H. R. 945
IN THE HOUSE OF REPRESENTATIVES
February 7, 2017
Ms. Jackson Lee introduced the following bill; which was referred to the Committee on Homeland Security
To codify the objective of Presidential Policy Directive 21 to improve critical infrastructure security and resilience, and for other purposes.
This Act may be cited as the
Terrorism Prevention and Critical Infrastructure Protection Act of 2017.
The Congress finds the following:
The Nation’s critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure, including assets, networks, and systems, that are vital to public confidence and the Nation’s safety, prosperity, and well-being.
The Nation’s critical infrastructure is diverse and complex. It includes distributed networks, varied organizational structures and operating models (including multinational ownership), interdependent functions and systems in both the physical space and cyber space, and governance constructs that involve multilevel authorities, responsibilities, and regulations. Critical infrastructure owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.
Critical infrastructure must be secured against terrorist attacks, and must be designed and maintained in such a way as to withstand and recover quickly in the event of an attack. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery efforts.
Security and resilience
The Secretary of Homeland Security shall work with critical infrastructure owners and operators and SLTTs to take proactive steps to manage risk and strengthen the security and resilience of the Nation’s critical infrastructure against terrorist attacks that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof. Such efforts shall seek to reduce vulnerabilities, minimize consequences, identify and disrupt terrorism threats, and hasten response and recovery efforts related to critical infrastructure.
The Secretary shall, in consultation with appropriate Federal agencies, establish terrorism prevention policy to engage with international partners to strengthen the security and resilience of domestic critical infrastructure and critical infrastructure located outside of the United States on which the Nation depends.
Integrated, holistic approach
Research task force
The Secretary shall establish a research task force to conduct research into the best means and methods to address the security and resilience of critical infrastructure in an integrated, holistic manner to reflect critical infrastructure’s interconnectedness and interdependency.
Duties of the research task force
The research task force shall provide the Secretary with—
a list of critical infrastructure;
the degree the critical infrastructure is reliant upon other infrastructure;
the cyber preparedness of suppliers, contractors, or service providers of critical infrastructure;
programs, projects, or professional development for persons responsible for the security and operation of critical infrastructure; and
vulnerabilities and threats that are found in software systems, firewalls, applications, and methods of accessing systems.
The research task force shall consist of 19 members appointed by the Secretary. The Secretary shall appoint one member to represent each of—
the National Institutes of Standards and Technology;
the Association of Computing Machinery;
IEEE (formerly the Institute of Electrical and Electronic Engineers);
Carnegie Mellon Cylabs;
the Edison Electric Institute;
the National Telecommunication and Information Administration;
the Utilities Telecom Council;
the US Oil and Gas Association;
the American Chemistry Council;
the American Fuel and Petrochemical Manufacturers;
the Pharmaceutical Research Manufacturers of America; and
the National Oceanic and Atmospheric Administration.
The research task force shall provide a research report to the Secretary on its findings and recommendations 180 days after its establishment.
Critical infrastructure defined
In this subsection, the term critical infrastructure means infrastructure of—
energy capture, refining, manufacturing, and delivery systems;
transportation and transportation systems;
water and sewer capture, processing, and delivery systems;
healthcare systems, with respect to preventing threats to the quality and safety of medicines, medical devices, and delivery of life-saving health care services;
food production, processing, and delivery systems;
virtual and physical communication systems;
financial systems; and
the electricity grid.
The Secretary shall establish the Strategic Research Imperatives Program, which shall have the responsibility of leading the Department of Homeland Security’s Federal civilian agency approach to strengthen critical infrastructure security and resilience.
The duties of the program are the following:
Collect data, refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure, terrorism prevention, security, and resilience.
Investigate effective measures that support information exchange by identifying baseline data and systems requirements for the Federal Government.
Recommend methods to implement an integration and analysis function to inform planning and operations decisions regarding the protection of critical infrastructure from terrorist threats.
The Secretary of Homeland Security shall make available research findings and guidance to Federal civilian department and agency heads (or their designees) for the identification, prioritization, assessment, remediation, and security of their respective internal critical infrastructure to assist in the prevention, mediation, and recovery from terrorism events.
