[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 4630 Reported in Senate (RS)]
Calendar No. 655
118th CONGRESS
2d Session
S. 4630
[Report No. 118-254]
To establish an interagency committee to harmonize regulatory regimes
in the United States relating to cybersecurity, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 8, 2024
Mr. Peters (for himself, Mr. Lankford, Ms. Rosen, and Mr. King)
introduced the following bill; which was read twice and referred to the
Committee on Homeland Security and Governmental Affairs
December 2, 2024
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To establish an interagency committee to harmonize regulatory regimes
in the United States relating to cybersecurity, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Streamlining Federal
Cybersecurity Regulations Act''.</DELETED>
<DELETED>SEC. 2. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Agency.--The term ``agency'' has the meaning
given that term in section 551 of title 5, United States
Code.</DELETED>
<DELETED> (2) Appropriate congressional committees.--The
term ``appropriate congressional committees'' means--</DELETED>
<DELETED> (A) the Committee on Homeland Security and
Governmental Affairs of the Senate;</DELETED>
<DELETED> (B) the Committee on Oversight and
Accountability of the House of
Representatives;</DELETED>
<DELETED> (C) each committee of Congress with
jurisdiction over the activities of a regulatory
agency; and</DELETED>
<DELETED> (D) each committee of Congress with
jurisdiction over the activities of a Sector Risk
Management Agency with respect to a sector regulated by
a regulatory agency.</DELETED>
<DELETED> (3) Committee.--The term ``Committee'' means the
Harmonization Committee established under section
3(a).</DELETED>
<DELETED> (4) Cybersecurity requirement.--The term
``cybersecurity requirement'' means an administrative,
technical, or physical safeguard, requirement, or supervisory
activity, including regulations, guidance, bulletins or
examinations, relating to information security, information
technology, cybersecurity, or cyber risk or
resilience.</DELETED>
<DELETED> (5) Harmonization.--</DELETED>
<DELETED> (A) Definition.--The term
``harmonization'' means the process of aligning
cybersecurity requirements issued by regulatory
agencies such that the requirements consist of--
</DELETED>
<DELETED> (i) a common set of minimum
requirements that apply across sectors and that
can be updated periodically to address new or
evolving risks relating to information security
or cybersecurity; and</DELETED>
<DELETED> (ii) sector-specific requirements
that--</DELETED>
<DELETED> (I) are necessary to
address sector-specific risks that are
not adequately addressed by the minimum
requirements in clause (i);
and</DELETED>
<DELETED> (II) are substantially
similar, where appropriate, to other
requirements in that sector or a
similar sector.</DELETED>
<DELETED> (B) Rule of construction.--Nothing in this
definition shall be construed to exempt regulatory
agencies from any otherwise applicable processes or
laws relating to updating regulations, including
subchapter II of chapter 5, and chapter 7, of title 5,
United States Code (commonly known as the
``Administrative Procedure Act'').</DELETED>
<DELETED> (6) Independent regulatory agency.--The term
``independent regulatory agency'' has the meaning given that
term in section 3502 of title 44, United States Code.</DELETED>
<DELETED> (7) Reciprocity.--The term ``reciprocity'' means
the recognition or acceptance by 1 regulatory agency of an
assessment, determination, examination, finding, or conclusion
of another regulatory agency for determining that a regulated
entity has complied with a cybersecurity requirement.</DELETED>
<DELETED> (8) Regulatory agency.--The term ``regulatory
agency'' means--</DELETED>
<DELETED> (A) any independent regulatory agency that
has the statutory authority to issue or enforce any
mandatory cybersecurity requirement; or</DELETED>
<DELETED> (B) any other agency that has the
statutory authority to issue or enforce any
cybersecurity requirement.</DELETED>
<DELETED> (9) Regulatory framework.--The term ``regulatory
framework'' means the framework developed under section
3(e)(1).</DELETED>
<DELETED> (10) Sector risk management agency.--The term
``Sector Risk Management Agency'' has the meaning given that
term in section 2200 of the Homeland Security Act of 2002 (6
U.S.C. 650).</DELETED>
<DELETED>SEC. 3. ESTABLISHMENT OF INTERAGENCY COMMITTEE TO HARMONIZE
REGULATORY REGIMES IN THE UNITED STATES RELATING TO
CYBERSECURITY.</DELETED>
<DELETED> (a) Harmonization Committee.--</DELETED>
<DELETED> (1) In general.--The National Cyber Director shall
establish an interagency committee to be known as the
Harmonization Committee to enhance the harmonization of
