Referenced Laws
42 U.S.C. 5195c(e)
6 U.S.C. 659
6 U.S.C. 1501
6 U.S.C. 651
15 U.S.C. 632
Public Law 116–283
6 U.S.C. 650
6 U.S.C. 652a(b)(3)
Section 1
1. Short title This Act may be cited as the Satellite Cybersecurity Act.
Section 2
2. Definitions In this Act: The term clearinghouse means the commercial satellite system cybersecurity clearinghouse required to be developed and maintained under section 4(b)(1). The term commercial satellite system— means a system that— is owned or operated by a non-Federal entity based in the United States; and is composed of not less than 1 earth satellite; and includes— any ground support infrastructure for each satellite in the system; and any transmission link among and between any satellite in the system and any ground support infrastructure in the system. The term critical infrastructure has the meaning given the term in subsection (e) of the Critical Infrastructure Protection Act of 2001 (42 U.S.C. 5195c(e)). The term cybersecurity risk has the meaning given the term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659). The term cybersecurity threat has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501). The term Director means the Director of the Cybersecurity and Infrastructure Security Agency. The term sector risk management agency has the meaning given the term Sector-Specific Agency in section 2201 of the Homeland Security Act of 2002 (6 U.S.C. 651).
Section 3
3. Report on commercial satellite cybersecurity The Comptroller General of the United States shall conduct a study on the actions the Federal Government has taken to support the cybersecurity of commercial satellite systems, including as part of any action to address the cybersecurity of critical infrastructure sectors. Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall report to the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security and the Committee on Science, Space, and Technology of the House of Representatives on the study conducted under subsection (a), which shall include information— on efforts of the Federal Government, and the effectiveness of those efforts, to— address or improve the cybersecurity of commercial satellite systems; and support related efforts with international entities or the private sector; on the resources made available to the public by Federal agencies to address cybersecurity risks and threats to commercial satellite systems, including resources made available through the clearinghouse; on the extent to which commercial satellite systems are reliant on, or relied on by, critical infrastructure; that includes an analysis of how commercial satellite systems and the threats to those systems are integrated into Federal and non-Federal critical infrastructure risk analyses and protection plans; on the extent to which Federal agencies are reliant on commercial satellite systems and how Federal agencies mitigate cybersecurity risks associated with those systems; on the extent to which Federal agencies are reliant on commercial satellite systems that are owned wholly or in part or controlled by foreign entities, or that have infrastructure in foreign countries, and how Federal agencies mitigate associated cybersecurity risks; on the extent to which Federal 
agencies coordinate or duplicate authorities and take other actions focused on the cybersecurity of commercial satellite systems; and as determined appropriate by the Comptroller General of the United States, that includes recommendations for further Federal action to support the cybersecurity of commercial satellite systems, including recommendations on information that should be shared through the clearinghouse. In carrying out subsections (a) and (b), the Comptroller General of the United States shall coordinate with appropriate Federal agencies and organizations, including— the Office of the National Cyber Director; the Department of Homeland Security; the Department of Commerce; the Department of Defense; the Department of Transportation; the Federal Communications Commission; the National Aeronautics and Space Administration; the National Executive Committee for Space-Based Positioning, Navigation, and Timing; and the National Space Council. Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall provide a briefing to the appropriate congressional committees on the study conducted under subsection (a). The report made under subsection (b) shall be unclassified but may include a classified annex.
