[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 4630 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 655
118th CONGRESS
  2d Session
                                S. 4630

                          [Report No. 118-254]

 To establish an interagency committee to harmonize regulatory regimes 
in the United States relating to cybersecurity, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              July 8, 2024

    Mr. Peters (for himself, Mr. Lankford, Ms. Rosen, and Mr. King) 
introduced the following bill; which was read twice and referred to the 
        Committee on Homeland Security and Governmental Affairs

                            December 2, 2024

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
 To establish an interagency committee to harmonize regulatory regimes 
in the United States relating to cybersecurity, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Streamlining Federal 
Cybersecurity Regulations Act''.</DELETED>

<DELETED>SEC. 2. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Agency.--The term ``agency'' has the meaning 
        given that term in section 551 of title 5, United States 
        Code.</DELETED>
        <DELETED>    (2) Appropriate congressional committees.--The 
        term ``appropriate congressional committees'' means--</DELETED>
                <DELETED>    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;</DELETED>
                <DELETED>    (B) the Committee on Oversight and 
                Accountability of the House of 
                Representatives;</DELETED>
                <DELETED>    (C) each committee of Congress with 
                jurisdiction over the activities of a regulatory 
                agency; and</DELETED>
                <DELETED>    (D) each committee of Congress with 
                jurisdiction over the activities of a Sector Risk 
                Management Agency with respect to a sector regulated by 
                a regulatory agency.</DELETED>
        <DELETED>    (3) Committee.--The term ``Committee'' means the 
        Harmonization Committee established under section 
        3(a).</DELETED>
        <DELETED>    (4) Cybersecurity requirement.--The term 
        ``cybersecurity requirement'' means an administrative, 
        technical, or physical safeguard, requirement, or supervisory 
        activity, including regulations, guidance, bulletins or 
        examinations, relating to information security, information 
        technology, cybersecurity, or cyber risk or 
        resilience.</DELETED>
        <DELETED>    (5) Harmonization.--</DELETED>
                <DELETED>    (A) Definition.--The term 
                ``harmonization'' means the process of aligning 
                cybersecurity requirements issued by regulatory 
                agencies such that the requirements consist of--
                </DELETED>
                        <DELETED>    (i) a common set of minimum 
                        requirements that apply across sectors and that 
                        can be updated periodically to address new or 
                        evolving risks relating to information security 
                        or cybersecurity; and</DELETED>
                        <DELETED>    (ii) sector-specific requirements 
                        that--</DELETED>
                                <DELETED>    (I) are necessary to 
                                address sector-specific risks that are 
                                not adequately addressed by the minimum 
                                requirements in clause (i); 
                                and</DELETED>
                                <DELETED>    (II) are substantially 
                                similar, where appropriate, to other 
                                requirements in that sector or a 
                                similar sector.</DELETED>
                <DELETED>    (B) Rule of construction.--Nothing in this 
                definition shall be construed to exempt regulatory 
                agencies from any otherwise applicable processes or 
                laws relating to updating regulations, including 
                subchapter II of chapter 5, and chapter 7, of title 5, 
                United States Code (commonly known as the 
                ``Administrative Procedure Act'').</DELETED>
        <DELETED>    (6) Independent regulatory agency.--The term 
        ``independent regulatory agency'' has the meaning given that 
        term in section 3502 of title 44, United States Code.</DELETED>
        <DELETED>    (7) Reciprocity.--The term ``reciprocity'' means 
        the recognition or acceptance by 1 regulatory agency of an 
        assessment, determination, examination, finding, or conclusion 
        of another regulatory agency for determining that a regulated 
        entity has complied with a cybersecurity requirement.</DELETED>
        <DELETED>    (8) Regulatory agency.--The term ``regulatory 
        agency'' means--</DELETED>
                <DELETED>    (A) any independent regulatory agency that 
                has the statutory authority to issue or enforce any 
                mandatory cybersecurity requirement; or</DELETED>
                <DELETED>    (B) any other agency that has the 
                statutory authority to issue or enforce any 
                cybersecurity requirement.</DELETED>
        <DELETED>    (9) Regulatory framework.--The term ``regulatory 
        framework'' means the framework developed under section 
        3(e)(1).</DELETED>
        <DELETED>    (10) Sector risk management agency.--The term 
        ``Sector Risk Management Agency'' has the meaning given that 
        term in section 2200 of the Homeland Security Act of 2002 (6 
        U.S.C. 650).</DELETED>

<DELETED>SEC. 3. ESTABLISHMENT OF INTERAGENCY COMMITTEE TO HARMONIZE 
              REGULATORY REGIMES IN THE UNITED STATES RELATING TO 
              CYBERSECURITY.</DELETED>

