (20 U.S.C. 1058(d)).

(3) Historically black college or university.--The term

``historically Black college or university'' has the meaning given the term ``part B institution'' as defined in section 322 of the Higher Education Act of 1965 (20 U.S.C. 1061).

(4) Institution of higher education.--The term

``institution of higher education'' has the meaning given the term in section 101(a) of the Higher Education Act of 1965

(20 U.S.C. 1001(a)).

(5) Minority-serving institution.--The term ``minority-serving institution'' means an institution listed in section 371(a) of the Higher Education Act of 1965 (20 U.S.C. 1067q(a)).

(1) In general.--Subject to the availability of appropriations, the Director shall carry out the Dr. David Satcher Cybersecurity Education Grant Program by--

(A) awarding grants to assist institutions of higher education that have an enrollment of needy students, historically Black colleges and universities, and minority-serving institutions, to establish or expand cybersecurity programs, to build and upgrade institutional capacity to better support new or existing cybersecurity programs, including cybersecurity partnerships with public and private entities, and to support such institutions on the path to producing qualified entrants in the cybersecurity workforce or becoming a National Center of Academic Excellence in Cybersecurity; and

(B) awarding grants to build capacity at institutions of higher education that have an enrollment of needy students, historically Black colleges and universities, and minority-serving institutions, to expand cybersecurity education opportunities, cybersecurity programs, cybersecurity research, and cybersecurity partnerships with public and private entities.

(2) Reservation.--The Director shall award not less than 50 percent of the amount available for grants under this section to historically Black colleges and universities and minority-serving institutions.

(3) Coordination.--The Director shall carry out this section in consultation with appropriate Federal agencies.

(4) Sunset.--The Director's authority to award grants under paragraph (1) shall terminate on the date that is 5 years after the date the Director first awards a grant under paragraph (1).

(d) Applications.--An eligible institution seeking a grant under subsection (a) shall submit an application to the Director at such time, in such manner, and containing such information as the Director may reasonably require, including a statement of how the institution will use the funds awarded through the grant to expand cybersecurity education opportunities at the eligible institution.

(e) Activities.--An eligible institution that receives a grant under this section may use the funds awarded through such grant for increasing research, education, technical, partnership, and innovation capacity, including for--

(1) building and upgrading institutional capacity to better support new or existing cybersecurity programs, including cybersecurity partnerships with public and private entities;

(2) building and upgrading institutional capacity to provide hands-on research and training experiences for undergraduate and graduate students; and

(3) outreach and recruitment to ensure students are aware of such new or existing cybersecurity programs, including cybersecurity partnerships with public and private entities.

(f) Reporting Requirements.--Not later than--

(1) 1 year after the effective date of this section, as provided in subsection (h), and annually thereafter until the Director submits the report under paragraph (2), the Director shall prepare and submit to Congress a report on the status and progress of implementation of the grant program under this section, including on the number and nature of institutions participating, the number and nature of students served by institutions receiving grants, the level of funding provided to grant recipients, the types of activities being funded by the grants program, and plans for future implementation and development; and

(2) 5 years after the effective date of this section, as provided in subsection (h), the Director shall prepare and submit to Congress a report on the status of cybersecurity education programming and capacity-building at institutions receiving grants under this section, including changes in the scale and scope of these programs, associated facilities, or in accreditation status, and on the educational and employment outcomes of students participating in cybersecurity programs that have received support under this section.

(g) Performance Metrics.--The Director shall establish performance metrics for grants awarded under this section.

(h) Effective Date.--This section shall take effect 1 year after the date of enactment of this Act.

______

SA 4786. Mr. MENENDEZ (for himself, Mr. Schumer, Mr. Booker, Mrs. Gillibrand, Mr. Blumenthal, and Mr. Murphy) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place, insert the following:

SEC. _____. APPROPRIATIONS FOR CATCH-UP PAYMENTS.

Section 404(d)(4)(C) of the Justice for United States Victims of State Sponsored Terrorism Act (34 U.S.C. 20144(d)(4)(C)) is amended by adding at the end the following:

``(iv) Funding.--

``(I) Appropriations.--

``(aa) In general.--There are authorized to be appropriated and there are appropriated to the Fund such sums as may be necessary to carry out this subparagraph, to remain available until expended.

``(bb) Emergency designation.--The amounts provided under this subclause are designated as an emergency requirement pursuant to section 4(g) of the Statutory Pay-As-You-Go Act of 2010 (2 U.S.C. 933(g)).

``(cc) Designation in the house and senate.--This subclause is designated by the Congress as being for an emergency requirement pursuant to section 4001(a)(1) and section 4001(b) of S. Con. Res. 14 (117th Congress), the concurrent resolution on the budget for fiscal year 2022.

``(II) Limitation.--Amounts appropriated pursuant to subclause (I) may not be used for a purpose other than to make lump sum catch-up payments under this subparagraph.''.

______

SA 4787. Mrs. SHAHEEN (for herself and Ms. Collins) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of title VII, add the following:

Subtitle D--Access to Contraception

SEC. 761. SHORT TITLE.

This subtitle may be cited as the ``Access to Contraception for Servicemembers and Dependents Act of 2021''.

SEC. 762. FINDINGS.

Congress finds the following:

(1) Women are serving in the Armed Forces at increasing rates, playing a critical role in the national security of the United States. Women comprise more than 18 percent of members of the Armed Forces, and as of fiscal year 2019, more than 390,000 women serve on active duty in the Armed Forces or in the reserve components. An estimated several thousand transgender men also serve on active duty in the Armed Forces and in the reserve components, in addition to non-binary members and those who identify with a different gender.

(2) Ninety-five percent of women serving in the Armed Forces are of reproductive age and as of 2019, more than 700,000 female spouses and dependents of members of the Armed Forces on active duty are of reproductive age.

(3) The TRICARE program covered more than 1,570,000 women of reproductive age in 2019, including spouses and dependents of members of the Armed Forces on active duty. Additionally, thousands of transgender dependents of members of the Armed Forces are covered by the TRICARE program.

(4) The right to access contraception is grounded in the principle that contraception and the ability to determine if and when to have children are inextricably tied to one's wellbeing, equality, and ability to determine the course of one's life. These protections have helped access to contraception become a driving force in improving the health and financial security of individuals and their families.

(5) Access to contraception is critical to the health of every individual capable of becoming pregnant. This subtitle is intended to apply to all individuals with the capacity for pregnancy, including cisgender women, transgender men, non-binary individuals, those who identify with a different gender, and others.

(6) Studies have shown that when cost barriers to the full range of methods of contraception are eliminated, patients are more likely to use the contraceptive method that meets their needs, and therefore use contraception correctly and more consistently, reducing the risk of unintended pregnancy.

(7) Under the TRICARE program, members of the Armed Forces on active duty have full coverage of all prescription drugs, including contraception, without cost-sharing requirements, in line with the Patient Protection and Affordable Care Act

(Public Law 111-148), which requires coverage of all contraceptive methods approved by the Food and Drug Administration for women and related services and education and counseling. However, members not on active duty and dependents of members do not have similar coverage of all methods of contraception approved by the Food and Drug Administration without cost-sharing when they obtain the contraceptive outside of a military medical treatment facility.

(8) In order to fill gaps in coverage and access to preventive care critical for women's health, the Patient Protection and Affordable Care Act

(Public Law 111-148) requires all non-grandfathered individual and group health plans to cover without cost-sharing preventive services, including a set of evidence-based preventive services for women supported by the Health Resources and Services Administration of the Department of Health and Human Services. These women's preventive services include the full range of female-controlled contraceptive methods, effective family planning practices, and sterilization procedures, approved by the Food and Drug Administration. The Health Resources and Services Administration has affirmed that contraceptive care includes contraceptive counseling, initiation of contraceptive use, and follow-up care (such as management, evaluation, and changes to and removal or discontinuation of the contraceptive method).

(9) The Defense Advisory Committee on Women in the Services has recommended that all the Armed Forces, to the extent that they have not already, implement initiatives that inform members of the Armed Forces of the importance of family planning, educate them on methods of contraception, and make various methods of contraception available, based on the finding that family planning can increase the overall readiness and quality of life of all members of the Armed Forces.

(10) The military departments received more than 7,800 reports of sexual assaults involving members of the Armed Forces as victims or subjects during fiscal year 2019. Through regulations, the Department of Defense already supports a policy of ensuring that members of the Armed Forces who are sexually assaulted have access to emergency contraception, and the initiation of contraception if desired and medically appropriate.

SEC. 763. CONTRACEPTION COVERAGE PARITY UNDER THE TRICARE

PROGRAM.

(a) Pharmacy Benefits Program.--Section 1074g(a)(6) of title 10, United States Code, is amended by adding at the end the following new subparagraph:

``(D) Notwithstanding subparagraphs (A), (B), and (C), cost-sharing requirements may not be imposed and cost-sharing amounts may not be collected with respect to any eligible covered beneficiary for any prescription contraceptive on the uniform formulary provided through a retail pharmacy described in paragraph (2)(E)(ii) or through the national mail-order pharmacy program.''.

(b) TRICARE Select.--Section 1075 of such title is amended--

(1) in subsection (c), by adding at the end the following new paragraph:

``(4)(A) Notwithstanding any other provision of this section, cost-sharing requirements may not be imposed and cost-sharing amounts may not be collected with respect to any beneficiary under this section for a service described in subparagraph (B) that is provided by a network provider.

``(B) A service described in this subparagraph is any method of contraception approved by the Food and Drug Administration, any contraceptive care (including with respect to insertion, removal, and follow up), any sterilization procedure, or any patient education or counseling service provided in connection with any such method, care, or procedure.''; and

(2) in subsection (f), by striking ``calculated as'' and inserting ``calculated (except as provided in subsection

(c)(4)) as''.

``(d) Prohibition on Cost-Sharing for Certain Services.--

(1) Notwithstanding subsections (a), (b), and (c), cost-sharing requirements may not be imposed and cost-sharing amounts may not be collected with respect to any beneficiary enrolled in TRICARE Prime for a service described in paragraph (2) that is provided under TRICARE Prime.

``(2) A service described in this paragraph is any method of contraception approved by the Food and Drug Administration, any contraceptive care (including with respect to insertion, removal, and follow up), any sterilization procedure, or any patient education or counseling service provided in connection with any such method, care, or procedure.''.

SEC. 764. PREGNANCY PREVENTION ASSISTANCE AT MILITARY MEDICAL

TREATMENT FACILITIES FOR SEXUAL ASSAULT

SURVIVORS.

(a) In General.--Chapter 55 of title 10, United States Code, is amended by inserting after section 1074o the following new section:

``Sec. 1074p. Provision of pregnancy prevention assistance at military medical treatment facilities

``(a) Information and Assistance.--The Secretary of Defense shall promptly furnish to sexual assault survivors at each military medical treatment facility the following:

``(1) Comprehensive, medically and factually accurate, and unbiased written and oral information about all methods of emergency contraception approved by the Food and Drug Administration.

``(2) Upon request by the sexual assault survivor, emergency contraception or, if applicable, a prescription for emergency contraception.

``(3) Notification of the right of the sexual assault survivor to confidentiality with respect to the information and care and services furnished under this section.

``(b) Information.--The Secretary shall ensure that information provided pursuant to subsection (a) is provided in language that--

``(1) is clear and concise;

``(2) is readily comprehensible; and

``(3) meets such conditions (including conditions regarding the provision of information in languages other than English) as the Secretary may prescribe in regulations to carry out this section.

``(c) Definitions.--In this section:

``(1) The term `sexual assault survivor' means any individual who presents at a military medical treatment facility and--

``(A) states to personnel of the facility that the individual experienced a sexual assault;

``(B) is accompanied by another person who states that the individual experienced a sexual assault; or

``(C) whom the personnel of the facility reasonably believes to be a survivor of sexual assault.

``(2) The term `sexual assault' means the conduct described in section 1565b(c) of this title that may result in pregnancy.''.

(b) Clerical Amendment.--The table of sections at the beginning of such chapter is amended by inserting after the item relating to section 1074o the following new item:

``1074p. Provision of pregnancy prevention assistance at military medical treatment facilities.''.

SEC. 765. EDUCATION ON FAMILY PLANNING FOR MEMBERS OF THE

ARMED FORCES.

(a) Education Programs.--

(1) In general.--Not later than one year after the date of the enactment of this Act, the Secretary of Defense shall establish a uniform standard curriculum to be used in education programs on family planning for all members of the Armed Forces, including both men and women members.

(2) Timing.--Education programs under paragraph (1) shall be provided to members of the Armed Forces as follows:

(A) During the first year of service of the member.

(B) At such other times as each Secretary of a military department determines appropriate with respect to members of the Armed Forces under the jurisdiction of such Secretary.

(3) Sense of congress.--It is the sense of Congress that the education programs under paragraph (1) should be evidence-informed and use the latest technology available to efficiently and effectively deliver information to members of the Armed Forces.

(b) Elements.--The uniform standard curriculum for education programs under subsection (a) shall include the following:

(1) Information for members of the Armed Forces on active duty to make informed decisions regarding family planning.

(2) Information about the prevention of unintended pregnancy and sexually transmitted infections, including human immunodeficiency virus (commonly known as ``HIV'').

(3) Information on--

(A) the importance of providing comprehensive family planning for members of the Armed Forces, including commanding officers; and

(B) the positive impact family planning can have on the health and readiness of the Armed Forces.

(4) Current, medically accurate information.

(5) Clear, user-friendly information on--

(A) the full range of methods of contraception approved by the Food and Drug Administration; and

(B) where members of the Armed Forces can access their chosen method of contraception.

(6) Information on all applicable laws and policies so that members of the Armed Forces are informed of their rights and obligations.

(7) Information on the rights of patients to confidentiality.

(8) Information on the unique circumstances encountered by members of the Armed Forces and the effects of such circumstances on the use of contraception.

______

SA 4788. Mr. LEE submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

On page 621, strike lines 14 through 24 and insert the following:

cross-strait relations;

(7) reinforcing the status of the Republic of Singapore as a Major Security Cooperation Partner of the United States and continuing to strengthen defense and security cooperation between the military forces of the Republic of Singapore and the Armed Forces of the United States, including through participation in combined exercises and training, including the use of the Foreign Military Sales Training Center at Ebbing Air National Guard Base in Fort Smith, Arkansas; and

(8) ensuring that the allies and partners referred to in paragraphs (1) through (7) contribute more than 50 percent of the total cost of mutual defense efforts in the Indo-Pacific region.

______

SA 4789. Mr. LEE submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

On page 578, strike lines 14 through 19 and insert the following:

(1) by striking ``fiscal year 2021'' and inserting ``fiscal year 2022''; and

(2) by striking ``, as specified in the funding tables in division D of this Act''.

______

SA 4790. Mr. LEE submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

Strike section 1061.

______

SA 4791. Mr. MORAN (for himself and Ms. Rosen) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle C of title VII, add the following:

SEC. 744. GRANT PROGRAM FOR INCREASED COOPERATION ON POST-

TRAUMATIC STRESS DISORDER RESEARCH BETWEEN

UNITED STATES AND ISRAEL.

(a) Findings and Sense of Congress.--

(1) Findings.--Congress makes the following findings:

(A) The Department of Veterans Affairs reports that between 11 and 20 percent of veterans who served in Operation Iraqi Freedom and Operation Enduring Freedom have post-traumatic stress disorder (in this paragraph referred to as ``PTSD'') in a given year. In addition, that figure amounts to about 12 percent of Gulf War veterans and up to 30 percent of Vietnam veterans.

(B) The Department of Veterans Affairs reports that among women veterans of the conflicts in Iraq and Afghanistan, almost 20 percent have been diagnosed with PTSD.

(C) It is thought that 70 percent of individuals in the United States have experienced at least one traumatic event in their lifetime, and approximately 20 percent of those individuals have struggled or continue to struggle with symptoms of PTSD.

(D) Studies show that PTSD has links to homelessness and substance abuse in the United States. The Department of Veterans Affairs estimates that approximately 11 percent of the homeless population are veterans and the Substance Abuse and Mental Health Services Administration estimates that about seven percent of veterans have a substance abuse disorder.

(E) Our ally Israel, under constant attack from terrorist groups, experiences similar issues with Israeli veterans facing symptoms of PTSD. The National Center for Traumatic Stress and Resilience at Tel Aviv University found that five to eight percent of combat soldiers experience some form of PTSD, and during wartime, that figure rises to 15 to 20 percent.

(F) Current treatment options in the United States focus on cognitive therapy, exposure therapy, or eye movement desensitization and reprocessing, but the United States must continue to look for more effective treatments. Several leading hospitals, academic institutions, and nonprofit organizations in Israel dedicate research and services to treating PTSD.

(2) Sense of congress.--It is the sense of Congress that the Secretary of Defense, acting through the Psychological Health and Traumatic Brain Injury Research Program, should seek to explore scientific collaboration between academic institutions and nonprofit research entities in the United States and institutions in Israel with expertise in researching, diagnosing, and treating post-traumatic stress disorder.

(b) Grant Program.--

(1) In general.--The Secretary of Defense, in coordination with the Secretary of Veterans Affairs and the Secretary of State, shall award grants to eligible entities to carry out collaborative research between the United States and Israel with respect to post-traumatic stress disorders.

(2) Agreement.--The Secretary of Defense shall carry out the grant program under this section in accordance with the Agreement on the United States-Israel binational science foundation with exchange of letters, signed at New York September 27, 1972, and entered into force on September 27, 1972.

(c) Eligible Entities.--To be eligible to receive a grant under this section, an entity shall be an academic institution or a nonprofit entity located in the United States.

(d) Award.--The Secretary shall award grants under this section to eligible entities that--

(1) carry out a research project that--

(A) addresses a requirement in the area of post-traumatic stress disorders that the Secretary determines appropriate to research using such grant; and

(B) is conducted by the eligible entity and an entity in Israel under a joint research agreement; and

(2) meet such other criteria that the Secretary may establish.

(e) Application.--To be eligible to receive a grant under this section, an eligible entity shall submit an application to the Secretary at such time, in such manner, and containing such commitments and information as the Secretary may require.

(f) Reports.--Not later than 180 days after the date on which an eligible entity completes a research project using a grant under this section, the Secretary shall submit to Congress a report that contains--

(1) a description of how the eligible entity used the grant; and

(2) an evaluation of the level of success of the research project.

(g) Termination.--The authority to award grants under this section shall terminate on the date that is seven years after the date on which the first such grant is awarded.

______

SA 4792. Mrs. MURRAY (for herself and Mr. Manchin) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of title XXXI, add the following:

Subtitle F--Toxic Exposure Safety

SEC. 3161. SHORT TITLE.

This subtitle may be cited as the ``Toxic Exposure Safety Act of 2021''.

SEC. 3162. PROVIDING INFORMATION REGARDING DEPARTMENT OF

ENERGY FACILITIES.

Subtitle E of the Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7385s et seq.) is amended by inserting after section 3681 the following:

``SEC. 3681A. COMPLETION AND UPDATES OF SITE EXPOSURE

MATRICES.

``(a) Definition.--In this section, the term `site exposure matrices' means an exposure assessment of a Department of Energy facility that identifies the toxic substances or processes that were used in each building or process of the facility, including the trade name (if any) of the substance.

``(b) In General.--Not later than 180 days after the date of enactment of the Toxic Exposure Safety Act of 2021, the Secretary of Labor shall, in coordination with the Secretary of Energy, create or update site exposure matrices for each Department of Energy facility based on the records, files, and other data provided by the Secretary of Energy and such other information as is available, including information available from the former worker medical screening programs of the Department of Energy.

``(c) Periodic Update.--Beginning 90 days after the initial creation or update described in subsection (b), and each 90 days thereafter, the Secretary shall update the site exposure matrices with all information available as of such time from the Secretary of Energy.

``(d) Information.--The Secretary of Energy shall furnish to the Secretary of Labor any information that the Secretary of Labor finds necessary or useful for the production of the site exposure matrices under this section, including records from the Department of Energy former worker medical screening program.

``(e) Public Availability.--The Secretary of Labor shall make available to the public, on the primary website of the Department of Labor--

``(1) the site exposure matrices, as periodically updated under subsections (b) and (c);

``(2) each site profile prepared under section 3633(a);

``(3) any other database used by the Secretary of Labor to evaluate claims for compensation under this title; and

``(4) statistical data, in the aggregate and disaggregated by each Department of Energy facility, regarding--

``(A) the number of claims filed under this subtitle;

``(B) the types of illnesses claimed;

``(C) the number of claims filed for each type of illness and, for each claim, whether the claim was approved or denied;

``(D) the number of claimants receiving compensation; and

``(E) the length of time required to process each claim, as measured from the date on which the claim is filed to the final disposition of the claim.

``(f) Authorization of Appropriations.--There is authorized to be appropriated to the Secretary of Energy, for fiscal year 2022 and each succeeding year, such sums as may be necessary to support the Secretary of Labor in creating or updating the site exposure matrices.''.

SEC. 3163. ASSISTING CURRENT AND FORMER EMPLOYEES UNDER THE

EEOICPA.

(a) Providing Information and Outreach.--Subtitle A of the Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7384d et seq.) is amended--

(1) by redesignating section 3614 as section 3616; and

(2) by inserting after section 3613 the following:

``SEC. 3614. INFORMATION AND OUTREACH.

``(a) Establishment of Toll-free Information Phone Number.--By not later than January 1, 2023, the Secretary of Labor shall establish a toll-free phone number that current or former employees of the Department of Energy, or current or former Department of Energy contractor employees, may use in order to receive information regarding--

``(1) the compensation program under subtitle B or E;

``(2) information regarding the process of submitting a claim under either compensation program;

``(3) assistance in completing the occupational health questionnaire required as part of a claim under subtitle B or E;

``(4) the next steps to take if a claim under subtitle B or E is accepted or denied; and

``(5) such other information as the Secretary determines necessary to further the purposes of this title.

``(b) Establishment of Resource and Advocacy Centers.--

``(1) In general.--By not later than January 1, 2024, the Secretary of Energy, in coordination with the Secretary of Labor, shall establish a resource and advocacy center at each Department of Energy facility where cleanup operations are being carried out, or have been carried out, under the environmental management program of the Department of Energy. Each such resource and advocacy center shall assist current or former Department of Energy employees and current or former Department of Energy contractor employees, by enabling the employees and contractor employees to--

``(A) receive information regarding all related programs available to them relating to potential claims under this title, including--

``(i) programs under subtitles B and E; and

``(ii) the former worker medical screening program of the Department of Energy; and

``(B) navigate all such related programs.

``(2) Coordination.--The Secretary of Energy shall integrate other programs available to current and former employees, and current or former Department of Energy contractor employees, which are related to the purposes of this title, with the resource and advocacy centers established under paragraph (1), as appropriate.

``(c) Information.--The Secretary of Labor shall develop and distribute, through the resource and advocacy centers established under subsection (b) and other means, information

(which may include responses to frequently asked questions) for current or former employees or current or former Department of Energy contractor employees about the programs under subtitles B and E and the claims process under such programs.

``(d) Copy of Employee's Claims Records.--

``(1) In general.--The Secretary of Labor shall, upon the request of a current or former employee or Department of Energy contractor employee, provide the employee with a complete copy of all records or other materials held by the Department of Labor relating to the employee's claim under subtitle B or E.

``(2) Choice of format.--The Secretary of Labor shall provide the copy of records described in paragraph (1) to an employee in electronic or paper form, as selected by the employee.

``(e) Contact of Employees by Industrial Hygienists.--The Secretary of Labor shall allow industrial hygienists to contact and interview current or former employees or Department of Energy contractor employees regarding the employee's claim under subtitle B or E.''.

(b) Extending Appeal Period.--Section 3677(a) of the Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7385s-6(a)) is amended by striking ``60 days'' and inserting ``180 days''.

(c) Funding.--Section 3684 of the Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7385s-13) is amended--

(1) by striking ``There is authorized'' and inserting the following:

``(a) In General.--There is authorized'';

(2) by inserting before the period at the end the following: ``, including the amounts necessary to carry out the requirements of section 3681A''; and

(3) by adding at the end the following:

``(b) Administrative Costs for Department of Energy.--There is authorized to be appropriated to the Secretary of Energy for fiscal year 2022 and each succeeding year such sums as may be necessary to support the Secretary in carrying out the requirements of this title, including section 3681A.''.

(d) Advisory Board on Toxic Substances and Worker Health.--Section 3687 of the Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7385s-16) is amended--

(1) in subsection (b)--

(A) in paragraph (1)(F), by striking ``and'' after the semicolon;

(B) in paragraph (2), by striking the period at the end and inserting a semicolon; and

``(3) develop recommendations for the Secretary of Health and Human Services regarding whether there is a class of Department of Energy employees, Department of Energy contractor employees, or other employees at any Department of Energy facility who were at least as likely as not exposed to toxic substances at that facility but for whom it is not feasible to estimate with sufficient accuracy the dose they received; and

``(4) review all existing, as of the date of the review, rules and guidelines issued by the Secretary regarding presumption of causation and provide the Secretary with recommendations for new rules and guidelines regarding presumption of causation.'';

(2) in subsection (c)(3), by inserting ``or the Board'' after ``The Secretary'';

(3) by redesignating subsections (h), (i), and (j) as subsections (i), (j), and (k), respectively; and

(4) by inserting after subsection (g) the following:

``(h) Required Responses to Board Recommendations.--Not later than 90 days after the date on which the Secretary of Labor and the Secretary of Health and Human Services receive recommendations in accordance with paragraph (1), (3), or (4) of subsection (b), each such Secretary shall submit formal responses to each recommendation to the Board and Congress.''.

SEC. 3164. RESEARCH PROGRAM ON EPIDEMIOLOGICAL IMPACTS OF

TOXIC EXPOSURES.

(a) Definitions.--In this section--

(1) the term ``Department of Energy facility'' has the meaning given the term in section 3621 of the Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7384l);

(2) the term ``institution of higher education'' has the meaning given such term in section 101 of the Higher Education Act of 1965 (20 U.S.C. 1001); and

(3) the term ``Secretary'' means the Secretary of Health and Human Services.

(b) Establishment.--The Secretary, acting through the Director of the National Institute of Environmental Health Sciences and in collaboration with the Director of the Centers for Disease Control and Prevention, shall conduct or support research on the epidemiological impacts of exposures to toxic substances at Department of Energy facilities.

(c) Use of Funds.--Research under subsection (b) may include research on the epidemiological, clinical, or health impacts on individuals who were exposed to toxic substances in or near the tank or other storage farms and other relevant Department of Energy facilities through their work at such sites.

(d) Eligibility and Application.--Any institution of higher education or the National Academy of Sciences may apply for funding under this section by submitting to the Secretary an application at such time, in such manner, and containing or accompanied by such information as the Secretary may require.

(e) Research Coordination.--The Secretary shall coordinate activities under this section with similar activities conducted by the Department of Health and Human Services to the extent that other agencies have responsibilities that are related to the study of epidemiological, clinical, or health impacts of exposures to toxic substances.

(f) Health Studies Report to Secretary.--Not later than 1 year after the end of the funding period for research under this section, the funding recipient shall prepare and submit to the Secretary a final report that--

(1) summarizes the findings of the research;

(2) includes recommendations for any additional studies;

(3) describes any classes of employees that, based on the results of the report, could warrant the establishment of a Special Exposure Cohort under the Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7384 et seq.) for toxic substances exposures; and

(4) describes any illnesses to be included as covered illnesses under such Act (42 U.S.C. 7384 et seq.).

(g) Report to Congress.--

(1) In general.--Not later than 120 days after the date on which the reports under subsection (f) are due, the Secretary shall--

(A) identify a list of cancers and other illnesses associated with toxic substances that pose, or posed, a hazard in the work environment at any Department of Energy facility; and

(B) prepare and submit to the relevant committees of Congress a report--

(i) summarizing the findings from the reports required under subsection (f);

(ii) identifying any new illnesses that, as a result of the study, will be included as covered illnesses, pursuant to subsection (f)(4) and section 3671(2) of the Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7385s(2)); and

(iii) including the Secretary's recommendations for additional health studies relating to toxic substances, if the Secretary determines it necessary.

(2) Relevant committees of congress defined.--In this subsection, the term ``relevant committees of Congress'' means--

(A) the Committee on Armed Services, Committee on Appropriations, Committee on Energy and Natural Resources, and Committee on Health, Education, Labor, and Pensions of the Senate; and

(B) the Committee on Armed Services, Committee on Appropriations, Committee on Energy and Commerce, and Committee on Education and Labor of the House of Representatives.

(h) Authorization of Appropriations.--There is authorized to be appropriated to carry out this section $3,000,000 for each of fiscal years 2022 through 2026.

SEC. 3165. NATIONAL ACADEMY OF SCIENCES REVIEW.

Subtitle A of the Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7384d et seq.), as amended by section 3163, is further amended by inserting after section 3614 the following:

``SEC. 3615. NATIONAL ACADEMY OF SCIENCES REVIEW.

``(a) Purpose.--The purpose of this section is to enable the National Academy of Sciences, a non-Federal entity with appropriate expertise, to review and evaluate the available scientific evidence regarding associations between diseases and exposure to toxic substances found at Department of Energy cleanup sites.

``(b) Definitions.--In this section:

``(1) Department of energy cleanup site.--The term

`Department of Energy cleanup site' means a Department of Energy facility where cleanup operations are being carried out, or have been carried out, under the environmental management program of the Department of Energy.

``(2) Health studies report.--The term `health studies report' means the report submitted under section 3164(f) of the Toxic Exposure Safety Act of 2021.

``(c) Agreement.--The Secretary of Health and Human Services shall seek to enter into an agreement with the National Academy of Sciences, not later than 60 days after the issuance of the health studies report, to carry out the requirements of this section.

``(d) Review of Scientific and Medical Evidence.--

``(1) In general.--Under the agreement described in subsection (c), the National Academy of Sciences shall, for the period of the agreement--

``(A) for each area recommended for additional study under the health studies report under section 3164(f)(2) of the Toxic Exposure Safety Act of 2021, review and summarize the scientific evidence relating to the area, including--

``(i) studies by the Department of Energy and Department of Labor; and

``(ii) any other available and relevant scientific studies, to the extent that such studies are relevant to the occupational exposures that have occurred at Department of Energy cleanup sites; and

``(B) review and summarize the scientific and medical evidence concerning the association between exposure to toxic substances found at Department of Energy cleanup sites and resultant diseases.

``(2) Scientific determinations concerning diseases.--In conducting each review of scientific evidence under subparagraphs (A) and (B) of paragraph (1), the National Academy of Sciences shall--

``(A) assess the strength of such evidence;

``(B) assess whether a statistical association between exposure to a toxic substance and a disease exists, taking into account the strength of the scientific evidence and the appropriateness of the statistical and epidemiological methods used to detect an association;

``(C) assess the increased risk of disease among those exposed to the toxic substance during service during the production and cleanup eras of the Department of Energy cleanup sites;

``(D) survey the impact to health of the toxic substance, focusing on hematologic, renal, urologic, hepatic, gastrointestinal, neurologic, dermatologic, respiratory, endocrine, ocular, ear, nasal, and oropharyngeal diseases, including dementia, leukemia, chemical sensitivities, and chronic obstructive pulmonary disease; and

``(E) determine whether a plausible biological mechanism or other evidence of a causal relationship exists between exposure to the toxic substance and disease.

``(e) Additional Scientific Studies.--If the National Academy of Sciences determines, in the course of conducting the studies under subsection (d), that additional studies are needed to resolve areas of continuing scientific uncertainty relating to toxic exposure at Department of Energy cleanup sites, the National Academy of Sciences shall include, in the next report submitted under subsection (f), recommendations for areas of additional study, consisting of--

``(1) a list of diseases and toxins that require further evaluation and study;

``(2) a review the current information available, as of the date of the report, relating to such diseases and toxins;

``(3) the value of the information that would result from the additional studies; and

``(4) the cost and feasibility of carrying out additional studies.

``(f) Reports.--

``(1) In general.--By not later than 18 months after the date of the agreement under subsection (c), and every 2 years thereafter, the National Academy of Sciences shall under such agreement prepare and submit a report to--

``(A) the Secretary;

``(B) the Committee on Health, Education, Labor, and Pensions and the Committee on Energy and Natural Resources of the Senate; and

``(C) the Committee on Natural Resources, the Committee on Education and Labor, and the Committee on Energy and Commerce of the House of Representatives.

``(2) Contents.--Each report submitted under paragraph (1) shall include, for the 18-month or 2-year period covered by the report--

``(A) a description of--

``(i) the reviews and studies conducted under this section;

``(ii) the determinations and conclusions of the National Academy of Sciences with respect to such reviews and studies; and

``(iii) the scientific evidence and reasoning that led to such conclusions;

``(B) the recommendations for further areas of study made under subsection (e) for the reporting period;

``(C) a description of any classes of employees that, based on the results of the reviews and studies, could qualify as a Special Exposure Cohort; and

``(D) the identification of any illness that the National Academy of Sciences has determined, as a result of the reviews and studies, should be a covered illness.

``(g) Limitation on Authority.--The authority to enter into agreements under this section shall be effective for a fiscal year to the extent that appropriations are available.

``(h) Sunset.--This section shall cease to be effective 10 years after the last day of the fiscal year in which the National Academy of Sciences transmits to the Secretary the first report under subsection (f).''.

SEC. 3166. CONFORMING AMENDMENTS.

The Energy Employees Occupational Illness Compensation Program Act of 2000 (42 U.S.C. 7384 et seq.) is amended--

(1) in the table of contents--

(A) by redesignating the item relating to section 3614 as the item relating to section 3616;

(B) by inserting after the item relating to section 3613 the following:

``Sec. 3614. Information and outreach.

``Sec. 3615. National Academy of Sciences review.'';and

``Sec. 3681A. Completion and updates of site exposure matrices.'';and

(2) in each of subsections (b)(1) and (c) of section 3612, by striking ``3614(b)'' and inserting ``3616(b)''.

______

SA 4793. Mr. LEE (for himself and Mr. Daines) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

In section 511, beginning in subsection (d)(4), strike the period at the end of subparagraph (B)(ii) and all that follows through subsection (g) and insert the following: ``; and

``(p) No person may be inducted for training and service under this title if such person--

``(1) has a dependent child and the other parent of the dependent child has been inducted for training or service under this title unless the person volunteers for such induction; or

``(2) has a dependent child who has no other living parent.''.

(5) Section 10(b)(3) (50 U.S.C. 3809(b)(3)) is amended by striking ``the President is requested'' and all that follows through ``race or national origin'' and inserting ``the President is requested to appoint the membership of each local board so that each board has both male and female members and, to the maximum extent practicable, it is proportionately representative of those registrants within its jurisdiction in each applicable basis set forth in section 703(a) of the Civil Rights Act of 1964 (42 U.S.C. 2002e-2(a)), but no action by any board shall be declared invalid on the ground that such board failed to conform to such representation quota''.

(6) Section 16(a) (50 U.S.C. 3814(a)) is amended by striking ``men'' and inserting ``persons''.

(e) Maintaining the Health of the Selective Service System.--Section 10(a) (50 U.S.C. 3809(a)) is amended by adding at the end the following new paragraph:

``(5) The Selective Service System shall conduct exercises periodically of all mobilization plans, systems, and processes to evaluate and test the effectiveness of such plans, systems, and processes. Once every 4 years, the exercise shall include the full range of internal and interagency procedures to ensure functionality and interoperability and may take place as part of the Department of Defense mobilization exercise under section 10208 of title 10, United States Code. The Selective Service System shall conduct a public awareness campaign in conjunction with each exercise to communicate the purpose of the exercise to the public.''.