Section 4
4. Responsibilities of the cybersecurity and infrastructure security agency In this section, the term small business concern has the meaning given the term in section 3 of the Small Business Act (15 U.S.C. 632). Not later than 180 days after the date of enactment of this Act, the Director shall develop and maintain a commercial satellite system cybersecurity clearinghouse. The clearinghouse— shall be publicly available online; shall contain publicly available commercial satellite system cybersecurity resources, including the voluntary recommendations consolidated under subsection (c)(1); shall contain appropriate materials for reference by entities that develop, operate, or maintain commercial satellite systems; shall contain materials specifically aimed at assisting small business concerns with the secure development, operation, and maintenance of commercial satellite systems; and may contain controlled unclassified information distributed to commercial entities through a process determined appropriate by the Director. The Director shall maintain current and relevant cybersecurity information on the clearinghouse. To the extent practicable, the Director shall establish and maintain the clearinghouse using an online platform, a website, or a capability in existence as of the date of enactment of this Act. The Director shall consolidate voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems. The recommendations consolidated under paragraph (1) shall include materials appropriate for a public resource addressing, to the greatest extent practicable, the following: Risk-based, cybersecurity-informed engineering, including continuous monitoring and resiliency. Planning for retention or recovery of positive control of commercial satellite systems in the event of a cybersecurity incident. Protection against unauthorized access to vital commercial satellite system functions. 
Physical protection measures designed to reduce the vulnerabilities of a commercial satellite system’s command, control, and telemetry receiver systems. Protection against jamming, eavesdropping, hijacking, computer network exploitation, spoofing, threats to optical satellite communications, and electromagnetic pulse. Security against threats throughout a commercial satellite system’s mission lifetime. Management of supply chain risks that affect the cybersecurity of commercial satellite systems. Protection against vulnerabilities posed by ownership of commercial satellite systems or commercial satellite system companies by foreign entities. Protection against vulnerabilities posed by locating physical infrastructure, such as satellite ground control systems, in foreign countries. As appropriate, and as applicable pursuant to the maintenance requirement under subsection (b)(3), relevant findings and recommendations from the study conducted by the Comptroller General of the United States under section 3(a). Any other recommendations to ensure the confidentiality, availability, and integrity of data residing on or in transit through commercial satellite systems. 
In implementing this section, the Director shall— to the extent practicable, carry out the implementation in partnership with the private sector; coordinate with— the Office of the National Cyber Director, the National Space Council, and the head of any other agency determined appropriate by the Office of the National Cyber Director or the National Space Council; and the heads of appropriate Federal agencies with expertise and experience in satellite operations, including the entities described in section 3(c) to enable the alignment of Federal efforts on commercial satellite system cybersecurity and, to the extent practicable, consistency in Federal recommendations relating to commercial satellite system cybersecurity; and consult with non-Federal entities developing commercial satellite systems or otherwise supporting the cybersecurity of commercial satellite systems, including private, consensus organizations that develop relevant standards. Not later than 1 year after the date of enactment of this Act, and every 2 years thereafter until the date that is 9 years after the date of enactment of this Act, the Director shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security and the Committee on Science, Space, and Technology of the House of Representatives a report summarizing— any partnership with the private sector described in subsection (d)(1); any consultation with a non-Federal entity described in subsection (d)(3); the coordination carried out pursuant to subsection (d)(2); the establishment and maintenance of the clearinghouse pursuant to subsection (b); the recommendations consolidated pursuant to subsection (c)(1); and any feedback received by the Director on the clearinghouse from non-Federal entities.
Section 5
5. Strategy Not later than 120 days after the date of the enactment of this Act, the National Space Council, jointly with the Office of the National Cyber Director, in coordination with the Director of the Office of Space Commerce and the heads of other relevant agencies, shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security and the Committee on Science, Space, and Technology of the House of Representatives a strategy for the activities of Federal agencies to address and improve the cybersecurity of commercial satellite systems, which shall include an identification of— proposed roles and responsibilities for relevant agencies; and as applicable, the extent to which cybersecurity threats to such systems are addressed in Federal and non-Federal critical infrastructure risk analyses and protection plans.
Section 6
6. Rules of construction Nothing in this Act shall be construed to— designate commercial satellite systems or other space assets as a critical infrastructure sector; or infringe upon or alter the authorities of the agencies described in section 3(c).
Section 7
7. Sector risk management agency transfer If the President designates an infrastructure sector that includes commercial satellite systems as a critical infrastructure sector pursuant to the process established under section 9002(b)(3) of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283; 134 Stat. 4770) and subsequently designates a sector risk management agency for that critical infrastructure sector that is not the Cybersecurity and Infrastructure Security Agency, the President may direct the Director to transfer the authorities of the Director under section 4 of this Act to the head of the designated sector risk management agency.
