
S. 3511 (117th): Satellite Cybersecurity Act


The text of the bill below is as of Jun 21, 2022 (Reported by Senate Committee). The bill was not enacted into law.


II

Calendar No. 428

117th CONGRESS

2d Session

S. 3511

[Report No. 117–122]

IN THE SENATE OF THE UNITED STATES

January 13 (legislative day, January 10), 2022

(for himself and Mr. Cornyn) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs

June 21, 2022

Reported by , with an amendment

Strike out all after the enacting clause and insert the part printed in italic

A BILL

To require a report on Federal support to the cybersecurity of commercial satellite systems, and for other purposes.

1. Short title

This Act may be cited as the Satellite Cybersecurity Act.

2. Definitions

In this Act:

(1) Commercial satellite system

The term commercial satellite system means an earth satellite owned and operated by a non-Federal entity.

(2) Critical infrastructure

The term critical infrastructure has the meaning given the term in subsection (e) of the Critical Infrastructure Protection Act of 2001 (42 U.S.C. 5195c(e)).

(3) Cybersecurity risk

The term cybersecurity risk has the meaning given the term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659).

(4) Cybersecurity threat

The term cybersecurity threat has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

3. Report on commercial satellite cybersecurity

(a) Study

The Comptroller General of the United States shall conduct a study on the actions the Federal Government has taken to support the cybersecurity of commercial satellite systems, including as part of any action to address the cybersecurity of critical infrastructure sectors.

(b) Report

Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall report to Congress on the study conducted under subsection (a), which shall include information on—

(1) the effectiveness of efforts of the Federal Government in improving the cybersecurity of commercial satellite systems;

(2) the resources made available to the public by Federal agencies to address cybersecurity threats to commercial satellite systems;

(3) the extent to which commercial satellite systems are reliant on or are relied on by critical infrastructure and an analysis of how commercial satellite systems, and the threats to such systems, are integrated into Federal and non-Federal critical infrastructure risk analyses and protection plans;

(4) the extent to which Federal agencies are reliant on commercial satellite systems and how Federal agencies mitigate cybersecurity risks associated with those systems; and

(5) the extent to which Federal agencies coordinate or duplicate authorities and take other actions focused on the cybersecurity of commercial satellite systems.

(c) Consultation

In carrying out subsections (a) and (b), the Comptroller General of the United States shall coordinate with—

(1) the Secretary of Homeland Security;

(2) the Director of the National Institute of Standards and Technology;

(3) the Secretary of Defense;

(4) the Federal Communications Commission;

(5) the National Oceanic and Atmospheric Administration;

(6) the National Aeronautics and Space Administration;

(7) the Federal Aviation Administration; and

(8) the head of any other Federal agency determined appropriate by the Comptroller General of the United States.

4. Responsibilities of the Cybersecurity and Infrastructure Security Agency

(a) Definitions

In this section:

(1) Clearinghouse

The term clearinghouse means the commercial satellite system cybersecurity clearinghouse required to be developed and maintained under subsection (b)(1).

(2) Director

The term Director means the Director of the Cybersecurity and Infrastructure Security Agency.

(3) Small business concern

The term small business concern has the meaning given the term in section 3 of the Small Business Act (15 U.S.C. 632).

(b) Establishment of commercial satellite system cybersecurity clearinghouse

(1) In general

Not later than 180 days after the date of enactment of this Act, the Director shall develop and maintain a commercial satellite system cybersecurity clearinghouse.

(2) Requirements

The clearinghouse shall—

(A) be publicly available online;

(B) contain publicly available commercial satellite system cybersecurity resources, including the recommendations developed under subsection (c), and any other materials developed by entities in the Federal Government, for reference by entities that develop commercial satellite systems; and

(C) include materials specifically aimed at assisting small business concerns with the secure development, operation, and maintenance of commercial satellite systems.

(3) Content maintenance

The Director shall maintain current and relevant cybersecurity information on the clearinghouse.

(4) Existing platform or website

The Director may establish and maintain the clearinghouse on an online platform or a website that is in existence as of the date of enactment of this Act.

(c) Development of commercial satellite system cybersecurity recommendations

(1) In general

The Director shall develop voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems.

(2) Requirements

The recommendations required under paragraph (1) shall include materials addressing the following:

(A) Risk-based, cybersecurity-informed engineering, including continuous monitoring and resiliency.

(B) Planning for retention or recovery of positive control of commercial satellite systems in the event of a cybersecurity incident.

(C) Protection against unauthorized access to vital commercial satellite system functions.

(D) Physical protection measures designed to reduce the vulnerabilities of a commercial satellite system’s command, control, and telemetry receiver systems.

(E) Protection against communications jamming and spoofing.

(F) Security against threats throughout a commercial satellite system’s mission lifetime.

(G) Management of supply chain risks that affect cybersecurity of commercial satellite systems.

(H) As appropriate, the findings and recommendations from the study conducted by the Comptroller General of the United States under section 3(a).

(I) Any other recommendations to ensure the confidentiality, availability, and integrity of data residing on or in transit through commercial satellite systems.

(d) Consultation

With respect to the collation and development of clearinghouse content under subsection (b)(2) and the recommendations developed pursuant to subsection (c), the Director shall consult with—

(1) the heads of appropriate Federal agencies with expertise and experience in satellite operations; and

(2) non-Federal entities developing commercial satellite systems or otherwise supporting the cybersecurity of commercial satellite systems.

1. Short title

This Act may be cited as the Satellite Cybersecurity Act.

2. Definitions

In this Act:

(1) Commercial satellite system

The term commercial satellite system means an earth satellite owned and operated by a non-Federal entity.