(f) Technical and Conforming Amendments.--The Military Selective Service Act is amended--

(1) in section 4 (50 U.S.C. 3803)--

(A) in subsection (a) in the third undesignated paragraph--

(i) by striking ``his acceptability in all respects, including his'' and inserting ``such person's acceptability in all respects, including such person's''; and

(ii) by striking ``he may prescribe'' and inserting ``the President may prescribe'';

(B) in subsection (c)--

(i) in paragraph (2), by striking ``any enlisted member'' and inserting ``any person who is an enlisted member''; and

(ii) in paragraphs (3), (4), and (5), by striking ``in which he resides'' and inserting ``in which such person resides'';

(D) in subsection (k)(1), by striking ``finding by him'' and inserting ``finding by the President'';

(2) in section 5(d) (50 U.S.C. 3805(d)), by striking ``he may prescribe'' and inserting ``the President may prescribe'';

(3) in section 6 (50 U.S.C. 3806)--

(A) in subsection (c)(2)(D), by striking ``he may prescribe'' and inserting ``the President may prescribe'';

(B) in subsection (d)(3), by striking ``he may deem appropriate'' and inserting ``the President considers appropriate''; and

(C) in subsection (h), by striking ``he may prescribe'' each place it appears and inserting ``the President may prescribe'';

(4) in section 10 (50 U.S.C. 3809)--

(A) in subsection (b)--

(i) in paragraph (3)--

(I) by striking ``He shall create'' and inserting ``The President shall create''; and

(II) by striking ``upon his own motion'' and inserting

``upon the President's own motion'';

(ii) in paragraph (4), by striking ``his status'' and inserting ``such individual's status''; and

(iii) in paragraphs (4), (6), (8), and (9), by striking

``he may deem'' each place it appears and inserting ``the President considers''; and

(B) in subsection (c), by striking ``vested in him'' and inserting ``vested in the President'';

(5) in section 13(b) (50 U.S.C. 3812(b)), by striking

``regulation if he'' and inserting ``regulation if the President'';

(6) in section 15 (50 U.S.C. 3813)--

(A) in subsection (b), by striking ``his'' each place it appears and inserting ``the registrant's''; and

(B) in subsection (d), by striking ``he may deem'' and inserting ``the President considers'';

(7) in section 16(g) (50 U.S.C. 3814(g))--

(A) in paragraph (1), by striking ``who as his regular and customary vocation'' and inserting ``who, as such person's regular and customary vocation,''; and

(B) in paragraph (2)--

(i) by striking ``one who as his customary vocation'' and inserting ``a person who, as such person's customary vocation,''; and

(ii) by striking ``he is a member'' and inserting ``such person is a member'';

(8) in section 18(a) (50 U.S.C. 3816(a)), by striking ``he is authorized'' and inserting ``the President is authorized'';

(9) in section 21 (50 U.S.C. 3819)--

(A) by striking ``he is sooner'' and inserting ``sooner'';

(B) by striking ``he'' each subsequent place it appears and inserting ``such member''; and

(10) in section 22(b) (50 U.S.C. 3820(b)), in paragraphs

(1) and (2), by striking ``his'' each place it appears and inserting ``the registrant's''; and

(11) except as otherwise provided in this section--

(A) by striking ``he'' each place it appears and inserting

``such person'';

(B) by striking ``his'' each place it appears and inserting

``such person's'';

``such person''; and

(D) by striking ``present himself'' each place it appears in section 12 (50 U.S.C. 3811) and inserting ``appear''.

(g) Enactment of Authorization Required for Draft.--

(1) Findings.--Congress makes the following findings:

(A) Clause 12 of section 8 of article I of the Constitution of the United States empowers Congress with the responsibility to ``raise and support Armies''.

(B) The United States first required military conscription in the American Civil War under the Civil War Military Draft Act of 1863.

(C) The Selective Services Act of 1917 authorized the President to draft additional forces beyond the volunteer force to support exceedingly high demand for additional forces when the U.S. entered the first World War.

(D) The Selective Training and Service Act of 1940 was the first authorization by Congress for conscription in peacetime but limited the President's induction authority to ``no greater number of men than the Congress shall hereafter make specific appropriation for from time to time''.

(E) Congress allowed induction authority to lapse in 1947.

(F) Congress reinstated the President's induction authority under the Selective Service Act of 1948 to raise troops for United States participation in the Korean War.

(G) Congress maintained the President's induction authority under the Selective Service Act of 1948 through the beginning of the Vietnam War.

(H) Congress passed additional reforms to the draft under the Military Selective Service Act of 1967 in response to issues arising from United States engagement in the Vietnam War.

(I) Congress prohibited any further use of the draft after July 1, 1973.

(J) If a president seeks to reactivate the use of the draft, Congress would have to enact a law providing authorization for this purpose

(2) Amendment.--Section 17 of the Military Selective Service Act (50 U.S.C. 3815) is amended by adding at the end the following new subsection:

``(d) No person shall be inducted for training and service in the Armed Forces unless Congress first passes and there is enacted a law expressly authorizing such induction into service.''.

(h) Effective Date.--The amendments made by this section shall take effect on the date of the enactment of this Act, except that the amendments made by subsections (d) and (g) shall take effect 1 year after such date of enactment.

______

SA 4794. Mr. RISCH (for himself, Mr. Portman, Mr. Cruz, Mr. Barrasso, Mr. Johnson, Mr. Cotton, and Mr. Daines) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle D of title XII, add the following:

SEC. 1237. IMPOSITION OF SANCTIONS WITH RESPECT TO NORD

STREAM 2.

(a) In General.--Not later than 15 days after the date of the enactment of this Act, the President shall--

(1) impose sanctions under subsection (b) with respect to any corporate officer of an entity established for or responsible for the planning, construction, or operation of the Nord Stream 2 pipeline or a successor entity; and

(2) impose sanctions under subsection (c) with respect to any entity described in paragraph (1).

(b) Ineligibility for Visas, Admission, or Parole of Identified Persons and Corporate Officers.--

(1) In general.--

(A) Visas, admission, or parole.--An alien described in subsection (a)(1) is--

(i) inadmissible to the United States;

(ii) ineligible to receive a visa or other documentation to enter the United States; and

(iii) otherwise ineligible to be admitted or paroled into the United States or to receive any other benefit under the Immigration and Nationality Act (8 U.S.C. 1101 et seq.).

(B) Current visas revoked.--

(i) In general.--The visa or other entry documentation of an alien described in subsection (a)(1) shall be revoked, regardless of when such visa or other entry documentation is or was issued.

(ii) Immediate effect.--A revocation under clause (i) shall--

(I) take effect immediately; and

(II) automatically cancel any other valid visa or entry documentation that is in the alien's possession.

(c) Blocking of Property of Identified Persons.--The President shall exercise all powers granted to the President by the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) to the extent necessary to block and prohibit all transactions in all property and interests in property of an entity described in subsection (a)(1) if such property and interests in property are in the United States, come within the United States, or are or come within the possession or control of a United States person.

(d) Exceptions.--

(1) Exception for intelligence, law enforcement, and national security activities.--Sanctions under this section shall not apply to any authorized intelligence, law enforcement, or national security activities of the United States.

(2) Exception to comply with united nations headquarters agreement.--Sanctions under this section shall not apply with respect to the admission of an alien to the United States if the admission of the alien is necessary to permit the United States to comply with the Agreement regarding the Headquarters of the United Nations, signed at Lake Success June 26, 1947, and entered into force November 21, 1947, between the United Nations and the United States, the Convention on Consular Relations, done at Vienna April 24, 1963, and entered into force March 19, 1967, or other applicable international obligations.

(3) Exception relating to importation of goods.--

(A) In general.--Notwithstanding any other provision of this section, the authorities and requirements to impose sanctions under this section shall not include the authority or a requirement to impose sanctions on the importation of goods.

(B) Good defined.--In this paragraph, the term ``good'' means any article, natural or man-made substance, material, supply or manufactured product, including inspection and test equipment, and excluding technical data.

(e) Conditions for Removal of Sanctions.--Subject to review by Congress under section 216 of the Countering America's Adversaries Through Sanctions Act (22 U.S.C. 9511), the President may waive the application of sanctions under this section if the President--

(1) determines that the waiver is in the national security interest of the United States; and

(2) submits to the appropriate congressional committees a report on the waiver and the reason for the waiver.

(f) Implementation; Penalties.--

(1) Implementation.--The President may exercise all authorities provided to the President under sections 203 and 205 of the International Emergency Economic Powers Act (50 U.S.C. 1702 and 1704) to carry out this section.

(2) Penalties.--A person that violates, attempts to violate, conspires to violate, or causes a violation of this section or any regulation, license, or order issued to carry out this section shall be subject to the penalties set forth in subsections (b) and (c) of section 206 of the International Emergency Economic Powers Act (50 U.S.C. 1705) to the same extent as a person that commits an unlawful act described in subsection (a) of that section.

(g) Sunset.--The authority to impose sanctions under this section shall terminate on the date that is 5 years after the date of the enactment of this Act.

(h) Definitions.--In this section:

(1) Admission; admitted; alien.--The terms ``admission'' ,

``admitted'' , and ``alien'' have the meanings given those terms in section 101 of the Immigration and Nationality Act

(8 U.S.C. 1101).

(2) Appropriate congressional committees.--The term

``appropriate congressional committees'' means--

(A) the Committee on Foreign Relations and the Committee on Banking, Housing, and Urban Affairs of the Senate; and

(B) the Committee on Foreign Affairs and the Committee on Financial Services of the House of Representatives.

(3) United states person.--The term ``United States person'' means--

(A) a United States citizen or an alien lawfully admitted for permanent residence to the United States;

(B) an entity organized under the laws of the United States or any jurisdiction within the United States, including a foreign branch of such an entity; or

SEC. 1238. CONGRESSIONAL REVIEW OF WAIVER UNDER PROTECTING

EUROPE'S ENERGY SECURITY ACT OF 2019.

Section 7503(f) of the Protecting Europe's Energy Security Act of 2019 (title LXXV of Public Law 116-92; 22 U.S.C. 9526 note) is amended, in the matter preceding paragraph (1), by striking ``The President'' and inserting ``Subject to review by Congress under section 216 of the Countering America's Adversaries Through Sanctions Act (22 U.S.C. 9511), the President''.

SEC. 1239. APPLICATION OF CONGRESSIONAL REVIEW UNDER

COUNTERING AMERICA'S ADVERSARIES THROUGH

SANCTIONS ACT.

Section 216(a)(2) of the Countering America's Adversaries Through Sanctions Act (22 U.S.C. 9511(a)(2)) is amended--

(1) in subparagraph (A)--

(A) in clause (i), by inserting ``(other than sanctions described in clause (i)(IV) of that subparagraph)'' after

``subparagraph (B)''; and

(B) in clause (ii), by inserting ``or otherwise remove'' after ``waive''; and

(2) in subparagraph (B)(i)--

(A) in subclause (II), by striking ``; or'' and inserting a semicolon;

(B) in subclause (III), by striking ``; and'' and inserting a semicolon; and

``(IV) section 7503 of the Protecting Europe's Energy Security Act of 2019 (title LXXV of Public Law 116-92; 22 U.S.C. 9526 note); or

``(V) section 1237 of the National Defense Authorization Act for Fiscal Year 2022; and''.

SEC. 1240. INCLUSION OF MATTER RELATING TO NORD STREAM 2 IN

REPORT UNDER COUNTERING AMERICA'S ADVERSARIES

THROUGH SANCTIONS ACT.

Each report submitted under section 216(a)(1) of the Countering America's Adversaries Through Sanctions Act (22 U.S.C. 9511(a)(1)) relating to sanctions under section 1237 of this Act or section 7503 of the Protecting Europe's Energy Security Act of 2019 (title LXXV of Public Law 116-92; 22 U.S.C. 9526 note) shall include--

(1) an assessment of the security risks posed by Nord Stream 2, including--

(A) the presence along Nord Stream 2 or Nord Stream 1 infrastructure or pipeline corridors of undersea surveillance systems and sensors, fiber optic terminals, or other systems that are capable of conducting military or intelligence activities unrelated to civilian energy transmission, including those designed to enhance Russian Federation anti-submarine warfare, surveillance, espionage, or sabotage capabilities;

(B) the use of Nord Stream-affiliated infrastructure, equipment, personnel, vessels, financing, or other assets--

(i) to facilitate, carry out, or conceal Russian Federation maritime surveillance, espionage, or sabotage activities;

(ii) to justify the presence of Russian Federation naval vessels or military personnel or equipment in international waters or near North Atlantic Treaty Organization or partner countries;

(iii) to disrupt freedom of navigation; or

(iv) to pressure or intimidate countries in the Baltic Sea;

(C) the involvement in the Nord Stream 2 pipeline or its affiliated entities of current or former Russian, Soviet, or Warsaw Pact intelligence and military personnel and any business dealings between Nord Stream 2 and entities affiliated with the intelligence or defense sector of the Russian Federation; and

(D) malign influence activities of the Government of the Russian Federation, including strategic corruption and efforts to influence European decision-makers, supported or financed through the Nord Stream 2 pipeline;

(2) an assessment of whether the Russian Federation maintains gas transit through Ukraine at levels consistent with the volumes set forth in the Ukraine-Russian Federation gas transit agreement of December 2019 and continues to pay the transit fees specified in that agreement;

(3) an assessment of the status of negotiations between the Russian Federation and Ukraine to secure an agreement to extend gas transit through Ukraine beyond the expiration of the agreement described in paragraph (2); and

(4) an assessment of whether the United States and Germany have agreed on a common definition for energy

``weaponization'' and the associated triggers for sanctions and other enforcement actions, pursuant to the Joint Statement of the United States and Germany on support for Ukraine, European energy security, and our climate goals, dated July 21, 2021; and

(5) a description of the consultations with United States allies and partners in Europe, including Ukraine, Poland, and the countries in Central and Eastern Europe most impacted by the Nord Stream 2 pipeline concerning the matters agreed to as described in paragraph (4).

______

SA 4795. Mr. SHELBY (for himself, Mr. Inhofe, Mr. Wicker, Mr. Blunt, Mrs. Capito, Mrs. Hyde-Smith, Mr. Cotton, Mr. Boozman, Ms. Collins, Mr. Kennedy, Ms. Murkowski, Mr. Cramer, Mr. Tillis, and Mr. Hoeven) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place, insert the following:

TITLE __--AUTHORIZATION OF AMOUNTS FOR DEPARTMENT OF DEFENSE

INFRASTRUCTURE

SEC. ___1. ESTABLISHMENT OF DEFENSE INFRASTRUCTURE FUND.

There is established in the general fund of the Treasury an account to be known as the ``Defense Infrastructure Fund'' for the deposit of amounts to be used for improvement of the infrastructure of the Department of Defense.

SEC. ___2. AUTHORIZATION OF AMOUNTS FOR REDUCTION OF BACKLOG

FOR FACILITY INFRASTRUCTURE PROJECTS.

(a) In General.--There is authorized to be appropriated to the Department of Defense $4,000,000,000 for the Defense Infrastructure Fund, of which $1,300,000,000 shall be available for each of the Departments of the Army, the Navy, and the Air Force, and $100,000,000 shall be for the Defense Health Agency, to reduce the backlog of facility infrastructure maintenance projects of the Department of Defense.

(b) Compliance With Repair Requirements.--Any project carried out with amounts authorized under subsection (a) shall comply with the requirements under section 2811 of title 10, United States Code.

(c) Availability of Amounts.--Amounts authorized under subsection (a) shall be available for obligation until September 30, 2026.

SEC. ___3. AUTHORIZATION OF AMOUNTS FOR MODERNIZATION OF TEST

AND TRAINING RANGES OF DEPARTMENT OF DEFENSE.

(a) In General.--There is authorized to be appropriated to the Department of Defense $2,800,000,000 for the Defense Infrastructure Fund to modernize the test and training ranges of the Department of Defense, including projects included in the report required under section 2806 of the Military Construction Authorization Act for Fiscal Year 2018

(Division B of Public Law 115-91; 10 U.S.C. 222a note) for test and evaluation activities.

(b) Availability of Amounts.--Amounts authorized under subsection (a) shall be available for obligation until September 30, 2032.

SEC. ___4. AUTHORIZATION OF AMOUNTS FOR REMEDIATION OF

PERFLUORALKYL SUBSTANCES AND POLYFLUOROALKYL

SUBSTANCES.

(a) In General.--There is authorized to be appropriated to the Department of Defense $700,000,000 for the Defense Infrastructure Fund to remediate perfluoralkyl substances and polyfluoroalkyl substances at installations owned by the Department of Defense.

(b) Availability of Amounts.--Amounts authorized under subsection (a) shall be available for obligation until September 30, 2026.

SEC. ___5. AUTHORIZATION OF AMOUNTS FOR DEPOT MODERNIZATION.

(a) In General.--There is authorized to be appropriated to the Department of Defense $4,325,000,000 for the Defense Infrastructure Fund for depot modernization.

(b) Availability of Amounts.--Amounts authorized under subsection (a) shall be available for obligation until September 30, 2032.

SEC. ___6. AUTHORIZATION OF AMOUNTS FOR AMMUNITION PLANT

MODERNIZATION.

(a) In General.--There is authorized to be appropriated to the Department of Defense $2,350,000,000 for the Defense Infrastructure Fund to modernize ammunition plants.

(b) Availability of Amounts.--Amounts authorized under subsection (a) shall be available for obligation until September 30, 2026.

SEC. ___7. AUTHORIZATION OF AMOUNTS FOR FIFTH-GENERATION

WIRELESS NETWORKING TECHNOLOGIES.

(a) In General.--There is authorized to be appropriated to the Department of Defense $2,500,000,000 for the Defense Infrastructure Fund to provide fifth-generation wireless networking technologies to installations owned by the Department of Defense.

(b) Availability of Amounts.--Amounts authorized under subsection (a) shall be available for obligation until September 30, 2026.

SEC. ___8. AUTHORIZATION OF AMOUNTS FOR NAVY SHIPYARD AND

INFRASTRUCTURE IMPROVEMENT.

(a) Authorization.--

(1) In general.--There is authorized to be appropriated to the Department of Defense $10,325,000,000 for the Defense Infrastructure Fund to improve, in accordance with subsection

(b), the Navy shipyard infrastructure of the United States.

(2) Availability of amounts.--Amounts authorized under paragraph (1) shall be available until expended.

(3) Supplement not supplant.--Amounts authorized under paragraph (1) shall supplement and not supplant other amounts appropriated or otherwise made available for the purpose described in paragraph (1).

(b) Use of Funds.--

(1) In general.--As soon as practicable after the date of the enactment of this Act, the Secretary of Defense shall make amounts appropriated pursuant to the authorization under subsection (a)(1) directly available to the Secretary of the Navy for obligation and expenditure for Navy public shipyard facilities, dock, dry dock, capital equipment improvements, and dredging efforts needed by such shipyards.

(2) Projects in addition to other construction projects.--Construction projects undertaken using amounts appropriated pursuant to the authorization under subsection (a)(1) shall be in addition to and separate from any military construction program authorized by any Act to authorize appropriations for a fiscal year for military activities of the Department of Defense and for military construction.

(1) The Norfolk Naval Shipyard, Virginia.

(2) The Pearl Harbor Naval Shipyard, Hawaii.

(3) The Portsmouth Naval Shipyard, Maine.

(4) The Puget Sound Naval Shipyard, Washington.

______

SA 4796. Mr. PAUL submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle C of title VII, add the following:

SEC. 744. PROHIBITION ON DISHONORABLE DISCHARGE OF MEMBERS OF

THE ARMED FORCES FOR REFUSING TO COMPLY WITH

COVID-19 VACCINE MANDATE.

The Secretary of Defense may not give a dishonorable discharge to a member of the Armed Forces solely on the basis of the refusal of the member, for religious, medical, or personal reasons, to comply with any requirement that the member receive a vaccination for coronavirus disease 2019

(commonly known as ``COVID-19'').

______

SA 4797. Mr. BENNET submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle D of title XXVIII, add the following:

SEC. 2836. PAYMENT TO ENVIRONMENTAL PROTECTION AGENCY FOR

CERTAIN COSTS IN CONNECTION WITH FORMER ROCKY

MOUNTAIN ARSENAL, COLORADO.

(a) Authority for Payment.--

(1) Transfer amount.--

(A) In general.--Notwithstanding section 2215 of title 10, United States Code, chapter 160 of such title, section 1367 of the National Defense Authorization Act for Fiscal Year 1987 (Public Law 99-661; 100 Stat. 4003), or any other provision of law, using funds described in subsection (b), the Secretary of Defense may transfer to the Administrator of the Environmental Protection Agency for use at the former Rocky Mountain Arsenal, Colorado--

(i) in fiscal year 2022, $4,805,000 for costs associated with the involvement of the Environmental Protection Agency with the cleanup by the Department of the Army of the former Rocky Mountain Arsenal from fiscal years 2015 through 2020, after a specific accounting is provided in accordance with subparagraph (B); and

(ii) in each of fiscal years 2022, 2023, and 2024, to account for costs incurred by the Environmental Protection Agency for such cleanup in fiscal years 2021, 2022, and 2023, an amount not to exceed $600,000, after a specific accounting is provided in accordance with subparagraph (B).

(B) Accounting.--Prior to the payment of amounts under subparagraph (A), the Administrator of the Environmental Protection Agency shall furnish to the Secretary of Defense a specific accounting of costs for which payment is requested.

(C) Authorized costs.--Payment of amounts under subparagraph (A) may be made only for those costs incurred by the Environmental Protection Agency for fiscal years 2015 through 2023--

(i) for providing technical assistance in accordance with the document entitled ``Settlement Agreement Between the United States and Shell Oil Company Concerning the Rocky Mountain Arsenal'', effective February 17, 1989, as incorporated into the consent decree entered by the United States District Court for the District of Colorado in United States v. Shell Oil Co., Civil Action No. 83-C-2379, dated February 12, 1992 (referred to in this section as the

``Settlement Agreement''); and

(ii) that are not inconsistent with the National Oil and Hazardous Substances Pollution Contingency Plan described in part 300 of title 40, Code of Federal Regulations (or successor regulations).

(2) Purpose of payment.--The amounts authorized to be transferred under paragraph (1)(A) are--

(A) for payment to the Environmental Protection Agency for all costs that may be owed by the Department of the Army to the Environmental Protection Agency pursuant to the Settlement Agreement; and

(B) for use at the former Rocky Mountain Arsenal to allow the Environmental Protection Agency to proceed with review of cleanup documents that the Agency had suspended.

(b) Source of Funds.--The transfer authorized under subsection (a)(1)(A) shall be made using funds authorized to be appropriated for fiscal years 2022, 2023, and 2024 for Operation and Maintenance, Army for Environmental Restoration.

(c) Finality of Payments.--The transfer authorized under subsection (a)(1)(A) constitutes final and complete payment for all costs borne by the Environmental Protection Agency arising from the Settlement Agreement for fiscal years 2015 through 2023.

______

SA 4798. Mr. CASSIDY (for himself, Mr. Whitehouse, and Ms. Warren) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle G of title X, add the following:

SEC. ___. POSTSECONDARY STUDENT DATA SYSTEM.

(a) Short Title.--This section may be cited as the

``College Transparency Act''.

(b) Postsecondary Student Data System.--Section 132 of the Higher Education Act of 1965 (20 U.S.C. 1015a) is amended--

(1) by redesignating subsection (l) as subsection (m); and

(2) by inserting after subsection (k) the following:

``(l) Postsecondary Student Data System.--

``(1) In general.--

``(A) Establishment of system.--Not later than 4 years after the date of enactment of the College Transparency Act, the Commissioner of the National Center for Education Statistics (referred to in this subsection as the

`Commissioner') shall develop and maintain a secure, privacy-protected postsecondary student-level data system in order to--

``(i) accurately evaluate student enrollment patterns, progression, completion, and postcollegiate outcomes, and higher education costs and financial aid;

``(ii) assist with transparency, institutional improvement, and analysis of Federal aid programs;

``(iii) provide accurate, complete, and customizable information for students and families making decisions about postsecondary education; and

``(iv) reduce the reporting burden on institutions of higher education, in accordance with section 5(b) of the College Transparency Act.

``(B) Avoiding duplicated reporting.--Notwithstanding any other provision of this section, to the extent that another provision of this section requires the same reporting or collection of data that is required under this subsection, an institution of higher education, or the Secretary or Commissioner, may use the reporting or data required for the postsecondary student data system under this subsection to satisfy both requirements.

``(C) Development process.--In developing the postsecondary student data system described in this subsection, the Commissioner shall--

``(i) focus on the needs of--

``(I) users of the data system; and

``(II) entities, including institutions of higher education, reporting to the data system;

``(ii) take into consideration, to the extent practicable--

``(I) the guidelines outlined in the U.S. Web Design Standards maintained by the General Services Administration and the Digital Services Playbook and TechFAR Handbook for Procuring Digital Services Using Agile Processes of the U.S. Digital Service; and

``(II) the relevant successor documents or recommendations of such guidelines;

``(iii) use modern, relevant privacy- and security-enhancing technology, and enhance and update the data system as necessary to carry out the purpose of this subsection;

``(iv) ensure data privacy and security is consistent with any Federal law relating to privacy or data security, including--

``(I) the requirements of subchapter II of chapter 35 of title 44, United States Code, specifying security categorization under the Federal Information Processing Standards or any relevant successor of such standards;

``(II) security requirements that are consistent with the Federal agency responsibilities in section 3554 of title 44, United States Code, or any relevant successor of such responsibilities; and

``(III) security requirements, guidelines, and controls consistent with cybersecurity standards and best practices developed by the National Institute of Standards and Technology, including frameworks, consistent with section 2(c) of the National Institute of Standards and Technology Act (15 U.S.C. 272(c)), or any relevant successor of such frameworks;

``(v) follow Federal data minimization practices to ensure only the minimum amount of data is collected to meet the system's goals, in accordance with Federal data minimization standards and guidelines developed by the National Institute of Standards and Technology; and

``(vi) provide notice to students outlining the data included in the system and how the data are used.

``(2) Data elements.--

``(A) In general.--Not later than 4 years after the date of enactment of the College Transparency Act, the Commissioner, in consultation with the Postsecondary Student Data System Advisory Committee established under subparagraph (B), shall determine--

``(i) the data elements to be included in the postsecondary student data system, in accordance with subparagraphs (C) and

(D); and

``(ii) how to include the data elements required under subparagraph (C), and any additional data elements selected under subparagraph (D), in the postsecondary student data system.

``(B) Postsecondary student data system advisory committee.--

``(i) Establishment.--Not later than 2 years after the date of enactment of the College Transparency Act, the Commissioner shall establish a Postsecondary Student Data System Advisory Committee (referred to in this subsection as the `Advisory Committee'), whose members shall include--

``(I) the Chief Privacy Officer of the Department or an official of the Department delegated the duties of overseeing data privacy at the Department;

``(II) the Chief Security Officer of the Department or an official of the Department delegated the duties of overseeing data security at the Department;

``(III) representatives of diverse institutions of higher education, which shall include equal representation between 2-year and 4-year institutions of higher education, and from public, nonprofit, and proprietary institutions of higher education, including minority-serving institutions;

``(IV) representatives from State higher education agencies, entities, bodies, or boards;

``(V) representatives of postsecondary students;

``(VI) representatives from relevant Federal agencies; and

``(VII) other stakeholders (including individuals with expertise in data privacy and security, consumer protection, and postsecondary education research).

``(ii) Requirements.--The Commissioner shall ensure that the Advisory Committee--

``(I) adheres to all requirements under the Federal Advisory Committee Act (5 U.S.C. App.);

``(II) establishes operating and meeting procedures and guidelines necessary to execute its advisory duties; and

``(III) is provided with appropriate staffing and resources to execute its advisory duties.

``(C) Required data elements.--The data elements in the postsecondary student data system shall include, at a minimum, the following:

``(i) Student-level data elements necessary to calculate the information within the surveys designated by the Commissioner as `student-related surveys' in the Integrated Postsecondary Education Data System (IPEDS), as such surveys are in effect on the day before the date of enactment of the College Transparency Act, except that in the case that collection of such elements would conflict with subparagraph

(F), such elements in conflict with subparagraph (F) shall be included in the aggregate instead of at the student level.

``(ii) Student-level data elements necessary to allow for reporting student enrollment, persistence, retention, transfer, and completion measures for all credential levels separately (including certificate, associate, baccalaureate, and advanced degree levels), within and across institutions of higher education (including across all categories of institution level, control, and predominant degree awarded). The data elements shall allow for reporting about all such data disaggregated by the following categories:

``(I) Enrollment status as a first-time student, recent transfer student, or other non-first-time student.

``(II) Attendance intensity, whether full-time or part-time.

``(III) Credential-seeking status, by credential level.

``(IV) Race or ethnicity, in a manner that captures all the racial groups specified in the most recent American Community Survey of the Bureau of the Census.

``(V) Age intervals.

``(VI) Gender.

``(VII) Program of study (as applicable).

``(VIII) Military or veteran benefit status (as determined based on receipt of veteran's education benefits, as defined in section 480(c)).

``(IX) Status as a distance education student, whether exclusively or partially enrolled in distance education.

``(X) Federal Pell Grant recipient status under section 401 and Federal loan recipient status under title IV, provided that the collection of such information complies with paragraph (1)(B).

``(D) Other data elements.--

``(i) In general.--The Commissioner may, after consultation with the Advisory Committee and provision of a public comment period, include additional data elements in the postsecondary student data system, such as those described in clause (ii), if those data elements--

``(I) are necessary to ensure that the postsecondary data system fulfills the purposes described in paragraph (1)(A); and

``(II) are consistent with data minimization principles, including the collection of only those additional elements that are necessary to ensure such purposes.

``(ii) Data elements.--The data elements described in clause (i) may include--

``(I) status as a first generation college student, as defined in section 402A(h);

``(II) economic status;

``(III) participation in postsecondary remedial coursework or gateway course completion; or

``(IV) other data elements that are necessary in accordance with clause (i).

``(E) Reevaluation.--Not less than once every 3 years after the implementation of the postsecondary student data system described in this subsection, the Commissioner, in consultation with the Advisory Committee described in subparagraph (B), shall review the data elements included in the postsecondary student data system and may revise the data elements to be included in such system.

``(F) Prohibitions.--The Commissioner shall not include individual health data (including data relating to physical health or mental health), student discipline records or data, elementary and secondary education data, an exact address, citizenship status, migrant status, or national origin status for students or their families, course grades, postsecondary entrance examination results, political affiliation, or religion in the postsecondary student data system under this subsection.

``(3) Periodic matching with other federal data systems.--

``(A) Data sharing agreements.--

``(i) The Commissioner shall ensure secure, periodic data matches by entering into data sharing agreements with each of the following Federal agencies and offices:

``(I) The Secretary of the Treasury and the Commissioner of the Internal Revenue Service, in order to calculate aggregate program- and institution-level earnings of postsecondary students.

``(II) The Secretary of Defense, in order to assess the use of postsecondary educational benefits and the outcomes of servicemembers.

``(III) The Secretary of Veterans Affairs, in order to assess the use of postsecondary educational benefits and outcomes of veterans.

``(IV) The Director of the Bureau of the Census, in order to assess the earnings outcomes of former postsecondary education students.

``(V) The Chief Operating Officer of the Office of Federal Student Aid, in order to analyze the use of postsecondary educational benefits provided under this Act.

``(VI) The Commissioner of the Social Security Administration, in order to evaluate labor market outcomes of former postsecondary education students.

``(VII) The Commissioner of the Bureau of Labor Statistics, in order to assess the wages of former postsecondary education students.

``(ii) The heads of Federal agencies and offices described under clause (i) shall enter into data sharing agreements with the Commissioner to ensure secure, periodic data matches as described in this paragraph.

``(B) Categories of data.--The Commissioner shall, at a minimum, seek to ensure that the secure periodic data system matches described in subparagraph (A) permit consistent reporting of the following categories of data for all postsecondary students:

``(i) Enrollment, retention, transfer, and completion outcomes for all postsecondary students.

``(ii) Financial indicators for postsecondary students receiving Federal grants and loans, including grant and loan aid by source, cumulative student debt, loan repayment status, and repayment plan.

``(iii) Post-completion outcomes for all postsecondary students, including earnings, employment, and further education, by program of study and credential level and as measured--

``(I) immediately after leaving postsecondary education; and

``(II) at time intervals appropriate to the credential sought and earned.

``(C) Periodic data match streamlining and confidentiality.--

``(i) Streamlining.--In carrying out the secure periodic data system matches under this paragraph, the Commissioner shall--

``(I) ensure that such matches are not continuous, but occur only periodically at appropriate intervals, as determined by the Commissioner to meet the goals of subparagraph (A); and

``(II) seek to--

``(aa) streamline the data collection and reporting requirements for institutions of higher education;

``(bb) minimize duplicative reporting across or within Federal agencies or departments, including reporting requirements applicable to institutions of higher education under the Workforce Innovation and Opportunity Act (29 U.S.C. 3101 et seq.) and the Carl D. Perkins Career and Technical Education Act of 2006;

``(cc) protect student privacy; and

``(dd) streamline the application process for student loan benefit programs available to borrowers based on data available from different Federal data systems.

``(ii) Review.--Not less often than once every 3 years after the establishment of the postsecondary student data system under this subsection, the Commissioner, in consultation with the Advisory Committee, shall review methods for streamlining data collection from institutions of higher education and minimizing duplicative reporting within the Department and across Federal agencies that provide data for the postsecondary student data system.

``(iii) Confidentiality.--The Commissioner shall ensure that any periodic matching or sharing of data through periodic data system matches established in accordance with this paragraph--

``(I) complies with the security and privacy protections described in paragraph (1)(C)(iv) and other Federal data protection protocols;

``(II) follows industry best practices commensurate with the sensitivity of specific data elements or metrics;

``(III) does not result in the creation of a single standing, linked Federal database at the Department that maintains the information reported across other Federal agencies; and

``(IV) discloses to postsecondary students what data are included in the data system and periodically matched and how the data are used.

``(iv) Correction.--The Commissioner, in consultation with the Advisory Committee, shall establish a process for students to request access to only their personal information for inspection and request corrections to inaccuracies in a manner that protects the student's personally identifiable information. The Commissioner shall respond in writing to every request for a correction from a student.

``(4) Publicly available information.--

``(A) In general.--The Commissioner shall make the summary aggregate information described in subparagraph (C), at a minimum, publicly available through a user-friendly consumer information website and analytic tool that--

``(i) provides appropriate mechanisms for users to customize and filter information by institutional and student characteristics;

``(ii) allows users to build summary aggregate reports of information, including reports that allow comparisons across multiple institutions and programs, subject to subparagraph

(B);

``(iii) uses appropriate statistical disclosure limitation techniques necessary to ensure that the data released to the public cannot be used to identify specific individuals; and

``(iv) provides users with appropriate contextual factors to make comparisons, which may include national median figures of the summary aggregate information described in subparagraph (C).

``(B) No personally identifiable information available.--The summary aggregate information described in this paragraph shall not include personally identifiable information.

``(C) Summary aggregate information available.--The summary aggregate information described in this paragraph shall, at a minimum, include each of the following for each institution of higher education:

``(i) Measures of student access, including--

``(I) admissions selectivity and yield; and

``(II) enrollment, disaggregated by each category described in paragraph (2)(C)(ii).

``(ii) Measures of student progression, including retention rates and persistence rates, disaggregated by each category described in paragraph (2)(C)(ii).

``(iii) Measures of student completion, including--

``(I) transfer rates and completion rates, disaggregated by each category described in paragraph (2)(C)(ii); and

``(II) number of completions, disaggregated by each category described in paragraph (2)(C)(ii).

``(iv) Measures of student costs, including--

``(I) tuition, required fees, total cost of attendance, and net price after total grant aid, disaggregated by in-State tuition or in-district tuition status (if applicable), program of study (if applicable), and credential level; and

``(II) typical grant amounts and loan amounts received by students reported separately from Federal, State, local, and institutional sources, and cumulative debt, disaggregated by each category described in paragraph (2)(C)(ii) and completion status.

``(v) Measures of postcollegiate student outcomes, including employment rates, mean and median earnings, loan repayment and default rates, and further education rates. These measures shall--

``(I) be disaggregated by each category described in paragraph (2)(C)(ii) and completion status; and

``(II) be measured immediately after leaving postsecondary education and at time intervals appropriate to the credential sought or earned.

``(D) Development criteria.--In developing the method and format of making the information described in this paragraph publicly available, the Commissioner shall--

``(i) focus on the needs of the users of the information, which will include students, families of students, potential students, researchers, and other consumers of education data;

``(ii) take into consideration, to the extent practicable, the guidelines described in paragraph (1)(C)(ii)(I), and relevant successor documents or recommendations of such guidelines;

``(iii) use modern, relevant technology and enhance and update the postsecondary student data system with information, as necessary to carry out the purpose of this paragraph;

``(iv) ensure data privacy and security in accordance with standards and guidelines developed by the National Institute of Standards and Technology, and in accordance with any other Federal law relating to privacy or security, including complying with the requirements of subchapter II of chapter 35 of title 44, United States Code, specifying security categorization under the Federal Information Processing Standards, and security requirements, and setting of National Institute of Standards and Technology security baseline controls at the appropriate level; and

``(v) conduct consumer testing to determine how to make the information as meaningful to users as possible.

