The publication is reproduced in full below:
CISA CYBER EXERCISE ACT
Ms. CLARKE of New York. Madam Speaker, I move to suspend the rules and pass the bill (H.R. 3223) to amend the Homeland Security Act of 2002 to establish in the Cybersecurity and Infrastructure Security Agency the National Cyber Exercise Program, and for other purposes.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 3223
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``CISA Cyber Exercise Act''.
SEC. 2. NATIONAL CYBER EXERCISE PROGRAM.
(a)In General.--Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following new section:
``SEC. 2220A. NATIONAL CYBER EXERCISE PROGRAM.
``(a)Establishment of Program.--
``(1)In general.--There is established in the Agency the National Cyber Exercise Program (referred to in this section as the `Exercise Program') to evaluate the National Cyber Incident Response Plan, and other related plans and strategies.
``(2)Requirements.--
``(A)In general.--The Exercise Program shall be--
``(i) based on current risk assessments, including credible threats, vulnerabilities, and consequences;
``(ii) designed, to the extent practicable, to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident;
``(iii) designed to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements; and
``(iv) designed to promptly develop after-action reports and plans that can quickly incorporate lessons learned into future operations.
``(B)Model exercise selection.--The Exercise Program shall--
``(i) include a selection of model exercises that government and private entities can readily adapt for use; and--
``(ii) aid such governments and private entities with the design, implementation, and evaluation of exercises that--
``(I) conform to the requirements described in subparagraph
(A);
``(II) are consistent with any applicable national, State, local, or Tribal strategy or plan; and
``(III) provide for systematic evaluation of readiness.
``(3)Consultation.--In carrying out the Exercise Program, the Director may consult with appropriate representatives from Sector Risk Management Agencies, cybersecurity research stakeholders, and Sector Coordinating Councils.
``(b)Definitions.--In this section:
``(1)State.--The term `State' means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Northern Mariana Islands, the United States Virgin Islands, Guam, American Samoa, and any other territory or possession of the United States.
``(2)Private entity.--The term `private entity' has the meaning given such term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).''.
(b)Technical Amendments.--
(1)Homeland security act of 2002.--Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--
(A) in the first section 2215 (6 U.S.C. 665; relating to the duties and authorities relating to .gov internet domain), by amending the section enumerator and heading to read as follows:
``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET
DOMAIN.'';
(B) in the second section 2215 (6 U.S.C. 665b; relating to the joint cyber planning office), by amending the section enumerator and heading to read as follows:
``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';
(C) in the third section 2215 (6 U.S.C. 665c; relating to the Cybersecurity State Coordinator), by amending the section enumerator and heading to read as follows:
``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';
(D) in the fourth section 2215 (6 U.S.C. 665d; relating to Sector Risk Management Agencies), by amending the section enumerator and heading to read as follows:
``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';
(E) in section 2216 (6 U.S.C. 665e; relating to the Cybersecurity Advisory Committee), by amending the section enumerator and heading to read as follows:
``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.'';
and
(F) in section 2217 (6 U.S.C. 665f; relating to Cybersecurity Education and Training Programs), by amending the section enumerator and heading to read as follows:
``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING
PROGRAMS.''.
(2)Consolidated appropriations act, 2021.--Paragraph (1) of section 904(b) of division U of the Consolidated Appropriations Act, 2021 (Public Law 116-260) is amended, in the matter preceding subparagraph (A), by inserting ``of 2002'' after ``Homeland Security Act''.
(c)Clerical Amendment.--The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by striking the items relating to sections 2214 through 2217 and inserting the following new items:
``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.
``Sec. 2220A. National Cyber Exercise Program.''.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from New York (Ms. Clarke) and the gentleman from New York (Mr. Katko) each will control 20 minutes.
The Chair recognizes the gentlewoman from New York.
General Leave
Ms. CLARKE of New York. Madam Speaker, I ask unanimous consent that all Members may have 5 legislative days to revise and extend their remarks and to include extraneous material on this measure.
The SPEAKER pro tempore. Is there objection to the request of the gentlewoman from New York?
There was no objection.
Ms. CLARKE of New York. Madam Speaker, I yield myself such time as I may consume.
Madam Speaker, as Americans prepared for their 4th of July holiday weekends, a Russian-based cybercrime crime group launched a ransomware attack that would affect up to 1,500 small- and medium-sized businesses and local governments.
The Kaseya ransomware attacks followed a series of cyberattacks, including one that resulted in the shutdown of 5,500 miles of pipeline on the East Coast.
The unfortunate reality is that the rate and ferocity of cyberattacks show no signs of ebbing.
State actors and cybercriminals alike use cyber tools to advance their goals, regardless of whether they are driven by geopolitical considerations or profiteering.
Together, the Federal Government and its State, local, and private sector partners must do everything in their power to defend our networks while deterring and raising the cost of cyberattacks.
At the same time, we must have tested, exercised cyber-incident response plans in place in the event a malicious hacker successfully gains access to a victim network.