Roles and responsibilities
Unity of effort
The Secretary shall establish and appoint a research working group that shall—
study and make recommendations on how best to achieve and implement national unity of effort to protect against terrorism threats, through investigation of strategic guidance from existing laws, Presidential policy directives, and Executive orders; and
investigate the security and resilience of the Nation’s information assurance components that provide protection against terrorism threats.
The research working group shall also consider research by subject-matter experts on cyber security in-depth approaches that study the following, and make recommendations thereon to the Secretary:
The program of the Department of Homeland Security to secure Federal agencies and critical infrastructure to create resilient secure computer systems and networks.
Cyber security preparedness of vendors, contractors, or nongovernment agency entities that provide computer-related support or services to critical infrastructure owners and operators as well as government agencies charged with securing them.
Investigation of the feasibility of developing industry- or sector-specific computer emergency rapid response teams.
The feasibility of the agency developing a guest visiting security researchers program to provide instruction to private sector and civilian agency personnel responsible for cyber security.
The research working group shall be comprised of individuals with expertise and day-to-day engagement from the sector-specific agency terrorism prevention, remediation, and response experts, as well as the specialized or support terrorism prevention capabilities of other Federal departments and agencies, as well as experts who engage in strong collaboration with critical infrastructure owners and operators and SLTTs, and academic researchers with in-depth knowledge in computing security.
Secretary of homeland security
The Secretary of Homeland Security shall establish a research program to provide strategic guidance, promote a national unity of effort, and coordinate the overall Federal effort to promote the security and resilience of the Nation’s critical infrastructure from terrorist threats.
Additional roles and responsibilities
Additional roles and responsibilities for the Secretary of Homeland Security include the following:
Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences of terrorist attacks, in coordination with SSAs and other Federal departments and agencies.
Maintain national terrorism critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about potential terrorist trends, imminent terrorist threats, and the status of terrorist incidents that may impact critical infrastructure.
In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators on terrorism prevention security protocols and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure.
Conduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure in coordination with the SSAs and in collaboration with SLTTs and critical infrastructure owners and operators.
Coordinate Federal Government responses to cyber or physical terrorism incidents affecting critical infrastructure consistent with statutory authorities.
Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and terrorist attacks against critical infrastructure.
Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies.
Report annually to Congress on the status of national critical infrastructure efforts to meet the objectives of this section.
Recognizing existing statutory or regulatory authorities of specific Federal departments and agencies, and leveraging existing sector familiarity and relationships, the head of each SSA shall carry out the following roles and responsibilities for their respective sectors:
Serve as a day-to-day Federal interface for the dynamic prioritization and coordination of sector-specific activities related to cyber security critical infrastructure protection from terrorism.
Carry out terrorism incident management responsibilities consistent with statutory authority and other appropriate policies, directives, or regulations.
Provide, support, or facilitate technical assistance and consultations for such sectors to identify vulnerabilities and help mitigate terrorism incidents, as appropriate.
Research and report on best practices for coordinating
The Secretary shall conduct research and submit a report to Congress not later than 180 days after the date of the enactment of this Act on the best practices for coordinating with civilian agencies, private sector critical infrastructure owners, local, State, tribal, and territorial agencies, other relevant Federal departments and agencies, where appropriate with independent regulatory agencies, and SLTTs, as appropriate, to implement this Act.
Research and report on the most efficient means for information exchange by identifying baseline data and systems requirements for the federal government
The Secretary shall facilitate the timely exchange of terrorism threat and vulnerability information as well as information that allows for the development of a situational awareness capability for Federal civilian agencies during terrorist incidents. The goal of such facilitation is to enable efficient information exchange through the identification of requirements for data and information formats and accessibility, system interoperability, and redundant systems and alternate capabilities should there be a disruption in the primary systems.