``(5) Permissible disclosures of data.--

``(A) Data reports and queries.--

``(i) In general.--Not later than 4 years after the date of enactment of the College Transparency Act, the Commissioner shall develop and implement a secure process for making student-level, non-personally identifiable information, with direct identifiers removed, from the postsecondary student data system available for vetted research and evaluation purposes approved by the Commissioner in a manner compatible with practices for disclosing National Center for Education Statistics restricted-use survey data as in effect on the day before the date of enactment of the College Transparency Act, or by applying other research and disclosure restrictions to ensure data privacy and security. Such process shall be approved by the National Center for Education Statistics' Disclosure Review Board (or successor body).

``(ii) Providing data reports and queries to institutions and states.--

``(I) In general.--The Commissioner shall provide feedback reports, at least annually, to each institution of higher education, each postsecondary education system that fully participates in the postsecondary student data system, and each State higher education body as designated by the governor.

``(II) Feedback reports.--The feedback reports provided under this clause shall include program-level and institution-level information from the postsecondary student data system regarding students who are associated with the institution or, for State representatives, the institutions within that State, on or before the date of the report, on measures including student mobility and workforce outcomes, provided that the feedback aggregate summary reports protect the privacy of individuals.

``(III) Determination of content.--The content of the feedback reports shall be determined by the Commissioner in consultation with the Advisory Committee.

``(iii) Permitting state data queries.--The Commissioner shall, in consultation with the Advisory Committee and as soon as practicable, create a process through which States may submit lists of secondary school graduates within the State to receive summary aggregate outcomes for those students who enrolled at an institution of higher education, including postsecondary enrollment and college completion, provided that those data protect the privacy of individuals and that the State data submitted to the Commissioner are not stored in the postsecondary education system.

``(iv) Regulations.--The Commissioner shall promulgate regulations to ensure fair, secure, and equitable access to data reports and queries under this paragraph.

``(B) Disclosure limitations.--In carrying out the public reporting and disclosure requirements of this subsection, the Commissioner shall use appropriate statistical disclosure limitation techniques necessary to ensure that the data released to the public cannot include personally identifiable information or be used to identify specific individuals.

``(C) Sale of data prohibited.--Data collected under this subsection, including the public-use data set and data comprising the summary aggregate information available under paragraph (4), shall not be sold to any third party by the Commissioner, including any institution of higher education or any other entity.

``(D) Limitation on use by other federal agencies.--

``(i) In general.--The Commissioner shall not allow any other Federal agency to use data collected under this subsection for any purpose except--

``(I) for vetted research and evaluation conducted by the other Federal agency, as described in subparagraph (A)(i); or

``(II) for a purpose explicitly authorized by this Act.

``(ii) Prohibition on limitation of services.--The Secretary, or the head of any other Federal agency, shall not use data collected under this subsection to limit services to students.

``(E) Law enforcement.--Personally identifiable information collected under this subsection shall not be used for any Federal, State, or local law enforcement activity or any other activity that would result in adverse action against any student or a student's family, including debt collection activity or enforcement of immigration laws.

``(F) Limitation of use for federal rankings or summative rating system.--The comprehensive data collection and analysis necessary for the postsecondary student data system under this subsection shall not be used by the Secretary or any Federal entity to establish any Federal ranking system of institutions of higher education or a system that results in a summative Federal rating of institutions of higher education.

``(G) Rule of construction.--Nothing in this paragraph shall be construed to prevent the use of individual categories of aggregate information to be used for accountability purposes.

``(H) Rule of construction regarding commercial use of data.--Nothing in this paragraph shall be construed to prohibit third-party entities from using publicly available information in this data system for commercial use.

``(6) Submission of data.--

``(A) Required submission.--Each institution of higher education participating in a program under title IV, or the assigned agent of such institution, shall, for each eligible program, in accordance with section 487(a)(17), collect, and submit to the Commissioner, the data requested by the Commissioner to carry out this subsection.

``(B) Voluntary submission.--Any institution of higher education not participating in a program under title IV may voluntarily participate in the postsecondary student data system under this subsection by collecting and submitting data to the Commissioner, as the Commissioner may request to carry out this subsection.

``(C) Personally identifiable information.--In accordance with paragraph (2)(C)(i), if the submission of an element of student-level data is prohibited under paragraph (2)(F) (or otherwise prohibited by law), the institution of higher education shall submit that data to the Commissioner in the aggregate.

``(7) Unlawful willful disclosure.--

``(A) In general.--It shall be unlawful for any person who obtains or has access to personally identifiable information in connection with the postsecondary student data system described in this subsection to willfully disclose to any person (except as authorized in this Act or by any Federal law) such personally identifiable information.

``(B) Penalty.--Any person who violates subparagraph (A) shall be subject to a penalty described under section 3572(f) of title 44, United States Code, and section 183(d)(6) of the Education Sciences Reform Act of 2002 (20 U.S.C. 9573(d)(6)).

``(C) Employee or officer of the united states.--If a violation of subparagraph (A) is committed by any officer or employee of the United States, the officer or employee shall be dismissed from office or discharged from employment upon conviction for the violation.

``(8) Data security.--The Commissioner shall produce and update as needed guidance and regulations relating to privacy, security, and access which shall govern the use and disclosure of data collected in connection with the activities authorized in this subsection. The guidance and regulations developed and reviewed shall protect data from unauthorized access, use, and disclosure, and shall include--

``(A) an audit capability, including mandatory and regularly conducted audits;

``(B) access controls;

``(C) requirements to ensure sufficient data security, quality, validity, and reliability;

``(D) confidentiality protection in accordance with the applicable provisions of subchapter III of chapter 35 of title 44, United States Code;

``(E) appropriate and applicable privacy and security protection, including data retention and destruction protocols and data minimization, in accordance with the most recent Federal standards developed by the National Institute of Standards and Technology; and

``(F) protocols for managing a breach, including breach notifications, in accordance with the standards of National Center for Education Statistics.

``(9) Data collection.--The Commissioner shall ensure that data collection, maintenance, and use under this subsection complies with section 552a of title 5, United States Code.

``(10) Definitions.--In this subsection:

``(A) Institution of higher education.--The term

`institution of higher education' has the meaning given the term in section 102.

``(B) Minority-serving institution.--The term `minority-serving institution' means an institution of higher education listed in section 371(a).

``(C) Personally identifiable information.--The term

`personally identifiable information' means personally identifiable information within the meaning of section 444 of the General Education Provisions Act.''.

(c) Repeal of Prohibition on Student Data System.--Section 134 of the Higher Education Act of 1965 (20 U.S.C. 1015c) is repealed.

(d) Institutional Requirements.--

(1) In general.--Paragraph (17) of section 487(a) of the Higher Education Act of 1965 (20 U.S.C. 1094(a)) is amended to read as follows:

``(17) The institution or the assigned agent of the institution will collect and submit data to the Commissioner for Education Statistics in accordance with section 132(l), the nonstudent related surveys within the Integrated Postsecondary Education Data System (IPEDS), or any other Federal institution of higher education data collection effort (as designated by the Secretary), in a timely manner and to the satisfaction of the Secretary.''.

(2) Effective date.--The amendment made by paragraph (1) shall take effect on the date that is 4 years after the date of enactment of this Act.

(e) Transition Provisions.--The Secretary of Education and the Commissioner for Education Statistics shall take such steps as are necessary to ensure that the development and maintenance of the postsecondary student data system required under section 132(l) of the Higher Education Act of 1965, as added by subsection (b) of this section, occurs in a manner that reduces the reporting burden for entities that reported into the Integrated Postsecondary Education Data System

(IPEDS).

______

SA 4799. Mr. PETERS (for himself, Mr. Portman, Mr. Warner, Ms. Collins, Mr. King, Mr. Rubio, Mr. Risch, Ms. Rosen, Mr. Cornyn, and Mr. Burr) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end, add the following:

DIVISION E--FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2021

SEC. 5101. SHORT TITLE.

This division may be cited as the ``Federal Information Security Modernization Act of 2021''.

SEC. 5102. DEFINITIONS.

In this division, unless otherwise specified:

(1) Additional cybersecurity procedure.--The term

``additional cybersecurity procedure'' has the meaning given the term in section 3552(b) of title 44, United States Code, as amended by this division.

(2) Agency.--The term ``agency'' has the meaning given the term in section 3502 of title 44, United States Code.

(3) Appropriate congressional committees.--The term

``appropriate congressional committees'' means--

(A) the Committee on Homeland Security and Governmental Affairs of the Senate;

(B) the Committee on Oversight and Reform of the House of Representatives; and

(4) Director.--The term ``Director'' means the Director of the Office of Management and Budget.

(5) Incident.--The term ``incident'' has the meaning given the term in section 3552(b) of title 44, United States Code.

(6) National security system.--The term ``national security system'' has the meaning given the term in section 3552(b) of title 44, United States Code.

(7) Penetration test.--The term ``penetration test'' has the meaning given the term in section 3552(b) of title 44, United States Code, as amended by this division.

(8) Threat hunting.--The term ``threat hunting'' means proactively and iteratively searching for threats to systems that evade detection by automated threat detection systems.

TITLE LI--UPDATES TO FISMA

SEC. 5121. TITLE 44 AMENDMENTS.

(a) Subchapter I Amendments.--Subchapter I of chapter 35 of title 44, United States Code, is amended--

(1) in section 3504--

(A) in subsection (a)(1)(B)--

(i) by striking clause (v) and inserting the following:

``(v) confidentiality, privacy, disclosure, and sharing of information;'';

(ii) by redesignating clause (vi) as clause (vii); and

(iii) by inserting after clause (v) the following:

``(vi) in consultation with the National Cyber Director and the Director of the Cybersecurity and Infrastructure Security Agency, security of information; and''; and

(B) in subsection (g), by striking paragraph (1) and inserting the following:

``(1) develop, and in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, oversee the implementation of policies, principles, standards, and guidelines on privacy, confidentiality, security, disclosure and sharing of information collected or maintained by or for agencies; and'';

(2) in section 3505--

(A) in paragraph (3) of the first subsection designated as subsection (c)--

(i) in subparagraph (B)--

(I) by inserting ``the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and'' before ``the Comptroller General''; and

(II) by striking ``and'' at the end;

(ii) in subparagraph (C)(v), by striking the period at the end and inserting ``; and''; and

(iii) by adding at the end the following:

``(D) maintained on a continual basis through the use of automation, machine-readable data, and scanning.''; and

(B) by striking the second subsection designated as subsection (c);

(3) in section 3506--

(A) in subsection (b)(1)(C), by inserting ``, availability'' after ``integrity''; and

(B) in subsection (h)(3), by inserting ``security,'' after

``efficiency,''; and

(4) in section 3513--

(A) by redesignating subsection (c) as subsection (d); and

(B) by inserting after subsection (b) the following:

``(c) Each agency providing a written plan under subsection

(b) shall provide any portion of the written plan addressing information security or cybersecurity to the Director of the Cybersecurity and Infrastructure Security Agency.''.

(b) Subchapter II Definitions.--

(1) In general.--Section 3552(b) of title 44, United States Code, is amended--

(A) by redesignating paragraphs (1), (2), (3), (4), (5),

(6), and (7) as paragraphs (2), (3), (4), (5), (6), (9), and

(11), respectively;

(B) by inserting before paragraph (2), as so redesignated, the following:

``(1) The term `additional cybersecurity procedure' means a process, procedure, or other activity that is established in excess of the information security standards promulgated under section 11331(b) of title 40 to increase the security and reduce the cybersecurity risk of agency systems.'';

``(7) The term `high value asset' means information or an information system that the head of an agency determines so critical to the agency that the loss or corruption of the information or the loss of access to the information system would have a serious impact on the ability of the agency to perform the mission of the agency or conduct business.

``(8) The term `major incident' has the meaning given the term in guidance issued by the Director under section 3598(a).'';

(D) by inserting after paragraph (9), as so redesignated, the following:

``(10) The term `penetration test' means a specialized type of assessment that--

``(A) is conducted on an information system or a component of an information system; and

``(B) emulates an attack or other exploitation capability of a potential adversary, typically under specific constraints, in order to identify any vulnerabilities of an information system or a component of an information system that could be exploited.''; and

(E) by inserting after paragraph (11), as so redesignated, the following:

``(12) The term `shared service' means a centralized business or mission capability that is provided to multiple organizations within an agency or to multiple agencies.''.

(2) Conforming amendments.--

(A) Homeland security act of 2002.--Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking ``section 3552(b)(5)'' and inserting

``section 3552(b)''.

(B) Title 10.--

(i) Section 2222.--Section 2222(i)(8) of title 10, United States Code, is amended by striking ``section 3552(b)(6)(A)'' and inserting ``section 3552(b)(9)(A)''.

(ii) Section 2223.--Section 2223(c)(3) of title 10, United States Code, is amended by striking ``section 3552(b)(6)'' and inserting ``section 3552(b)''.

(iii) Section 2315.--Section 2315 of title 10, United States Code, is amended by striking ``section 3552(b)(6)'' and inserting ``section 3552(b)''.

(iv) Section 2339a.--Section 2339a(e)(5) of title 10, United States Code, is amended by striking ``section 3552(b)(6)'' and inserting ``section 3552(b)''.

(C) High-performance computing act of 1991.--Section 207(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5527(a)) is amended by striking ``section 3552(b)(6)(A)(i)'' and inserting ``section 3552(b)(9)(A)(i)''.

(D) Internet of things cybersecurity improvement act of 2020.--Section 3(5) of the Internet of Things Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3a) is amended by striking ``section 3552(b)(6)'' and inserting ``section 3552(b)''.

(E) National defense authorization act for fiscal year 2013.--Section 933(e)(1)(B) of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) is amended by striking ``section 3542(b)(2)'' and inserting

``section 3552(b)''.

(F) Ike skelton national defense authorization act for fiscal year 2011.--The Ike Skelton National Defense Authorization Act for Fiscal Year 2011 (Public Law 111-383) is amended--

(i) in section 806(e)(5) (10 U.S.C. 2304 note), by striking

``section 3542(b)'' and inserting ``section 3552(b)'';

(ii) in section 931(b)(3) (10 U.S.C. 2223 note), by striking ``section 3542(b)(2)'' and inserting ``section 3552(b)''; and

(iii) in section 932(b)(2) (10 U.S.C. 2224 note), by striking ``section 3542(b)(2)'' and inserting ``section 3552(b)''.

(G) E-government act of 2002.--Section 301(c)(1)(A) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by striking ``section 3542(b)(2)'' and inserting ``section 3552(b)''.

(H) National institute of standards and technology act.--Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended--

(i) in subsection (a)(2), by striking ``section 3552(b)(5)'' and inserting ``section 3552(b)''; and

(ii) in subsection (f)--

(I) in paragraph (3), by striking ``section 3532(1)'' and inserting ``section 3552(b)''; and

(II) in paragraph (5), by striking ``section 3532(b)(2)'' and inserting ``section 3552(b)''.

(1) in section 3551--

(A) in paragraph (4), by striking ``diagnose and improve'' and inserting ``integrate, deliver, diagnose, and improve'';

(B) in paragraph (5), by striking ``and'' at the end;

(D) by adding at the end the following:

``(7) recognize that each agency has specific mission requirements and, at times, unique cybersecurity requirements to meet the mission of the agency;

``(8) recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone; and

``(9) recognize that a holistic Federal cybersecurity model is necessary to account for differences between the missions and capabilities of agencies.'';

(2) in section 3553--

(A) by striking the section heading and inserting

``Authority and functions of the Director and the Director of the Cybersecurity and Infrastructure Security Agency''.

(B) in subsection (a)--

(i) in paragraph (1), by inserting ``, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director,'' before

``overseeing'';

(ii) in paragraph (5), by striking ``and'' at the end; and

(iii) by adding at the end the following:

``(8) promoting, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Director of the National Institute of Standards and Technology--

``(A) the use of automation to improve Federal cybersecurity and visibility with respect to the implementation of Federal cybersecurity; and

``(B) the use of presumption of compromise and least privilege principles to improve resiliency and timely response actions to incidents on Federal systems.'';

(i) by striking the subsection heading and inserting

``Cybersecurity and Infrastructure Security Agency'';

(ii) in the matter preceding paragraph (1), by striking

``The Secretary, in consultation with the Director'' and inserting ``The Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director and the National Cyber Director'';

(iii) in paragraph (2)--

(I) in subparagraph (A), by inserting ``and reporting requirements under subchapter IV of this title'' after

``section 3556''; and

(II) in subparagraph (D), by striking ``the Director or Secretary'' and inserting ``the Director of the Cybersecurity and Infrastructure Security Agency'';

(iv) in paragraph (5), by striking ``coordinating'' and inserting ``leading the coordination of'';

(v) in paragraph (8), by striking ``the Secretary's discretion'' and inserting ``the Director of the Cybersecurity and Infrastructure Security Agency's discretion''; and

(vi) in paragraph (9), by striking ``as the Director or the Secretary, in consultation with the Director,'' and inserting

``as the Director of the Cybersecurity and Infrastructure Security Agency'';

(D) in subsection (c)--

(i) in the matter preceding paragraph (1), by striking

``each year'' and inserting ``each year during which agencies are required to submit reports under section 3554(c)'';

(ii) by striking paragraph (1);

(iii) by redesignating paragraphs (2), (3), and (4) as paragraphs (1), (2), and (3), respectively;

(iv) in paragraph (3), as so redesignated, by striking

``and'' at the end;

(v) by inserting after paragraph (3), as so redesignated the following:

``(4) a summary of each assessment of Federal risk posture performed under subsection (i);''; and

(vi) in paragraph (5), by striking the period at the end and inserting ``; and'';

(E) by redesignating subsections (i), (j), (k), and (l) as subsections (j), (k), (l), and (m) respectively;

(F) by inserting after subsection (h) the following:

``(i) Federal Risk Assessments.--On an ongoing and continuous basis, the Director of the Cybersecurity and Infrastructure Security Agency shall perform assessments of Federal risk posture using any available information on the cybersecurity posture of agencies, and brief the Director and National Cyber Director on the findings of those assessments including--

``(1) the status of agency cybersecurity remedial actions described in section 3554(b)(7);

``(2) any vulnerability information relating to the systems of an agency that is known by the agency;

``(3) analysis of incident information under section 3597;

``(4) evaluation of penetration testing performed under section 3559A;

``(5) evaluation of vulnerability disclosure program information under section 3559B;

``(6) evaluation of agency threat hunting results;

``(7) evaluation of Federal and non-Federal cyber threat intelligence;

``(8) data on agency compliance with standards issued under section 11331 of title 40;

``(9) agency system risk assessments performed under section 3554(a)(1)(A); and

``(10) any other information the Director of the Cybersecurity and Infrastructure Security Agency determines relevant.''; and

(G) in subsection (j), as so redesignated--

(i) by striking ``regarding the specific'' and inserting

``that includes a summary of--

``(1) the specific'';

(ii) in paragraph (1), as so designated, by striking the period at the end and inserting ``; and'' and

(iii) by adding at the end the following:

``(2) the trends identified in the Federal risk assessment performed under subsection (i).''; and

(H) by adding at the end the following:

``(n) Binding Operational Directives.--If the Director of the Cybersecurity and Infrastructure Security Agency issues a binding operational directive or an emergency directive under this section, not later than 2 days after the date on which the binding operational directive requires an agency to take an action, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the appropriate reporting entities the status of the implementation of the binding operational directive at the agency.'';

(3) in section 3554--

(A) in subsection (a)--

(i) in paragraph (1)--

(I) by redesignating subparagraphs (A), (B), and (C) as subparagraphs (B), (C), and (D), respectively;

(II) by inserting before subparagraph (B), as so redesignated, the following:

``(A) on an ongoing and continuous basis, performing agency system risk assessments that--

``(i) identify and document the high value assets of the agency using guidance from the Director;

``(ii) evaluate the data assets inventoried under section 3511 for sensitivity to compromises in confidentiality, integrity, and availability;

``(iii) identify agency systems that have access to or hold the data assets inventoried under section 3511;

``(iv) evaluate the threats facing agency systems and data, including high value assets, based on Federal and non-Federal cyber threat intelligence products, where available;

``(v) evaluate the vulnerability of agency systems and data, including high value assets, including by analyzing--

``(I) the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9);

``(II) the results of penetration testing performed under section 3559A;

``(III) information provided to the agency through the vulnerability disclosure program of the agency under section 3559B;

``(IV) incidents; and

``(V) any other vulnerability information relating to agency systems that is known to the agency;

``(vi) assess the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations described in clauses (ii) and (iv) and the agency systems identified under clause (iii); and

``(vii) assess the consequences of potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the system or data in the system;'';

(III) in subparagraph (B), as so redesignated, in the matter preceding clause (i), by striking ``providing information'' and inserting ``using information from the assessment conducted under subparagraph (A), providing, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, information'';

(IV) in subparagraph (C), as so redesignated--

(aa) in clause (ii) by inserting ``binding'' before

``operational''; and

(bb) in clause (vi), by striking ``and'' at the end; and

(V) by adding at the end the following:

``(E) providing an update on the ongoing and continuous assessment performed under subparagraph (A)--

``(i) upon request, to the inspector general of the agency or the Comptroller General of the United States; and

``(ii) on a periodic basis, as determined by guidance issued by the Director but not less frequently than annually, to--

``(I) the Director;

``(II) the Director of the Cybersecurity and Infrastructure Security Agency; and

``(III) the National Cyber Director;

``(F) in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and not less frequently than once every 3 years, performing an evaluation of whether additional cybersecurity procedures are appropriate for securing a system of, or under the supervision of, the agency, which shall--

``(i) be completed considering the agency system risk assessment performed under subparagraph (A); and

``(ii) include a specific evaluation for high value assets;

``(G) not later than 30 days after completing the evaluation performed under subparagraph (F), providing the evaluation and an implementation plan, if applicable, for using additional cybersecurity procedures determined to be appropriate to--

``(i) the Director of the Cybersecurity and Infrastructure Security Agency;

``(ii) the Director; and

``(iii) the National Cyber Director; and

``(H) if the head of the agency determines there is need for additional cybersecurity procedures, ensuring that those additional cybersecurity procedures are reflected in the budget request of the agency in accordance with the risk-based cyber budget model developed pursuant to section 3553(a)(7);'';

(ii) in paragraph (2)--

(I) in subparagraph (A), by inserting ``in accordance with the agency system risk assessment performed under paragraph

(1)(A)'' after ``information systems'';

(II) in subparagraph (B)--

(aa) by striking ``in accordance with standards'' and inserting ``in accordance with--

``(i) standards''; and

(bb) by adding at the end the following:

``(ii) the evaluation performed under paragraph (1)(F); and

``(iii) the implementation plan described in paragraph

(1)(G);''; and

(III) in subparagraph (D), by inserting ``, through the use of penetration testing, the vulnerability disclosure program established under section 3559B, and other means,'' after

``periodically'';

(iii) in paragraph (3)--

(I) in subparagraph (A)--

(aa) in clause (iii), by striking ``and'' at the end;

(bb) in clause (iv), by adding ``and'' at the end; and

(cc) by adding at the end the following:

``(v) ensure that--

``(I) senior agency information security officers of component agencies carry out responsibilities under this subchapter, as directed by the senior agency information security officer of the agency or an equivalent official; and

``(II) senior agency information security officers of component agencies report to--

``(aa) the senior information security officer of the agency or an equivalent official; and

``(bb) the Chief Information Officer of the component agency or an equivalent official;''; and

(iv) in paragraph (5), by inserting ``and the Director of the Cybersecurity and Infrastructure Security Agency'' before

``on the effectiveness'';

(B) in subsection (b)--

(i) by striking paragraph (1) and inserting the following:

``(1) pursuant to subsection (a)(1)(A), performing ongoing and continuous agency system risk assessments, which may include using guidelines and automated tools consistent with standards and guidelines promulgated under section 11331 of title 40, as applicable;'';

(ii) in paragraph (2)--

(I) by striking subparagraph (B) and inserting the following:

``(B) comply with the risk-based cyber budget model developed pursuant to section 3553(a)(7);''; and

(II) in subparagraph (D)--

(aa) by redesignating clauses (iii) and (iv) as clauses

(iv) and (v), respectively;

(bb) by inserting after clause (ii) the following:

``(iii) binding operational directives and emergency directives promulgated by the Director of the Cybersecurity and Infrastructure Security Agency under section 3553;''; and

(cc) in clause (iv), as so redesignated, by striking ``as determined by the agency; and'' and inserting ``as determined by the agency, considering--

``(I) the agency risk assessment performed under subsection

(a)(1)(A); and

``(II) the determinations of applying more stringent standards and additional cybersecurity procedures pursuant to section 11331(c)(1) of title 40; and'';

(iii) in paragraph (5)(A), by inserting ``, including penetration testing, as appropriate,'' after ``shall include testing'';

(iv) in paragraph (6), by striking ``planning, implementing, evaluating, and documenting'' and inserting

``planning and implementing and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, evaluating and documenting'';

(v) by redesignating paragraphs (7) and (8) as paragraphs

(8) and (9), respectively;

(vi) by inserting after paragraph (6) the following:

``(7) a process for providing the status of every remedial action and known system vulnerability to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable;''; and

(vii) in paragraph (8)(C), as so redesignated--

(I) by striking clause (ii) and inserting the following:

``(ii) notifying and consulting with the Federal information security incident center established under section 3556 pursuant to the requirements of section 3594;'';

(II) by redesignating clause (iii) as clause (iv);

(III) by inserting after clause (ii) the following:

``(iii) performing the notifications and other activities required under subchapter IV of this title; and''; and

(IV) in clause (iv), as so redesignated--

(aa) in subclause (I), by striking ``and relevant offices of inspectors general'';

(bb) in subclause (II), by adding ``and'' at the end;

(cc) by striking subclause (III); and

(dd) by redesignating subclause (IV) as subclause (III);

(i) by redesignating paragraph (2) as paragraph (5);

(ii) by striking paragraph (1) and inserting the following:

``(1) Biannual report.--Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2021 and not less frequently than once every 2 years thereafter, using the continuous and ongoing agency system risk assessment under subsection (a)(1)(A), the head of each agency shall submit to the Director, the Director of the Cybersecurity and Infrastructure Security Agency, the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the Committee on Commerce, Science, and Transportation of the Senate, the Committee on Science, Space, and Technology of the House of Representatives, the appropriate authorization and appropriations committees of Congress, the National Cyber Director, and the Comptroller General of the United States a report that--

``(A) summarizes the agency system risk assessment performed under subsection (a)(1)(A);

``(B) evaluates the adequacy and effectiveness of information security policies, procedures, and practices of the agency to address the risks identified in the agency system risk assessment performed under subsection (a)(1)(A), including an analysis of the agency's cybersecurity and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c));

``(C) summarizes the evaluation and implementation plans described in subparagraphs (F) and (G) of subsection (a)(1) and whether those evaluation and implementation plans call for the use of additional cybersecurity procedures determined to be appropriate by the agency; and

``(D) summarizes the status of remedial actions identified by inspector general of the agency, the Comptroller General of the United States, and any other source determined appropriate by the head of the agency.

``(2) Unclassified reports.--Each report submitted under paragraph (1)--

``(A) shall be, to the greatest extent practicable, in an unclassified and otherwise uncontrolled form; and

``(B) may include a classified annex.

``(3) Access to information.--The head of an agency shall ensure that, to the greatest extent practicable, information is included in the unclassified form of the report submitted by the agency under paragraph (2)(A).

``(4) Briefings.--During each year during which a report is not required to be submitted under paragraph (1), the Director shall provide to the congressional committees described in paragraph (1) a briefing summarizing current agency and Federal risk postures.''; and

(iii) in paragraph (5), as so redesignated, by striking the period at the end and inserting ``, including the reporting procedures established under section 11315(d) of title 40 and subsection (a)(3)(A)(v) of this section.''; and

(D) in subsection (d)(1), in the matter preceding subparagraph (A), by inserting ``and the Director of the Cybersecurity and Infrastructure Security Agency'' after

``the Director''; and

(4) in section 3555--

(A) in the section heading, by striking ``annual independent'' and inserting ``independent'';

(B) in subsection (a)--

(i) in paragraph (1), by inserting ``during which a report is required to be submitted under section 3553(c),'' after

``Each year'';

(ii) in paragraph (2)(A), by inserting ``, including by penetration testing and analyzing the vulnerability disclosure program of the agency'' after ``information systems''; and

(iii) by adding at the end the following:

``(3) An evaluation under this section may include recommendations for improving the cybersecurity posture of the agency.'';

(D) in subsection (e)(1), by inserting ``during which a report is required to be submitted under section 3553(c)'' after ``Each year'';

(E) by striking subsection (f) and inserting the following:

``(f) Protection of Information.--(1) Agencies, evaluators, and other recipients of information that, if disclosed, may cause grave harm to the efforts of Federal information security officers shall take appropriate steps to ensure the protection of that information, including safeguarding the information from public disclosure.

``(2) The protections required under paragraph (1) shall be commensurate with the risk and comply with all applicable laws and regulations.

``(3) With respect to information that is not related to national security systems, agencies and evaluators shall make a summary of the information unclassified and publicly available, including information that does not identify--

``(A) specific information system incidents; or

``(B) specific information system vulnerabilities.'';

(F) in subsection (g)(2)--

(i) by striking ``this subsection shall'' and inserting

``this subsection--

``(A) shall'';

(ii) in subparagraph (A), as so designated, by striking the period at the end and inserting ``; and''; and

(iii) by adding at the end the following:

``(B) identify any entity that performs an independent evaluation under subsection (b).''; and

(G) by striking subsection (j) and inserting the following:

``(j) Guidance.--

``(1) In general.--The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the Chief Information Officers Council, the Council of the Inspectors General on Integrity and Efficiency, and other interested parties as appropriate, shall ensure the development of guidance for evaluating the effectiveness of an information security program and practices

``(2) Priorities.--The guidance developed under paragraph

(1) shall prioritize the identification of--

``(A) the most common threat patterns experienced by each agency;

``(B) the security controls that address the threat patterns described in subparagraph (A); and

``(C) any other security risks unique to the networks of each agency.''; and

(5) in section 3556(a)--

(A) in the matter preceding paragraph (1), by inserting

``within the Cybersecurity and Infrastructure Security Agency'' after ``incident center''; and

(B) in paragraph (4), by striking ``3554(b)'' and inserting

``3554(a)(1)(A)''.

(d) Conforming Amendments.--

(1) Table of sections.--The table of sections for chapter 35 of title 44, United States Code, is amended--

(A) by striking the item relating to section 3553 and inserting the following:

``3553. Authority and functions of the Director and the Director of the

Cybersecurity and Infrastructure Security Agency.''; and

(B) by striking the item relating to section 3555 and inserting the following:

``3555. Independent evaluation.''.

(2) OMB reports.--Section 226(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1524(c)) is amended--

(A) in paragraph (1)(B), in the matter preceding clause

(i), by striking ``annually thereafter'' and inserting

``thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code''; and

(B) in paragraph (2)(B), in the matter preceding clause

(i)--

(i) by striking ``annually thereafter'' and inserting

``thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code''; and

(ii) by striking ``the report required under section 3553(c) of title 44, United States Code'' and inserting

``that report''.

(3) NIST responsibilities.--Section 20(d)(3)(B) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)(3)(B)) is amended by striking ``annual''.

(e) Federal System Incident Response.--

(1) In general.--Chapter 35 of title 44, United States Code, is amended by adding at the end the following:

``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

``Sec. 3591. Definitions

``(a) In General.--Except as provided in subsection (b), the definitions under sections 3502 and 3552 shall apply to this subchapter.

``(b) Additional Definitions.--As used in this subchapter:

``(1) Appropriate reporting entities.--The term

`appropriate reporting entities' means--

``(A) the majority and minority leaders of the Senate;

``(B) the Speaker and minority leader of the House of Representatives;

``(C) the Committee on Homeland Security and Governmental Affairs of the Senate;

``(D) the Committee on Oversight and Reform of the House of Representatives;

``(E) the Committee on Homeland Security of the House of Representatives;

``(F) the appropriate authorization and appropriations committees of Congress;

``(G) the Director;

``(H) the Director of the Cybersecurity and Infrastructure Security Agency;

``(I) the National Cyber Director;

``(J) the Comptroller General of the United States; and

``(K) the inspector general of any impacted agency.

``(2) Awardee.--The term `awardee'--

``(A) means a person, business, or other entity that receives a grant from, or is a party to a cooperative agreement or an other transaction agreement with, an agency; and

``(B) includes any subgrantee of a person, business, or other entity described in subparagraph (A).

``(3) Breach.--The term `breach' means--

``(A) a compromise of the security, confidentiality, or integrity of data in electronic form that results in unauthorized access to, or an acquisition of, personal information; or

``(B) a loss of data in electronic form that results in unauthorized access to, or an acquisition of, personal information.

``(4) Contractor.--The term `contractor' means--

``(A) a prime contractor of an agency or a subcontractor of a prime contractor of an agency; and

``(B) any person or business that collects or maintains information, including personally identifiable information, on behalf of an agency.

``(5) Federal information.--The term `Federal information' means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government in any medium or form.

``(6) Federal information system.--The term `Federal information system' means an information system used or operated by an agency, a contractor, an awardee, or another organization on behalf of an agency.

``(7) Intelligence community.--The term `intelligence community' has the meaning given the term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).

``(8) Nationwide consumer reporting agency.--The term

`nationwide consumer reporting agency' means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

``(9) Vulnerability disclosure.--The term `vulnerability disclosure' means a vulnerability identified under section 3559B.

``Sec. 3592. Notification of breach

``(a) Notification.--As expeditiously as practicable and without unreasonable delay, and in any case not later than 45 days after an agency has a reasonable basis to conclude that a breach has occurred, the head of the agency, in consultation with a senior privacy officer of the agency, shall--

``(1) determine whether notice to any individual potentially affected by the breach is appropriate based on an assessment of the risk of harm to the individual that considers--

``(A) the nature and sensitivity of the personally identifiable information affected by the breach;

``(B) the likelihood of access to and use of the personally identifiable information affected by the breach;

``(C) the type of breach; and

``(D) any other factors determined by the Director; and

``(2) as appropriate, provide written notice in accordance with subsection (b) to each individual potentially affected by the breach--

``(A) to the last known mailing address of the individual; or

``(B) through an appropriate alternative method of notification that the head of the agency or a designated senior-level individual of the agency selects based on factors determined by the Director.

``(b) Contents of Notice.--Each notice of a breach provided to an individual under subsection (a)(2) shall include--

``(1) a brief description of the rationale for the determination that notice should be provided under subsection

(a);

``(2) if possible, a description of the types of personally identifiable information affected by the breach;

``(3) contact information of the agency that may be used to ask questions of the agency, which--

``(A) shall include an e-mail address or another digital contact mechanism; and

``(B) may include a telephone number or a website;

``(4) information on any remedy being offered by the agency;

``(5) any applicable educational materials relating to what individuals can do in response to a breach that potentially affects their personally identifiable information, including relevant contact information for Federal law enforcement agencies and each nationwide consumer reporting agency; and

``(6) any other appropriate information, as determined by the head of the agency or established in guidance by the Director.

``(c) Delay of Notification.--

``(1) In general.--The Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security may delay a notification required under subsection (a) if the notification would--

``(A) impede a criminal investigation or a national security activity;

``(B) reveal sensitive sources and methods;

``(C) cause damage to national security; or

``(D) hamper security remediation actions.

``(2) Documentation.--

``(A) In general.--Any delay under paragraph (1) shall be reported in writing to the Director, the Attorney General, the Director of National Intelligence, the Secretary of Homeland Security, the Director of the Cybersecurity and Infrastructure Security Agency, and the head of the agency and the inspector general of the agency that experienced the breach.

``(B) Contents.--A report required under subparagraph (A) shall include a written statement from the entity that delayed the notification explaining the need for the delay.

``(C) Form.--The report required under subparagraph (A) shall be unclassified but may include a classified annex.

``(3) Renewal.--A delay under paragraph (1) shall be for a period of 60 days and may be renewed.

``(d) Update Notification.--If an agency determines there is a significant change in the reasonable basis to conclude that a breach occurred, a significant change to the determination made under subsection (a)(1), or that it is necessary to update the details of the information provided to impacted individuals as described in subsection (b), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify each individual who received a notification pursuant to subsection (a) of those changes.

``(e) Exemption From Notification.--

``(1) In general.--The head of an agency, in consultation with the inspector general of the agency, may request an exemption from the Director from complying with the notification requirements under subsection (a) if the information affected by the breach is determined by an independent evaluation to be unreadable, including, as appropriate, instances in which the information is--

``(A) encrypted; and

``(B) determined by the Director of the Cybersecurity and Infrastructure Security Agency to be of sufficiently low risk of exposure.