Section 8
1. Short title This Act may be cited as the Satellite Cybersecurity Act.
Section 9
2. Definitions In this Act: The term clearinghouse means the commercial satellite system cybersecurity clearinghouse required to be developed and maintained under section 4(b)(1). The term commercial satellite system— means a system that— is owned or operated by a non-Federal entity based in the United States; and is composed of not less than 1 earth satellite; and includes— any ground support infrastructure for each satellite in the system; and any transmission link among and between any satellite in the system and any ground support infrastructure in the system. The term critical infrastructure has the meaning given the term in subsection (e) of the Critical Infrastructure Protection Act of 2001 (42 U.S.C. 5195c). The term cybersecurity risk has the meaning given the term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650). The term cybersecurity threat has the meaning given the term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650). The term Director means the Director of the Cybersecurity and Infrastructure Security Agency. The term sector risk management agency has the meaning given the term Sector Risk Management Agency in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).
Section 10
3. Report on commercial satellite cybersecurity The Comptroller General of the United States shall conduct a study on the actions the Federal Government has taken to support the cybersecurity of commercial satellite systems, including as part of any action to address the cybersecurity of critical infrastructure sectors. Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall report to the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security and the Committee on Science, Space, and Technology of the House of Representatives on the study conducted under subsection (a), which shall include information— on efforts of the Federal Government, and the effectiveness of those efforts, to— address or improve the cybersecurity of commercial satellite systems; and support related efforts with international entities or the private sector; on the resources made available to the public by Federal agencies to address cybersecurity risks and threats to commercial satellite systems, including resources made available through the clearinghouse; on the extent to which commercial satellite systems are reliant on, or relied on by, critical infrastructure; that includes an analysis of how commercial satellite systems and the threats to those systems are integrated into Federal and non-Federal critical infrastructure risk analyses and protection plans; on the extent to which Federal agencies are reliant on commercial satellite systems and how Federal agencies mitigate cybersecurity risks associated with those systems; on the extent to which Federal agencies are reliant on commercial satellite systems that are owned wholly or in part or controlled by foreign entities, or that have infrastructure in foreign countries, and how Federal agencies mitigate associated cybersecurity risks; on the extent to which Federal 
agencies coordinate or duplicate authorities and take other actions focused on the cybersecurity of commercial satellite systems; and as determined appropriate by the Comptroller General of the United States, that includes recommendations for further Federal action to support the cybersecurity of commercial satellite systems, including recommendations on information that should be shared through the clearinghouse. In carrying out subsections (a) and (b), the Comptroller General of the United States shall coordinate with appropriate Federal agencies and organizations, including— the Office of the National Cyber Director; the Department of Homeland Security; the Department of Commerce; the Department of Defense; the Department of Transportation; the Federal Communications Commission; the National Aeronautics and Space Administration; the National Executive Committee for Space-Based Positioning, Navigation, and Timing; and the National Space Council. Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall provide a briefing to the appropriate congressional committees on the study conducted under subsection (a). The report made under subsection (b) shall be unclassified but may include a classified annex.
Section 11
4. Responsibilities of the cybersecurity and infrastructure security agency In this section, the term small business concern has the meaning given the term in section 3 of the Small Business Act (15 U.S.C. 632). Not later than 180 days after the date of enactment of this Act, the Director shall develop and maintain a commercial satellite system cybersecurity clearinghouse. The clearinghouse— shall be publicly available online; shall contain publicly available commercial satellite system cybersecurity resources, including the voluntary recommendations consolidated under subsection (c)(1); shall contain appropriate materials for reference by entities that develop, operate, or maintain commercial satellite systems; shall contain materials specifically aimed at assisting small business concerns with the secure development, operation, and maintenance of commercial satellite systems; and may contain controlled unclassified information distributed to commercial entities through a process determined appropriate by the Director. The Director shall maintain current and relevant cybersecurity information on the clearinghouse. To the extent practicable, the Director shall establish and maintain the clearinghouse using an online platform, a website, or a capability in existence as of the date of enactment of this Act. The Director shall consolidate voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems. The recommendations consolidated under paragraph (1) shall include materials appropriate for a public resource addressing, to the greatest extent practicable, the following: Risk-based, cybersecurity-informed engineering, including continuous monitoring and resiliency. Planning for retention or recovery of positive control of commercial satellite systems in the event of a cybersecurity incident. Protection against unauthorized access to vital commercial satellite system functions. 