Implementation of an integration and analysis function To inform planning and operational decisions regarding the protection of critical infrastructure from terrorism events
The Secretary of Homeland Security shall implement an integration and analysis function for critical infrastructure that includes operational and strategic analysis on terrorism incidents, threats, and emerging risks. Such function shall include establishment by the Secretary of 2 national centers to accomplish the following:
Implement a capability to collate, assess, and integrate vulnerability and consequence information with threat streams and hazard information to—
aid in prioritizing assets and managing risks to critical infrastructure;
determine the staffing and professional need for cyber security critical infrastructure protection;
determine the agency staffing needed and to support cyber security critical infrastructure protection and report the findings to Congress;
research and report findings regarding the feasibility of exploring terrorist incident correlations between critical infrastructure damage, destruction, and diminished capacity, and what occurs during certain natural disasters;
anticipate interdependencies and cascading impacts related to cyber telecommunications failures;
recommend security and resilience measures for critical infrastructure prior to, during, and after a terrorism event or incident;
support post-terrorism incident management and restoration efforts related to critical infrastructure; and
make recommendations on preventing the collapse or serious degrading of the telecommunication capability in an area impacted by a terrorism event.
Support the Department of Homeland Security’s ability to maintain and share, as a common Federal service, a near real-time situational awareness capability for critical infrastructure that includes actionable information about imminent terrorist threats, significant trends, and awareness of incidents that may affect critical infrastructure.
Protection of privacy and civil liberties
The Secretary of Homeland Security shall support greater terrorism cyber security information sharing by civilian Federal agencies with the private sector that protects constitutional privacy and civil liberties rights. The heads of Federal departments and agencies shall ensure that all existing privacy principles, policies, and procedures are implemented consistent with applicable law and policy and shall include senior agency officials for privacy in their efforts to govern and oversee terrorism program information sharing properly.
Ensuring independence of privacy officer
Section 222 of the Homeland Security Act of 2002 (6 U.S.C. 142) is amended—
in subsection (a), by striking so much as precedes paragraph (1) and inserting the following:
senior official appointed under subsection (a) each place it appears and inserting
in subsection (b)(1)(A), by striking
senior official and inserting
in subsection (b)(1)(B), by striking
senior official’s and inserting
in subsection (b)(1)(C), by striking
senior official and inserting
in subsection (b)(1)(D), by striking
senior official and inserting
in subsection (c)(2)(B), by striking
senior official each place it appears and inserting
in the heading for subsection (c)(2)(B)(iii), by striking
by senior official;
in subsection (d), by striking
the senior official appointed under subsection (a) or transfers that senior official to another position or location within the Department and inserting
individual appointed as Privacy Officer;
in the heading for subsection (e), by striking “by Senior Official”; and
in subsection (e)—
senior official and inserting
Privacy Officer; and
senior official’s each place it appears and inserting
The senior official serving as the Privacy Officer of the Department of Homeland Security immediately before the enactment of this Act may continue to act as the Privacy Officer until a successor is appointed in accordance with the amendments made by this subsection.
Innovation and research and development
The Secretary of Homeland Security may consult with other Federal departments and agencies to produce and submit to congressional oversight committees a report on how best to align federally funded research and development activities that seek to strengthen the security and resilience of the Nation’s critical infrastructure, including—
promoting research and development to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology;
enhancing modeling capabilities to determine potential impacts on critical infrastructure of an incident or threat scenario, and cascading effects on other sectors;
facilitating initiatives to incentivize cyber security investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience; and
prioritizing efforts to support the strategic guidance issued by the Secretary of Homeland Security.
Implementation by Department of Homeland Security
Critical infrastructure terrorism prevention security and computer network resilience functional relationships
Within 120 days after the date of the enactment of this Act, the Secretary of Homeland Security shall conduct research and develop a description of the functional relationships within the Department of Homeland Security and across the Federal Government related to critical infrastructure security and resilience. The description shall—
include the roles and functions of the 2 national critical infrastructure centers and a discussion of the analysis and integration function;
serve as a roadmap for critical infrastructure owners and operators and SLTTs to navigate the Federal Government’s functions and primary points of contact assigned to those functions for critical infrastructure security and resilience against both physical and cyber threats; and
include identification of every contact within the Federal Government for critical infrastructure protection security and resilience, by company and industry.
The Secretary shall prepare a report on efforts to coordinate this effort with the SSAs and other relevant Federal departments and agencies.