(2) Critical infrastructure

The term critical infrastructure has the meaning given the term in subsection (e) of the Critical Infrastructure Protection Act of 2001 (42 U.S.C. 5195c(e)).

(3) Cybersecurity risk

The term cybersecurity risk has the meaning given the term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659).

(4) Cybersecurity threat

The term cybersecurity threat has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

3. Report on commercial satellite cybersecurity

(a) Study

The Comptroller General of the United States shall conduct a study on the actions the Federal Government has taken to support the cybersecurity of commercial satellite systems, including as part of any action to address the cybersecurity of critical infrastructure sectors.

(b) Report

Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall report to Congress on the study conducted under subsection (a), which shall include information on—

(1) the effectiveness of efforts of the Federal Government in improving the cybersecurity of commercial satellite systems;

(2) the resources made available to the public, as of the date of enactment of this Act, by Federal agencies to address cybersecurity risks and threats to commercial satellite systems;

(3) the extent to which commercial satellite systems are reliant on or are relied on by critical infrastructure and an analysis of how commercial satellite systems, and the threats to such systems, are integrated into Federal and non-Federal critical infrastructure risk analyses and protection plans;

(4) the extent to which Federal agencies are reliant on commercial satellite systems and how Federal agencies mitigate cybersecurity risks associated with those systems;

(5) the extent to which Federal agencies are reliant on commercial satellite systems owned wholly or in part or controlled by foreign entities, and how Federal agencies mitigate associated cybersecurity risks;

(6) the extent to which Federal agencies are reliant on commercial satellite systems with physical structures, such as satellite ground control systems, in foreign countries, and how Federal agencies mitigate associated cybersecurity risks; and

(7) the extent to which Federal agencies coordinate or duplicate authorities and take other actions focused on the cybersecurity of commercial satellite systems.

(c) Consultation

In carrying out subsections (a) and (b), the Comptroller General of the United States shall coordinate with appropriate Federal agencies, including—

(1) the Department of Homeland Security;

(2) the Department of Commerce;

(3) the Department of Defense;

(4) the Department of Transportation;

(5) the Federal Communications Commission;

(6) the National Aeronautics and Space Administration; and

(7) the National Executive Committee for Space-Based Positioning, Navigation, and Timing.

(d) Briefing

Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall provide a briefing to the appropriate congressional committees.

(e) Classification

The report made under subsection (b) shall be unclassified but may include a classified annex.

4. Responsibilities of the Cybersecurity and Infrastructure Security Agency

(a) Definitions

In this section:

(1) Clearinghouse

The term clearinghouse means the commercial satellite system cybersecurity clearinghouse required to be developed and maintained under subsection (b)(1).

(2) Director

The term Director means the Director of the Cybersecurity and Infrastructure Security Agency.

(3) Small business concern

The term small business concern has the meaning given the term in section 3 of the Small Business Act (15 U.S.C. 632).

(b) Establishment of commercial satellite system cybersecurity clearinghouse

(1) In general

Not later than 180 days after the date of enactment of this Act, the Director shall develop and maintain a commercial satellite system cybersecurity clearinghouse.

(2) Requirements

The clearinghouse shall—

(A) be publicly available online;

(B) contain publicly available commercial satellite system cybersecurity resources, including the recommendations consolidated under subsection (c)(1), and any other appropriate materials for reference by entities that develop commercial satellite systems; and

(C) include materials specifically aimed at assisting small business concerns with the secure development, operation, and maintenance of commercial satellite systems.

(3) Content maintenance

The Director shall maintain current and relevant cybersecurity information on the clearinghouse.

(4) Existing platform or website

The Director may establish and maintain the clearinghouse on an online platform or a website that is in existence as of the date of enactment of this Act.

(c) Consolidation of commercial satellite system cybersecurity recommendations

(1) In general

The Director shall consolidate voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems.

(2) Requirements

The recommendations consolidated under paragraph (1) shall include, to the greatest extent practicable, materials addressing the following:

(A) Risk-based, cybersecurity-informed engineering, including continuous monitoring and resiliency.

(B) Planning for retention or recovery of positive control of commercial satellite systems in the event of a cybersecurity incident.

(C) Protection against unauthorized access to vital commercial satellite system functions.

(D) Physical protection measures designed to reduce the vulnerabilities of a commercial satellite system’s command, control, and telemetry receiver systems.

(E) Protection against jamming and spoofing.

(F) Security against threats throughout a commercial satellite system’s mission lifetime.

(G) Management of supply chain risks that affect the cybersecurity of commercial satellite systems.

(H) Protection against vulnerabilities posed by ownership of commercial satellite systems or commercial satellite system companies by foreign entities.

(I) Protection against vulnerabilities posed by locating physical infrastructure, such as satellite ground control systems, in foreign countries.

(J) As appropriate, and as applicable pursuant to the maintenance requirement under subsection (b)(3), the findings and recommendations from the study conducted by the Comptroller General of the United States under section 3(a).

(K) Any other recommendations to ensure the confidentiality, availability, and integrity of data residing on or in transit through commercial satellite systems.

(d) Implementation

In implementing this Act, the Director shall—

(1) to the extent practicable, carry out the implementation as a public-private partnership;

(2) coordinate with the heads of appropriate Federal agencies with expertise and experience in satellite operations, including the entities described in section 3(c); and

(3) consult with non-Federal entities developing commercial satellite systems or otherwise supporting the cybersecurity of commercial satellite systems, including private, consensus organizations that develop relevant standards.

June 21, 2022

Reported with an amendment