``(2) Approval.--The Director shall determine whether to grant an exemption requested under paragraph (1) in consultation with--

``(A) the Director of the Cybersecurity and Infrastructure Security Agency; and

``(B) the Attorney General.

``(3) Documentation.--Any exemption granted by the Director under paragraph (1) shall be reported in writing to the head of the agency and the inspector general of the agency that experienced the breach and the Director of the Cybersecurity and Infrastructure Security Agency.

``(f) Rule of Construction.--Nothing in this section shall be construed to limit--

``(1) the Director from issuing guidance relating to notifications or the head of an agency from notifying individuals potentially affected by breaches that are not determined to be major incidents; or

``(2) the Director from issuing guidance relating to notifications of major incidents or the head of an agency from providing more information than described in subsection

(b) when notifying individuals potentially affected by breaches.

``Sec. 3593. Congressional and Executive Branch reports

``(a) Initial Report.--

``(1) In general.--Not later than 72 hours after an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency impacted by the major incident shall submit to the appropriate reporting entities a written report and, to the extent practicable, provide a briefing to the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the appropriate authorization and appropriations committees of Congress, taking into account--

``(A) the information known at the time of the report;

``(B) the sensitivity of the details associated with the major incident; and

``(C) the classification level of the information contained in the report.

``(2) Contents.--A report required under paragraph (1) shall include, in a manner that excludes or otherwise reasonably protects personally identifiable information and to the extent permitted by applicable law, including privacy and statistical laws--

``(A) a summary of the information available about the major incident, including how the major incident occurred, information indicating that the major incident may be a breach, and information relating to the major incident as a breach, based on information available to agency officials as of the date on which the agency submits the report;

``(B) if applicable, a description and any associated documentation of any circumstances necessitating a delay in or exemption to notification to individuals potentially affected by the major incident under subsection (c) or (e) of section 3592; and

``(C) if applicable, an assessment of the impacts to the agency, the Federal Government, or the security of the United States, based on information available to agency officials on the date on which the agency submits the report.

``(b) Supplemental Report.--Within a reasonable amount of time, but not later than 30 days after the date on which an agency submits a written report under subsection (a), the head of the agency shall provide to the appropriate reporting entities written updates on the major incident and, to the extent practicable, provide a briefing to the congressional committees described in subsection (a)(1), including summaries of--

``(1) vulnerabilities, means by which the major incident occurred, and impacts to the agency relating to the major incident;

``(2) any risk assessment and subsequent risk-based security implementation of the affected information system before the date on which the major incident occurred;

``(3) the status of compliance of the affected information system with applicable security requirements at the time of the major incident;

``(4) an estimate of the number of individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update;

``(5) an assessment of the risk of harm to individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update;

``(6) an update to the assessment of the risk to agency operations, or to impacts on other agency or non-Federal entity operations, affected by the major incident based on information available to agency officials as of the date on which the agency provides the update; and

``(7) the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d) and status updates on the notification process described in section 3592(a), including any delay or exemption described in subsection (c) or (e), respectively, of section 3592, if applicable.

``(c) Update Report.--If the agency determines that there is any significant change in the understanding of the agency of the scope, scale, or consequence of a major incident for which an agency submitted a written report under subsection

(a), the agency shall provide an updated report to the appropriate reporting entities that includes information relating to the change in understanding.

``(d) Annual Report.--Each agency shall submit as part of the annual report required under section 3554(c)(1) of this title a description of each major incident that occurred during the 1-year period preceding the date on which the report is submitted.

``(e) Delay and Exemption Report.--

``(1) In general.--The Director shall submit to the appropriate notification entities an annual report on all notification delays and exemptions granted pursuant to subsections (c) and (d) of section 3592.

``(2) Component of other report.--The Director may submit the report required under paragraph (1) as a component of the annual report submitted under section 3597(b).

``(f) Report Delivery.--Any written report required to be submitted under this section may be submitted in a paper or electronic format.

``(g) Threat Briefing.--

``(1) In general.--Not later than 7 days after the date on which an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency, jointly with the National Cyber Director and any other Federal entity determined appropriate by the National Cyber Director, shall provide a briefing to the congressional committees described in subsection (a)(1) on the threat causing the major incident.

``(2) Components.--The briefing required under paragraph

(1)--

``(A) shall, to the greatest extent practicable, include an unclassified component; and

``(B) may include a classified component.

``(h) Rule of Construction.--Nothing in this section shall be construed to limit--

``(1) the ability of an agency to provide additional reports or briefings to Congress; or

``(2) Congress from requesting additional information from agencies through reports, briefings, or other means.

``Sec. 3594. Government information sharing and incident response

``(a) In General.--

``(1) Incident reporting.--The head of each agency shall provide any information relating to any incident, whether the information is obtained by the Federal Government directly or indirectly, to the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget.

``(2) Contents.--A provision of information relating to an incident made by the head of an agency under paragraph (1) shall--

``(A) include detailed information about the safeguards that were in place when the incident occurred;

``(B) whether the agency implemented the safeguards described in subparagraph (A) correctly;

``(C) in order to protect against a similar incident, identify--

``(i) how the safeguards described in subparagraph (A) should be implemented differently; and

``(ii) additional necessary safeguards; and

``(D) include information to aid in incident response, such as--

``(i) a description of the affected systems or networks;

``(ii) the estimated dates of when the incident occurred; and

``(iii) information that could reasonably help identify the party that conducted the incident.

``(3) Information sharing.--To the greatest extent practicable, the Director of the Cybersecurity and Infrastructure Security Agency shall share information relating to an incident with any agencies that may be impacted by the incident.

``(4) National security systems.--Each agency operating or exercising control of a national security system shall share information about incidents that occur on national security systems with the Director of the Cybersecurity and Infrastructure Security Agency to the extent consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President.

``(b) Compliance.--The information provided under subsection (a) shall take into account the level of classification of the information and any information sharing limitations and protections, such as limitations and protections relating to law enforcement, national security, privacy, statistical confidentiality, or other factors determined by the Director

``(c) Incident Response.--Each agency that has a reasonable basis to conclude that a major incident occurred involving Federal information in electronic medium or form, as defined by the Director and not involving a national security system, regardless of delays from notification granted for a major incident, shall coordinate with the Cybersecurity and Infrastructure Security Agency regarding--

``(1) incident response and recovery; and

``(2) recommendations for mitigating future incidents.

``Sec. 3595. Responsibilities of contractors and awardees

``(a) Notification.--

``(1) In general.--Unless otherwise specified in a contract, grant, cooperative agreement, or an other transaction agreement, any contractor or awardee of an agency shall report to the agency within the same amount of time such agency is required to report an incident to the Cybersecurity and Infrastructure Security Agency, if the contractor or awardee has a reasonable basis to conclude that--

``(A) an incident or breach has occurred with respect to Federal information collected, used, or maintained by the contractor or awardee in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee;

``(B) an incident or breach has occurred with respect to a Federal information system used or operated by the contractor or awardee in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee; or

``(C) the contractor or awardee has received information from the agency that the contractor or awardee is not authorized to receive in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee.

``(2) Procedures.--

``(A) Major incident.--Following a report of a breach or major incident by a contractor or awardee under paragraph

(1), the agency, in consultation with the contractor or awardee, shall carry out the requirements under sections 3592, 3593, and 3594 with respect to the major incident.

``(B) Incident.--Following a report of an incident by a contractor or awardee under paragraph (1), an agency, in consultation with the contractor or awardee, shall carry out the requirements under section 3594 with respect to the incident.

``(b) Effective Date.--This section shall apply on and after the date that is 1 year after the date of enactment of the Federal Information Security Modernization Act of 2021.

``Sec. 3596. Training

``(a) Covered Individual Defined.--In this section, the term `covered individual' means an individual who obtains access to Federal information or Federal information systems because of the status of the individual as an employee, contractor, awardee, volunteer, or intern of an agency.

``(b) Requirement.--The head of each agency shall develop training for covered individuals on how to identify and respond to an incident, including--

``(1) the internal process of the agency for reporting an incident; and

``(2) the obligation of a covered individual to report to the agency a confirmed major incident and any suspected incident involving information in any medium or form, including paper, oral, and electronic.

``(c) Inclusion in Annual Training.--The training developed under subsection (b) may be included as part of an annual privacy or security awareness training of an agency.

``Sec. 3597. Analysis and report on Federal incidents

``(a) Analysis of Federal Incidents.--

``(1) Quantitative and qualitative analyses.--The Director of the Cybersecurity and Infrastructure Security Agency shall develop, in consultation with the Director and the National Cyber Director, and perform continuous monitoring and quantitative and qualitative analyses of incidents at agencies, including major incidents, including--

``(A) the causes of incidents, including--

``(i) attacker tactics, techniques, and procedures; and

``(ii) system vulnerabilities, including zero days, unpatched systems, and information system misconfigurations;

``(B) the scope and scale of incidents at agencies;

``(C) cross Federal Government root causes of incidents at agencies;

``(D) agency incident response, recovery, and remediation actions and the effectiveness of those actions, as applicable;

``(E) lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and

``(F) trends in cross-Federal Government cybersecurity and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).

``(2) Automated analysis.--The analyses developed under paragraph (1) shall, to the greatest extent practicable, use machine readable data, automation, and machine learning processes.

``(3) Sharing of data and analysis.--

``(A) In general.--The Director shall share on an ongoing basis the analyses required under this subsection with agencies and the National Cyber Director to--

``(i) improve the understanding of cybersecurity risk of agencies; and

``(ii) support the cybersecurity improvement efforts of agencies.

``(B) Format.--In carrying out subparagraph (A), the Director shall share the analyses--

``(i) in human-readable written products; and

``(ii) to the greatest extent practicable, in machine-readable formats in order to enable automated intake and use by agencies.

``(b) Annual Report on Federal Incidents.--Not later than 2 years after the date of enactment of this section, and not less frequently than annually thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director and other Federal agencies as appropriate, shall submit to the appropriate notification entities a report that includes--

``(1) a summary of causes of incidents from across the Federal Government that categorizes those incidents as incidents or major incidents;

``(2) the quantitative and qualitative analyses of incidents developed under subsection (a)(1) on an agency-by-agency basis and comprehensively across the Federal Government, including--

``(A) a specific analysis of breaches; and

``(B) an analysis of the Federal Government's performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and

``(3) an annex for each agency that includes--

``(A) a description of each major incident;

``(B) the total number of compromises of the agency; and

``(C) an analysis of the agency's performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).

``(c) Publication.--A version of each report submitted under subsection (b) shall be made publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year in which the report is submitted.

``(d) Information Provided by Agencies.--

``(1) In general.--The analysis required under subsection

(a) and each report submitted under subsection (b) shall use information provided by agencies under section 3594(a).

``(2) Noncompliance reports.--

``(A) In general.--Subject to subparagraph (B), during any year during which the head of an agency does not provide data for an incident to the Cybersecurity and Infrastructure Security Agency in accordance with section 3594(a), the head of the agency, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the Director, shall submit to the appropriate reporting entities a report that includes--

``(i) data for the incident; and

``(ii) the information described in subsection (b) with respect to the agency.

``(B) Exception for national security systems.--The head of an agency that owns or exercises control of a national security system shall not include data for an incident that occurs on a national security system in any report submitted under subparagraph (A).

``(3) National security system reports.--

``(A) In general.--Annually, the head of an agency that operates or exercises control of a national security system shall submit a report that includes the information described in subsection (b) with respect to the agency to the extent that the submission is consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President to--

``(i) the majority and minority leaders of the Senate,

``(ii) the Speaker and minority leader of the House of Representatives;

``(iii) the Committee on Homeland Security and Governmental Affairs of the Senate;

``(iv) the Select Committee on Intelligence of the Senate;

``(v) the Committee on Armed Services of the Senate;

``(vi) the Committee on Appropriations of the Senate;

``(vii) the Committee on Oversight and Reform of the House of Representatives;

``(viii) the Committee on Homeland Security of the House of Representatives;

``(ix) the Permanent Select Committee on Intelligence of the House of Representatives;

``(x) the Committee on Armed Services of the House of Representatives; and

``(xi) the Committee on Appropriations of the House of Representatives.

``(B) Classified form.--A report required under subparagraph (A) may be submitted in a classified form.

``(e) Requirement for Compiling Information.--In publishing the public report required under subsection (c), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently compile information such that no specific incident of an agency can be identified, except with the concurrence of the Director of the Office of Management and Budget and in consultation with the impacted agency.

``Sec. 3598. Major incident definition

``(a) In General.--Not later than 180 days after the date of enactment of the Federal Information Security Modernization Act of 2021, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, shall develop and promulgate guidance on the definition of the term `major incident' for the purposes of subchapter II and this subchapter.

``(b) Requirements.--With respect to the guidance issued under subsection (a), the definition of the term `major incident' shall--

``(1) include, with respect to any information collected or maintained by or on behalf of an agency or an information system used or operated by an agency or by a contractor of an agency or another organization on behalf of an agency--

``(A) any incident the head of the agency determines is likely to have an impact on--

``(i) the national security, homeland security, or economic security of the United States; or

``(ii) the civil liberties or public health and safety of the people of the United States;

``(B) any incident the head of the agency determines likely to result in an inability for the agency, a component of the agency, or the Federal Government, to provide 1 or more critical services;

``(C) any incident that the head of an agency, in consultation with a senior privacy officer of the agency, determines is likely to have a significant privacy impact on 1 or more individual;

``(D) any incident that the head of the agency, in consultation with a senior privacy official of the agency, determines is likely to have a substantial privacy impact on a significant number of individuals;

``(E) any incident the head of the agency determines impacts the operations of a high value asset owned or operated by the agency;

``(F) any incident involving the exposure of sensitive agency information to a foreign entity, such as the communications of the head of the agency, the head of a component of the agency, or the direct reports of the head of the agency or the head of a component of the agency; and

``(G) any other type of incident determined appropriate by the Director;

``(2) stipulate that the National Cyber Director shall declare a major incident at each agency impacted by an incident if the Director of the Cybersecurity and Infrastructure Security Agency determines that an incident--

``(A) occurs at not less than 2 agencies; and

``(B) is enabled by--

``(i) a common technical root cause, such as a supply chain compromise, a common software or hardware vulnerability; or

``(ii) the related activities of a common threat actor; and

``(3) stipulate that, in determining whether an incident constitutes a major incident because that incident--

``(A) is any incident described in paragraph (1), the head of an agency shall consult with the Director of the Cybersecurity and Infrastructure Security Agency;

``(B) is an incident described in paragraph (1)(A), the head of the agency shall consult with the National Cyber Director; and

``(C) is an incident described in subparagraph (C) or (D) of paragraph (1), the head of the agency shall consult with--

``(i) the Privacy and Civil Liberties Oversight Board; and

``(ii) the Chair of the Federal Trade Commission.

``(c) Significant Number of Individuals.--In determining what constitutes a significant number of individuals under subsection (b)(1)(D), the Director--

``(1) may determine a threshold for a minimum number of individuals that constitutes a significant amount; and

``(2) may not determine a threshold described in paragraph

(1) that exceeds 5,000 individuals.

``(d) Evaluation and Updates.--Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2021, and not less frequently than every 2 years thereafter, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives an evaluation, which shall include--

``(1) an update, if necessary, to the guidance issued under subsection (a);

``(2) the definition of the term `major incident' included in the guidance issued under subsection (a); and

``(3) an explanation of, and the analysis that led to, the definition described in paragraph (2).''.

(2) Clerical amendment.--The table of sections for chapter 35 of title 44, United States Code, is amended by adding at the end the following:

``subchapter iv--federal system incident response

``3591. Definitions.

``3592. Notification of breach.

``3593. Congressional and Executive Branch reports.

``3594. Government information sharing and incident response.

``3595. Responsibilities of contractors and awardees.

``3596. Training.

``3597. Analysis and report on Federal incidents.

``3598. Major incident definition.''.

SEC. 5122. AMENDMENTS TO SUBTITLE III OF TITLE 40.

(a) Modernizing Government Technology.--Subtitle G of title X of Division A of the National Defense Authorization Act for Fiscal Year 2018 (40 U.S.C. 11301 note) is amended--

(1) in section 1077(b)--

(A) in paragraph (5)(A), by inserting ``improving the cybersecurity of systems and'' before ``cost savings activities''; and

(B) in paragraph (7)--

(i) in the paragraph heading, by striking ``cio'' and inserting ``CIO'';

(ii) by striking ``In evaluating projects'' and inserting the following:

``(A) Consideration of guidance.--In evaluating projects'';

(iii) in subparagraph (A), as so designated, by striking

``under section 1094(b)(1)'' and inserting ``by the Director''; and

(iv) by adding at the end the following:

``(B) Consultation.--In using funds under paragraph (3)(A), the Chief Information Officer of the covered agency shall consult with the necessary stakeholders to ensure the project appropriately addresses cybersecurity risks, including the Director of the Cybersecurity and Infrastructure Security Agency, as appropriate.''; and

(2) in section 1078--

(A) by striking subsection (a) and inserting the following:

``(a) Definitions.--In this section:

``(1) Agency.--The term `agency' has the meaning given the term in section 551 of title 5, United States Code.

``(2) High value asset.--The term `high value asset' has the meaning given the term in section 3552 of title 44, United States Code.'';

(B) in subsection (b), by adding at the end the following:

``(8) Proposal evaluation.--The Director shall--

``(A) give consideration for the use of amounts in the Fund to improve the security of high value assets; and

``(B) require that any proposal for the use of amounts in the Fund includes a cybersecurity plan, including a supply chain risk management plan, to be reviewed by the member of the Technology Modernization Board described in subsection

(c)(5)(C).''; and

(i) in paragraph (2)(A)(i), by inserting ``, including a consideration of the impact on high value assets'' after

``operational risks'';

(ii) in paragraph (5)--

(I) in subparagraph (A), by striking ``and'' at the end;

(II) in subparagraph (B), by striking the period at the end and inserting ``and''; and

(III) by adding at the end the following:

``(C) a senior official from the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, appointed by the Director.''; and

(iii) in paragraph (6)(A), by striking ``shall be--'' and all that follows through ``4 employees'' and inserting

``shall be 4 employees''.

(b) Subchapter I.--Subchapter I of subtitle III of title 40, United States Code, is amended--

(1) in section 11302--

(A) in subsection (b), by striking ``use, security, and disposal of'' and inserting ``use, and disposal of, and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, promote and improve the security of,'';

(B) in subsection (c)--

(i) in paragraph (3)--

(I) in subparagraph (A)--

(aa) by striking ``including data'' and inserting ``which shall--

``(i) include data'';

(bb) in clause (i), as so designated, by striking ``, and performance'' and inserting ``security, and performance; and''; and

(cc) by adding at the end the following:

``(ii) specifically denote cybersecurity funding under the risk-based cyber budget model developed pursuant to section 3553(a)(7) of title 44.''; and

(II) in subparagraph (B), adding at the end the following:

``(iii) The Director shall provide to the National Cyber Director any cybersecurity funding information described in subparagraph (A)(ii) that is provided to the Director under clause (ii) of this subparagraph.''; and

(ii) in paragraph (4)(B), in the matter preceding clause

(i), by inserting ``not later than 30 days after the date on which the review under subparagraph (A) is completed,'' before ``the Administrator'';

(i) by striking ``heads of executive agencies to develop'' and inserting ``heads of executive agencies to--

``(1) develop'';

(ii) in paragraph (1), as so designated, by striking the period at the end and inserting ``; and''; and

(iii) by adding at the end the following:

``(2) consult with the Director of the Cybersecurity and Infrastructure Security Agency for the development and use of supply chain security best practices.''; and

(D) in subsection (h), by inserting ``, including cybersecurity performances,'' after ``the performances''; and

(2) in section 11303(b)--

(A) in paragraph (2)(B)--

(i) in clause (i), by striking ``or'' at the end;

(ii) in clause (ii), by adding ``or'' at the end; and

(iii) by adding at the end the following:

``(iii) whether the function should be performed by a shared service offered by another executive agency;''; and

(B) in paragraph (5)(B)(i), by inserting ``, while taking into account the risk-based cyber budget model developed pursuant to section 3553(a)(7) of title 44'' after ``title 31''.

(1) in section 11312(a), by inserting ``, including security risks'' after ``managing the risks'';

(2) in section 11313(1), by striking ``efficiency and effectiveness'' and inserting ``efficiency, security, and effectiveness'';

(3) in section 11315, by adding at the end the following:

``(d) Component Agency Chief Information Officers.--The Chief Information Officer or an equivalent official of a component agency shall report to--

``(1) the Chief Information Officer designated under section 3506(a)(2) of title 44 or an equivalent official of the agency of which the component agency is a component; and

``(2) the head of the component agency.'';

(4) in section 11317, by inserting ``security,'' before

``or schedule''; and

(5) in section 11319(b)(1), in the paragraph heading, by striking ``CIOS'' and inserting ``Chief information officers''.

(d) Subchapter III.--Section 11331 of title 40, United States Code, is amended--

(1) in subsection (a), by striking ``section 3532(b)(1)'' and inserting ``section 3552(b)'';

(2) in subsection (b)(1)(A), by striking ``the Secretary of Homeland Security'' and inserting ``the Director of the Cybersecurity and Infrastructure Security Agency'';

(3) by striking subsection (c) and inserting the following:

``(c) Application of More Stringent Standards.--

``(1) In general.--The head of an agency shall--

``(A) evaluate, in consultation with the senior agency information security officers, the need to employ standards for cost-effective, risk-based information security for all systems, operations, and assets within or under the supervision of the agency that are more stringent than the standards promulgated by the Director under this section, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and

``(B) to the greatest extent practicable and if the head of the agency determines that the standards described in subparagraph (A) are necessary, employ those standards.

``(2) Evaluation of more stringent standards.--In evaluating the need to employ more stringent standards under paragraph (1), the head of an agency shall consider available risk information, such as--

``(A) the status of cybersecurity remedial actions of the agency;

``(B) any vulnerability information relating to agency systems that is known to the agency;

``(C) incident information of the agency;

``(D) information from--

``(i) penetration testing performed under section 3559A of title 44; and

``(ii) information from the vulnerability disclosure program established under section 3559B of title 44;

``(E) agency threat hunting results under section 5145 of the Federal Information Security Modernization Act of 2021;

``(F) Federal and non-Federal cyber threat intelligence;

``(G) data on compliance with standards issued under this section;

``(H) agency system risk assessments performed under section 3554(a)(1)(A) of title 44; and

``(I) any other information determined relevant by the head of the agency.'';

(4) in subsection (d)(2)--

(A) in the paragraph heading, by striking ``Notice and comment'' and inserting ``Consultation, notice, and comment'';

(B) by inserting ``promulgate,'' before ``significantly modify''; and

(C) by striking ``shall be made after the public is given an opportunity to comment on the Director's proposed decision.'' and inserting ``shall be made--

``(A) for a decision to significantly modify or not promulgate such a proposed standard, after the public is given an opportunity to comment on the Director's proposed decision;

``(B) in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency;

``(C) considering the Federal risk assessments performed under section 3553(i) of title 44; and

``(D) considering the extent to which the proposed standard reduces risk relative to the cost of implementation of the standard.''; and

(5) by adding at the end the following:

``(e) Review of Office of Management and Budget Guidance and Policy.--

``(1) Conduct of review.--

``(A) In general.--Not less frequently than once every 3 years, the Director of the Office of Management and Budget, in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency shall review the efficacy of the guidance and policy promulgated by the Director in reducing cybersecurity risks, including an assessment of the requirements for agencies to report information to the Director, and determine whether any changes to that guidance or policy is appropriate.

``(B) Federal risk assessments.--In conducting the review described in subparagraph (A), the Director shall consider the Federal risk assessments performed under section 3553(i) of title 44.

``(2) Updated guidance.--Not later than 90 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall issue updated guidance or policy to agencies determined appropriate by the Director, based on the results of the review.

``(3) Public report.--Not later than 30 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall make publicly available a report that includes--

``(A) an overview of the guidance and policy promulgated under this section that is currently in effect;

``(B) the cybersecurity risk mitigation, or other cybersecurity benefit, offered by each guidance or policy document described in subparagraph (A); and

``(C) a summary of the guidance or policy to which changes were determined appropriate during the review and what the changes are anticipated to include.

``(4) Congressional briefing.--Not later than 30 days after the date on which a review is completed under paragraph (1), the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the review.

``(f) Automated Standard Implementation Verification.--When the Director of the National Institute of Standards and Technology issues a proposed standard pursuant to paragraphs

(2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, specifications to enable the automated verification of the implementation of the controls within the standard.''.

SEC. 5123. ACTIONS TO ENHANCE FEDERAL INCIDENT RESPONSE.

(a) Responsibilities of the Cybersecurity and Infrastructure Security Agency.--

(1) In general.--Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall--

(A) develop a plan for the development of the analysis required under section 3597(a) of title 44, United States Code, as added by this division, and the report required under subsection (b) of that section that includes--

(i) a description of any challenges the Director anticipates encountering; and

(ii) the use of automation and machine-readable formats for collecting, compiling, monitoring, and analyzing data; and

(B) provide to the appropriate congressional committees a briefing on the plan developed under subparagraph (A).

(2) Briefing.--Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the appropriate congressional committees a briefing on--

(A) the execution of the plan required under paragraph

(1)(A); and

(B) the development of the report required under section 3597(b) of title 44, United States Code, as added by this division.

(b) Responsibilities of the Director of the Office of Management and Budget.--

(1) FISMA.--Section 2 of the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3554 note) is amended--

(A) by striking subsection (b); and

(B) by redesignating subsections (c) through (f) as subsections (b) through (e), respectively.

(2) Incident data sharing.--

(A) In general.--The Director shall develop guidance, to be updated not less frequently than once every 2 years, on the content, timeliness, and format of the information provided by agencies under section 3594(a) of title 44, United States Code, as added by this division.

(B) Requirements.--The guidance developed under subparagraph (A) shall--

(i) prioritize the availability of data necessary to understand and analyze--

(I) the causes of incidents;

(II) the scope and scale of incidents within the environments and systems of an agency;

(III) a root cause analysis of incidents that--

(aa) are common across the Federal Government; or

(bb) have a Government-wide impact;

(IV) agency response, recovery, and remediation actions and the effectiveness of those actions; and

(V) the impact of incidents;

(ii) enable the efficient development of--

(I) lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and

(II) the report on Federal incidents required under section 3597(b) of title 44, United States Code, as added by this division;

(iii) include requirements for the timeliness of data production; and

(iv) include requirements for using automation and machine-readable data for data sharing and availability.

(3) Guidance on responding to information requests.--Not later than 1 year after the date of enactment of this Act, the Director shall develop guidance for agencies to implement the requirement under section 3594(c) of title 44, United States Code, as added by this division, to provide information to other agencies experiencing incidents.

(4) Standard guidance and templates.--Not later than 1 year after the date of enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop guidance and templates, to be reviewed and, if necessary, updated not less frequently than once every 2 years, for use by Federal agencies in the activities required under sections 3592, 3593, and 3596 of title 44, United States Code, as added by this division.

(5) Contractor and awardee guidance.--

(A) In general.--Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Administrator of General Services, and the heads of other agencies determined appropriate by the Director, shall issue guidance to Federal agencies on how to deconflict, to the greatest extent practicable, existing regulations, policies, and procedures relating to the responsibilities of contractors and awardees established under section 3595 of title 44, United States Code, as added by this division.

(B) Existing processes.--To the greatest extent practicable, the guidance issued under subparagraph (A) shall allow contractors and awardees to use existing processes for notifying Federal agencies of incidents involving information of the Federal Government.

(6) Updated briefings.--Not less frequently than once every 2 years, the Director shall provide to the appropriate congressional committees an update on the guidance and templates developed under paragraphs (2) through (4).

(c) Update to the Privacy Act of 1974.--Section 552a(b) of title 5, United States Code (commonly known as the ``Privacy Act of 1974'') is amended--

(1) in paragraph (11), by striking ``or'' at the end;

(2) in paragraph (12), by striking the period at the end and inserting ``; or''; and

(3) by adding at the end the following:

``(13) to another agency in furtherance of a response to an incident (as defined in section 3552 of title 44) and pursuant to the information sharing requirements in section 3594 of title 44 if the head of the requesting agency has made a written request to the agency that maintains the record specifying the particular portion desired and the activity for which the record is sought.''.

SEC. 5124. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.

Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance for agencies on--

(1) performing the ongoing and continuous agency system risk assessment required under section 3554(a)(1)(A) of title 44, United States Code, as amended by this division;

(2) implementing additional cybersecurity procedures, which shall include resources for shared services;

(3) establishing a process for providing the status of each remedial action under section 3554(b)(7) of title 44, United States Code, as amended by this division, to the Director and the Cybersecurity and Infrastructure Security Agency using automation and machine-readable data, as practicable, which shall include--

(A) specific guidance for the use of automation and machine-readable data; and

(B) templates for providing the status of the remedial action;

(4) interpreting the definition of ``high value asset'' under section 3552 of title 44, United States Code, as amended by this division; and

(5) a requirement to coordinate with inspectors general of agencies to ensure consistent understanding and application of agency policies for the purpose of evaluations by inspectors general.

SEC. 5125. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR

ENTITIES IMPACTED BY INCIDENTS.

(a) Definitions.--In this section:

(1) Reporting entity.--The term ``reporting entity'' means private organization or governmental unit that is required by statute or regulation to submit sensitive information to an agency.

(2) Sensitive information.--The term ``sensitive information'' has the meaning given the term by the Director in guidance issued under subsection (b).

(b) Guidance on Notification of Reporting Entities.--Not later than 180 days after the date of enactment of this Act, the Director shall issue guidance requiring the head of each agency to notify a reporting entity of an incident that is likely to substantially affect--

(1) the confidentiality or integrity of sensitive information submitted by the reporting entity to the agency pursuant to a statutory or regulatory requirement; or

(2) the agency information system or systems used in the transmission or storage of the sensitive information described in paragraph (1).

TITLE LII--IMPROVING FEDERAL CYBERSECURITY

SEC. 5141. MOBILE SECURITY STANDARDS.

(a) In General.--Not later than 1 year after the date of enactment of this Act, the Director shall--

(1) evaluate mobile application security guidance promulgated by the Director; and

(2) issue guidance to secure mobile devices, including for mobile applications, for every agency.

(b) Contents.--The guidance issued under subsection (a)(2) shall include--

(1) a requirement, pursuant to section 3506(b)(4) of title 44, United States Code, for every agency to maintain a continuous inventory of every--

(A) mobile device operated by or on behalf of the agency; and

(B) vulnerability identified by the agency associated with a mobile device; and

(2) a requirement for every agency to perform continuous evaluation of the vulnerabilities described in paragraph

(1)(B) and other risks associated with the use of applications on mobile devices.

(c) Information Sharing.--The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies for sharing the inventory of the agency required under subsection (b)(1) with the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable.

(d) Briefing.--Not later than 60 days after the date on which the Director issues guidance under subsection (a)(2), the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall provide to the appropriate congressional committees a briefing on the guidance.

SEC. 5142. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.

(a) Recommendations.--Not later than 2 years after the date of enactment of this Act, and not less frequently than every 2 years thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Attorney General, shall submit to the Director recommendations on requirements for logging events on agency systems and retaining other relevant data within the systems and networks of an agency.

(b) Contents.--The recommendations provided under subsection (a) shall include--

(1) the types of logs to be maintained;

(2) the time periods to retain the logs and other relevant data;

(3) the time periods for agencies to enable recommended logging and security requirements;

(4) how to ensure the confidentiality, integrity, and availability of logs;

(5) requirements to ensure that, upon request, in a manner that excludes or otherwise reasonably protects personally identifiable information, and to the extent permitted by applicable law (including privacy and statistical laws), agencies provide logs to--

(A) the Director of the Cybersecurity and Infrastructure Security Agency for a cybersecurity purpose; and

(B) the Federal Bureau of Investigation to investigate potential criminal activity; and

(6) requirements to ensure that, subject to compliance with statistical laws and other relevant data protection requirements, the highest level security operations center of each agency has visibility into all agency logs.

(c) Guidance.--Not later than 90 days after receiving the recommendations submitted under subsection (a), the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Attorney General, shall, as determined to be appropriate by the Director, update guidance to agencies regarding requirements for logging, log retention, log management, sharing of log data with other appropriate agencies, or any other logging activity determined to be appropriate by the Director.

SEC. 5143. CISA AGENCY ADVISORS.

(a) In General.--Not later than 120 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall assign not less than 1 cybersecurity professional employed by the Cybersecurity and Infrastructure Security Agency to be the Cybersecurity and Infrastructure Security Agency advisor to the senior agency information security officer of each agency.

(b) Qualifications.--Each advisor assigned under subsection

(a) shall have knowledge of--

(1) cybersecurity threats facing agencies, including any specific threats to the assigned agency;

(2) performing risk assessments of agency systems; and

(3) other Federal cybersecurity initiatives.

(1) providing ongoing assistance and advice, as requested, to the agency Chief Information Officer;

(2) serving as an incident response point of contact between the assigned agency and the Cybersecurity and Infrastructure Security Agency; and

(3) familiarizing themselves with agency systems, processes, and procedures to better facilitate support to the agency in responding to incidents.

(d) Limitation.--An advisor assigned under subsection (a) shall not be a contractor.

(e) Multiple Assignments.--One individual advisor may be assigned to multiple agency Chief Information Officers under subsection (a).

SEC. 5144. FEDERAL PENETRATION TESTING POLICY.

(a) In General.--Subchapter II of chapter 35 of title 44, United States Code, is amended by adding at the end the following:

``Sec. 3559A. Federal penetration testing

``(a) Definitions.--In this section:

``(1) Agency operational plan.--The term `agency operational plan' means a plan of an agency for the use of penetration testing.

``(2) Rules of engagement.--The term `rules of engagement' means a set of rules established by an agency for the use of penetration testing.

``(b) Guidance.--

``(1) In general.--The Director shall issue guidance that--

``(A) requires agencies to use, when and where appropriate, penetration testing on agency systems; and

``(B) requires agencies to develop an agency operational plan and rules of engagement that meet the requirements under subsection (c).

``(2) Penetration testing guidance.--The guidance issued under this section shall--

``(A) permit an agency to use, for the purpose of performing penetration testing--

``(i) a shared service of the agency or another agency; or

``(ii) an external entity, such as a vendor; and

``(B) require agencies to provide the rules of engagement and results of penetration testing to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, without regard to the status of the entity that performs the penetration testing.

``(c) Agency Plans and Rules of Engagement.--The agency operational plan and rules of engagement of an agency shall--

``(1) require the agency to--

``(A) perform penetration testing on the high value assets of the agency; or

``(B) coordinate with the Director of the Cybersecurity and Infrastructure Security Agency to ensure that penetration testing is being performed;

``(2) establish guidelines for avoiding, as a result of penetration testing--

``(A) adverse impacts to the operations of the agency;

``(B) adverse impacts to operational environments and systems of the agency; and

``(C) inappropriate access to data;

``(3) require the results of penetration testing to include feedback to improve the cybersecurity of the agency; and

``(4) include mechanisms for providing consistently formatted, and, if applicable, automated and machine-readable, data to the Director and the Director of the Cybersecurity and Infrastructure Security Agency.

``(d) Responsibilities of CISA.--The Director of the Cybersecurity and Infrastructure Security Agency shall--

``(1) establish a process to assess the performance of penetration testing by both Federal and non-Federal entities that establishes minimum quality controls for penetration testing;

``(2) develop operational guidance for instituting penetration testing programs at agencies;

``(3) develop and maintain a centralized capability to offer penetration testing as a service to Federal and non-Federal entities; and

``(4) provide guidance to agencies on the best use of penetration testing resources.

``(e) Responsibilities of OMB.--The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall--

``(1) not less frequently than annually, inventory all Federal penetration testing assets; and

``(2) develop and maintain a standardized process for the use of penetration testing.

``(f) Prioritization of Penetration Testing Resources.--

``(1) In general.--The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop a framework for prioritizing Federal penetration testing resources among agencies.

``(2) Considerations.--In developing the framework under this subsection, the Director shall consider--

``(A) agency system risk assessments performed under section 3554(a)(1)(A);

``(B) the Federal risk assessment performed under section 3553(i);

``(C) the analysis of Federal incident data performed under section 3597; and

``(D) any other information determined appropriate by the Director or the Director of the Cybersecurity and Infrastructure Security Agency.

``(g) Exception for National Security Systems.--The guidance issued under subsection (b) shall not apply to national security systems.