Provision to president
The Secretary shall provide the description, supported by agency-conducted research, to the President through the Assistant to the President for Homeland Security and Counterterrorism, and to the relevant congressional homeland security oversight committees.
Evaluation of the existing public-Private partnership model
Within 150 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the SSAs, other relevant Federal departments and agencies, SLTTs, and critical infrastructure owners and operators, shall conduct an analysis of the existing public-private partnership model, evaluate its effectiveness, and recommend options for improving the effectiveness of the partnership in both the physical and cyber space.
The research and recommendations shall—
consider options to streamline or automate (or both) processes for collaboration and exchange of terrorism-related information and to minimize duplication of effort;
consider how the model for terrorism information exchange can be flexible and adaptable to meet the unique needs of individual critical infrastructure sectors while providing a focused, disciplined, and effective approach for the Federal Government to coordinate with the critical infrastructure owners and operators and with SLTTs governments; and
result in recommendations to enhance partnerships to be approved for implementation by the President.
Identification of baseline data and systems requirements for the federal government To enable efficient information exchange
Within 18 months after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the SSAs and other Federal departments and agencies, shall convene a team of researchers to identify baseline data and systems requirements—
to enable the efficient exchange of terrorism information and intelligence relevant to strengthening the security and resilience of critical infrastructure; and
for sharing of data and interoperability of systems to enable the timely exchange of terrorism or terrorist threat data and information to secure critical infrastructure and make it more resilient.
The experts shall include representatives from—
those entities that routinely possess information important to critical infrastructure security and resilience;
those entities that determine and manage information technology systems used to exchange information; and
those entities responsible for the security of information being exchanged.
Analysis by such team of experts shall include—
interoperability with critical infrastructure partners;
identification of key data and the information requirements of key Federal, SLTT, and private sector entities;
availability, accessibility, and formats of data;
the ability to exchange various classifications of information;
the security of those systems to be used; and
appropriate protections for individual privacy and civil liberties.
Provision to president
The Secretary shall provide such analysis to the President through the Assistant to the President for Homeland Security and Counterterrorism, and to congressional homeland security oversight committees.
Develop a research program To inform the agency of a situational awareness capability for critical infrastructure
Within 2 years after the date of the enactment of this Act, the Secretary of Homeland Security shall demonstrate a near real-time situational awareness, research-based pilot project for critical infrastructure that—
includes threat streams and all-hazards information as well as vulnerabilities;
provides the status of critical infrastructure and potential cascading effects;
disseminates critical information that may be needed to save or sustain lives, mitigate damage, or reduce further degradation of a critical infrastructure capability throughout an incident; and
is available for and covers physical and cyber elements of critical infrastructure, and enables an integration of information as necessitated by an incident.
Update to national infrastructure protection plan
Within 18 months after the date of the enactment of this Act, the Secretary of Homeland Security shall provide to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the congressional homeland security oversight committees, a research report that outlines the National Infrastructure Protection Plan to address the implementation of this Act, the requirements of title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.), and alignment with the National Preparedness Goal and System required by Presidential Policy Directive 8.
The plan shall include—
identification of a risk management framework to be used to strengthen the security and resilience of critical infrastructure against terrorist threats;
the methods to be used to prioritize critical infrastructure in the event of a terrorism event that impacts multiple infrastructure systems;
the protocols to be used to synchronize communication and actions within the Federal Government to effectively respond to critical infrastructure terrorist threats or events; and
a metrics and analysis process to be used to measure the Nation’s ability to manage and reduce terrorism risks to critical infrastructure.
Relationship to other provisions
The plan shall reflect the terrorism threat identification, prevention, mediation, and recovery relationships within the Department of Homeland Security and across the Federal Government identified under this Act and the updates to the public-private partnership model under this Act.
Energy and communication systems
The plan shall consider sector dependencies on energy and communications systems during a terrorism event, and identify pre-event and mitigation measures or alternate capabilities during disruptions to those systems.
The Secretary shall coordinate activities under this subsection with the SSAs, other relevant Federal departments and agencies, SLTTs, and critical infrastructure owners and operators.