Last year's National Defense Authorization Act included language directing DHS, in coordination with interagency partners, to conduct four exercises over the next 12 years to test the resiliency, response, and recovery of the U.S. to a significant cyber incident impacting critical infrastructure.
Such exercises are critical to understanding our national resilience to cyberattacks and where we need to invest in improving capability.
H.R. 3223 would complement the capstone exercise program authorized last year.
It directs the Cybersecurity and Infrastructure Security Agency, or CISA, together with sector risk management agencies, to develop an exercise program that is designed to more regularly test and assess systemic preparedness and resilience to cyberattacks against critical infrastructure.
The authorization includes requirements for the development of model exercises that State and local governments or private sector entities could readily adapt.
Our collective resilience to cyberattacks demands that we regularly assess and improve our ability to respond to cyberattacks.
The exercise program authorized by H.R. 3223 will help State and local governments and private sector critical infrastructure entities to do just that.
So I urge my colleagues to support H.R. 3223, and I reserve the balance of my time
Mr. KATKO. Madam Speaker, I yield myself such time as I may consume.
I rise today in support of H.R. 3223, the CISA Cyber Exercise Act. I thank my friend and colleague, Ms. Slotkin, for her leadership on this bill, which establishes a cyber exercise program within CISA to elevate the National Cyber Incident Response Plan.
As cyberattacks affecting our Nation's critical infrastructure continue to rise, it is imperative that State and local governments and the private sector leverage the free services CISA offers to help prevent and mitigate the scourge of ransomware and other cyberattacks facing our Nation.
I am pleased that this legislation will authorize another vital tool in CISA's arsenal.
I urge Members to join me in supporting H.R. 3223, and I reserve the balance of my time.
Ms. CLARKE of New York. Madam Speaker, I yield 2 minutes to the gentlewoman from Michigan (Ms. Slotkin).
Ms. SLOTKIN. Madam Speaker, I rise to urge my colleagues to support the CISA Cyber Exercise Act, a bipartisan bill to strengthen our preparation for cyber threats, which I introduced following the ransomware attacks on the Colonial Pipeline.
Last month, I happened to have the Secretary of Agriculture, Mr. Vilsack join me in Ingham County in my district to talk to farmers about protecting family farms, a very important topic in a rural community like mine. And when we went to open Q and A what I think shocked everybody was that the first man to stand up, the first farmer that stood up in his John Deere hat and his overalls wanted to know about cybersecurity. That was the first thing on his mind.
I never imagined that, as a Member of Congress, I would find myself standing in a barn talking with local farmers about ransomware, cyberattacks, and how we are going to protect ourselves but, in fact, I have been having that conversation over and over again in my community. And that is because the last few months have made clear to all Americans that cybersecurity is not just a tech issue, it has gone mainstream. It is at the very heart of protecting our critical infrastructure, energy, food, water, and healthcare that drives our daily lives, and it affects every single one of us. That is why just a week after a ransomware attack struck the world's largest meat processor, these Ingham County farmers wanted to know how cyberattacks would affect their family farms, their livelihood.
What would happen if we were struck by ransomware in Michigan? Who could they turn to to call for help? And above all, what is our government doing to protect citizens who are on the front lines of this threat?
I introduced the CISA Cyber Exercise Act to help answer exactly those questions.
This bill will make sure that our government is preparing for the full range of cyber threats and that we are giving our communities and businesses the tools they need to be secure and resilient.
It strengthens CISA, which is literally America's 911 call for cybersecurity, by formally establishing a National Cyber Exercise Program to test our Nation's response plans for major cyberattacks.
It also directs CISA to build and expand a set of model cyber exercises that can be used by our State and local governments.
By passing this legislation today, we are helping to ensure our Nation and our communities are protected.
Mr. KATKO. Madam Speaker, I have no further speakers, and I urge Members to support this fine bill. I yield back the balance of my time.
Ms. CLARKE of New York. Madam Speaker, I yield myself the balance of my time.
Madam Speaker, the country is experiencing an unprecedented number of significant cyberattacks.
From hospitals to schools to pipelines and a meat processing plant, nothing is immune.
The key to ensuring we are resilient to cyberattacks is to ensure that we have trained and tested cyber incident response plans.
H.R. 3223, the CISA Cyber Exercise Act, is critical in that effort.
I urge my colleagues to support H.R. 3223, and I yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the gentlewoman from New York (Ms. Clarke) that the House suspend the rules and pass the bill, H.R. 3223.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds being in the affirmative, the ayes have it.
Mr. BISHOP of North Carolina. Madam Speaker, on that I demand the yeas and nays.
The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 8, the yeas and nays are ordered.
Pursuant to clause 8 of rule XX, further proceedings on this motion are postponed.
____________________
SOURCE: Congressional Record Vol. 167, No. 127
The Congressional Record is a unique source of public documentation. It started in 1873, documenting nearly all the major and minor policies being discussed and debated.
House Representatives' salaries are historically higher than the median US income.
Alerts Sign-up