``(h) Delegation of Authority for Certain Systems.--The authorities of the Director described in subsection (b) shall be delegated--

``(1) to the Secretary of Defense in the case of systems described in section 3553(e)(2); and

``(2) to the Director of National Intelligence in the case of systems described in 3553(e)(3).''.

(b) Deadline for Guidance.--Not later than 180 days after the date of enactment of this Act, the Director shall issue the guidance required under section 3559A(b) of title 44, United States Code, as added by subsection (a).

(c) Clerical Amendment.--The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559 the following:

``3559A. Federal penetration testing.''.

(d) Penetration Testing by the Secretary of Homeland Security.--Section 3553(b) of title 44, United States Code, as amended by section 5121, is further amended--

(1) in paragraph (8)(B), by striking ``and'' at the end;

(2) by redesignating paragraph (9) as paragraph (10); and

(3) by inserting after paragraph (8) the following:

``(9) performing penetration testing with or without advance notice to, or authorization from, agencies, to identify vulnerabilities within Federal information systems; and''.

SEC. 5145. ONGOING THREAT HUNTING PROGRAM.

(a) Threat Hunting Program.--

(1) In general.--Not later than 540 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall establish a program to provide ongoing, hypothesis-driven threat-hunting services on the network of each agency.

(2) Plan.--Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall develop a plan to establish the program required under paragraph (1) that describes how the Director of the Cybersecurity and Infrastructure Security Agency plans to--

(A) determine the method for collecting, storing, accessing, and analyzing appropriate agency data;

(B) provide on-premises support to agencies;

(D) allocate available human and financial resources to implement the plan; and

(E) provide input to the heads of agencies on the use of--

(i) more stringent standards under section 11331(c)(1) of title 40, United States Code; and

(ii) additional cybersecurity procedures under section 3554 of title 44, United States Code.

(b) Reports.--The Director of the Cybersecurity and Infrastructure Security Agency shall submit to the appropriate congressional committees--

(1) not later than 30 days after the date on which the Director of the Cybersecurity and Infrastructure Security Agency completes the plan required under subsection (a)(2), a report on the plan to provide threat hunting services to agencies;

(2) not less than 30 days before the date on which the Director of the Cybersecurity and Infrastructure Security Agency begins providing threat hunting services under the program under subsection (a)(1), a report providing any updates to the plan developed under subsection (a)(2); and

(3) not later than 1 year after the date on which the Director of the Cybersecurity and Infrastructure Security Agency begins providing threat hunting services to agencies other than the Cybersecurity and Infrastructure Security Agency, a report describing lessons learned from providing those services.

SEC. 5146. CODIFYING VULNERABILITY DISCLOSURE PROGRAMS.

(a) In General.--Chapter 35 of title 44, United States Code, is amended by inserting after section 3559A, as added by section 5144 of this division, the following:

``Sec. 3559B. Federal vulnerability disclosure programs

``(a) Definitions.--In this section:

``(1) Report.--The term `report' means a vulnerability disclosure made to an agency by a reporter.

``(2) Reporter.--The term `reporter' means an individual that submits a vulnerability report pursuant to the vulnerability disclosure process of an agency.

``(b) Responsibilities of OMB.--

``(1) Limitation on legal action.--The Director, in consultation with the Attorney General, shall issue guidance to agencies to not recommend or pursue legal action against a reporter or an individual that conducts a security research activity that the head of the agency determines--

``(A) represents a good faith effort to follow the vulnerability disclosure policy of the agency developed under subsection (d)(2); and

``(B) is authorized under the vulnerability disclosure policy of the agency developed under subsection (d)(2).

``(2) Sharing information with cisa.--The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and in consultation with the National Cyber Director, shall issue guidance to agencies on sharing relevant information in a consistent, automated, and machine readable manner with the Cybersecurity and Infrastructure Security Agency, including--

``(A) any valid or credible reports of newly discovered or not publicly known vulnerabilities (including misconfigurations) on Federal information systems that use commercial software or services;

``(B) information relating to vulnerability disclosure, coordination, or remediation activities of an agency, particularly as those activities relate to outside organizations--

``(i) with which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security Agency can assist; or

``(ii) about which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security Agency should know; and

``(C) any other information with respect to which the head of the agency determines helpful or necessary to involve the Cybersecurity and Infrastructure Security Agency.

``(3) Agency vulnerability disclosure policies.--The Director shall issue guidance to agencies on the required minimum scope of agency systems covered by the vulnerability disclosure policy of an agency required under subsection

(d)(2).

``(c) Responsibilities of CISA.--The Director of the Cybersecurity and Infrastructure Security Agency shall--

``(1) provide support to agencies with respect to the implementation of the requirements of this section;

``(2) develop tools, processes, and other mechanisms determined appropriate to offer agencies capabilities to implement the requirements of this section; and

``(3) upon a request by an agency, assist the agency in the disclosure to vendors of newly identified vulnerabilities in vendor products and services.

``(d) Responsibilities of Agencies.--

``(1) Public information.--The head of each agency shall make publicly available, with respect to each internet domain under the control of the agency that is not a national security system--

``(A) an appropriate security contact; and

``(B) the component of the agency that is responsible for the internet accessible services offered at the domain.

``(2) Vulnerability disclosure policy.--The head of each agency shall develop and make publicly available a vulnerability disclosure policy for the agency, which shall--

``(A) describe--

``(i) the scope of the systems of the agency included in the vulnerability disclosure policy;

``(ii) the type of information system testing that is authorized by the agency;

``(iii) the type of information system testing that is not authorized by the agency; and

``(iv) the disclosure policy of the agency for sensitive information;

``(B) with respect to a report to an agency, describe--

``(i) how the reporter should submit the report; and

``(ii) if the report is not anonymous, when the reporter should anticipate an acknowledgment of receipt of the report by the agency;

``(C) include any other relevant information; and

``(D) be mature in scope, to cover all Federal information systems used or operated by that agency or on behalf of that agency.

``(3) Identified vulnerabilities.--The head of each agency shall incorporate any vulnerabilities reported under paragraph (2) into the vulnerability management process of the agency in order to track and remediate the vulnerability.

``(e) Paperwork Reduction Act Exemption.--The requirements of subchapter I (commonly known as the `Paperwork Reduction Act') shall not apply to a vulnerability disclosure program established under this section.

``(f) Congressional Reporting.--Not later than 90 days after the date of enactment of the Federal Information Security Modernization Act of 2021, and annually thereafter for a 3-year period, the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the status of the use of vulnerability disclosure policies under this section at agencies, including, with respect to the guidance issued under subsection (b)(3), an identification of the agencies that are compliant and not compliant.

``(g) Exemptions.--The authorities and functions of the Director and Director of the Cybersecurity and Infrastructure Security Agency under this section shall not apply to national security systems.

``(h) Delegation of Authority for Certain Systems.--The authorities of the Director and the Director of the Cybersecurity and Infrastructure Security Agency described in this section shall be delegated--

``(1) to the Secretary of Defense in the case of systems described in section 3553(e)(2); and

``(2) to the Director of National Intelligence in the case of systems described in section 3553(e)(3).''.

(b) Clerical Amendment.--The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559A, as added by section 204, the following:

``3559B. Federal vulnerability disclosure programs.''.

SEC. 5147. IMPLEMENTING PRESUMPTION OF COMPROMISE AND LEAST

PRIVILEGE PRINCIPLES.

(a) Guidance.--Not later than 1 year after the date of enactment of this Act, the Director shall provide an update to the appropriate congressional committees on progress in increasing the internal defenses of agency systems, including--

(1) shifting away from ``trusted networks'' to implement security controls based on a presumption of compromise;

(2) implementing principles of least privilege in administering information security programs;

(3) limiting the ability of entities that cause incidents to move laterally through or between agency systems;

(4) identifying incidents quickly;

(5) isolating and removing unauthorized entities from agency systems quickly;

(6) otherwise increasing the resource costs for entities that cause incidents to be successful; and

(7) a summary of the agency progress reports required under subsection (b).

(b) Agency Progress Reports.--Not later than 1 year after the date of enactment of this Act, the head of each agency shall submit to the Director a progress report on implementing an information security program based on the presumption of compromise and least privilege principles, which shall include--

(1) a description of any steps the agency has completed, including progress toward achieving requirements issued by the Director;

(2) an identification of activities that have not yet been completed and that would have the most immediate security impact; and

(3) a schedule to implement any planned activities.

SEC. 5148. AUTOMATION REPORTS.

(a) OMB Report.--Not later than 180 days after the date of enactment of this Act, the Director shall submit to the appropriate congressional committees a report on the use of automation under paragraphs (1), (5)(C) and (8)(B) of section 3554(b) of title 44, United States Code.

(b) GAO Report.--Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall perform a study on the use of automation and machine readable data across the Federal Government for cybersecurity purposes, including the automated updating of cybersecurity tools, sensors, or processes by agencies.

SEC. 5149. EXTENSION OF FEDERAL ACQUISITION SECURITY COUNCIL.

Section 1328 of title 41, United States Code, is amended by striking ``the date that'' and all that follows and inserting

``December 31, 2026.''.

SEC. 5150. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND

EFFICIENCY DASHBOARD.

(a) Dashboard Required.--Section 11(e)(2) of the Inspector General Act of 1978 (5 U.S.C. App.) is amended--

(1) in subparagraph (A), by striking ``and'' at the end;

(2) by redesignating subparagraph (B) as subparagraph (C); and

(3) by inserting after subparagraph (A) the following:

``(B) that shall include a dashboard of open information security recommendations identified in the independent evaluations required by section 3555(a) of title 44, United States Code; and''.

SEC. 5151. QUANTITATIVE CYBERSECURITY METRICS.

(a) Definition of Covered Metrics.--In this section, the term ``covered metrics'' means the metrics established, reviewed, and updated under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).

(b) Updating and Establishing Metrics.--Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall--

(1) evaluate any covered metrics established as of the date of enactment of this Act; and

(2) as appropriate and pursuant to section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c))--

(A) update the covered metrics; and

(B) establish new covered metrics.

(1) In general.--Not later than 540 days after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall promulgate guidance that requires each agency to use covered metrics to track trends in the cybersecurity and incident response capabilities of the agency.

(2) Performance demonstration.--The guidance issued under paragraph (1) and any subsequent guidance shall require agencies to share with the Director of the Cybersecurity and Infrastructure Security Agency data demonstrating the performance of the agency using the covered metrics included in the guidance.

(3) Penetration tests.--On not less than 2 occasions during the 2-year period following the date on which guidance is promulgated under paragraph (1), the Director shall ensure that not less than 3 agencies are subjected to substantially similar penetration tests, as determined by the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, in order to validate the utility of the covered metrics.

(4) Analysis capacity.--The Director of the Cybersecurity and Infrastructure Security Agency shall develop a capability that allows for the analysis of the covered metrics, including cross-agency performance of agency cybersecurity and incident response capability trends.

(d) Congressional Reports.--

(1) Utility of metrics.--Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the appropriate congressional committees a report on the utility of the covered metrics.

(2) Use of metrics.--Not later than 180 days after the date on which the Director promulgates guidance under subsection

(c)(1), the Director shall submit to the appropriate congressional committees a report on the results of the use of the covered metrics by agencies.

(e) Cybersecurity Act of 2015 Updates.--Section 224 of the Cybersecurity Act of 2015 (6 U.S.C. 1522) is amended--

(1) by striking subsection (c) and inserting the following:

``(c) Improved Metrics.--

``(1) In general.--The Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall establish, review, and update metrics to measure the cybersecurity and incident response capabilities of agencies in accordance with the responsibilities of agencies under section 3554 of title 44, United States Code.

``(2) Qualities.--With respect to the metrics established, reviewed, and updated under paragraph (1)--

``(A) not less than 2 of the metrics shall be time-based, such as a metric of--

``(i) the amount of time it takes for an agency to detect an incident; and

``(ii) the amount of time that passes between--

``(I) the detection of an incident and the remediation of the incident; and

``(II) the remediation of an incident and the recovery from the incident; and

``(B) the metrics may include other measurable outcomes.'';

(2) by striking subsection (e); and

(3) by redesignating subsection (f) as subsection (e).

TITLE LIII--RISK-BASED BUDGET MODEL

SEC. 5161. DEFINITIONS.

In this title:

(1) Appropriate congressional committees.--The term

``appropriate congressional committees'' means--

(A) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate; and

(B) the Committee on Homeland Security and the Committee on Appropriations of the House of Representatives.

(2) Covered agency.--The term ``covered agency'' has the meaning given the term ``executive agency'' in section 133 of title 41, United States Code.

(3) Director.--The term ``Director'' means the Director of the Office of Management and Budget.

(4) Information technology.--The term ``information technology''--

(A) has the meaning given the term in section 11101 of title 40, United States Code; and

(B) includes the hardware and software systems of a Federal agency that monitor and control physical equipment and processes of the Federal agency.

(5) Risk-based budget.--The term ``risk-based budget'' means a budget--

(A) developed by identifying and prioritizing cybersecurity risks and vulnerabilities, including impact on agency operations in the case of a cyber attack, through analysis of cyber threat intelligence, incident data, and tactics, techniques, procedures, and capabilities of cyber threats; and

(B) that allocates resources based on the risks identified and prioritized under subparagraph (A).

SEC. 5162. ESTABLISHMENT OF RISK-BASED BUDGET MODEL.

(a) In General.--

(1) Model.--Not later than 1 year after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director and in coordination with the Director of the National Institute of Standards and Technology, shall develop a standard model for creating a risk-based budget for cybersecurity spending.

(2) Responsibility of director.--Section 3553(a) of title 44, United States Code, as amended by section 5121 of this division, is further amended by inserting after paragraph (6) the following:

``(7) developing a standard risk-based budget model to inform Federal agency cybersecurity budget development; and''.

(3) Contents of model.--The model required to be developed under paragraph (1) shall--

(A) consider Federal and non-Federal cyber threat intelligence products, where available, to identify threats, vulnerabilities, and risks;

(B) consider the impact of agency operations of compromise of systems, including the interconnectivity to other agency systems and the operations of other agencies;

(C) indicate where resources should be allocated to have the greatest impact on mitigating current and future threats and current and future cybersecurity capabilities;

(D) be used to inform acquisition and sustainment of--

(i) information technology and cybersecurity tools;

(ii) information technology and cybersecurity architectures;

(iii) information technology and cybersecurity personnel; and

(iv) cybersecurity and information technology concepts of operations; and

(E) be used to evaluate and inform Government-wide cybersecurity programs of the Department of Homeland Security.

(4) Required updates.--Not less frequently than once every 3 years, the Director shall review, and update as necessary, the model required to be developed under this subsection.

(5) Publication.--The Director shall publish the model required to be developed under this subsection, and any updates necessary under paragraph (4), on the public website of the Office of Management and Budget.

(6) Reports.--Not later than 1 year after the date of enactment of this Act, and annually thereafter for each of the 2 following fiscal years or until the date on which the model required to be developed under this subsection is completed, whichever is sooner, the Director shall submit a report to Congress on the development of the model.

(b) Required Use of Risk-based Budget Model.--

(1) In general.--Not later than 2 years after the date on which the model developed under subsection (a) is published, the head of each covered agency shall use the model to develop the annual cybersecurity and information technology budget requests of the agency.

(2) Agency performance plans.--Section 3554(d)(2) of title 44, United States Code, is amended by inserting ``and the risk-based budget model required under section 3553(a)(7)'' after ``paragraph (1)''.

(1) In general.--Section 1105(a)(35)(A)(i) of title 31, United States Code, is amended--

(A) in the matter preceding subclause (I), by striking ``by agency, and by initiative area (as determined by the administration)'' and inserting ``and by agency'';

(B) in subclause (III), by striking ``and'' at the end; and

``(V) a validation that the budgets submitted were developed using a risk-based methodology; and

``(VI) a report on the progress of each agency on closing recommendations identified under the independent evaluation required by section 3555(a)(1) of title 44.''.

(2) Effective date.--The amendments made by paragraph (1) shall take effect on the date that is 2 years after the date on which the model developed under subsection (a) is published.

(d) Reports.--

(1) Independent evaluation.--Section 3555(a)(2) of title 44, United States Code, is amended--

(A) in subparagraph (B), by striking ``and'' at the end;

(B) in subparagraph (C), by striking the period at the end and inserting ``; and''; and

``(D) an assessment of how the agency implemented the risk-based budget model required under section 3553(a)(7) and an evaluation of whether the model mitigates agency cyber vulnerabilities.''.

(2) Assessment.--Section 3553(c) of title 44, United States Code, as amended by section 5121, is further amended by inserting after paragraph (5) the following:

``(6) an assessment of--

``(A) Federal agency implementation of the model required under subsection (a)(7);

``(B) how cyber vulnerabilities of Federal agencies changed from the previous year; and

``(C) whether the model mitigates the cyber vulnerabilities of the Federal Government.''.

(e) GAO Report.--Not later than 3 years after the date on which the first budget of the President is submitted to Congress containing the validation required under section 1105(a)(35)(A)(i)(V) of title 31, United States Code, as amended by subsection (c), the Comptroller General of the United States shall submit to the appropriate congressional committees a report that includes--

(1) an evaluation of the success of covered agencies in developing risk-based budgets;

(2) an evaluation of the success of covered agencies in implementing risk-based budgets;

(3) an evaluation of whether the risk-based budgets developed by covered agencies mitigate cyber vulnerability, including the extent to which the risk-based budgets inform Federal Government-wide cybersecurity programs; and

(4) any other information relating to risk-based budgets the Comptroller General determines appropriate.

TITLE LIV--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY

SEC. 5181. ACTIVE CYBER DEFENSIVE STUDY.

(a) Definition.--In this section, the term ``active defense technique''--

(1) means an action taken on the systems of an entity to increase the security of information on the network of an agency by misleading an adversary; and

(2) includes a honeypot, deception, or purposefully feeding false or misleading data to an adversary when the adversary is on the systems of the entity.

(b) Study.--Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall perform a study on the use of active defense techniques to enhance the security of agencies, which shall include--

(1) a review of legal restrictions on the use of different active cyber defense techniques in Federal environments, in consultation with the Department of Justice;

(2) an evaluation of--

(A) the efficacy of a selection of active defense techniques determined by the Director of the Cybersecurity and Infrastructure Security Agency; and

(B) factors that impact the efficacy of the active defense techniques evaluated under subparagraph (A);

(3) recommendations on safeguards and procedures that shall be established to require that active defense techniques are adequately coordinated to ensure that active defense techniques do not impede threat response efforts, criminal investigations, and national security activities, including intelligence collection; and

(4) the development of a framework for the use of different active defense techniques by agencies.

SEC. 5182. SECURITY OPERATIONS CENTER AS A SERVICE PILOT.

(a) Purpose.--The purpose of this section is for the Cybersecurity and Infrastructure Security Agency to run a security operation center on behalf of another agency, alleviating the need to duplicate this function at every agency, and empowering a greater centralized cybersecurity capability.

(b) Plan.--Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall develop a plan to establish a centralized Federal security operations center shared service offering within the Cybersecurity and Infrastructure Security Agency.

(1) collecting, organizing, and analyzing agency information system data in real time;

(2) staffing and resources; and

(3) appropriate interagency agreements, concepts of operations, and governance plans.

(d) Pilot Program.--

(1) In general.--Not later than 180 days after the date on which the plan required under subsection (b) is developed, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall enter into a 1-year agreement with not less than 2 agencies to offer a security operations center as a shared service.

(2) Additional agreements.--After the date on which the briefing required under subsection (e)(1) is provided, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, may enter into additional 1-year agreements described in paragraph (1) with agencies.

(e) Briefing and Report.--

(1) Briefing.--Not later than 260 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Oversight and Reform of the House of Representatives a briefing on the parameters of any 1-year agreements entered into under subsection (d)(1).

(2) Report.--Not later than 90 days after the date on which the first 1-year agreement entered into under subsection (d) expires, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Oversight and Reform of the House of Representatives a report on--

(A) the agreement; and

(B) any additional agreements entered into with agencies under subsection (d).

DIVISION F--CYBER INCIDENT REPORTING ACT OF 2021 AND CISA TECHNICAL

CORRECTIONS AND IMPROVEMENTS ACT OF 2021

TITLE LXI--CYBER INCIDENT REPORTING ACT OF 2021

SEC. 6101. SHORT TITLE.

This title may be cited as the ``Cyber Incident Reporting Act of 2021''.

SEC. 6102. DEFINITIONS.

In this title:

(1) Covered cyber incident; covered entity; cyber incident.--The terms ``covered cyber incident'', ``covered entity'', and ``cyber incident'' have the meanings given those terms in section 2230 of the Homeland Security Act of 2002, as added by section 6103 of this title.

(2) Director.--The term ``Director'' means the Director of the Cybersecurity and Infrastructure Security Agency.

(3) Information system; ransom payment; ransomware attack; security vulnerability.--The terms ``information system'',

``ransom payment'', ``ransomware attack'', and ``security vulnerability'' have the meanings given those terms in section 2200 of the Homeland Security Act of 2002, as added by section 6203 of this division.

SEC. 6103. CYBER INCIDENT REPORTING.

(a) Cyber Incident Reporting.--Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--

(1) in section 2209(b) (6 U.S.C. 659(b)), as so redesignated by section 6203(b) of this division--

(A) in paragraph (11), by striking ``and'' at the end;

(B) in paragraph (12), by striking the period at the end and inserting ``; and''; and

``(13) receiving, aggregating, and analyzing reports related to covered cyber incidents (as defined in section 2230) submitted by covered entities (as defined in section 2230) and reports related to ransom payments submitted by entities in furtherance of the activities specified in sections 2202(e), 2203, and 2231, this subsection, and any other authorized activity of the Director, to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.''; and

(2) by adding at the end the following:

``Subtitle C--Cyber Incident Reporting

``SEC. 2230. DEFINITIONS.

``In this subtitle:

``(1) Center.--The term `Center' means the center established under section 2209.

``(2) Council.--The term `Council' means the Cyber Incident Reporting Council described in section 1752(c)(1)(H) of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 1500(c)(1)(H)).

``(3) Covered cyber incident.--The term `covered cyber incident' means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule issued pursuant to section 2232(b).

``(4) Covered entity.--The term `covered entity' means--

``(A) any Federal contractor; or

``(B) an entity that owns or operates critical infrastructure that satisfies the definition established by the Director in the final rule issued pursuant to section 2232(b).

``(5) Cyber incident.--The term `cyber incident' has the meaning given the term `incident' in section 2200.

``(6) Cyber threat.--The term `cyber threat'--

``(A) has the meaning given the term `cybersecurity threat' in section 2200; and

``(B) does not include any activity related to good faith security research, including participation in a bug-bounty program or a vulnerability disclosure program.

``(7) Federal contractor.--The term `Federal contractor' means a business, nonprofit organization, or other private sector entity that holds a Federal Government contract or subcontract at any tier, grant, cooperative agreement, or other transaction agreement, unless that entity is a party only to--

``(A) a service contract to provide housekeeping or custodial services; or

``(B) a contract to provide products or services unrelated to information technology that is below the micro-purchase threshold, as defined in section 2.101 of title 48, Code of Federal Regulations, or any successor regulation.

``(8) Federal entity; information system; security control.--The terms `Federal entity', `information system', and `security control' have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501).

``(9) Significant cyber incident.--The term `significant cyber incident' means a cybersecurity incident, or a group of related cybersecurity incidents, that the Secretary determines is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States.

``(10) Small organization.--The term `small organization'--

``(A) means--

``(i) a small business concern, as defined in section 3 of the Small Business Act (15 U.S.C. 632); or

``(ii) any nonprofit organization, including faith-based organizations and houses of worship, or other private sector entity with fewer than 200 employees (determined on a full-time equivalent basis); and

``(B) does not include--

``(i) a business, nonprofit organization, or other private sector entity that is a covered entity; or

``(ii) a Federal contractor.

``SEC. 2231. CYBER INCIDENT REVIEW.

``(a) Activities.--The Center shall--

``(1) receive, aggregate, analyze, and secure, using processes consistent with the processes developed pursuant to the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.) reports from covered entities related to a covered cyber incident to assess the effectiveness of security controls, identify tactics, techniques, and procedures adversaries use to overcome those controls and other cybersecurity purposes, including to support law enforcement investigations, to assess potential impact of incidents on public health and safety, and to have a more accurate picture of the cyber threat to critical infrastructure and the people of the United States;

``(2) receive, aggregate, analyze, and secure reports to lead the identification of tactics, techniques, and procedures used to perpetuate cyber incidents and ransomware attacks;

``(3) coordinate and share information with appropriate Federal departments and agencies to identify and track ransom payments, including those utilizing virtual currencies;

``(4) leverage information gathered about cybersecurity incidents to--

``(A) enhance the quality and effectiveness of information sharing and coordination efforts with appropriate entities, including agencies, sector coordinating councils, information sharing and analysis organizations, technology providers, critical infrastructure owners and operators, cybersecurity and incident response firms, and security researchers; and

``(B) provide appropriate entities, including agencies, sector coordinating councils, information sharing and analysis organizations, technology providers, cybersecurity and incident response firms, and security researchers, with timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures, pursuant to section 2235;

``(5) establish mechanisms to receive feedback from stakeholders on how the Agency can most effectively receive covered cyber incident reports, ransom payment reports, and other voluntarily provided information;

``(6) facilitate the timely sharing, on a voluntary basis, between relevant critical infrastructure owners and operators of information relating to covered cyber incidents and ransom payments, particularly with respect to ongoing cyber threats or security vulnerabilities and identify and disseminate ways to prevent or mitigate similar incidents in the future;

``(7) for a covered cyber incident, including a ransomware attack, that also satisfies the definition of a significant cyber incident, or is part of a group of related cyber incidents that together satisfy such definition, conduct a review of the details surrounding the covered cyber incident or group of those incidents and identify and disseminate ways to prevent or mitigate similar incidents in the future;

``(8) with respect to covered cyber incident reports under section 2232(a) and 2233 involving an ongoing cyber threat or security vulnerability, immediately review those reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stakeholders, in coordination with other divisions within the Agency, as appropriate;

``(9) publish quarterly unclassified, public reports that may be based on the unclassified information contained in the briefings required under subsection (c);

``(10) proactively identify opportunities and perform analyses, consistent with the protections in section 2235, to leverage and utilize data on ransomware attacks to support law enforcement operations to identify, track, and seize ransom payments utilizing virtual currencies, to the greatest extent practicable;

``(11) proactively identify opportunities, consistent with the protections in section 2235, to leverage and utilize data on cyber incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations, to the greatest extent practicable;

``(12) on a not less frequently than annual basis, analyze public disclosures made pursuant to parts 229 and 249 of title 17, Code of Federal Regulations, or any subsequent document submitted to the Securities and Exchange Commission by entities experiencing cyber incidents and compare such disclosures to reports received by the Center; and

``(13) in accordance with section 2235 and subsection (b) of this section, as soon as possible but not later than 24 hours after receiving a covered cyber incident report, ransom payment report, voluntarily submitted information pursuant to section 2233, or information received pursuant to a request for information or subpoena under section 2234, make available the information to appropriate Sector Risk Management Agencies and other appropriate Federal agencies.

``(b) Interagency Sharing.--The National Cyber Director, in consultation with the Director and the Director of the Office of Management and Budget--

``(1) may establish a specific time requirement for sharing information under subsection (a)(13); and

``(2) shall determine the appropriate Federal agencies under subsection (a)(13).

``(c) Periodic Briefing.--Not later than 60 days after the effective date of the final rule required under section 2232(b), and on the first day of each month thereafter, the Director, in consultation with the National Cyber Director, the Attorney General, and the Director of National Intelligence, shall provide to the majority leader of the Senate, the minority leader of the Senate, the Speaker of the House of Representatives, the minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a briefing that characterizes the national cyber threat landscape, including the threat facing Federal agencies and covered entities, and applicable intelligence and law enforcement information, covered cyber incidents, and ransomware attacks, as of the date of the briefing, which shall--

``(1) include the total number of reports submitted under sections 2232 and 2233 during the preceding month, including a breakdown of required and voluntary reports;

``(2) include any identified trends in covered cyber incidents and ransomware attacks over the course of the preceding month and as compared to previous reports, including any trends related to the information collected in the reports submitted under sections 2232 and 2233, including--

``(A) the infrastructure, tactics, and techniques malicious cyber actors commonly use; and

``(B) intelligence gaps that have impeded, or currently are impeding, the ability to counter covered cyber incidents and ransomware threats;

``(3) include a summary of the known uses of the information in reports submitted under sections 2232 and 2233; and

``(4) be unclassified, but may include a classified annex.

``SEC. 2232. REQUIRED REPORTING OF CERTAIN CYBER INCIDENTS.

``(a) In General.--

``(1) Covered cyber incident reports.--A covered entity that is a victim of a covered cyber incident shall report the covered cyber incident to the Director not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.

``(2) Ransom payment reports.--An entity, including a covered entity and except for an individual or a small organization, that makes a ransom payment as the result of a ransomware attack against the entity shall report the payment to the Director not later than 24 hours after the ransom payment has been made.

``(3) Supplemental reports.--A covered entity shall promptly submit to the Director an update or supplement to a previously submitted covered cyber incident report if new or different information becomes available or if the covered entity makes a ransom payment after submitting a covered cyber incident report required under paragraph (1).

``(4) Preservation of information.--Any entity subject to requirements of paragraph (1), (2), or (3) shall preserve data relevant to the covered cyber incident or ransom payment in accordance with procedures established in the final rule issued pursuant to subsection (b).

``(5) Exceptions.--

``(A) Reporting of covered cyber incident with ransom payment.--If a covered cyber incident includes a ransom payment such that the reporting requirements under paragraphs

(1) and (2) apply, the covered entity may submit a single report to satisfy the requirements of both paragraphs in accordance with procedures established in the final rule issued pursuant to subsection (b).

``(B) Substantially similar reported information.--The requirements under paragraphs (1), (2), and (3) shall not apply to an entity required by law, regulation, or contract to report substantially similar information to another Federal agency within a substantially similar timeframe.

``(C) Domain name system.--The requirements under paragraphs (1), (2) and (3) shall not apply to an entity or the functions of an entity that the Director determines constitute critical infrastructure owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning the Domain Name System, such as the Internet Corporation for Assigned Names and Numbers or the Internet Assigned Numbers Authority.

``(6) Manner, timing, and form of reports.--Reports made under paragraphs (1), (2), and (3) shall be made in the manner and form, and within the time period in the case of reports made under paragraph (3), prescribed in the final rule issued pursuant to subsection (b).

``(7) Effective date.--Paragraphs (1) through (4) shall take effect on the dates prescribed in the final rule issued pursuant to subsection (b).

``(b) Rulemaking.--

``(1) Notice of proposed rulemaking.--Not later than 2 years after the date of enactment of this section, the Director, in consultation with Sector Risk Management Agencies, the Department of Justice, and other Federal agencies, shall publish in the Federal Register a notice of proposed rulemaking to implement subsection (a).

``(2) Final rule.--Not later than 18 months after publication of the notice of proposed rulemaking under paragraph (1), the Director shall issue a final rule to implement subsection (a).

``(3) Subsequent rulemakings.--

``(A) In general.--The Director is authorized to issue regulations to amend or revise the final rule issued pursuant to paragraph (2).

``(B) Procedures.--Any subsequent rules issued under subparagraph (A) shall comply with the requirements under chapter 5 of title 5, United States Code, including the issuance of a notice of proposed rulemaking under section 553 of such title.

``(c) Elements.--The final rule issued pursuant to subsection (b) shall be composed of the following elements:

``(1) A clear description of the types of entities that constitute covered entities, based on--

``(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;

``(B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and

``(C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.

``(2) A clear description of the types of substantial cyber incidents that constitute covered cyber incidents, which shall--

``(A) at a minimum, require the occurrence of--

``(i) the unauthorized access to an information system or network with a substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;

``(ii) a disruption of business or industrial operations due to a cyber incident; or

``(iii) an occurrence described in clause (i) or (ii) due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise;

``(B) consider--

``(i) the sophistication or novelty of the tactics used to perpetrate such an incident, as well as the type, volume, and sensitivity of the data at issue;

``(ii) the number of individuals directly or indirectly affected or potentially affected by such an incident; and

``(iii) potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers; and

``(C) exclude--

``(i) any event where the cyber incident is perpetuated by good faith security research or in response to an invitation by the owner or operator of the information system for third parties to find vulnerabilities in the information system, such as through a vulnerability disclosure program or the use of authorized penetration testing services; and

``(ii) the threat of disruption as extortion, as described in section 2201(9)(A).

``(3) A requirement that, if a covered cyber incident or a ransom payment occurs following an exempted threat described in paragraph (2)(C)(ii), the entity shall comply with the requirements in this subtitle in reporting the covered cyber incident or ransom payment.

``(4) A clear description of the specific required contents of a report pursuant to subsection (a)(1), which shall include the following information, to the extent applicable and available, with respect to a covered cyber incident:

``(A) A description of the covered cyber incident, including--

``(i) identification and a description of the function of the affected information systems, networks, or devices that were, or are reasonably believed to have been, affected by such incident;

``(ii) a description of the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information system or network or disruption of business or industrial operations;

``(iii) the estimated date range of such incident; and

``(iv) the impact to the operations of the covered entity.

``(B) Where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used to perpetuate the covered cyber incident.

``(C) Where applicable, any identifying or contact information related to each actor reasonably believed to be responsible for such incident.

``(D) Where applicable, identification of the category or categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person.

``(E) The name and other information that clearly identifies the entity impacted by the covered cyber incident.

``(F) Contact information, such as telephone number or electronic mail address, that the Center may use to contact the covered entity or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, the covered entity to assist with compliance with the requirements of this subtitle.

``(5) A clear description of the specific required contents of a report pursuant to subsection (a)(2), which shall be the following information, to the extent applicable and available, with respect to a ransom payment:

``(A) A description of the ransomware attack, including the estimated date range of the attack.

``(B) Where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used to perpetuate the ransomware attack.

``(C) Where applicable, any identifying or contact information related to the actor or actors reasonably believed to be responsible for the ransomware attack.

``(D) The name and other information that clearly identifies the entity that made the ransom payment.

``(E) Contact information, such as telephone number or electronic mail address, that the Center may use to contact the entity that made the ransom payment or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, that entity to assist with compliance with the requirements of this subtitle.

``(F) The date of the ransom payment.

``(G) The ransom payment demand, including the type of virtual currency or other commodity requested, if applicable.

``(H) The ransom payment instructions, including information regarding where to send the payment, such as the virtual currency address or physical address the funds were requested to be sent to, if applicable.

``(I) The amount of the ransom payment.

``(6) A clear description of the types of data required to be preserved pursuant to subsection (a)(4) and the period of time for which the data is required to be preserved.

``(7) Deadlines for submitting reports to the Director required under subsection (a)(3), which shall--

``(A) be established by the Director in consultation with the Council;

``(B) consider any existing regulatory reporting requirements similar in scope, purpose, and timing to the reporting requirements to which such a covered entity may also be subject, and make efforts to harmonize the timing and contents of any such reports to the maximum extent practicable; and

``(C) balance the need for situational awareness with the ability of the covered entity to conduct incident response and investigations.

``(8) Procedures for--

``(A) entities to submit reports required by paragraphs

(1), (2), and (3) of subsection (a), including the manner and form thereof, which shall include, at a minimum, a concise, user-friendly web-based form;

``(B) the Agency to carry out the enforcement provisions of section 2233, including with respect to the issuance, service, withdrawal, and enforcement of subpoenas, appeals and due process procedures, the suspension and debarment provisions in section 2234(c), and other aspects of noncompliance;

``(C) implementing the exceptions provided in subsection

(a)(5); and

``(D) protecting privacy and civil liberties consistent with processes adopted pursuant to section 105(b) of the Cybersecurity Act of 2015 (6 U.S.C. 1504(b)) and anonymizing and safeguarding, or no longer retaining, information received and disclosed through covered cyber incident reports and ransom payment reports that is known to be personal information of a specific individual or information that identifies a specific individual that is not directly related to a cybersecurity threat.

``(9) A clear description of the types of entities that constitute other private sector entities for purposes of section 2230(b)(7).

``(d) Third Party Report Submission and Ransom Payment.--

``(1) Report submission.--An entity, including a covered entity, that is required to submit a covered cyber incident report or a ransom payment report may use a third party, such as an incident response company, insurance provider, service provider, information sharing and analysis organization, or law firm, to submit the required report under subsection (a).