The plan shall include an analysis of the feasibility of developing terrorism response plans, based on research conducted on the resilience of critical infrastructure when faced with terrorism threats, that focus on action plans to achieve a level of function and eventual recovery of full operability of critical infrastructure post-cyber attack.
National critical infrastructure security and resilience R&D plan
Within 2 years after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the Office of Science and Technology Policy, the SSAs, the Department of Commerce, and other Federal departments and agencies, shall provide to the President, through the Assistant to the President for Homeland Security and Counterterrorism, a National Critical Infrastructure Security and Resilience Research and Development Plan that takes into account the evolving threat landscape, annual metrics, and other relevant information to identify priorities and guide research and development requirements and investments. The Secretary shall reissue the plan every 4 years after its initial issuance, and make interim updates as needed.
Consistency in PPD–1
Policy coordination, dispute resolution, and periodic in-progress reviews for the implementation of this Act shall be carried out consistent with Presidential Policy Directive 1, including the use of interagency policy committees coordinated by the national security staff.
Relationship to other authorities
Nothing in this Act alters, supersedes, or impedes the authorities of Federal departments and agencies, including independent regulatory agencies, to carry out their functions and duties consistent with applicable legal authorities and other Presidential guidance and directives, including the designation of critical infrastructure under such authorities.
Designation of critical infrastructure sectors and sector-specific agencies
For purposes of this Act, the Secretary of Homeland Security shall determine which critical infrastructure sectors and sector specific agencies for such sectors should be engaged in efforts to detect, deter, mitigate, and lead recovery efforts related to terrorist incidents.
Cultivation of relationships
The Secretary shall evaluate the appropriate relationships among Federal agencies, SSAs, SLTTs, and critical infrastructure owners and operators to establish the most effective defense against terrorist attacks.
The Secretary shall provide institutional knowledge and specialized expertise to lead, facilitate, or support security and resilience programs and associated terrorism prevention activities with respect to sectors designated under subsection (a)(1).
The Secretary of Homeland Security shall periodically evaluate the need for and make changes to plans and evaluations made under this section. The Secretary shall consult with the Assistant to the President for Homeland Security and Counterterrorism and congressional homeland security oversight committees before changing the designation of a critical infrastructure sector or SSA for a sector.
The Secretary of Homeland Security shall seek periodic research reports on critical infrastructure protection from Federal agencies as considered necessary by the Secretary.
Evaluation of achievement of objectives
The National Research Council, beginning 12 months after the date of enactment of this Act, shall evaluate how well the Department of Homeland Security is meeting the objectives of this Act.
The review shall include evaluation of—
cyber security threats to critical infrastructure;
the success of Department programs in implementing section 8; and
the long-term vulnerabilities faced by the Department, other Federal agencies, and critical infrastructure managers and owners.
The Council shall complete the review by not later than the end of the 18-month period beginning on the date of enactment of this Act, except that the Secretary of Homeland Security may extend such period.
Upon the completion of the review, the Council shall submit to the Secretary a report on the findings of the review, including recommendations based on such findings.
For purposes of this Act:
The term all hazards means a threat or an incident, natural or manmade, that warrants action to protect life, property, the environment, and public health or safety, and to minimize disruptions of government, social, or economic activities. The term includes natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical infrastructure.
The term collaboration means the process of working together to achieve shared goals.
The term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
Federal departments and agencies
The term Federal departments and agencies means any authority of the United States that is an
agency under section 3502(1) of title 44, United States Code, other than those considered to be independent regulatory agencies as defined in section 3502(5) of such title.
National essential functions
The term national essential functions means that subset of Government functions that are necessary to lead and sustain the Nation during a catastrophic emergency.
Primary mission essential functions
The term primary mission essential functions means those Government functions that must be performed in order to support or implement the performance of the national essential functions before, during, and in the aftermath of an emergency.
The term resilience means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. The term includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
Sector-specific agency; SSA
The terms sector-specific agency and SSA mean the Federal department or agency designated under this Act for a critical infrastructure sector.
The terms secure and security mean reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.
The term SLTT means State, local, tribal, and territorial entities.