cybersecurity requirements that are applicable within the
United States.</DELETED>
<DELETED> (2) Support.--The National Cyber Director shall
provide the Committee with administrative and management
support as appropriate.</DELETED>
<DELETED> (b) Members.--</DELETED>
<DELETED> (1) In general.--The Committee shall be composed
of--</DELETED>
<DELETED> (A) the National Cyber Director;</DELETED>
<DELETED> (B) the head of each regulatory
agency;</DELETED>
<DELETED> (C) the head of the Office of Information
and Regulatory Affairs of the Office of Management and
Budget; and</DELETED>
<DELETED> (D) the head of other appropriate
agencies, as determined by the chair of the
Committee.</DELETED>
<DELETED> (2) Publication of list of members.--The Committee
shall maintain a list of the agencies that are represented on
the Committee on a publicly available website.</DELETED>
<DELETED> (c) Chair.--The National Cyber Director shall be the chair
of the Committee.</DELETED>
<DELETED> (d) Charter.--The Committee shall develop, deliver to
Congress, and make publicly available a charter, which shall--
</DELETED>
<DELETED> (1) include the processes and rules of the
Committee; and</DELETED>
<DELETED> (2) detail--</DELETED>
<DELETED> (A) the objective and scope of the
Committee; and</DELETED>
<DELETED> (B) other items as necessary.</DELETED>
<DELETED> (e) Regulatory Framework for Harmonization.--</DELETED>
<DELETED> (1) In general.--</DELETED>
<DELETED> (A) Framework.--Not later than 1 year
after the date of enactment of this Act, the Committee
shall develop a regulatory framework for achieving
harmonization of the cybersecurity requirements of each
regulatory agency.</DELETED>
<DELETED> (B) Factors.--In developing the framework
under subparagraph (A), the Committee shall account for
existing sector-specific cybersecurity requirements
that are identified as unique or critical to a
sector.</DELETED>
<DELETED> (2) Minimum requirements.--The framework shall
contain, at a minimum, processes for--</DELETED>
<DELETED> (A) establishing a reciprocal compliance
mechanism for minimum requirements relating to
information security or cybersecurity for entities
regulated by more than 1 regulatory agency;</DELETED>
<DELETED> (B) identifying cybersecurity requirements
that are overly burdensome, inconsistent, or
contradictory, as determined by the Committee;
and</DELETED>
<DELETED> (C) developing recommendations for
updating regulations, guidance, and examinations to
address overly burdensome, inconsistent, or
contradictory cybersecurity requirements identified
under subparagraph (B) to achieve
harmonization.</DELETED>
<DELETED> (3) Publication.--Upon completion of the
regulatory framework, the Committee shall publish the
regulatory framework in the Federal Register.</DELETED>
<DELETED> (f) Pilot Program on Implementation of Regulatory
Framework.--</DELETED>
<DELETED> (1) In general.--Not fewer than 3 regulatory
agencies, selected by the Committee, shall carry out a pilot
program to implement the regulatory framework established under
subsection (e) with respect to not fewer than 3 cybersecurity
requirements.</DELETED>
<DELETED> (2) Participation by regulatory agencies and
regulated entities.--</DELETED>
<DELETED> (A) Regulatory agencies.--Participation in
the pilot program by a regulatory agency shall be
voluntary and subject to the consent of the regulatory
agency following selection by the Committee under
paragraph (1).</DELETED>
<DELETED> (B) Regulated entities.--Participation in
the pilot program by a regulated entity shall be
voluntary.</DELETED>
<DELETED> (3) Selection of cybersecurity requirements.--
Cybersecurity requirements selected for the pilot program under
paragraph (1) shall contain substantially similar or
substantially related requirements such that not fewer than 2
of the selected cybersecurity requirements govern the same
regulated entity with substantially similar or substantially
related requirements relating to information security or
cybersecurity.</DELETED>
<DELETED> (4) Waivers.--Notwithstanding any provision of
subchapter II of chapter 5, and chapter 7, of title 5, United
States Code (commonly known as the ``Administrative Procedure
Act'') and subject to the consent of any participating
regulated entity, in implementing the pilot program under
paragraph (1), a regulatory agency participating in the pilot
program shall have the authority to issue waivers and establish
alternative procedures for regulated entities participating in
the pilot program with respect to the cybersecurity
requirements included under the pilot program.</DELETED>
<DELETED> (g) Consultation With the Committee.--</DELETED>
<DELETED> (1) In general.--Notwithstanding any other
provision of law--</DELETED>