Physical protection measures designed to reduce the vulnerabilities of a commercial satellite system’s command, control, and telemetry receiver systems. Protection against jamming, eavesdropping, hijacking, computer network exploitation, spoofing, threats to optical satellite communications, and electromagnetic pulse. Security against threats throughout a commercial satellite system’s mission lifetime. Management of supply chain risks that affect the cybersecurity of commercial satellite systems. Protection against vulnerabilities posed by ownership of commercial satellite systems or commercial satellite system companies by foreign entities. Protection against vulnerabilities posed by locating physical infrastructure, such as satellite ground control systems, in foreign countries. As appropriate, and as applicable pursuant to the maintenance requirement under subsection (b)(3), relevant findings and recommendations from the study conducted by the Comptroller General of the United States under section 3(a). Any other recommendations to ensure the confidentiality, availability, and integrity of data residing on or in transit through commercial satellite systems. 
In implementing this section, the Director shall— to the extent practicable, carry out the implementation in partnership with the private sector; coordinate with— the Office of the National Cyber Director, the National Space Council, and the head of any other agency determined appropriate by the Office of the National Cyber Director or the National Space Council; and the heads of appropriate Federal agencies with expertise and experience in satellite operations, including the entities described in section 3(c), to enable— the alignment of Federal efforts on commercial satellite system cybersecurity; and to the extent practicable, consistency in Federal recommendations relating to commercial satellite system cybersecurity; and consult with non-Federal entities developing commercial satellite systems or otherwise supporting the cybersecurity of commercial satellite systems, including private, consensus organizations that develop relevant standards. Not later than 1 year after the date of enactment of this Act, and every 2 years thereafter until the date that is 9 years after the date of enactment of this Act, the Director shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security and the Committee on Science, Space, and Technology of the House of Representatives a report summarizing— any partnership with the private sector described in subsection (d)(1); any consultation with a non-Federal entity described in subsection (d)(3); the coordination carried out pursuant to subsection (d)(2); the establishment and maintenance of the clearinghouse pursuant to subsection (b); the recommendations consolidated pursuant to subsection (c)(1); and any feedback received by the Director on the clearinghouse from non-Federal entities.
Section 12
5. Strategy Not later than 120 days after the date of the enactment of this Act, the National Space Council, jointly with the Office of the National Cyber Director, in coordination with the Director of the Office of Space Commerce and the heads of other relevant agencies, shall submit to the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security and the Committee on Science, Space, and Technology of the House of Representatives a strategy for the activities of Federal agencies to address and improve the cybersecurity of commercial satellite systems, which shall include an identification of— proposed roles and responsibilities for relevant agencies; and as applicable, the extent to which cybersecurity threats to such systems are addressed in Federal and non-Federal critical infrastructure risk analyses and protection plans.
Section 13
6. Rules of construction Nothing in this Act shall be construed to— designate commercial satellite systems or other space assets as a critical infrastructure sector; or infringe upon or alter the authorities of the agencies described in section 3(c).
Section 14
7. Sector risk management agency transfer If the President designates an infrastructure sector that includes commercial satellite systems as a critical infrastructure sector pursuant to the process established under section 9002(b)(3) of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 652a(b)(3)) and subsequently designates a sector risk management agency for that critical infrastructure sector that is not the Cybersecurity and Infrastructure Security Agency, the President may direct the Director to transfer the authorities of the Director under section 4 of this Act to the head of the designated sector risk management agency.