``(2) Ransom payment.--If an entity impacted by a ransomware attack uses a third party to make a ransom payment, the third party shall not be required to submit a ransom payment report for itself under subsection (a)(2).

``(3) Duty to report.--Third-party reporting under this subparagraph does not relieve a covered entity or an entity that makes a ransom payment from the duty to comply with the requirements for covered cyber incident report or ransom payment report submission.

``(4) Responsibility to advise.--Any third party used by an entity that knowingly makes a ransom payment on behalf of an entity impacted by a ransomware attack shall advise the impacted entity of the responsibilities of the impacted entity regarding reporting ransom payments under this section.

``(e) Outreach to Covered Entities.--

``(1) In general.--The Director shall conduct an outreach and education campaign to inform likely covered entities, entities that offer or advertise as a service to customers to make or facilitate ransom payments on behalf of entities impacted by ransomware attacks, potential ransomware attack victims, and other appropriate entities of the requirements of paragraphs (1), (2), and (3) of subsection (a).

``(2) Elements.--The outreach and education campaign under paragraph (1) shall include the following:

``(A) An overview of the final rule issued pursuant to subsection (b).

``(B) An overview of mechanisms to submit to the Center covered cyber incident reports and information relating to the disclosure, retention, and use of incident reports under this section.

``(C) An overview of the protections afforded to covered entities for complying with the requirements under paragraphs

(1), (2), and (3) of subsection (a).

``(D) An overview of the steps taken under section 2234 when a covered entity is not in compliance with the reporting requirements under subsection (a).

``(E) Specific outreach to cybersecurity vendors, incident response providers, cybersecurity insurance entities, and other entities that may support covered entities or ransomware attack victims.

``(F) An overview of the privacy and civil liberties requirements in this subtitle.

``(3) Coordination.--In conducting the outreach and education campaign required under paragraph (1), the Director may coordinate with--

``(A) the Critical Infrastructure Partnership Advisory Council established under section 871;

``(B) information sharing and analysis organizations;

``(C) trade associations;

``(D) information sharing and analysis centers;

``(E) sector coordinating councils; and

``(F) any other entity as determined appropriate by the Director.

``(f) Organization of Reports.--Notwithstanding chapter 35 of title 44, United States Code (commonly known as the

`Paperwork Reduction Act'), the Director may request information within the scope of the final rule issued under subsection (b) by the alteration of existing questions or response fields and the reorganization and reformatting of the means by which covered cyber incident reports, ransom payment reports, and any voluntarily offered information is submitted to the Center.

``SEC. 2233. VOLUNTARY REPORTING OF OTHER CYBER INCIDENTS.

``(a) In General.--Entities may voluntarily report incidents or ransom payments to the Director that are not required under paragraph (1), (2), or (3) of section 2232(a), but may enhance the situational awareness of cyber threats.

``(b) Voluntary Provision of Additional Information in Required Reports.--Entities may voluntarily include in reports required under paragraph (1), (2), or (3) of section 2232(a) information that is not required to be included, but may enhance the situational awareness of cyber threats.

``(c) Application of Protections.--The protections under section 2235 applicable to covered cyber incident reports shall apply in the same manner and to the same extent to reports and information submitted under subsections (a) and

(b).

``SEC. 2234. NONCOMPLIANCE WITH REQUIRED REPORTING.

``(a) Purpose.--In the event that an entity that is required to submit a report under section 2232(a) fails to comply with the requirement to report, the Director may obtain information about the incident or ransom payment by engaging the entity directly to request information about the incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred, and, if so, whether additional action is warranted pursuant to subsection (d).

``(b) Initial Request for Information.--

``(1) In general.--If the Director has reason to believe, whether through public reporting or other information in the possession of the Federal Government, including through analysis performed pursuant to paragraph (1) or (2) of section 2231(a), that an entity has experienced a covered cyber incident or made a ransom payment but failed to report such incident or payment to the Center within 72 hours in accordance with section 2232(a), the Director shall request additional information from the entity to confirm whether or not a covered cyber incident or ransom payment has occurred.

``(2) Treatment.--Information provided to the Center in response to a request under paragraph (1) shall be treated as if it was submitted through the reporting procedures established in section 2232.

``(c) Authority to Issue Subpoenas and Debar.--

``(1) In general.--If, after the date that is 72 hours from the date on which the Director made the request for information in subsection (b), the Director has received no response from the entity from which such information was requested, or received an inadequate response, the Director may issue to such entity a subpoena to compel disclosure of information the Director deems necessary to determine whether a covered cyber incident or ransom payment has occurred and obtain the information required to be reported pursuant to section 2232 and any implementing regulations.

``(2) Civil action.--

``(A) In general.--If an entity fails to comply with a subpoena, the Director may refer the matter to the Attorney General to bring a civil action in a district court of the United States to enforce such subpoena.

``(B) Venue.--An action under this paragraph may be brought in the judicial district in which the entity against which the action is brought resides, is found, or does business.

``(C) Contempt of court.--A court may punish a failure to comply with a subpoena issued under this subsection as contempt of court.

``(3) Non-delegation.--The authority of the Director to issue a subpoena under this subsection may not be delegated.

``(4) Debarment of federal contractors.--If a covered entity that is a Federal contractor fails to comply with a subpoena issued under this subsection--

``(A) the Director may refer the matter to the Administrator of General Services; and

``(B) upon receiving a referral from the Director, the Administrator of General Services may impose additional available penalties, including suspension or debarment.

``(5) Authentication.--

``(A) In general.--Any subpoena issued electronically pursuant to this subsection shall be authenticated with a cryptographic digital signature of an authorized representative of the Agency, or other comparable successor technology, that allows the Agency to demonstrate that such subpoena was issued by the Agency and has not been altered or modified since such issuance.

``(B) Invalid if not authenticated.--Any subpoena issued electronically pursuant to this subsection that is not authenticated in accordance with subparagraph (A) shall not be considered to be valid by the recipient of such subpoena.

``(d) Actions by Attorney General and Federal Regulatory Agencies.--

``(1) In general.--Notwithstanding section 2235(a) and subsection (b)(2) of this section, if the Attorney General or the appropriate Federal regulatory agency determines, based on information provided in response to a subpoena issued pursuant to subsection (c), that the facts relating to the covered cyber incident or ransom payment at issue may constitute grounds for a regulatory enforcement action or criminal prosecution, the Attorney General or the appropriate Federal regulatory agency may use that information for a regulatory enforcement action or criminal prosecution.

``(2) Application to certain entities and third parties.--A covered cyber incident or ransom payment report submitted to the Center by an entity that makes a ransom payment or third party under section 2232 shall not be used by any Federal, State, Tribal, or local government to investigate or take another law enforcement action against the entity that makes a ransom payment or third party.

``(3) Rule of construction.--Nothing in this subtitle shall be construed to provide an entity that submits a covered cyber incident report or ransom payment report under section 2232 any immunity from law enforcement action for making a ransom payment otherwise prohibited by law.

``(e) Considerations.--When determining whether to exercise the authorities provided under this section, the Director shall take into consideration--

``(1) the size and complexity of the entity;

``(2) the complexity in determining if a covered cyber incident has occurred; and

``(3) prior interaction with the Agency or awareness of the entity of the policies and procedures of the Agency for reporting covered cyber incidents and ransom payments.

``(f) Exclusions.--This section shall not apply to a State, local, Tribal, or territorial government entity.

``(g) Report to Congress.--The Director shall submit to Congress an annual report on the number of times the Director--

``(1) issued an initial request for information pursuant to subsection (b);

``(2) issued a subpoena pursuant to subsection (c); or

``(3) referred a matter to the Attorney General for a civil action pursuant to subsection (c)(2).

``(h) Publication of the Annual Report.--The Director shall publish a version of the annual report required under subsection (g) on the website of the Agency, which shall include, at a minimum, the number of times the Director--

``(1) issued an initial request for information pursuant to subsection (b); or

``(2) issued a subpoena pursuant to subsection (c).

``(i) Anonymization of Reports.--The Director shall ensure any victim information contained in a report required to be published under subsection (h) be anonymized before the report is published.

``SEC. 2235. INFORMATION SHARED WITH OR PROVIDED TO THE

FEDERAL GOVERNMENT.

``(a) Disclosure, Retention, and Use.--

``(1) Authorized activities.--Information provided to the Center or Agency pursuant to section 2232 or 2233 may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for--

``(A) a cybersecurity purpose;

``(B) the purpose of identifying--

``(i) a cyber threat, including the source of the cyber threat; or

``(ii) a security vulnerability;

``(C) the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or use of a weapon of mass destruction;

``(D) the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or

``(E) the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a cyber incident reported pursuant to section 2232 or 2233 or any of the offenses listed in section 105(d)(5)(A)(v) of the Cybersecurity Act of 2015 (6 U.S.C. 1504(d)(5)(A)(v)).

``(2) Agency actions after receipt.--

``(A) Rapid, confidential sharing of cyber threat indicators.--Upon receiving a covered cyber incident or ransom payment report submitted pursuant to this section, the center shall immediately review the report to determine whether the incident that is the subject of the report is connected to an ongoing cyber threat or security vulnerability and where applicable, use such report to identify, develop, and rapidly disseminate to appropriate stakeholders actionable, anonymized cyber threat indicators and defensive measures.

``(B) Standards for sharing security vulnerabilities.--With respect to information in a covered cyber incident or ransom payment report regarding a security vulnerability referred to in paragraph (1)(B)(ii), the Director shall develop principles that govern the timing and manner in which information relating to security vulnerabilities may be shared, consistent with common industry best practices and United States and international standards.

``(3) Privacy and civil liberties.--Information contained in covered cyber incident and ransom payment reports submitted to the Center or the Agency pursuant to section 2232 shall be retained, used, and disseminated, where permissible and appropriate, by the Federal Government in accordance with processes to be developed for the protection of personal information consistent with processes adopted pursuant to section 105 of the Cybersecurity Act of 2015 (6 U.S.C. 1504) and in a manner that protects from unauthorized use or disclosure any information that may contain--

``(A) personal information of a specific individual; or

``(B) information that identifies a specific individual that is not directly related to a cybersecurity threat.

``(4) Digital security.--The Center and the Agency shall ensure that reports submitted to the Center or the Agency pursuant to section 2232, and any information contained in those reports, are collected, stored, and protected at a minimum in accordance with the requirements for moderate impact Federal information systems, as described in Federal Information Processing Standards Publication 199, or any successor document.

``(5) Prohibition on use of information in regulatory actions.--A Federal, State, local, or Tribal government shall not use information about a covered cyber incident or ransom payment obtained solely through reporting directly to the Center or the Agency in accordance with this subtitle to regulate, including through an enforcement action, the activities of the covered entity or entity that made a ransom payment.

``(b) No Waiver of Privilege or Protection.--The submission of a report to the Center or the Agency under section 2232 shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection and attorney-client privilege.

``(c) Exemption From Disclosure.--Information contained in a report submitted to the Office under section 2232 shall be exempt from disclosure under section 552(b)(3)(B) of title 5, United States Code (commonly known as the `Freedom of Information Act') and any State, Tribal, or local provision of law requiring disclosure of information or records.

``(d) Ex Parte Communications.--The submission of a report to the Agency under section 2232 shall not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.

``(e) Liability Protections.--

``(1) In general.--No cause of action shall lie or be maintained in any court by any person or entity and any such action shall be promptly dismissed for the submission of a report pursuant to section 2232(a) that is submitted in conformance with this subtitle and the rule promulgated under section 2232(b), except that this subsection shall not apply with regard to an action by the Federal Government pursuant to section 2234(c)(2).

``(2) Scope.--The liability protections provided in subsection (e) shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the Center or the Agency.

``(3) Restrictions.--Notwithstanding paragraph (2), no report submitted to the Agency pursuant to this subtitle or any communication, document, material, or other record, created for the sole purpose of preparing, drafting, or submitting such report, may be received in evidence, subject to discovery, or otherwise used in any trial, hearing, or other proceeding in or before any court, regulatory body, or other authority of the United States, a State, or a political subdivision thereof, provided that nothing in this subtitle shall create a defense to discovery or otherwise affect the discovery of any communication, document, material, or other record not created for the sole purpose of preparing, drafting, or submitting such report.

``(f) Sharing With Non-Federal Entities.--The Agency shall anonymize the victim who reported the information when making information provided in reports received under section 2232 available to critical infrastructure owners and operators and the general public.

``(g) Proprietary Information.--Information contained in a report submitted to the Agency under section 2232 shall be considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity.

``(h) Stored Communications Act.--Nothing in this subtitle shall be construed to permit or require disclosure by a provider of a remote computing service or a provider of an electronic communication service to the public of information not otherwise permitted or required to be disclosed under chapter 121 of title 18, United States Code (commonly known as the `Stored Communications Act').''.

(b) Technical and Conforming Amendment.--The table of contents in section 1(b) of the Homeland Security Act of 2002

(Public Law 107-296; 116 Stat. 2135) is amended by inserting after the items relating to subtitle B of title XXII the following:

``Subtitle C--Cyber Incident Reporting

``Sec. 2230. Definitions.

``Sec. 2231. Cyber Incident Review.

``Sec. 2232. Required reporting of certain cyber incidents.

``Sec. 2233. Voluntary reporting of other cyber incidents.

``Sec. 2234. Noncompliance with required reporting.

``Sec. 2235. Information shared with or provided to the Federal

Government.''.

SEC. 6104. FEDERAL SHARING OF INCIDENT REPORTS.

(a) Cyber Incident Reporting Sharing.--

(1) In general.--Notwithstanding any other provision of law or regulation, any Federal agency, including any independent establishment (as defined in section 104 of title 5, United States Code), that receives a report from an entity of a cyber incident, including a ransomware attack, shall provide the report to the Director as soon as possible, but not later than 24 hours after receiving the report, unless a shorter period is required by an agreement made between the Cybersecurity Infrastructure Security Agency and the recipient Federal agency. The Director shall share and coordinate each report pursuant to section 2231(b) of the Homeland Security Act of 2002, as added by section 6103 of this title.

(2) Rule of construction.--The requirements described in paragraph (1) shall not be construed to be a violation of any provision of law or policy that would otherwise prohibit disclosure within the executive branch.

(3) Protection of information.--The Director shall comply with any obligations of the recipient Federal agency described in paragraph (1) to protect information, including with respect to privacy, confidentiality, or information security, if those obligations would impose greater protection requirements than this Act or the amendments made by this Act.

(4) FOIA exemption.--Any report received by the Director pursuant to paragraph (1) shall be exempt from disclosure under section 552(b)(3) of title 5, United States Code

(commonly known as the ``Freedom of Information Act'').

(b) Creation of Council.--Section 1752(c) of the William M.

(Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 1500(c)) is amended--

(1) in paragraph (1)--

(A) in subparagraph (G), by striking ``and'' at the end;

(B) by redesignating subparagraph (H) as subparagraph (I); and

``(H) lead an intergovernmental Cyber Incident Reporting Council, in coordination with the Director of the Office of Management and Budget, the Attorney General, and the Director of the Cybersecurity and Infrastructure Security Agency and in consultation with Sector Risk Management Agencies (as defined in section 2201 of the Homeland Security Act of 2002

(6 U.S.C. 651)) and other appropriate Federal agencies, to coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through regulations, for covered entities (as defined in section 2230 of such Act) and entities that make a ransom payment (as defined in such section 2201 (6 U.S.C. 651)); and''; and

(2) by adding at the end the following:

``(3) Rule of construction.--Nothing in paragraph (1)(H) shall be construed to provide any additional regulatory authority to any Federal entity.''.

(c) Harmonizing Reporting Requirements.--The National Cyber Director shall, in consultation with the Director, the Attorney General, the Cyber Incident Reporting Council described in section 1752(c)(1)(H) of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 1500(c)(1)(H)), and the Director of the Office of Management and Budget, to the maximum extent practicable--

(1) periodically review existing regulatory requirements, including the information required in such reports, to report cyber incidents and ensure that any such reporting requirements and procedures avoid conflicting, duplicative, or burdensome requirements; and

(2) coordinate with the Director, the Attorney General, and regulatory authorities that receive reports relating to cyber incidents to identify opportunities to streamline reporting processes, and where feasible, facilitate interagency agreements between such authorities to permit the sharing of such reports, consistent with applicable law and policy, without impacting the ability of such agencies to gain timely situational awareness of a covered cyber incident or ransom payment.

SEC. 6105. RANSOMWARE VULNERABILITY WARNING PILOT PROGRAM.

(a) Program.--Not later than 1 year after the date of enactment of this Act, the Director shall establish a ransomware vulnerability warning program to leverage existing authorities and technology to specifically develop processes and procedures for, and to dedicate resources to, identifying information systems that contain security vulnerabilities associated with common ransomware attacks, and to notify the owners of those vulnerable systems of their security vulnerability.

(b) Identification of Vulnerable Systems.--The pilot program established under subsection (a) shall--

(1) identify the most common security vulnerabilities utilized in ransomware attacks and mitigation techniques; and

(2) utilize existing authorities to identify Federal and other relevant information systems that contain the security vulnerabilities identified in paragraph (1).

(1) Identification.--If the Director is able to identify the entity at risk that owns or operates a vulnerable information system identified in subsection (b), the Director may notify the owner of the information system.

(2) No identification.--If the Director is not able to identify the entity at risk that owns or operates a vulnerable information system identified in subsection (b), the Director may utilize the subpoena authority pursuant to section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659) to identify and notify the entity at risk pursuant to the procedures within that section.

(3) Required information.--A notification made under paragraph (1) shall include information on the identified security vulnerability and mitigation techniques.

(d) Prioritization of Notifications.--To the extent practicable, the Director shall prioritize covered entities for identification and notification activities under the pilot program established under this section.

(e) Limitation on Procedures.--No procedure, notification, or other authorities utilized in the execution of the pilot program established under subsection (a) shall require an owner or operator of a vulnerable information system to take any action as a result of a notice of a security vulnerability made pursuant to subsection (c).

(f) Rule of Construction.--Nothing in this section shall be construed to provide additional authorities to the Director to identify vulnerabilities or vulnerable systems.

(g) Termination.--The pilot program established under subsection (a) shall terminate on the date that is 4 years after the date of enactment of this Act.

SEC. 6106. RANSOMWARE THREAT MITIGATION ACTIVITIES.

(a) Joint Ransomware Task Force.--

(1) In general.--Not later than 180 days after the date of enactment of this Act, the National Cyber Director, in consultation with the Attorney General and the Director of the Federal Bureau of Investigation, shall establish and chair the Joint Ransomware Task Force to coordinate an ongoing nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.

(2) Composition.--The Joint Ransomware Task Force shall consist of participants from Federal agencies, as determined appropriate by the National Cyber Director in consultation with the Secretary of Homeland Security.

(3) Responsibilities.--The Joint Ransomware Task Force, utilizing only existing authorities of each participating agency, shall coordinate across the Federal Government the following activities:

(A) Prioritization of intelligence-driven operations to disrupt specific ransomware actors.

(B) Consult with relevant private sector, State, local, Tribal, and territorial governments and international stakeholders to identify needs and establish mechanisms for providing input into the Task Force.

(C) Identifying, in consultation with relevant entities, a list of highest threat ransomware entities updated on an ongoing basis, in order to facilitate--

(i) prioritization for Federal action by appropriate Federal agencies; and

(ii) identify metrics for success of said actions.

(D) Disrupting ransomware criminal actors, associated infrastructure, and their finances.

(E) Facilitating coordination and collaboration between Federal entities and relevant entities, including the private sector, to improve Federal actions against ransomware threats.

(F) Collection, sharing, and analysis of ransomware trends to inform Federal actions.

(G) Creation of after-action reports and other lessons learned from Federal actions that identify successes and failures to improve subsequent actions.

(H) Any other activities determined appropriate by the task force to mitigate the threat of ransomware attacks against Federal and non-Federal entities.

(b) Clarifying Private Sector Lawful Defensive Measures.--Not later than 180 days after the date of enactment of this Act, the National Cyber Director, in coordination with the Secretary of Homeland Security and the Attorney General, shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on the Judiciary of the Senate and the Committee on Homeland Security, the Committee on the Judiciary, and the Committee on Oversight and Reform of the House of Representatives a report that describes defensive measures that private sector actors can take when countering ransomware attacks and what laws need to be clarified to enable that action.

(c) Rule of Construction.--Nothing in this section shall be construed to provide any additional authority to any Federal agency.

SEC. 6107. CONGRESSIONAL REPORTING.

(a) Report on Stakeholder Engagement.--Not later than 30 days after the date on which the Director issues the final rule under section 2232(b) of the Homeland Security Act of 2002, as added by section 6103(b) of this title, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report that describes how the Director engaged stakeholders in the development of the final rule.

(b) Report on Opportunities to Strengthen Security Research.--Not later than 1 year after the date of enactment of this Act, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report describing how the National Cybersecurity and Communications Integration Center established under section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659) has carried out activities under section 2231(a)(9) of the Homeland Security Act of 2002, as added by section 6103(a) of this title, by proactively identifying opportunities to use cyber incident data to inform and enable cybersecurity research within the academic and private sector.

(c) Report on Ransomware Vulnerability Warning Pilot Program.--Not later than 1 year after the date of enactment of this Act, and annually thereafter for the duration of the pilot program established under section 6105, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report, which may include a classified annex, on the effectiveness of the pilot program, which shall include a discussion of the following:

(1) The effectiveness of the notifications under section 6105(c) in mitigating security vulnerabilities and the threat of ransomware.

(2) Identification of the most common vulnerabilities utilized in ransomware.

(3) The number of notifications issued during the preceding year.

(4) To the extent practicable, the number of vulnerable devices or systems mitigated under this pilot by the Agency during the preceding year.

(d) Report on Harmonization of Reporting Regulations.--

(1) In general.--Not later than 180 days after the date on which the National Cyber Director convenes the Council described in section 1752(c)(1)(H) of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 1500(c)(1)(H)), the National Cyber Director shall submit to the appropriate congressional committees a report that includes--

(A) a list of duplicative Federal cyber incident reporting requirements on covered entities and entities that make a ransom payment;

(B) a description of any challenges in harmonizing the duplicative reporting requirements;

(C) any actions the National Cyber Director intends to take to facilitate harmonizing the duplicative reporting requirements; and

(D) any proposed legislative changes necessary to address the duplicative reporting.

(2) Rule of construction.--Nothing in paragraph (1) shall be construed to provide any additional regulatory authority to any Federal agency.

(e) GAO Reports.--

(1) Implementation of this act.--Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the implementation of this Act and the amendments made by this Act.

(2) Exemptions to reporting.--Not later than 1 year after the date on which the Director issues the final rule required under section 2232(b) of the Homeland Security Act of 2002, as added by section 6103 of this title, the Comptroller General of the United States shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the exemptions to reporting under paragraphs (2) and (5) of section 2232(a) of the Homeland Security Act of 2002, as added by section 6103 of this title, which shall include--

(A) to the extent practicable, an evaluation of the quantity of incidents not reported to the Federal Government;

(B) an evaluation of the impact on impacted entities, homeland security, and the national economy of the ransomware criminal ecosystem of incidents and ransom payments, including a discussion on the scope of impact of incidents that were not reported to the Federal Government;

(C) an evaluation of the burden, financial and otherwise, on entities required to report cyber incidents under this Act, including an analysis of entities that meet the definition of a small organization and would be exempt from ransom payment reporting but not for being a covered entity; and

(D) a description of the consequences and effects of the exemptions.

(f) Report on Effectiveness of Enforcement Mechanisms.--Not later than 1 year after the date on which the Director issues the final rule required under section 2232(b) of the Homeland Security Act of 2002, as added by section 6103 of this title, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the effectiveness of the enforcement mechanisms within section 2234 of the Homeland Security Act of 2002, as added by section 6103 of this title.

TITLE LXII--CISA TECHNICAL CORRECTIONS AND IMPROVEMENTS ACT OF 2021

SEC. 6201. SHORT TITLE.

This title may be cited as the ``CISA Technical Corrections and Improvements Act of 2021''.

SEC. 6202. REDESIGNATIONS.

(a) In General.--Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--

(1) by redesignating section 2217 (6 U.S.C. 665f) as section 2220;

(2) by redesignating section 2216 (6 U.S.C. 665e) as section 2219;

(3) by redesignating the fourth section 2215 (relating to Sector Risk Management Agencies) (6 U.S.C. 665d) as section 2218;

(4) by redesignating the third section 2215 (relating to the Cybersecurity State Coordinator) (6 U.S.C. 665c) as section 2217; and

(5) by redesignating the second section 2215 (relating to the Joint Cyber Planning Office) (6 U.S.C. 665b) as section 2216.

(b) Technical and Conforming Amendments.--Section 2202(c) of the Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended--

(1) in paragraph (11), by striking ``and'' at the end;

(2) in the first paragraph (12)--

(A) by striking ``section 2215'' and inserting ``section 2217''; and

(B) by striking ``and'' at the end; and

(3) by redesignating the second and third paragraphs (12) as paragraphs (13) and (14), respectively.

(1) Amendment.--Section 904(b)(1) of the DOTGOV Act of 2020

(title IX of division U of Public Law 116-260) is amended, in the matter preceding subparagraph (A), by striking ``Homeland Security Act'' and inserting ``Homeland Security Act of 2002''.

(2) Effective date.--The amendment made by paragraph (1) shall take effect as if enacted as part of the DOTGOV Act of 2020 (title IX of division U of Public Law 116-260).

SEC. 6203. CONSOLIDATION OF DEFINITIONS.

(a) In General.--Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651) is amended by inserting before the subtitle A heading the following:

``SEC. 2200. DEFINITIONS.

``Except as otherwise specifically provided, in this title:

``(1) Agency.--The term `Agency' means the Cybersecurity and Infrastructure Security Agency.

``(2) Agency information.--The term `agency information' means information collected or maintained by or on behalf of an agency.

``(3) Agency information system.--The term `agency information system' means an information system used or operated by an agency or by another entity on behalf of an agency.

``(4) Appropriate congressional committees.--The term

`appropriate congressional committees' means--

``(A) the Committee on Homeland Security and Governmental Affairs of the Senate; and

``(B) the Committee on Homeland Security of the House of Representatives.

``(5) Cloud service provider.--The term `cloud service provider' means an entity offering products or services related to cloud computing, as defined by the National Institutes of Standards and Technology in NIST Special Publication 800-145 and any amendatory or superseding document relating thereto.

``(6) Critical infrastructure information.--The term

`critical infrastructure information' means information not customarily in the public domain and related to the security of critical infrastructure or protected systems, including--

``(A) actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct (including the misuse of or unauthorized access to all types of communications and data transmission systems) that violates Federal, State, or local law, harms interstate commerce of the United States, or threatens public health or safety;

``(B) the ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation, including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk management planning, or risk audit; or

``(C) any planned or past operational problem or solution regarding critical infrastructure or protected systems, including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, or incapacitation.

``(7) Cyber threat indicator.--The term `cyber threat indicator' means information that is necessary to describe or identify--

``(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;

``(B) a method of defeating a security control or exploitation of a security vulnerability;

``(C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;

``(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;

``(E) malicious cyber command and control;

``(F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;

``(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or

``(H) any combination thereof.

``(8) Cybersecurity purpose.--The term `cybersecurity purpose' means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

``(9) Cybersecurity risk.--The term `cybersecurity risk'--

``(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and

``(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

``(10) Cybersecurity threat.--

``(A) In general.--Except as provided in subparagraph (B), the term `cybersecurity threat' means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.

``(B) Exclusion.--The term `cybersecurity threat' does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

``(11) Defensive measure.--

``(A) In general.--Except as provided in subparagraph (B), the term `defensive measure' means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.

``(B) Exclusion.--The term `defensive measure' does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by--

``(i) the entity operating the measure; or

``(ii) another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.

``(12) Homeland security enterprise.--The term `Homeland Security Enterprise' means relevant governmental and nongovernmental entities involved in homeland security, including Federal, State, local, and Tribal government officials, private sector representatives, academics, and other policy experts.

``(13) Incident.--The term `incident' means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.

``(14) Information sharing and analysis organization.--The term `Information Sharing and Analysis Organization' means any formal or informal entity or collaboration created or employed by public or private sector organizations, for purposes of--

``(A) gathering and analyzing critical infrastructure information, including information related to cybersecurity risks and incidents, in order to better understand security problems and interdependencies related to critical infrastructure, including cybersecurity risks and incidents, and protected systems, so as to ensure the availability, integrity, and reliability thereof;

``(B) communicating or disclosing critical infrastructure information, including cybersecurity risks and incidents, to help prevent, detect, mitigate, or recover from the effects of a interference, compromise, or a incapacitation problem related to critical infrastructure, including cybersecurity risks and incidents, or protected systems; and

``(C) voluntarily disseminating critical infrastructure information, including cybersecurity risks and incidents, to its members, State, local, and Federal Governments, or any other entities that may be of assistance in carrying out the purposes specified in subparagraphs (A) and (B).

``(15) Information system.--The term `information system' has the meaning given the term in section 3502 of title 44, United States Code.

``(16) Intelligence community.--The term `intelligence community' has the meaning given the term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)).

``(17) Managed service provider.--The term `managed service provider' means an entity that delivers services, such as network, application, infrastructure, or security services, via ongoing and regular support and active administration on the premises of a customer, in the data center of the entity

(such as hosting), or in a third party data center.

``(18) Monitor.--The term `monitor' means to acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system.

``(19) National cybersecurity asset response activities.--The term `national cybersecurity asset response activities' means--

``(A) furnishing cybersecurity technical assistance to entities affected by cybersecurity risks to protect assets, mitigate vulnerabilities, and reduce impacts of cyber incidents;

``(B) identifying other entities that may be at risk of an incident and assessing risk to the same or similar vulnerabilities;

``(C) assessing potential cybersecurity risks to a sector or region, including potential cascading effects, and developing courses of action to mitigate such risks;

``(D) facilitating information sharing and operational coordination with threat response; and

``(E) providing guidance on how best to utilize Federal resources and capabilities in a timely, effective manner to speed recovery from cybersecurity risks.

``(20) National security system.--The term `national security system' has the meaning given the term in section 11103 of title 40, United States Code.

``(21) Ransom payment.--The term `ransom payment' means the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.

``(22) Ransomware attack.--The term `ransomware attack'--

``(A) means a cyber incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment; and

``(B) does not include any such event where the demand for payment is made by a Federal Government entity, good faith security research, or in response to an invitation by the owner or operator of the information system for third parties to identify vulnerabilities in the information system.

``(23) Sector risk management agency.--The term `Sector Risk Management Agency' means a Federal department or agency, designated by law or Presidential directive, with responsibility for providing institutional knowledge and specialized expertise of a sector, as well as leading, facilitating, or supporting programs and associated activities of its designated critical infrastructure sector in the all hazards environment in coordination with the Department.

``(24) Security control.--The term `security control' means the management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.

``(25) Security vulnerability.--The term `security vulnerability' means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.

``(26) Sharing.--The term `sharing' (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each such terms).

``(27) Supply chain compromise.--The term `supply chain compromise' means a cyber incident within the supply chain of an information system that an adversary can leverage to jeopardize the confidentiality, integrity, or availability of the information technology system or the information the system processes, stores, or transmits, and can occur at any point during the life cycle.

``(28) Virtual currency.--The term `virtual currency' means the digital representation of value that functions as a medium of exchange, a unit of account, or a store of value.

``(29) Virtual currency address.--The term `virtual currency address' means a unique public cryptographic key identifying the location to which a virtual currency payment can be made.''.

(b) Technical and Conforming Amendments.--The Homeland Security Act of 2002 (6 U.S.C. 101 et seq.) is amended--

(1) by amending section 2201 to read as follows:

``SEC. 2201. DEFINITION.

``In this subtitle, the term `Cybersecurity Advisory Committee' means the advisory committee established under section 2219(a).'';

(2) in section 2202--

(A) in subsection (a)(1), by striking ``(in this subtitle referred to as the Agency)'';

(B) in subsection (f)--

(i) in paragraph (1), by inserting ``Executive'' before

``Assistant Director''; and

(ii) in paragraph (2), by inserting ``Executive'' before

``Assistant Director'';

(3) in section 2203(a)(2), by striking ``as the `Assistant Director''' and inserting ``as the `Executive Assistant Director''';

(4) in section 2204(a)(2), by striking ``as the `Assistant Director''' and inserting ``as the `Executive Assistant Director''';

(5) in section 2209--

(A) by striking subsection (a);

(B) by redesignating subsections (b) through (o) as subsections (a) through (n), respectively;

(i) in subparagraph (A)(iii), as so redesignated, by striking ``, as that term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4))''; and

(ii) in subparagraph (B)(ii), by striking ``information sharing and analysis organizations'' and inserting

``Information Sharing and Analysis Organizations'';

(D) in subsection (d), as so redesignated--

(i) in the matter preceding paragraph (1), by striking

``subsection (c)'' and inserting ``subsection (b)''; and

(ii) in paragraph (1)(E)(ii)(II), by striking ``information sharing and analysis organizations'' and inserting

``Information Sharing and Analysis Organizations'';

(E) in subsection (j), as so redesignated, by striking

``subsection (c)(8)'' and inserting ``subsection (b)(8)''; and

(F) in subsection (n), as so redesignated--

(i) in paragraph (2)(A), by striking ``subsection (c)(12)'' and inserting ``subsection (b)(12)''; and

(ii) in paragraph (3)(B)(i), by striking ``subsection

(c)(12)'' and inserting ``subsection (b)(12)'';

(6) in section 2210--

(A) by striking subsection (a);

(B) by redesignating subsections (b) through (d) as subsections (a) through (c), respectively;

(i) by striking ``information sharing and analysis organizations (as defined in section 2222(5))'' and inserting

``Information Sharing and Analysis Organizations''; and

(ii) by striking ``(as defined in section 2209)''; and

(D) in subsection (c), as so redesignated, by striking

``subsection (c)'' and inserting ``subsection (b)'';

(7) in section 2211, by striking subsection (h);

(8) in section 2212, by striking ``information sharing and analysis organizations (as defined in section 2222(5))'' and inserting ``Information Sharing and Analysis Organizations'';

(9) in section 2213--

(A) by striking subsection (a);

(B) by redesignating subsections (b) through (f) as subsections (a) through (e); respectively;

``subsection (b)'' each place it appears and inserting

``subsection (a)'';

(D) in subsection (c), as so redesignated, in the matter preceding paragraph (1), by striking ``subsection (b)'' and inserting ``subsection (a)''; and

(E) in subsection (d), as so redesignated--

(i) in paragraph (1)--

(I) in the matter preceding subparagraph (A), by striking

``subsection (c)(2)'' and inserting ``subsection (b)(2)'';

(II) in subparagraph (A), by striking ``subsection (c)(1)'' and inserting ``subsection (b)(1)''; and

(III) in subparagraph (B), by striking ``subsection

(c)(2)'' and inserting ``subsection (b)(2)''; and

(ii) in paragraph (2), by striking ``subsection (c)(2)'' and inserting ``subsection (b)(2)'';

(10) in section 2216, as so redesignated--

(A) in subsection (d)(2), by striking ``information sharing and analysis organizations'' and inserting ``Information Sharing and Analysis Organizations''; and

(B) by striking subsection (f) and inserting the following:

``(f) Cyber Defense Operation Defined.--In this section, the term `cyber defense operation' means the use of a defensive measure.'';

(11) in section 2218(c)(4)(A), as so redesignated, by striking ``information sharing and analysis organizations'' and inserting ``Information Sharing and Analysis Organizations''; and

(12) in section 2222--

(A) by striking paragraphs (3), (5), and (8);

(B) by redesignating paragraph (4) as paragraph (3); and

(4) and (5), respectively.

(c) Table of Contents Amendments.--The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135) is amended--

(1) by inserting before the item relating to subtitle A of title XXII the following:

``Sec. 2200. Definitions.'';

(2) by striking the item relating to section 2201 and inserting the following:

``Sec. 2201. Definition.''; and

(3) by striking the item relating to section 2214 and all that follows through the item relating to section 2217 and inserting the following:

``Sec. 2214. National Asset Database.

``Sec. 2215. Duties and authorities relating to .gov internet domain.

``Sec. 2216. Joint Cyber Planning Office.

``Sec. 2217. Cybersecurity State Coordinator.

``Sec. 2218. Sector Risk Management Agencies.

``Sec. 2219. Cybersecurity Advisory Committee.

``Sec. 2220. Cybersecurity Education and Training Programs.''.

(d) Cybersecurity Act of 2015 Definitions.--Section 102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501) is amended--

(1) by striking paragraphs (4) through (7) and inserting the following:

``(4) Cybersecurity purpose.--The term `cybersecurity purpose' has the meaning given the term in section 2200 of the Homeland Security Act of 2002.