<DELETED> (A) before prescribing any cybersecurity
requirement, the head of a regulatory agency shall
consult with the Committee regarding such requirement
and the regulatory framework established under
subsection (e); and</DELETED>
<DELETED> (B) independent regulatory agencies, when
updating any existing cybersecurity requirement or
issuing a potential new cybersecurity requirement,
shall consult the Committee during the development of
the updated cybersecurity requirement or the new
cybersecurity requirement to ensure that the
requirement is aligned to the greatest extent possible
with the regulatory framework.</DELETED>
<DELETED> (2) Determination.--Following a consultation under
paragraph (1), the Committee shall make a determination in
writing to the agency, in coordination with the Office of
Management and Budget as necessary, that shall--</DELETED>
<DELETED> (A) include to what degree the proposed
cybersecurity requirement or update to the
cybersecurity requirement aligns with the regulatory
framework; and</DELETED>
<DELETED> (B) provide a list of recommendations to
improve the cybersecurity requirement and align it with
the regulatory framework.</DELETED>
<DELETED> (h) Consultation With Sector Risk Management Agencies.--
The Committee shall consult with appropriate Sector Risk Management
Agencies in the development of the regulatory framework under
subsection (e) and the implementation of the pilot program under
subsection (f).</DELETED>
<DELETED> (i) Reports.--</DELETED>
<DELETED> (1) Annual report.--Not later than 12 months after
the date of enactment of this Act, and annually thereafter, the
Committee shall submit to the appropriate congressional
committees a report detailing--</DELETED>
<DELETED> (A) member participation; and</DELETED>
<DELETED> (B) the application of the regulatory
framework, once developed, on cybersecurity
requirements, including consultations or discussions
with regulators.</DELETED>
<DELETED> (2) Pilot program report.--Not later than 12
months after the date on which the pilot program begins, the
Committee shall submit to the appropriate congressional
committees a report detailing--</DELETED>
<DELETED> (A) the cybersecurity requirements
selected for the program, including the reasons that
the regulatory agency and cybersecurity requirement
were selected;</DELETED>
<DELETED> (B) the information learned from the
program;</DELETED>
<DELETED> (C) any obstacles encountered during the
program; and</DELETED>
<DELETED> (D) an assessment of the applicability of
expanding the program to other agencies and
cybersecurity requirements.</DELETED>
<DELETED>SEC. 4. STATUS UPDATES ON INCIDENT REPORTING.</DELETED>
<DELETED> (a) Status Update on Memoranda of Agreement.--Not later
than 180 days after the date of enactment of this Act, and not less
frequently than every 180 days thereafter, the Director of the
Cybersecurity and Infrastructure Security Agency shall provide to the
appropriate congressional committees a status update on the development
and implementation of memoranda of agreement between agencies required
under section 104(a)(5) of the Cyber Incident Reporting for Critical
Infrastructure Act of 2022 (6 U.S.C. 681g(a)(5)).</DELETED>
<DELETED> (b) Status Update on Efforts of the Cyber Incident
Reporting Council.--Not later than 180 days after the date of enactment
of this Act, and not less frequently than every 180 days thereafter,
the Secretary of Homeland Security shall provide to the appropriate
congressional committees a status update on the efforts of the Cyber
Incident Reporting Council established under section 2246 of the
Homeland Security Act of 2002 (6 U.S.C. 681f).</DELETED>
<DELETED>SEC. 5. RULE OF CONSTRUCTION.</DELETED>
<DELETED> Nothing in this Act shall be construed--</DELETED>
<DELETED> (1) to expand or alter the existing regulatory
authorities of any agency, including any independent regulatory
agency, except for exemptions under section 3(f) to implement
the pilot program established under that section;</DELETED>
<DELETED> (2) to provide any such agency any new or
additional regulatory authorities; or</DELETED>
<DELETED> (3) to address security incident reporting
requirements subject to coordination by the Cyber Incident
Reporting Council established under section 2246 of the
Homeland Security Act of 2022 (6 U.S.C. 681f), except for the
required status updates under section 4.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Streamlining Federal Cybersecurity
Regulations Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given that
term in section 551 of title 5, United States Code.
(2) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(B) the Committee on Oversight and Accountability
of the House of Representatives;
(C) each committee of Congress with jurisdiction