[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8775 Introduced in House (IH)]
118th CONGRESS
2d Session
H. R. 8775
To require an assessment on manual operations for critical
infrastructure, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 18, 2024
Mr. Crenshaw (for himself and Mr. Magaziner) introduced the following
bill; which was referred to the Committee on Homeland Security, and in
addition to the Committee on Transportation and Infrastructure, for a
period to be subsequently determined by the Speaker, in each case for
consideration of such provisions as fall within the jurisdiction of the
committee concerned
_______________________________________________________________________
A BILL
To require an assessment on manual operations for critical
infrastructure, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Contingency Plan for Critical
Infrastructure Act''.
SEC. 2. ASSESSMENT ON MANUAL OPERATIONS FOR CRITICAL INFRASTRUCTURE.
(a) Assessment.--
(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the Director of the Cybersecurity
and Infrastructure Security Agency (CISA) of the Department of
Homeland Security, in coordination with the Administrator of
the Federal Emergency Management Agency (FEMA) and each sector
risk management agency, shall provide to Congress a joint
sector-by-sector assessment on the ability of critical
infrastructure owners and operators to operate critical systems
in a manual operating mode during cyber incidents.
(2) Elements.--The assessment under paragraph (1) shall
include the following:
(A) An assessment of how the National Cyber
Incident Response Plan (last published December 2016),
accounts for the risk to critical infrastructure from
not being able to rapidly transition into manually
operating mode.
(B) An assessment of CISA's capabilities and
responsibilities to not only remediate and respond to
the digital aspects of cyber incidents, but to assist
owners and operators of critical infrastructure to
continue to operate key systems.
(C) An assessment of how FEMA's National Response
Framework, including various Emergency Support
Functions (ESFs) and Catastrophic Incident Response
Teams (CIRT), are prepared to support owners and
operators of critical infrastructure in events that
require shifting to manual operating mode.
(D) An assessment of the potential costs and
challenges associated with requiring sectors to be able
to shift to manual operating mode in the event of a
cyber incident.
(E) Policy recommendations to ensure continued
operations of critical infrastructure in the event of a
widespread cyber incident impacting critical
infrastructure.
(b) Updated Planning Considerations for Cyber Incidents.--
(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the Administrator of the Federal
Emergency Management Agency, in coordination with the Director
of the Cybersecurity and Critical Infrastructure Agency, shall
update their Planning Considerations for Cyber Incidents (last
published November 2023).
(2) Elements.--The updates required pursuant to paragraph
(1) shall include the following:
(A) Best practices and guidelines for the essential
personnel of critical infrastructure owners and
operators to perform mission critical functions and
continue to operate critical infrastructure in a manual
operating mode during a cyber incident that disables
business enterprise, process control, or communications
systems.
(B) Steps that critical infrastructure owners and
operators should take to respond to various levels of
degradation to their systems to maintain operations.
(C) Identifying Federal, State, and local resources
available to assist owners and operators of critical
infrastructure in the event that a switch to manual
operating mode is necessary.
(D) Specific guidelines on how to respond to and
remediate the impact of cyber incidents on industrial
control devices.
(c) Definitions.--In this section:
(1) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given such term in section
1016(e) of Public Law 107-56 (42 U.S.C. 5195c(e)).
(2) Manual operating mode.--The term ``manual operating
mode'' means a mode of operation with respect to critical
infrastructure that is disconnected from the internet and with
respect to which internal communication systems are degraded as
a result of a cyber incident, but continues to allow such
critical infrastructure to function to provide services to the
public.