``(5) Cybersecurity threat.--The term `cybersecurity threat' has the meaning given the term in section 2200 of the Homeland Security Act of 2002.

``(6) Cyber threat indicator.--The term `cyber threat indicator' has the meaning given the term in section 2200 of the Homeland Security Act of 2002.

``(7) Defensive measure.--The term `defensive measure' has the meaning given the term in section 2200 of the Homeland Security Act of 2002.'';

(2) by striking paragraph (13) and inserting the following:

``(13) Monitor.-- The term `monitor' has the meaning given the term in section 2200 of the Homeland Security Act of 2002.''; and

(3) by striking paragraphs (16) and (17) and inserting the following:

``(16) Security control.--The term `security control' has the meaning given the term in section 2200 of the Homeland Security Act of 2002.

``(17) Security vulnerability.--The term `security vulnerability' has the meaning given the term in section 2200 of the Homeland Security Act of 2002.''.

SEC. 6204. ADDITIONAL TECHNICAL AND CONFORMING AMENDMENTS.

(a) Federal Cybersecurity Enhancement Act of 2015.--The Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521 et seq.) is amended--

(1) in section 222 (6 U.S.C. 1521)--

(A) in paragraph (2), by striking ``section 2210'' and inserting ``section 2200''; and

(B) in paragraph (4), by striking ``section 2209'' and inserting ``section 2200'';

(2) in section 223(b) (6 U.S.C. 151 note), by striking

``section 2213(b)(1)'' each place it appears and inserting

``section 2213(a)(1)'';

(3) in section 226 (6 U.S.C. 1524)--

(A) in subsection (a)--

(i) in paragraph (1), by striking ``section 2213'' and inserting ``section 2200'';

(ii) in paragraph (2), by striking ``section 102'' and inserting ``section 2200 of the Homeland Security Act of 2002'';

(iii) in paragraph (4), by striking ``section 2210(b)(1)'' and inserting ``section 2210(a)(1)''; and

(iv) in paragraph (5), by striking ``section 2213(b)'' and inserting ``section 2213(a)''; and

(B) in subsection (c)(1)(A)(vi), by striking ``section 2213(c)(5)'' and inserting ``section 2213(b)(5)''; and

(4) in section 227(b) (6 U.S.C. 1525(b)), by striking

``section 2213(d)(2)'' and inserting ``section 2213(c)(2)''.

(b) Public Health Service Act.--Section 2811(b)(4)(D) of the Public Health Service Act (42 U.S.C. 300hh-10(b)(4)(D)) is amended by striking ``section 228(c) of the Homeland Security Act of 2002 (6 U.S.C. 149(c))'' and inserting

``section 2210(b) of the Homeland Security Act of 2002 (6 U.S.C. 660(b))''.

(c) William M. (Mac) Thornberry National Defense Authorization Act of Fiscal Year 2021.--Section 9002 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 652a) is amended--

(1) in subsection (a)--

(A) in paragraph (5), by striking ``section 2222(5) of the Homeland Security Act of 2002 (6 U.S.C. 671(5))'' and inserting ``section 2200 of the Homeland Security Act of 2002''; and

(B) by amending paragraph (7) to read as follows:

``(7) Sector risk management agency.--The term `Sector Risk Management Agency' has the meaning given the term in section 2200 of the Homeland Security Act of 2002.'';

(2) in subsection (c)(3)(B), by striking ``section 2201(5)'' and inserting ``section 2200''; and

(3) in subsection (d)--

(A) by striking ``section 2215'' and inserting ``section 2218''; and

(B) by striking ``, as added by this section''.

(d) National Security Act of 1947.--Section 113B of the National Security Act of 1947 (50 U.S.C. 3049a(b)(4)) is amended by striking ``section 226 of the Homeland Security Act of 2002 (6 U.S.C. 147)'' and inserting ``section 2208 of the Homeland Security Act of 2002 (6 U.S.C. 658)''.

(e) IoT Cybersecurity Improvement Act of 2020.--Section 5(b)(3) of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c) is amended by striking ``section 2209(m) of the Homeland Security Act of 2002 (6 U.S.C. 659(m))'' and inserting ``section 2209(l) of the Homeland Security Act of 2002 (6 U.S.C. 659(l))''.

(f) Small Business Act.--Section 21(a)(8)(B) of the Small Business Act (15 U.S.C. 648(a)(8)(B)) is amended by striking

``section 2209(a)'' and inserting ``section 2200''.

(g) Title 46.--Section 70101(2) of title 46, United States Code, is amended by striking ``section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148)'' and inserting ``section 2200 of the Homeland Security Act of 2002''.

TITLE LXIII--FEDERAL CYBERSECURITY REQUIREMENTS

SEC. 6301. EXEMPTION FROM FEDERAL CYBERSECURITY REQUIREMENTS.

(a) In General.--Section 225(b)(2) of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) is amended to read as follows:

``(2) Exception.--

``(A) In general.--A particular requirement under paragraph

(1) shall not apply to an agency information system of an agency if--

``(i) with respect to the agency information system, the head of the agency submits to the Director an application for an exemption from the particular requirement, in which the head of the agency personally certifies to the Director with particularity that--

``(I) operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the particular requirement;

``(II) the particular requirement is not necessary to secure the agency information system or agency information stored on or transiting the agency information system; and

``(III) the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting the agency information system;

``(ii) the head of the agency or the designee of the head of the agency has submitted the certification described in clause (i) to the appropriate congressional committees and any other congressional committee with jurisdiction over the agency; and

``(iii) the Director grants the exemption from the particular requirement.

``(B) Duration of exemption.--

``(i) In general.--An exemption granted under subparagraph

(A) shall expire on the date that is 1 year after the date on which the Director grants the exemption.

``(ii) Renewal.--Upon the expiration of an exemption granted to an agency under subparagraph (A), the head of the agency may apply for an additional exemption.''.

(b) Report on Exemptions.--Section 3554(c)(1) of title 44, United States Code, as amended by section 5121 of this Act, is further amended--

(1) in subparagraph (C), by striking ``and'' at the end;

(2) in subparagraph (D), by striking the period at the end and inserting ``; and''; and

(3) by adding at the end the following:

``(E) with respect to any exemptions the agency is granted by the Director of the Office of Management and Budget under section 225(b)(2) of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) that is effective on the date of submission of the report, includes--

``(i) an identification of the particular requirements from which any agency information system (as defined in section 2210 of the Homeland Security Act of 2002 (6 U.S.C. 660)) is exempted; and

``(ii) for each requirement identified under subclause

(I)--

``(I) an identification of the agency information system described in subclause (I) exempted from the requirement; and

``(II) an estimate of the date on which the agency will to be able to comply with the requirement.''.

(c) Effective Date.--This section and the amendments made by this section shall take effect on the date that is 1 year after the date of enactment of this Act.

______

SA 4800. Ms. KLOBUCHAR (for herself and Mr. Blunt) submitted an amendment intended to be proposed by her to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle A of title X, add the following:

SEC. 1004. AVAILABILITY OF TRAVEL PROMOTION FUND FOR BRAND

USA.

(a) Short Title.--This section may be cited as the

``Restoring Brand USA Act''.

(b) In General.--Not later than 30 days after the date of the enactment of this Act, the Secretary of the Treasury, subject to subsections (c) and (d), and notwithstanding any other provision of law, shall make available, from unobligated balances remaining available from fees collected before October 1, 2020, and credited to Travel Promotion Fund established under subsection (d) of the Travel Promotion Act of 2009 (22 U.S.C. 2131(d)), $250,000,000 for the Corporation for Travel Promotion (commonly known as ``Brand USA'').

(c) Inapplicability of Certain Requirements and Limitations.--The limitations in subsection (d)(2)(B) of the Travel Promotion Act of 2009 shall not apply to amounts made available under subsection (b), and the requirements in subsection (d)(3) of such Act shall not apply to more than

$50,000,000 of the amounts so available.

(d) Use of Funds.--Brand USA may only use funds provided under subsection (b) to promote travel from countries whose citizens and nationals are permitted to enter the United States.

(e) Report Required.--Not later than 60 days after the date of the enactment of this Act, Brand USA shall submit to Congress a plan for obligating and expending the amounts described in subsection (b).

______

SA 4801. Mr. KENNEDY submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place, insert the following:

SEC. __. SBIR AND STTR PILOT PROGRAM FOR UNDERPERFORMING

STATES.

Section 9 of the Small Business Act (15 U.S.C. 638) is amended by adding at the end the following:

``(vv) Department of Defense Pilot Program for Underperforming States.--

``(1) Definitions.--In this section:

``(A) Department.--The term `Department' means the Department of Defense.

``(B) Underperforming state.--The term `underperforming State' means any State participating in the SBIR or STTR program that is in the bottom 68 percent of all States historically receiving SBIR or STTR program funding.

``(2) Establishment.--The Secretary of Defense shall establish a pilot program to provide small business concerns located in underperforming States an increased level of assistance under the SBIR and STTR programs of the Department.

``(3) Activities.--Under the pilot program, the Department, and any component agency thereof, may--

``(A) in any case in which the Department seeks to make a Phase II SBIR or STTR award to a small business concern based on the results of a Phase I award made to the small business concern by another agency, establish a streamlined transfer and fast track approval process for that Phase II award;

``(B) provide an additional Phase II SBIR or STTR award to a small business concern located in an underperforming State that received a Phase I SBIR or STTR award, subject to an increase in the allocation percentage;

``(C) establish a program to make Phase 1.5 SBIR or STTR awards to small business concerns located in underperforming States in order to provide funding for 12 to 24 months to continue the development of technology; and

``(D) carry out subparagraph (C) along with other mentorship programs.

``(4) Duration.--The pilot program established under this subsection shall terminate 5 years after the date on which the pilot program is established.

``(5) Report.--The Department shall submit to Congress an annual report on the status of the pilot program established under this subsection, including the improvement in funding under the SBIR and STTR programs of the Department provided to small business concerns located in underperforming States.''.

______

SA 4802. Mr. OSSOFF (for himself, Mr. Tillis, Mr. King, Ms. Cortez Masto, Mr. Rounds, Mr. Scott of South Carolina, and Mr. Kelly) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place, insert the following:

SEC. __. DR. DAVID SATCHER CYBERSECURITY EDUCATION GRANT

PROGRAM.

(a) Short Title.--This section may be cited as the

``Cybersecurity Opportunity Act''.

(b) Definitions.--In this section:

(1) Director.--The term ``Director'' means the Director of the National Institute of Standards and Technology.

(2) Enrollment of needy students.--The term ``enrollment of needy students'' has the meaning given the term in section 312(d) of the Higher Education Act of 1965 (20 U.S.C. 1058(d)).

(3) Historically black college or university.--The term

``historically Black college or university'' has the meaning given the term ``part B institution'' as defined in section 322 of the Higher Education Act of 1965 (20 U.S.C. 1061).

(4) Institution of higher education.--The term

``institution of higher education'' has the meaning given the term in section 101(a) of the Higher Education Act of 1965

(20 U.S.C. 1001(a)).

(5) Minority-serving institution.--The term ``minority-serving institution'' means an institution listed in section 371(a) of the Higher Education Act of 1965 (20 U.S.C. 1067q(a)).

(1) In general.--Subject to the availability of appropriations, the Director shall carry out the Dr. David Satcher Cybersecurity Education Grant Program by--

(3) Coordination.--The Director shall carry out this section in coordination with appropriate Federal agencies, including the Department of Homeland Security.

(4) Sunset.--The Director's authority to award grants under paragraph (1) shall terminate on the date that is 5 years after the date the Director first awards a grant under paragraph (1).

(1) building and upgrading institutional capacity to better support new or existing cybersecurity programs, including cybersecurity partnerships with public and private entities;

(2) building and upgrading institutional capacity to provide hands-on research and training experiences for undergraduate and graduate students; and

(3) outreach and recruitment to ensure students are aware of such new or existing cybersecurity programs, including cybersecurity partnerships with public and private entities.

(f) Reporting Requirements.--Not later than--

(g) Performance Metrics.--The Director shall establish performance metrics for grants awarded under this section.

(h) Effective Date.--This section shall take effect 1 year after the date of enactment of this Act.

______

SA 4803. Ms. DUCKWORTH (for herself, Mr. Kelly, Ms. Hirono, Ms. Rosen, Mr. Bennet, Mr. Heinrich, Mr. Moran, Mr. Young, Mrs. Feinstein, Mrs. Gillibrand, Mr. King, Mrs. Shaheen, Ms. Klobuchar, Mr. Durbin, Mr. Peters, and Mr. Blumenthal) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle B of title XII, add the following:

SEC. 1216. AFGHANISTAN WAR COMMISSION ACT OF 2021.

(a) Short Title.--This section may be cited as the

``Afghanistan War Commission Act of 2021''.

(b) Definitions.--In this section:

(1) Applicable period.--The term ``applicable period'' means the period beginning June 1, 2001, and ending August 30, 2021.

(2) Appropriate congressional committees.--The term

``appropriate congressional committees'' means--

(A) the Committee on Armed Services of the Senate;

(B) the Committee on Foreign Relations of the Senate;

(D) the Committee on Appropriations of the Senate;

(E) the Committee on Armed Services of the House of Representatives;

(F) the Committee on Foreign Affairs of the House of Representatives;

(G) the Permanent Select Committee on Intelligence of the House of Representatives; and

(H) the Committee on Appropriations of the House of Representatives.

(3) Intelligence community.--The term ``intelligence community'' has the meaning given that term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)).

(1) Establishment.--There is established in the legislative branch an independent commission to be known as the Afghanistan War Commission (in this section referred to as the ``Commission'').

(2) Membership.--

(A) Composition.--The Commission shall be composed of 16 members of whom--

(i) 1 shall be appointed by the Chairman of the Committee on Armed Services of the Senate;

(ii) 1 shall be appointed by the ranking member of the Committee on Armed Services of the Senate;

(iii) 1 shall be appointed by the Chairman of the Committee on Armed Services of the House of Representatives;

(iv) 1 shall be appointed by the ranking member of the Committee on Armed Services of the House of Representatives;

(v) 1 shall be appointed by the Chairman of the Committee on Foreign Relations of the Senate;

(vi) 1 shall be appointed by the ranking member of the Committee on Foreign Relations of the Senate;

(vii) 1 shall be appointed by the Chairman of the Committee on Foreign Affairs of the House of Representatives;

(viii) 1 shall be appointed by the ranking member of the Committee on Foreign Affairs of the House of Representatives;

(ix) 1 shall be appointed by the Chairman of the Select Committee on Intelligence of the Senate;

(x) 1 shall be appointed by the ranking member of the Select Committee on Intelligence of the Senate.

(xi) 1 shall be appointed by the Chairman of the Permanent Select Committee on Intelligence of the House of Representatives;

(xii) 1 shall be appointed by the ranking member of the Permanent Select Committee on Intelligence of the House of Representatives;

(xiii) 1 shall be appointed by the majority leader of the Senate;

(xiv) 1 shall be appointed by the minority leader of the Senate;

(xv) 1 shall be appointed by the Speaker of the House of Representatives; and

(xvi) 1 shall be appointed by the Minority Leader of the House of Representatives.

(B) Qualifications.--It is the sense of Congress that each member of the Commission appointed under subparagraph (A) should have significant professional experience in national security, such as a position in--

(i) the Department of Defense;

(ii) the Department of State;

(iii) the intelligence community;

(iv) the United States Agency for International Development; or

(v) an academic or scholarly institution.

(i) be a current member of Congress;

(ii) be a former member of Congress who served in Congress after January 3, 2001;

(iii) be a current or former registrant under the Foreign Agents Registration Act of 1938 (22 U.S.C. 611 et seq.);

(iv) have previously investigated Afghanistan policy or the war in Afghanistan through employment in the office of a relevant inspector general;

(v) have been the sole owner or had a majority stake in a company that held any United States or coalition defense contract providing goods or services to activities by the United States Government or coalition in Afghanistan during the applicable period; or

(vi) have served, with direct involvement in actions by the United States Government in Afghanistan during the time the relevant official served, as--

(I) a cabinet secretary or national security adviser to the President; or

(II) a four-star flag officer, Under Secretary, or more senior official in the Department of Defense or the Department of State.

(D) Date.--

(i) In general.--The appointments of the members of the Commission shall be made not later than 60 days after the date of enactment of this Act.

(ii) Failure to make appointment.--If an appointment under subparagraph (A) is not made by the appointment date specified in clause (i)--

(I) the authority to make such appointment shall expire; and

(II) the number of members of the Commission shall be reduced by the number equal to the number of appointments not made.

(3) Period of appointment; vacancies.--

(A) In general.--A member of the Commission shall be appointed for the life of the Commission.

(B) Vacancies.--A vacancy in the Commission--

(i) shall not affect the powers of the Commission; and

(ii) shall be filled in the same manner as the original appointment.

(4) Meetings.--

(A) Initial meeting.--Not later than 30 days after the date on which all members of the Commission have been appointed, the Commission shall hold the first meeting of the Commission.

(B) Frequency.--The Commission shall meet at the call of the Co-Chairpersons.

(C) Quorum.--A majority of the members of the Commission shall constitute a quorum, but a lesser number of members may hold hearings.

(5) Co-chairpersons.--The Commission shall select, by a simple majority vote--

(A) 1 Co-Chairperson from the members of the Commission appointed by chairpersons of the appropriate congressional committees; and

(B) 1 Co-Chairperson from the members of the Commission appointed by the ranking members of the appropriate congressional committees.

(d) Purpose of Commission.-- The purpose of the Commission is--

(1) to examine the key strategic, diplomatic, and operational decisions that pertain to the war in Afghanistan during the relevant period, including decisions, assessments, and events that preceded the war in Afghanistan; and

(2) to develop a series of lessons learned and recommendations for the way forward that will inform future decisions by Congress and policymakers throughout the United States Government.

(e) Duties of Commission.--

(1) Study.--

(A) In general.--The Commission shall conduct a thorough study of all matters relating to combat operations, reconstruction and security force assistance activities, intelligence operations, and diplomatic activities of the United States pertaining to the Afghanistan during the period beginning September 1, 1996, and ending August 30, 2021.

(B) Matters studied.--The matters studied by the Commission shall include--

(i) for the time period specified under subparagraph (A)--

(I) the policy objectives of the United States Government, including--

(aa) military objectives;

(bb) diplomatic objectives;

(cc) development objectives; and

(dd) intelligence objectives;

(II) significant decisions made by the United States, including the development of options presented to policymakers;

(III) the efficacy of efforts by the United States Government in meeting the objectives described in clause (i), including an analysis of --

(aa) military efforts;

(bb) diplomatic efforts;

(cc) development efforts; and

(dd) intelligence efforts; and

(IV) the efficacy of counterterrorism efforts against al Qaeda, the Islamic State Khorasan Province, and other foreign terrorist organizations in degrading the will and capabilities of such organizations--

(aa) to mount external attacks against the United States mainland or its allies and partners; or

(bb) to threaten regional stability in Afghanistan and neighboring countries.

(ii) the efficacy of metrics, measures of effectiveness, and milestones used to assess progress of diplomatic, military, and intelligence efforts;

(iii) the efficacy of interagency planning and execution process by the United States Government;

(iv) factors that led to the collapse of the Afghan National Defense Security Forces in 2021, including--

(I) training;

(II) assessment methodologies;

(III) building indigenous forces on western models;

(IV) reliance on technology and logistics support; and

(V) reliance on warfighting enablers provided by the United States;

(v) the efficacy of counter-corruption efforts to include linkages to diplomatic lines of effort, linkages to foreign and security assistance, and assessment methodologies;

(vi) the efficacy of counter-narcotic efforts to include alternative livelihoods, eradication, interdiction, and education efforts;

(vii) the role of countries neighboring Afghanistan in contributing to the instability of Afghanistan;

(viii) varying diplomatic approaches between Presidential administrations;

(ix) the extent to which the intelligence community did or did not fail to provide sufficient warning about the probable outcomes of a withdrawal of coalition military support from Afghanistan, including as it relates to--

(I) the capability and sustainability of the Afghanistan National Defense Security Forces;

(II) the sustainability of the Afghan central government, absent coalition support;

(III) the extent of Taliban control over Afghanistan over time with respect to geographic territory, governance, and influence; and

(IV) the likelihood of the Taliban regaining control of Afghanistan at various levels of United States and coalition support, including the withdrawal of most or all United States or coalition support;

(x) the extent to which intelligence products related to the state of the conflict in Afghanistan and the effectiveness of the Afghanistan National Defense Security Forces complied with intelligence community-wide analytic tradecraft standards and fully reflected the divergence of analytic views across the intelligence community;

(xi) an evaluation of whether any element of the United States Government inappropriately restricted access to data from elements of the intelligence community, Congress, or the Special Inspector General for Afghanistan Reconstruction

(SIGAR) or any other oversight body such as other inspectors general or the Gpvernment Accountability Office, including through the use of overclassification; and

(xii) the extent to which public representations of the situation in Afghanistan before Congress by United States Government officials were not consistent with the most recent formal assessment of the intelligence community at the time those representations were made.

(2) Report required.--

(A) In general.--

(i) Annual report.--

(I) In general.--Not later than 1 year after the date of the initial meeting of the Commission, and annually thereafter, the Commission shall submit to the appropriate congressional committees a report describing the progress of the activities of the Commission as of the date of such report, including any findings, recommendations, or lessons learned endorsed by the Commission.

(II) Addenda.--Any member of the Commission may submit an addendum to a report required under subclause (I) setting forth the separate views of such member with respect to any matter considered by the Commission.

(III) Briefing.--On the date of the submission of the first annual report, the Commission shall brief Congress.

(ii) Final report.--

(I) Submission.--Not later than 3 years after the date of the initial meeting of the Commission, the Commission shall submit to Congress a report that contains a detailed statement of the findings, recommendations, and lessons learned endorsed by the Commission.

(II) Addenda.--Any member of the Commission may submit an addendum to the report required under subclause (I) setting forth the separate views of such member with respect to any matter considered by the Commission.

(III) Extension.--The Commission may submit the report required under subclause (I) at a date that is not more than 1 year later than the date specified in such clause if agreed to by the chairperson and ranking member of each of the appropriate congressional committees.

(B) Form.--The report required by paragraph (1)(B) shall be submitted and publicly released on a Government website in unclassified form but may contain a classified annex.

(i) In general.--Not later than 4 years after the date that the report required by subparagraph (A)(ii) is submitted, each relevant agency of jurisdiction shall submit to the committee of jurisdiction a report on the efforts of such agency to declassify such annex.

(ii) Contents.--Each report required by clause (i) shall include--

(I) a list of the items in the classified annex that the agency is working to declassify at the time of the report and an estimate of the timeline for declassification of such items;

(II) a broad description of items in the annex that the agency is declining to declassify at the time of the report; and

(III) any justification for withholding declassification of certain items in the annex and an estimate of the timeline for declassification of such items.

(f) Powers of Commission.--

(1) Hearings.--The Commission may hold such hearings, take such testimony, and receive such evidence as the Commission considers necessary to carry out its purpose and functions under this section.

(2) Assistance from federal agencies.--

(A) Information.--

(i) In general.--The Commission may secure directly from a Federal department or agency such information as the Commission considers necessary to carry out this section.

(ii) Furnishing information.--Upon receipt of a written request by the Co-Chairpersons of the Commission, the head of the department or agency shall expeditiously furnish the information to the Commission.

(B) Space for commission.--Not later than 30 days after the date of the enactment of this Act, the Administrator of General Services, in consultation with the Commission, shall identify and make available suitable excess space within the Federal space inventory to house the operations of the Commission. If the Administrator of General Services is not able to make such suitable excess space available within such 30-day period, the Commission may lease space to the extent that funds are available for such purpose.

(3) Postal services.--The Commission may use the United States mails in the same manner and under the same conditions as other departments and agencies of the Federal Government.

(4) Gifts.--The Commission may accept, use, and dispose of gifts or donations of services, goods, and property from non-Federal entities for the purposes of aiding and facilitating the work of the Commission. The authority in this subsection does not extend to gifts of money. Gifts accepted under this authority shall be documented, and conflicts of interest or the appearance of conflicts of interest shall be avoided. Subject to the authority in this section, commissioners shall otherwise comply with rules set forth by the Select Committee on Ethics of the Senate and the Committee on Ethics of the House of Representatives governing employees of the Senate and the House of Representatives.

(5) Legislative advisory committee.--The Commission shall operate as a legislative advisory committee and shall not be subject to the provisions of the Federal Advisory Committee Act (Public Law 92-463; 5 U.S.C. App) or section 552b, United States Code (commonly known as the Government in the Sunshine Act).

(g) Commission Personnel Matters.--

(1) Compensation of members.--A member of the Commission who is not an officer or employee of the Federal Government shall be compensated at a rate equal to the daily equivalent of the annual rate of basic pay prescribed for level IV of the Executive Schedule under section 5315 of title 5, United States Code, for each day (including travel time) during which the member is engaged in the performance of the duties of the Commission.

(2) Travel expenses.--A member of the Commission shall be allowed travel expenses, including per diem in lieu of subsistence, at rates authorized for employees of agencies under subchapter I of chapter 57 of title 5, United States Code, while away from their homes or regular places of business in the performance of services for the Commission.

(3) Staff.--

(A) Status as federal employees.--Notwithstanding the requirements of section 2105 of title 5, United States Code, including the required supervision under subsection (a)(3) of such section, the members of the commission shall be deemed to be Federal employees.

(B) Executive director.--The Commission shall appoint and fix the rate of basic pay for an Executive Director in accordance with section 3161(d) of title 5, United States Code.

(C) Pay.--The Executive Director, with the approval of the Commission, may appoint and fix the rate of basic pay for additional personnel as staff of the Commission in accordance with section 3161(d) of title 5, United States Code.

(4) Detail of government employees.--A Federal Government employee may be detailed to the Commission without reimbursement, and such detail shall be without interruption or loss of civil service status or privilege.

(5) Procurement of temporary and intermittent services.--The Co-Chairpersons of the Commission may procure temporary and intermittent services under section 3109(b) of title 5, United States Code, at rates for individuals that do not exceed the daily equivalent of the annual rate of basic pay prescribed for level V of the Executive Schedule under section 5316 of that title.

(h) Termination of Commission.--The Commission shall terminate 90 days after the date on which the Commission submits the report required under subsection (e)(2)(A)(ii).

(i) Authorization of Appropriations.--

(1) Increase.--The amount authorized to be appropriated by section 4301 for Operation and Maintenance, Defense-wide, for the Office of the Secretary of Defense, is hereby increased by $3,000,000.

(2) Offset.--The amount authorized to be appropriated by section 4301 for Operation and Maintenance, Afghanistan Security Forces Fund, for Afghanistan Air Force, Line 090, is hereby reduced by $3,000,000.

______

SA 4804. Mr. YOUNG submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle E of title XII, add the following:

SEC. 1253. REPORT ON GEOSTRATEGIC INTERESTS AND NATIONAL

SECURITY IMPLICATIONS RELATED TO TRADE IN INDO-

PACIFIC REGION.

(a) In General.--Not later than 150 days after the date of the enactment of this Act, the United States Trade Representative, in coordination with the Secretary of Defense, the Secretary of State, the Secretary of Commerce, and the Secretary of Homeland Security, shall submit to Congress and make available to the public a report on geostrategic interests and national security implications related to trade in the Indo-Pacific region.

(b) Elements.--The report required by subsection (a) shall include an assessment of the following:

(1) How reductions in tariffs, revisions in government procurement rules, and other market access commitments by countries in the Indo-Pacific region could potentially affect United States producers and supply chains deemed critical for national security purposes.

(2) How agreements by those countries, including with respect to strengthening investment and intellectual property rights, could potentially affect the development by the United States of critical new technologies.

(3) How agreements by those countries relating to digital trade could potentially affect United States cybersecurity, including potential agreements entered into with the United States to promote cybersecurity and open data flows and to combat discriminatory practices and government censorship.

(4) How tariff and nontariff barriers imposed by those countries and trade agreements by those countries could broadly affect geostrategic United States interests, partnerships, and alliances.

(5) Current and predicted foreign direct investment in the Indo-Pacific region by the People's Republic of China.

(6) How agreements by those countries could counter the semiconductor policies of the Government of the People's Republic of China, particularly those policies that could lead to the transfer of intellectual property, research and development, and manufacturing to the People's Republic of China.

(c) Public Hearing.--The Trade Representative and the officials specified in subsection (a) shall jointly conduct a public hearing and invite witnesses to testify with respect to the elements described in subsection (b).

______

SA 4805. Ms. CORTEZ MASTO submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place in title X, insert the following:

Subtitle __--Veterans Matters

SEC. ___. EXTENSIONS OF CERTAIN PROVISIONS OF LAW RELATING TO

BENEFITS PROVIDED UNDER DEPARTMENT OF VETERANS

AFFAIRS EDUCATIONAL ASSISTANCE PROGRAMS DURING

COVID-19 PANDEMIC.

(a) Extension of Student Veteran Coronavirus Response Act of 2020.--Section 2 of the Student Veteran Coronavirus Response Act of 2020 (Public Law 116-140; 38 U.S.C. 3031 note), as amended by section 5202(a) of the Department of Veterans Affairs Expiring Authorities Act of 2020 (division E of Public Law 116-159), is further amended by striking

``December 21, 2021'' and inserting ``June 1, 2022''.

(b) Extension of Payment of Work-study Allowances During Emergency Situation.--Section 3 of the Student Veteran Coronavirus Response Act of 2020 (38 U.S.C. 3485 note) is amended by striking ``During the covered period'' and inserting ``During the period beginning on March 1, 2020, and ending on June 1, 2022''.

(c) Extension of Period for Continuation of Department of Veterans Affairs Educational Assistance Benefits for Certain Programs of Education Converted to Distance Learning by Reason of Emergencies and Health-related Situations.--Section 1(b) of Public Law 116-128 (38 U.S.C. 3001 note prec.), as amended by section 5202(b) of the Department of Veterans Affairs Expiring Authorities Act of 2020 (division E of Public Law 116-159), is further amended by striking

``December 21, 2021'' and inserting ``June 1, 2022''.

(d) Extension of Modification of Time Limitations on Use of Entitlement to Montgomery GI Bill and Vocational Rehabilitation and Training.--Section 1105 of the Johnny Isakson and David P. Roe, M.D. Veterans Health Care and Benefits Improvement Act of 2020 (Public Law 116-315) is amended by striking ``December 21, 2021'' each place it appears and inserting ``June 1, 2022''.

(e) Extension of Continuation of Department of Veterans Affairs Educational Assistance Benefits During COVID-19 Emergency.--Section 1102(e) of the Johnny Isakson and David P. Roe, M.D. Veterans Health Care and Benefits Improvement Act of 2020 (Public Law 116-315) is amended by striking

``December 21, 2021'' and inserting ``June 1, 2022''.

(f) Extension of Provisions Relating to Effects of Closure of Educational Institution and Modification of Courses by Reason of COVID-19 Emergency.--Section 1103(h) of such Act is amended by striking ``December 21, 2021'' and inserting

``June 1, 2022''.

(g) Extension of Provision Relating to Payment of Educational Assistance in Cases of Withdrawal.--Section 1104(a) of such Act is amended by striking ``December 21, 2021'' and inserting ``June 1, 2022''.

(h) Extension of Provision Relating to Apprenticeship or On-job Training Requirements.--Section 1106(b) of such Act is amended by striking ``December 21, 2021'' and inserting

``June 1, 2022''.

SEC. ___. MODIFICATIONS TO REQUIREMENTS FOR EDUCATIONAL

INSTITUTIONS PARTICIPATING IN THE EDUCATIONAL

ASSISTANCE PROGRAMS OF THE DEPARTMENT OF

VETERANS AFFAIRS.

(a) Waiver of Verification of Enrollment for Certain Educational Institutions.--Section 3313(l) of title 38, United States Code, is amended by adding at the end the following new paragraph:

``(4) Waiver.--The Secretary may waive the requirements of this subsection for an educational institution that the Secretary has determined uses a flat tuition and fee structure that would make the use of a second verification under this subsection unnecessary.''.

(b) Limitations on Authority to Disapprove of Courses.--

(1) In general.--Subsection (f) of section 3679 of title 38, United States Code, is amended--

(A) in paragraph (2)(B),

(i) by inserting ``, except for the recruitment of foreign students residing in foreign countries who are not eligible to receive Federal student assistance'' after ``assistance''; and

(ii) by adding at the end the following new subparagraph:

``(C) In determining whether a violation of subparagraph

(B) has occurred, the State approving agency, or the Secretary when acting in the place of the State approving agency, shall construe the requirements of this paragraph in accordance with the regulations and guidance prescribed by the Secretary of Education under section 487(a)(20) of the Higher Education Act of 1965 (20 U.S.C. 1094(a)(20)).'';

(B) by redesignating paragraph (7) as paragraph (8); and

``(7) This subsection shall not apply to an educational institution--

``(A) located in a foreign country; or

``(B) that provides to a covered individual consumer information regarding costs of the program of education

(including financial aid available to such covered individual) using a form or template developed by the Secretary of Education.''.

(2) Application date.--The Secretary of Veterans Affairs may not carry out subsection (f) of section 3679 of title 38, United States Code, until August 1, 2022, except that, beginning on June 15, 2022, an educational institution may submit an application for a waiver under paragraph (5) of such subsection.

(3) Conforming amendments.--Subsection (c) of section 3696 of such title is amended--

(A) by inserting ``(1)'' before ``An educational'';

(B) by inserting ``, except for the recruitment of foreign students residing in foreign countries who are not eligible to receive Federal student assistance'' after ``assistance''; and

``(2) In determining whether a violation of paragraph (1) has occurred, the Under Secretary for Benefits shall construe the requirements of this paragraph in accordance with the regulations and guidance prescribed by the Secretary of Education under section 487(a)(20) of the Higher Education Act of 1965 (20 U.S.C. 1094(a)(20)).''.

(1) Information relating to tests.--Section 3689(c) of title 38, United States Code, is amended by adding at the end the following new paragraph:

``(3) Subparagraph (G) of paragraph (1) shall not apply with respect to an educational institution located in a foreign country.''.

(2) Examination of records.--Section 3690(c) of title 38, United States Code, is amended--

(A) by striking ``Notwithstanding'' and inserting ``(1) Except as provided in paragraph (2), notwithstanding''; and

(B) by adding at the end the following new paragraph:

``(2) Paragraph (1) does not apply to the records and accounts--

``(A) of an educational institution located in a foreign country; and

``(B) that pertain to an individual who is not receiving educational assistance under this chapter.''.

SEC. ___. CONTINUATION OF DEPARTMENT OF VETERANS AFFAIRS

EDUCATIONAL ASSISTANCE BENEFITS FOR CERTAIN

PROGRAMS OF EDUCATION CONVERTED TO DISTANCE

LEARNING BY REASON OF EMERGENCIES AND HEALTH-

RELATED SITUATIONS.

(a) In General.--In the case of a program of education approved by a State approving agency, or the Secretary of Veterans Affairs when acting in the role of a State approving agency, that is converted from being offered on-site at an educational institution to being offered by distance learning by reason of an emergency or health-related situation, as determined by the Secretary, the Secretary may continue to provide educational assistance under the laws administered by the Secretary without regard to such conversion, including with respect to paying any--

(1) monthly housing stipends under chapter 33 of title 38, United States Code; or

(2) payments or subsistence allowances under chapters 30, 31, 32, and 35 of such title and chapters 1606 and 1607 of title 10, United States Code.

(b) Applicability Period.--Subsection (a) shall apply during the period beginning on December 21, 2021, and ending on June 1, 2022.

(1) Educational institution.--The term ``educational institution'' has the meaning given that term in section 3452 of title 38, United States Code, and includes an institution of higher learning (as defined in such section).

(2) Program of education.--The term ``program of education'' has the meaning given that term in section 3002 of title 38, United States Code.

(3) State approving agency.--The term ``State approving agency'' has the meaning given that term in section 3671 of title 38, United States Code.

SEC. ___. BUDGETARY EFFECTS.

(a) In General.--Amounts provided to carry out the amendments made by this subtitle are designated as an emergency requirement pursuant to section 4(g) of the Statutory Pay-As-You-Go Act of 2010 (2 U.S.C. 933(g)).

(b) Designation in Senate.--In the Senate, amounts provided to carry out the amendments made by this subtitle are designated as an emergency requirement pursuant to section 4112(a) of H. Con. Res. 71 (115th Congress), the concurrent resolution on the budget for fiscal year 2018.

