Referenced Laws
6 U.S.C. 651 et seq.
6 U.S.C. 652a(b)(2)
Public Law 107–296
Section 1
1. Short title
This Act may be cited as the National Risk Management Act of 2023.
Section 2
2. National risk management cycle

Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following:

2220F. National risk management cycle

(a) National critical functions defined. In this section, the term national critical functions means the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

(b) National risk management cycle.

  (1) Risk identification and assessment.

    (A) In general. The Secretary, acting through the Director, shall establish a recurring process by which to identify and assess risks to critical infrastructure, considering both cyber and physical threats and the associated likelihoods, vulnerabilities, and consequences.

    (B) Consultation. In establishing the process required under subparagraph (A), the Secretary shall consult—
      (i) Sector Risk Management Agencies;
      (ii) critical infrastructure owners and operators;
      (iii) the Assistant to the President for National Security Affairs;
      (iv) the Assistant to the President for Homeland Security; and
      (v) the National Cyber Director.

    (C) Process elements. The process established under subparagraph (A) shall include elements to—
      (i) collect relevant information, collected pursuant to section 2218, from Sector Risk Management Agencies relating to the threats, vulnerabilities, and consequences related to the particular sectors of those Sector Risk Management Agencies;
      (ii) allow critical infrastructure owners and operators to submit relevant information to the Secretary for consideration; and
      (iii) outline how the Secretary will solicit input from other Federal departments and agencies.

    (D) Publication. Not later than 180 days after the date of enactment of this section, the Secretary shall publish in the Federal Register procedures for the process established under subparagraph (A), subject to any redactions the Secretary determines are necessary to protect classified or other sensitive information.

    (E) Report. The Secretary shall submit to the President, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a report on the risks identified by the process established under subparagraph (A)—
      (i) not later than 1 year after the date of enactment of this section; and
      (ii) not later than 1 year after the date on which the Secretary submits a periodic evaluation described in section 9002(b)(2) of title XC of division H of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 652a(b)(2)).

  (2) National critical infrastructure resilience strategy.

    (A) In general. Not later than 1 year after the date on which the Secretary delivers each report required under paragraph (1), the President shall deliver to majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a national critical infrastructure resilience strategy designed to address the risks identified by the Secretary.

    (B) Elements. Each strategy delivered under subparagraph (A) shall—
      (i) prioritize areas of risk to critical infrastructure that would compromise or disrupt national critical functions impacting national security, economic security, or public health and safety;
      (ii) assess the implementation of the previous national critical infrastructure resilience strategy, as applicable;
      (iii) identify and outline current and proposed national-level actions, programs, and efforts, including resource requirements, to be taken to address the risks identified;
      (iv) identify the Federal departments or agencies responsible for leading each national-level action, program, or effort and the relevant critical infrastructure sectors for each; and
      (v) request any additional authorities necessary to successfully execute the strategy.

    (C) Form. Each strategy delivered under subparagraph (A) shall be unclassified, but may contain a classified annex.

  (3) Congressional briefing. Not later than 1 year after the date on which the President delivers the first strategy required under paragraph (2)(A), and each year thereafter, the Secretary, in coordination with Sector Risk Management Agencies, shall brief the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives on—
    (A) the national risk management cycle activities undertaken pursuant to the strategy delivered under paragraph (2)(A); and
    (B) the amounts and timeline for funding that the Secretary has determined would be necessary to address risks and successfully execute the full range of activities proposed by the strategy delivered under paragraph (2)(A).

The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the item relating to section 2220E the following:

Sec. 2220F. National risk management cycle.