______

SA 4806. Ms. SMITH (for herself and Mr. Young) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place, insert the following:

TITLE __--EMERGENCY PREPAREDNESS

SEC. _01. SHORT TITLE.

This title may be cited as the ``Advancing Emergency Preparedness Through One Health Act of 2021''.

SEC. _02. FINDINGS.

Congress finds the following:

(1) The term ``One Health'' reflects the interconnectedness of human health, animal health, and the environment. As technology and population growth facilitates increased interaction of human settlements with wildlife habitats and as international travel and trade increases, the interface between these elements will also continue to rise.

(2) When zoonotic diseases spill over to humans, there are often enormous health and economic costs. The World Bank estimates that, between 1997 and 2009, the global costs from six zoonotic outbreaks exceeded $80,000,000,000 and the Centers for Disease Control and Prevention estimates that there are annually 2,500,000,000 cases of zoonotic infections globally, resulting in 2,700,000 deaths.

(3) There are also immense effects on the agriculture sector. In 2014 and 2015, a high pathogenic avian influenza

(HPAI) outbreak in the United States led to the cull of nearly 50,000,000 birds, and imposed up to approximately

$3,300,000,000 in losses for poultry and egg farmers, animal feed producers, baked good production, and other related industries.

(4) Public health preparedness depends on agriculture in a variety of ways. For example, a wide range of vaccines, including those for influenza, yellow fever, rabies, and measles-mumps-rubella (MMR), are primarily cultivated in poultry eggs. Egg shortages resulting from zoonotic disease outbreaks could impose serious risks to vaccine manufacturing efforts.

(5) It is estimated that approximately 80 percent of potential pathogens likely to be used in bioterrorism or biowarfare are common zoonotic pathogens.

(6) While existing Federal Government initiatives related to One Health span multiple agencies, including the Centers for Disease Control and Prevention One Health office and the Department of Agriculture Animal and Plant Health Inspection Services' One Health Coordination Center, additional interagency coordination is necessary to help better prevent, prepare for, and respond to zoonotic disease outbreaks.

SEC. _03. INTERAGENCY ONE HEALTH PROGRAM.

(a) In General.--The Secretary of the Interior, the Secretary of Health and Human Services, and the Secretary of Agriculture (referred to in this title as the

``Secretaries''), in coordination with the United States Agency for International Development, the Environmental Protection Agency, the Department of Homeland Security, the Department of Defense, the Department of Commerce, and other departments and agencies as appropriate, shall develop, publish, and submit to Congress a national One Health Framework (referred to in this title as the ``framework'') for coordinated Federal Activities under the One Health Program.

(b) National One Health Framework.--

(1) In general.--Not later than 1 year after the date of enactment of this Act, the Secretaries, in cooperation with the United States Agency for International Development, the Environmental Protection Agency, the Department of Homeland Security, the Department of Defense, the Department of Commerce, and other departments and agencies as appropriate, shall develop, publish, and submit to Congress a One Health Framework (referred to in this section as the ``framework'') for coordinated Federal activities under the One Health Program.

(2) Contents of framework.--The framework described in paragraph (1) shall describe existing efforts and contain recommendations for building upon and complementing the activities of the Department of the Interior, the Centers for Disease Control and Prevention, the Food and Drug Administration, the Office of the Assistant Secretary for Preparedness and Response, the Department of Agriculture, the United States Agency for International Development, the Environmental Protection Agency, the National Institutes of Health, the Department of Homeland Security, and other departments and agencies, as appropriate, and shall--

(A) assess, identify, and describe, as appropriate, existing activities of Federal agencies and departments under the One Health Program and consider whether all relevant agencies are adequately represented;

(B) for the 10-year period beginning in the year the framework is submitted, establish specific Federal goals and priorities that most effectively advance--

(i) scientific understanding of the connections between human, animal, and environmental health;

(ii) coordination and collaboration between agencies involved in the framework including sharing data and information, engaging in joint fieldwork, and engaging in joint laboratory studies related to One Health;

(iii) identification of priority zoonotic diseases and priority areas of study;

(iv) surveillance of priority zoonotic diseases and their transmission between animals and humans;

(v) prevention of priority zoonotic diseases and their transmission between animals and humans;

(vi) protocol development to improve joint outbreak response to and recovery from zoonotic disease outbreaks in animals and humans; and

(vii) workforce development to prevent and respond to zoonotic disease outbreaks in animals and humans;

(C) describe specific activities required to achieve the goals and priorities described in subparagraph (B), and propose a timeline for achieving these goals;

(D) identify and expand partnerships, as appropriate, among Federal agencies, States, Indian tribes, academic institutions, nongovernmental organizations, and private entities in order to develop new approaches for reducing hazards to human and animal health and to strengthen understanding of the value of an integrated approach under the One Health Program to addressing public health threats in a manner that prevents duplication;

(E) identify best practices related to State and local-level research coordination, field activities, and disease outbreak preparedness, response, and recovery related to One Health; and

(F) provide recommendations to Congress regarding additional action or legislation that may be required to assist in establishing the One Health Program.

(3) Addendum.--Not later than 3 years after the creation of the framework, the Secretaries, in coordination with the agencies described in paragraph (1), shall submit to Congress an addendum to the framework that describes the progress made in advancing the activities described in the framework.

(c) Authorization of Appropriations.--To carry out this section, there is authorized to be appropriated such sums as may be necessary.

SEC. _04. GAO REPORT.

Not later than 2 years after the date of the submission of the addendum under section _03(b)(3), the Comptroller General of the United States shall submit to Congress a report that--

(1) details existing collaborative efforts between the Department of the Interior, the Centers for Disease Control and Prevention, the Food and Drug Administration, the Department of Agriculture, the United States Agency for International Development, the Environmental Protection Agency, the National Institutes of Health, the Department of Homeland Security, and other departments and agencies to prevent and respond to zoonotic disease outbreaks in animals and humans; and

(2) contains an evaluation of the framework and the specific activities requested to achieve the framework.

______

SA 4807. Ms. SMITH (for herself, Mr. Cassidy, and Ms. Warren) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle G of title X, add the following:

SEC. 1064. STUDY AND REPORT ON THE REDISTRIBUTION OF COVID-19

VACCINE DOSES THAT WOULD OTHERWISE EXPIRE TO

FOREIGN COUNTRIES AND ECONOMIES.

(a) Study.--

(1) In general.--The Secretary of Health and Human Services, in consultation with the Secretary of State and the Administrator of the United States Agency for International Development, shall conduct a study to identify and analyze the logistical prerequisites for the collection of unused and unexpired doses of the COVID-19 vaccine in the United States and for the distribution of such doses to foreign countries and economies.

(2) Matters studied.--The matters studied by the Secretary of Health and Human Services under paragraph (1) shall include--

(A) options for the collection of unused and unexpired doses of the COVID-19 vaccine from entities in the United States;

(B) methods for the collection and shipment of such doses to foreign countries and economies;

(C) methods for ensuring the appropriate storage and handling of such doses during and following the distribution and delivery of the doses to such countries and economies;

(D) the capacity and capability of foreign countries and economies receiving such doses to distribute and administer the doses while assuring their safety and quality;

(E) the minimum supply of doses of the COVID-19 vaccine necessary to be retained within the United States; and

(F) other Federal agencies with which the heads of the relevant agencies should coordinate to accomplish the tasks described in subparagraphs (A) through (E) and the degree of coordination necessary between such agencies.

(b) Report Required.--Not later than 180 days after the date of the enactment of this Act, the Secretary of Health and Human Services, in consultation with the other heads of the relevant agencies, shall submit to the appropriate congressional committees a report on the results of the study conducted under subsection (a).

(1) Appropriate congressional committees.--The term

``appropriate congressional committees'' means--

(A) the Committee on Health, Education, Labor, and Pensions, and the Committee on Foreign Relations of the Senate; and

(B) the Committee on Energy and Commerce, and the Committee on Foreign Affairs of the House of Representatives.

(2) Relevant agencies.--The term ``relevant agencies'' means--

(A) the Department of Health and Human Services;

(B) the Department of State; and

______

SA 4808. Mrs. FEINSTEIN (for herself, Ms. Ernst, Mr. Durbin, Ms. Collins, Ms. Hirono, Ms. Rosen, Mr. Peters, Mr. Cornyn, and Ms. Duckworth) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle B of title XII, add the following:

SEC. 1216. STATUS OF WOMEN AND GIRLS IN AFGHANISTAN.

(a) Findings.--Congress finds the following:

(1) Since May 2021, the escalation of violent conflict in Afghanistan has forcibly displaced an estimated 655,000 civilians, and 80 percent of those forced to flee are women and children.

(2) Since regaining control of Afghanistan in August 2021, the Taliban have taken actions reminiscent of their brutal rule in the late 1990s, including by cracking down on protesters, detaining and beating journalists, reestablishing the Ministry for the Promotion of Virtue and Prevention of Vice, and requiring women to study at universities in gender-segregated classrooms while wearing Islamic attire.

(3) Until the Taliban assumed control of the country in August 2021, the women and girls of Afghanistan had achieved much since 2001, even as insecurity, poverty, underdevelopment, and patriarchal norms continued to limit their rights and opportunities in much of Afghanistan.

(4) Through strong support from the United States and the international community--

(A) female enrollment in public schools in Afghanistan continued to increase through 2015, with an estimated high of 50 percent of school age girls attending; and

(B) by 2019--

(i) women held political leadership positions, and women served as ambassadors; and

(ii) women served as professors, judges, prosecutors, defense attorneys, police, military members, health professionals, journalists, humanitarian and developmental aid workers, and entrepreneurs.

(5) Efforts to empower women and girls in Afghanistan continue to serve the national interests of Afghanistan and the United States because women are sources of peace and economic progress.

(6) With the return of Taliban control, the United States has little ability to preserve the human rights of women and girls in Afghanistan, and those women and girls may again face the intimidation and marginalization they faced under the last Taliban regime.

(7) Women and girls in Afghanistan are again facing gender-based violence, including--

(A) forced marriage;

(B) intimate partner and domestic violence;

(D) sexual violence, including rape; and

(E) emotional and psychological violence.

(8) Gender-based violence has always been a significant problem in Afghanistan and is expected to become more widespread with the Taliban in control. In 2020, even before the Taliban assumed control of the country, some studies projected that 87 percent of Afghan women and girls will experience at least one form of gender-based violence in their lifetime, with 62 percent experiencing multiple incidents of such violence.

(9) Prior to the Taliban takeover in August 2021, approximately 7,000,000 people in Afghanistan lacked or had limited access to emergency and primary health services as a result of inadequate public health coverage, weak health systems, and conflict-related interruptions in care.

(10) Women and girls faced additional challenges, as their access to prenatal, childbirth, and postpartum care was limited due to a shortage of female medical staff, cultural barriers, stigma and fears of reprisals following sexual violence, or other barriers to mobility, including security fears.

(11) Only approximately 50 percent of pregnant women and girls in Afghanistan deliver their children in a health facility with a professional attendant, which increases the risk of complications in childbirth and preventable maternal mortality.

(12) Food insecurity in Afghanistan is also posing a variety of threats to women and girls, as malnutrition weakens their immune systems and makes them more susceptible to infections, complications during pregnancy, and risks during childbirth.

(13) With the combined impacts of ongoing conflict and COVID-19, Afghan households increasingly resort to child marriage, forced marriage, and child labor to address food insecurity and other effects of extreme poverty.

(14) In Afghanistan, the high prevalence of anemia among adolescent girls reduces their ability to survive childbirth, especially when coupled with high rates of child marriage and forced marriage and barriers to accessing prenatal and childbirth services.

(b) Sense of Congress.--It is the sense of Congress that--

(1) since 2001, organizations and networks promoting the empowerment of women and girls have been important engines of social, economic, and political development in Afghanistan;

(2) any future political order in Afghanistan should secure the political, economic, and social gains made by Afghan women and work to increase the equal treatment of women and girls;

(3) respecting the internationally recognized human rights of all people is essential to securing lasting peace and sustainable development in Afghanistan;

(4) in cooperation with international partners, the United States must endeavor to preserve the hard-won gains made in Afghanistan during the past two decades, particularly as related to the social, economic and political empowerment of women and girls in society;

(5) the continued provision of humanitarian assistance in Afghanistan should be targeted toward the most vulnerable, including for the protection, education, and well-being of women and girls;

(6) immediate and ongoing humanitarian needs in Afghanistan can only be met by a humanitarian response that includes formal agreements between local nongovernmental organizations and international partners that promotes the safe access and participation of female staff at all levels and across functional roles among all humanitarian actors; and

(7) a lack of aid would exacerbate the current humanitarian crisis and harm the well-being of women and girls in Afghanistan.

(1) In general.--It is the policy of the United States--

(A) to continue to support the internationally recognized human rights of women and girls in Afghanistan following the withdrawal of the United States Armed Forces from Afghanistan, including through mechanisms to hold all parties publicly accountable for violations of international humanitarian law and violations of such rights against women and girls;

(B) to strongly oppose any weakening of the political or economic rights of women and girls in Afghanistan;

(C) to use the voice and influence of the United States at the United Nations to promote, respect, and uphold the internationally recognized human rights of the women and girls of Afghanistan, including the right to safely work;

(D) to identify individuals who violate the internationally recognized human rights of women and girls in Afghanistan, such as by committing acts of murder, lynching, and grievous domestic violence against women, and to press for bringing those individuals to justice; and

(E) to systematically consult with Afghan women and girls on their needs and priorities in the development, implementation, and monitoring of humanitarian action, including women and girls who are part of the Afghan diaspora community.

(d) Humanitarian Assistance and Afghan Women.--The Administrator of the United States Agency for International Development should work to ensure that Afghan women are employed and enabled to work in the delivery of humanitarian assistance in Afghanistan, to the extent practicable.

(e) Report on Women and Girls in Afghanistan.--

(1) In general.--Not later than 180 days after the date of the enactment of this Act, and every 180 days thereafter through 2024, the Secretary of State shall submit to the appropriate committees of Congress, and make available to the public, a report that includes the following:

(A) An assessment of the status of women and girls in Afghanistan following the departure of United States and partner military forces, including with respect to access to primary and secondary education, jobs, primary and emergency health care, and legal protections and status.

(B) An assessment of the political and civic participation of women and girls in Afghanistan.

(D) A report on funds for United States foreign assistance obligated or expended during the period covered by the report to advance gender equality and the internationally recognized human rights of women and girls in Afghanistan, including funds directed toward local organizations promoting such rights of women and girls, that includes the following:

(i) The amounts awarded to principal recipients and sub-recipients for such purposes during the reporting period.

(ii) A description of each program for which such funds are used for such purposes.

(2) Assessment.--

(A) Input.--The assessment described in paragraph (1)(A) shall include the input of--

(i) Afghan women and girls;

(ii) organizations employing and working with Afghan women and girls; and

(iii) humanitarian organizations, including faith-based organizations, providing assistance in Afghanistan.

(B) Safety and confidentiality.--In carrying out the assessment described in paragraph (1)(A), the Secretary shall, to the maximum extent practicable, ensure the safety and confidentiality of personal information of each individual who provides information from within Afghanistan.

(3) Definition of appropriate committees of congress.--In this subsection, the term ``appropriate committees of Congress'' means--

(A) the Committee on Foreign Relations and the Committee on Appropriations of the Senate; and

(B) the Committee on Foreign Affairs and the Committee on Appropriations of the House of Representatives.

______

SA 4809. Mr. WARNER submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end of subtitle E of title V, add the following:

SEC. 576. COUNTERING EXTREMISM IN THE ARMED FORCES.

(a) In General.--The Secretary of Defense shall--

(1) promulgate policy that prohibits and defines participation in extremist activities;

(2) develop and implement programs, resources, and activities to counter extremism within the Armed Forces, including screening of publicly available information and Insider Threat Programs;

(3) collect and report data on incidents, allegations, investigations, disciplinary actions, and separations related to extremism, as well as publication of reports on these data in a regular, public, and transparent manner; and

(4) designate a senior official, to be known as the

``Senior Official for Countering Extremism'', within the Department of Defense as responsible for facilitation and coordination of the activities described in this subsection with personnel and readiness officials, law enforcement organizations, security organizations, insider threat programs, and watch lists related to extremism in the Armed Forces.

(b) Training and Education.--

(1) In general.--The Secretary of each military department, in coordination with the Senior Official for Countering Extremism, shall develop and implement training and education programs and related materials to assist members of the Armed Forces and civilian employees of the Department of Defense in identifying, preventing, responding to, reporting, and mitigating the risk of extremist activities.

(2) Content.--The training and education described in paragraph (1) shall include specific material for activities determined by the Senior Official for Countering Extremism as high risk for extremist activities, including recruitment activities and separating members of the Armed Forces.

(3) Requirements.--The Secretary of Defense, in consultation with the Secretary of Homeland Security, shall provide the training and education described paragraph (1)--

(A) to a member of the Armed Forces, civilian employee of the Department of Defense, or an individual in a pre-commissioning program no less than once a year;

(B) to a member of the Armed Forces whose discharge

(regardless of character of discharge) or release from active duty is anticipated as of a specific date within the time period specified under section 1142(a)(3) of title, United States Code;

(C) to a member of the Armed Forces performing recruitment activities within the 30 days prior to commencing such activities; and

(D) additionally as determined by the Secretary of Defense.

(c) Progress Report.--Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the Committees on Armed Services of the Senate and House of Representatives a report on the status of the implementation of this section.

______

SA 4810. Mrs. GILLIBRAND (for herself, Mr. Rubio, Mr. Heinrich, Mr. Blunt, and Mr. Graham) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place in title XV, insert the following:

SEC. ___. ESTABLISHMENT OF STRUCTURE AND AUTHORITIES TO

ADDRESS UNIDENTIFIED AERIAL PHENOMENA.

(a) Establishment of Anomaly Surveillance, Tracking, and Resolution Office.--

(1) In general.--Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall, in coordination with the Director of National Intelligence, establish an office within an appropriate component of the Department of Defense, or within a joint organization of the Department of Defense and the Office of the Director of National Intelligence, to assume--

(A) the duties of the Unidentified Aerial Phenomenon Task Force, as in effect on the day before the date of the enactment of this Act; and

(B) such other duties as are required by this section.

(2) Designation.--The office established under paragraph

(1) shall be known as the ``Anomaly Surveillance, Tracking, and Resolution Office'' (in this section referred to as the

``Office'').

(3) Termination or subordination of prior task force.--Upon the establishment of the Anomaly Surveillance, Tracking, and Resolution Office, the Secretary shall terminate the Unidentified Aerial Phenomenon Task Force or subordinate it to the Office.

(b) Facilitation of Reporting and Data Sharing.--The Director and the Secretary shall each, in coordination with each other, require that--

(1) each element of the intelligence community and the Department, with any data that may be relevant to the investigation of unidentified aerial phenomena, make such data available immediately to the Office; and

(2) military and civilian personnel employed by or under contract to the Department or an element of the intelligence community shall have access to procedures by which they shall report incidents or information, including adverse physiological effects, involving or associated with unidentified aerial phenomena directly to the Office.

(1) Developing procedures to synchronize and standardize the collection, reporting, and analysis of incidents, including adverse physiological effects, regarding unidentified aerial phenomena across the Department and in consultation with the intelligence community.

(2) Developing processes and procedures to ensure that such incidents from each component of the Department and each element of the intelligence community are reported and incorporated in a centralized repository.

(3) Establishing procedures to require the timely and consistent reporting of such incidents.

(4) Evaluating links between unidentified aerial phenomena and adversarial foreign governments, other foreign governments, or nonstate actors.

(5) Evaluating the threat that such incidents present to the United States.

(6) Consulting with other departments and agencies of the Federal Government, as appropriate, including the Federal Aviation Administration, the National Aeronautics and Space Administration, the Department of Homeland Security, the National Oceanic and Atmospheric Administration, and the Department of Energy.

(7) Consulting with allies and partners of the United States, as appropriate, to better assess the nature and extent of unidentified aerial phenomena.

(8) Preparing reports for Congress, in both classified and unclassified form, as required by subsections (h) and (i).

(d) Employment of Line Organizations for Field Investigations of Unidentified Aerial Phenomena.--

(1) In general.--The Secretary shall, in coordination with the Director, designate line organizations within the Department of Defense and the intelligence community that possess appropriate expertise, authorities, accesses, data, systems, platforms, and capabilities to rapidly respond to, and conduct field investigations of, incidents involving unidentified aerial phenomena under the direction of the Office.

(2) Personnel, equipment, and resources.--The Secretary, in coordination with the Director, shall take such actions as may be necessary to ensure that the designated organization or organizations have available adequate personnel with requisite expertise, equipment, transportation, and other resources necessary to respond rapidly to incidents or patterns of observations of unidentified aerial phenomena of which the Office becomes aware.

(e) Utilization of Line Organizations for Scientific, Technological, and Operational Analyses of Data on Unidentified Aerial Phenomena.--

(1) In general.--The Secretary, in coordination with the Director, shall designate one or more line organizations that will be primarily responsible for scientific, technical, and operational analysis of data gathered by field investigations conducted under subsection (d), or data from other sources, including testing of materials, medical studies, and development of theoretical models to better understand and explain unidentified aerial phenomena.

(2) Authority.--The Secretary and the Director shall promulgate such directives as necessary to ensure that the designated line organizations have authority to draw on special expertise of persons outside the Federal Government with appropriate security clearances.

(f) Intelligence Collection and Analysis Plan.--

(1) In general.--The head of the Office shall supervise the development and execution of an intelligence collection and analysis plan on behalf of the Secretary and the Director to gain as much knowledge as possible regarding the technical and operational characteristics, origins, and intentions of unidentified aerial phenomena, including the development, acquisition, deployment, and operation of technical collection capabilities necessary to detect, identify, and scientifically characterize unidentified aerial phenomena.

(2) Use of resources and capabilities.--In developing the plan required by paragraph (1), the head of the Office shall consider and propose, as appropriate, the use of any resource, capability, asset, or process of the Department and the intelligence community.

(g) Science Plan.--The head of the Office shall supervise the development and execution of a science plan on behalf of the Secretary and the Director to develop and test, as practicable, scientific theories to account for characteristics and performance of unidentified aerial phenomena that exceed the known state of the art in science or technology, including in the areas of propulsion, aerodynamic control, signatures, structures, materials, sensors, countermeasures, weapons, electronics, and power generation, and to provide the foundation for potential future investments to replicate any such advanced characteristics and performance.

(h) Assignment of Priority.--The Director, in consultation with, and with the recommendation of the Secretary, shall assign an appropriate level of priority within the National Intelligence Priorities Framework to the requirement to understand, characterize, and respond to unidentified aerial phenomena.

(i) Authorization of Appropriations.--There is authorized to be appropriated such sums as may be necessary to carry out the work of the Office, including--

(1) general intelligence gathering and intelligence analysis; and

(2) strategic defense, space defense, defense of controlled air space, defense of ground, air, or naval assets, and related purposes.

(j) Annual Report.--

(1) Requirement.--Not later than October 31, 2022, and annually thereafter until October 31, 2026, the Secretary in consultation with the Director, shall submit to the appropriate committees of Congress a report on unidentified aerial phenomena.

(2) Elements.--Each report under paragraph (1) shall include, with respect to the year covered by the report, the following information:

(A) An analysis of data and intelligence received through reports of unidentified aerial phenomena.

(B) An analysis of data relating to unidentified aerial phenomena collected through--

(i) geospatial intelligence

(ii) signals intelligence;

(iii) human intelligence; and

(iv) measurement and signals intelligence.

(D) An analysis of such incidents identified under subparagraph (C).

(E) Identification of potential aerospace or other threats posed by unidentified aerial phenomena to the national security of the United States.

(F) An assessment of any activity regarding unidentified aerial phenomena that can be attributed to one or more adversarial foreign governments.

(G) Identification of any incidents or patterns regarding unidentified aerial phenomena that indicate a potential adversarial foreign government may have achieved a breakthrough aerospace capability.

(H) An update on the coordination by the United States with allies and partners on efforts to track, understand, and address unidentified aerial phenomena.

(I) An update on any efforts to capture or exploit discovered unidentified aerial phenomena.

(J) An assessment of any health-related effects for individuals who have encountered unidentified aerial phenomena.

(K) The number of reported incidents, and descriptions thereof, of unidentified aerial phenomena associated with military nuclear assets, including strategic nuclear weapons and nuclear-powered ships and submarines.

(L) In consultation with the Administrator of the National Nuclear Security Administration, the number of reported incidents, and descriptions thereof, of unidentified aerial phenomena associated with facilities or assets associated with the production, transportation, or storage of nuclear weapons or components thereof.

(M) In consultation with the Chairman of the Nuclear Regulatory Commission, the number of reported incidents, and descriptions thereof, of unidentified aerial phenomena or drones of unknown origin associated with nuclear power generating stations, nuclear fuel storage sites, or other sites or facilities regulated by the Nuclear Regulatory Commission.

(N) The names of the line organizations that have been designated to perform the specific functions imposed by subsections (d) and (e) of this section, and the specific functions for which each such line organization has been assigned primary responsibility.

(3) Form.-- Each report submitted under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

(k) Semiannual Briefings.--

(1) In general.--Not later than 90 days after the date of the enactment of this Act and not less frequently than semiannually thereafter until December 31, 2026, the head of the Office shall provide the classified briefings on unidentified aerial phenomena to--

(A) the Committee on Armed Services, the Select Committee on Intelligence, and the Committee on Appropriations of the Senate; and

(B) the Committee on Armed Services, the Permanent Select Committee on Intelligence, and the Committee on Appropriations of the House of Representatives.

(2) First briefing.--The first briefing provided under paragraph (1) shall include all incidents involving unidentified aerial phenomena that were reported to the Unidentified Aerial Phenomena Task Force or to the Office after June 24, 2021, regardless of the date of occurrence of the incident.

(3) Subsequent briefings.--Each briefing provided subsequent to the first briefing described in paragraph (2) shall include, at a minimum, all events relating to unidentified aerial phenomena that occurred during the previous 180 days, and events relating to unidentified aerial phenomena that were not included in an earlier briefing due to delay in an incident reaching the reporting system or other such factors.

(4) Instances in which data was not shared.--For each briefing period, the Chairman and Vice Chairman or Ranking Member of the Committee on Armed Services and the Select Committee on Intelligence of the Senate and the Committee on Armed Services and the Permanent Select Committee on Intelligence of the House of Representatives shall receive an enumeration of any instances in which data related to unidentified aerial phenomena was denied to the Office because of classification restrictions on that data or for any other reason.

(l) Aerial and Transmedium Phenomena Advisory Committee.--

(1) Establishment.--(A) Not later than October 1, 2022, the Secretary and the Director shall establish an advisory committee for the purpose of--

(i) advising the Office in the execution of the duties of the Office as provided by this subsection; and

(ii) advising the Secretary and the Director regarding the gathering and analysis of data, and scientific research and development pertaining to unidentified aerial phenomena.

(B) The advisory committee established under subparagraph

(A) shall be known as the ``Aerial and Transmedium Phenomena Advisory Committee'' (in this subparagraph the

``Committee'').

(2) Membership.--(A) Subject to subparagraph (B), the Committee shall be composed of members as follows:

(i) 20 members selected by the Secretary as follows:

(I) Three members selected from among individuals recommended by the Administrator of the National Astronautics and Space Administration.

(II) Two members selected from among individuals recommended by the Administrator of the Federal Aviation Administration.

(III) Two members selected from among individuals recommended by the President of the National Academies of Sciences.

(IV) Two members selected from among individuals recommended by the President of the National Academy of Engineering.

(V) One member selected from among individuals recommended by the President of the National Academy of Medicine.

(VI) Three members selected from among individuals recommended by the Director of the Galileo Project at Harvard University.

(VII) Two members selected from among individuals recommended by the Board of Directors of the Scientific Coalition for Unidentified Aerospace Phenomena Studies.

(VIII) Two members selected from among individuals recommended by the President of the American Institute of Astronautics and Aeronautics.

(IX) Two members selected from among individuals recommended by the Director of the Optical Technology Center at Montana State University.

(X) One member selected from among individuals recommended by the president of the American Society for Photogrammetry and Remote Sensing.

(ii) Up to five additional members, as the Secretary, in consultation with the Director, considers appropriate, selected from among individuals with requisite expertise, at least 3 of whom shall not be employees of any Federal Government agency or Federal Government contractor.

(B) No individual may be appointed to the Committee under subparagraph (A) unless the Secretary and the Directly jointly determine that the individual--

(i) qualifies for a security clearance at the secret level or higher;

(ii) possesses scientific, medical, or technical expertise pertinent to some aspect of the investigation and analysis of unidentified aerial phenomena; and

(iii) has previously conducted research or writing that demonstrates scientific, technological, or operational knowledge regarding aspects of the subject matter, including propulsion, aerodynamic control, signatures, structures, materials, sensors, countermeasures, weapons, electronics, power generation, field investigations, forensic examination of particular cases, analysis of open source and classified information regarding domestic and foreign research and commentary, and historical information pertaining to unidentified aerial phenomena.

(C) The Secretary and Director may terminate the membership of any individual on the Committee upon a finding by the Secretary and the Director jointly that the member no longer meets the criteria specified in this subsection.

(3) Chairperson.--The Secretary shall, in coordination with the Director, designate a temporary Chairperson of the Committee, but at the earliest practicable date the Committee shall elect a Chairperson from among its members, who will serve a term of 2 years, and is eligible for re-election.

(4) Expert assistance, advice, and recommendations.--(A) The Committee may, upon invitation of the head of the Office, provide expert assistance or advice to any line organization designated to carry out field investigations or data analysis as authorized by subsections (d) and (e).

(B) The Committee, on its own initiative, or at the request of the Director, the Secretary, or the head of the Office, may provide advice and recommendations regarding best practices with respect to the gathering and analysis of data on unidentified aerial phenomena in general, or commentary regarding specific incidents, cases, or classes of unidentified aerial phenomena.

(5) Report.--Not later than December 31, 2022, and not later than December 31 of each year thereafter, the Committee shall submit a report summarizing its activities and recommendations to the following:

(A) The Secretary.

(B) The Director.

(D) The Committee on Armed Services, the Select Committee on Intelligence, and the Committee on Appropriations of the Senate.

(E) The Committee on Armed Services, the Permanent Select Committee on Intelligence, and the Committee on Appropriations of the House of Representatives.

(6) Relation to faca.--For purposes of the Federal Advisory Committee Act (5 U.S.C. App.), the Committee shall be considered an advisory committee (as defined in section 3 of such Act, except as otherwise provided in the section or as jointly deemed warranted by the Secretary and the Director under section 4(b)(3) of such Act.

(7) Termination of committee.--The Committee shall terminate on the date that is six years after the date of the establishment of the Committee.

(m) Definitions.--In this section:

(1) The term ``appropriate committees of Congress'' means--

(A) the Committee on Armed Services, the Select Committee on Intelligence, the Committee on Foreign Relations, and the Committee on Appropriations of the Senate; and

(B) the Committee on Armed Services, the Permanent Select Committee on Intelligence, the Committee on Foreign Affairs, and the Committee on Appropriations of the House of Representatives.

(2) The term ``intelligence community'' has the meaning given such term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).

(3) The term ``transmedium objects or devices'' means objects or devices that are observed to transition between space and the atmosphere, or between the atmosphere and bodies of water, that are not immediately identifiable.

(4) The term ``unidentified aerial phenomena'' means--

(A) airborne objects that are not immediately identifiable;

(B) transmedium objects or devices; and

(C) submerged objects or devices that are not immediately identifiable and that display behavior or performance characteristics suggesting that they may be related to the subjects described in subparagraph (A) or (B).

______

SA 4811. Mr. TUBERVILLE (for himself and Mr. Braun) submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place, insert the following:

SEC. ___. PROHIBITING THE INTERNAL REVENUE SERVICE FROM

REQUIRING FINANCIAL INSTITUTIONS TO REPORT ON

FINANCIAL TRANSACTIONS OF CUSTOMERS.

(a) In General.--Subject to subsection (b), the Internal Revenue Service shall not be permitted to create or implement any new financial account information reporting program that--

(1) was not in effect as of October 1, 2021, and

(2) would require financial institutions to report data on financial accounts in an information return listing balances, transactions, transfers, or inflows or outflows of any kind.

(b) Rule of Construction.--

(1) In general.--Nothing in this section shall preempt, limit, or supersede, or be construed to preempt, limit, or supersede, any provision of, or requirement under, the Bank Secrecy Act or any regulations promulgated under such Act.

(2) Definition.--For purposes of this subsection, the term

``Bank Secrecy Act'' means--

(A) section 21 of the Federal Deposit Insurance Act (12 U.S.C. 1829b),

(B) chapter 2 of title I of Public Law 91-508 (12 U.S.C. 1951 et seq.), and

______

SA 4812. Mr. TUBERVILLE submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the appropriate place, insert the following:

SEC. ____. PROHIBITING TSP INVESTMENT IN CHINA.

(a) Findings.--Congress finds the following:

(1) The Thrift Savings Fund invests more than

$700,000,000,000 on behalf of plan participants. As the guardian of the retirement funds of approximately 6,000,000 Federal civilian and military plan participants, it is critical that sums in the Thrift Savings Fund are not invested in securities linked to the economy of the People's Republic of China.

(2) Companies headquartered in the People's Republic of China have repeatedly committed corporate espionage, violated sanctions imposed by the United States, flouted international property laws, committed theft, and failed to comply with audit and regulatory standards designed to safeguard investors.

(3) The Thrift Savings Plan is known for its low management fees and comprehensive array of investment strategies. The provisions of this section, and the amendments made by this section, will not increase fees imposed on participants of the Thrift Savings Plan.

(4) The November 2017 selection of the MSCI ACWI Index by the Federal Retirement Thrift Investment Board, initially scheduled to be effective in 2020, would violate the terms of subsection (i) of section 8438 of title 5, United States Code, as added by subsection (b)(1) of this section.

(b) Prohibition on Any TSP Fund Investing in Entities Based in the People's Republic of China.--

(1) In general.--Section 8438 of title 5, United States Code, is amended by adding at the end the following:

``(i) Notwithstanding any other provision of this section, no fund established or overseen by the Board may include an investment in any security of--

``(1) an entity based in the People's Republic of China; or

``(2) any subsidiary that is owned or operated by an entity described in paragraph (1).''.

(2) Divestiture of assets.--Not later than 30 days after the date of enactment of this Act, the Federal Retirement Thrift Investment Board established under section 8472(a) of title 5, United States Code, shall--

(A) review whether any sums in the Thrift Savings Fund are invested in violation of subsection (i) of section 8438 of that title, as added by paragraph (1) of this subsection;

(B) if any sums are invested in the manner described in subparagraph (A), divest those sums in a manner that is consistent with the legal and fiduciary duties provided under chapter 84 of that title, or any other applicable provision of law; and

(C) reinvest any sums divested under subparagraph (B) in investments that do not violate subsection (i) of section 8438 of that title, as added by paragraph (1) of this subsection.

(c) Prohibition on Investment of TSP Funds in Entities Based in the People's Republic of China Through the TSP Mutual Fund Window.--Section 8438(b)(5) of title 5, United States Code, is amended by adding at the end the following:

``(E) A mutual fund accessible through a mutual fund window authorized under this paragraph may not include an investment in any security of--

``(i) an entity based in the People's Republic of China; or

``(ii) any subsidiary that is owned or operated by an entity described in clause (i).''.

______

SA 4813. Mr. SCOTT of Florida submitted an amendment intended to be proposed to amendment SA 3867 submitted by Mr. Reed and intended to be proposed to the bill H.R. 4350, to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes; which was ordered to lie on the table; as follows:

At the end, add the following:

DIVISION E--CYBER INCIDENT REPORTING ACT OF 2021 AND CISA TECHNICAL

CORRECTIONS AND IMPROVEMENTS ACT OF 2021

TITLE LI--CYBER INCIDENT REPORTING ACT OF 2021

SEC. 5101. SHORT TITLE.

This title may be cited as the ``Cyber Incident Reporting Act of 2021''.

SEC. 5102. DEFINITIONS.

In this title:

(2) Director.--The term ``Director'' means the Director of the Cybersecurity and Infrastructure Security Agency.

(3) Information system; ransom payment; ransomware attack; security vulnerability.--The terms ``information system'',

SEC. 5103. CYBER INCIDENT REPORTING.

(a) Cyber Incident Reporting.--Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--

(1) in section 2209(b) (6 U.S.C. 659(b)), as so redesignated by section 5203(b) of this division--