<DELETED>    (a) Harmonization Committee.--</DELETED>
        <DELETED>    (1) In general.--The National Cyber Director shall 
        establish an interagency committee to be known as the 
        Harmonization Committee to enhance the harmonization of 
        cybersecurity requirements that are applicable within the 
        United States.</DELETED>
        <DELETED>    (2) Support.--The National Cyber Director shall 
        provide the Committee with administrative and management 
        support as appropriate.</DELETED>
<DELETED>    (b) Members.--</DELETED>
        <DELETED>    (1) In general.--The Committee shall be composed 
        of--</DELETED>
                <DELETED>    (A) the National Cyber Director;</DELETED>
                <DELETED>    (B) the head of each regulatory 
                agency;</DELETED>
                <DELETED>    (C) the head of the Office of Information 
                and Regulatory Affairs of the Office of Management and 
                Budget; and</DELETED>
                <DELETED>    (D) the head of other appropriate 
                agencies, as determined by the chair of the 
                Committee.</DELETED>
        <DELETED>    (2) Publication of list of members.--The Committee 
        shall maintain a list of the agencies that are represented on 
        the Committee on a publicly available website.</DELETED>
<DELETED>    (c) Chair.--The National Cyber Director shall be the chair 
of the Committee.</DELETED>
<DELETED>    (d) Charter.--The Committee shall develop, deliver to 
Congress, and make publicly available a charter, which shall--
</DELETED>
        <DELETED>    (1) include the processes and rules of the 
        Committee; and</DELETED>
        <DELETED>    (2) detail--</DELETED>
                <DELETED>    (A) the objective and scope of the 
                Committee; and</DELETED>
                <DELETED>    (B) other items as necessary.</DELETED>
<DELETED>    (e) Regulatory Framework for Harmonization.--</DELETED>
        <DELETED>    (1) In general.--</DELETED>
                <DELETED>    (A) Framework.--Not later than 1 year 
                after the date of enactment of this Act, the Committee 
                shall develop a regulatory framework for achieving 
                harmonization of the cybersecurity requirements of each 
                regulatory agency.</DELETED>
                <DELETED>    (B) Factors.--In developing the framework 
                under subparagraph (A), the Committee shall account for 
                existing sector-specific cybersecurity requirements 
                that are identified as unique or critical to a 
                sector.</DELETED>
        <DELETED>    (2) Minimum requirements.--The framework shall 
        contain, at a minimum, processes for--</DELETED>
                <DELETED>    (A) establishing a reciprocal compliance 
                mechanism for minimum requirements relating to 
                information security or cybersecurity for entities 
                regulated by more than 1 regulatory agency;</DELETED>
                <DELETED>    (B) identifying cybersecurity requirements 
                that are overly burdensome, inconsistent, or 
                contradictory, as determined by the Committee; 
                and</DELETED>
                <DELETED>    (C) developing recommendations for 
                updating regulations, guidance, and examinations to 
                address overly burdensome, inconsistent, or 
                contradictory cybersecurity requirements identified 
                under subparagraph (B) to achieve 
                harmonization.</DELETED>
        <DELETED>    (3) Publication.--Upon completion of the 
        regulatory framework, the Committee shall publish the 
        regulatory framework in the Federal Register.</DELETED>
<DELETED>    (f) Pilot Program on Implementation of Regulatory 
Framework.--</DELETED>
        <DELETED>    (1) In general.--Not fewer than 3 regulatory 
        agencies, selected by the Committee, shall carry out a pilot 
        program to implement the regulatory framework established under 
        subsection (e) with respect to not fewer than 3 cybersecurity 
        requirements.</DELETED>
        <DELETED>    (2) Participation by regulatory agencies and 
        regulated entities.--</DELETED>
                <DELETED>    (A) Regulatory agencies.--Participation in 
                the pilot program by a regulatory agency shall be 
                voluntary and subject to the consent of the regulatory 
                agency following selection by the Committee under 
                paragraph (1).</DELETED>
                <DELETED>    (B) Regulated entities.--Participation in 
                the pilot program by a regulated entity shall be 
                voluntary.</DELETED>
        <DELETED>    (3) Selection of cybersecurity requirements.--
        Cybersecurity requirements selected for the pilot program under 
        paragraph (1) shall contain substantially similar or 
        substantially related requirements such that not fewer than 2 
        of the selected cybersecurity requirements govern the same 
        regulated entity with substantially similar or substantially 
        related requirements relating to information security or 
        cybersecurity.</DELETED>
        <DELETED>    (4) Waivers.--Notwithstanding any provision of 
        subchapter II of chapter 5, and chapter 7, of title 5, United 
        States Code (commonly known as the ``Administrative Procedure 
        Act'') and subject to the consent of any participating 
        regulated entity, in implementing the pilot program under 
        paragraph (1), a regulatory agency participating in the pilot 
        program shall have the authority to issue waivers and establish 
        alternative procedures for regulated entities participating in 
        the pilot program with respect to the cybersecurity 
        requirements included under the pilot program.</DELETED>
<DELETED>    (g) Consultation With the Committee.--</DELETED>
        <DELETED>    (1) In general.--Notwithstanding any other 
        provision of law--</DELETED>
                <DELETED>    (A) before prescribing any cybersecurity 
                requirement, the head of a regulatory agency shall 
                consult with the Committee regarding such requirement 
                and the regulatory framework established under 
                subsection (e); and</DELETED>
                <DELETED>    (B) independent regulatory agencies, when 
                updating any existing cybersecurity requirement or 
                issuing a potential new cybersecurity requirement, 
                shall consult the Committee during the development of 
                the updated cybersecurity requirement or the new 
                cybersecurity requirement to ensure that the 
                requirement is aligned to the greatest extent possible 
                with the regulatory framework.</DELETED>
        <DELETED>    (2) Determination.--Following a consultation under 
        paragraph (1), the Committee shall make a determination in 
        writing to the agency, in coordination with the Office of 
        Management and Budget as necessary, that shall--</DELETED>
                <DELETED>    (A) include to what degree the proposed 
                cybersecurity requirement or update to the 
                cybersecurity requirement aligns with the regulatory 
                framework; and</DELETED>
                <DELETED>    (B) provide a list of recommendations to 
                improve the cybersecurity requirement and align it with 
                the regulatory framework.</DELETED>
<DELETED>    (h) Consultation With Sector Risk Management Agencies.--
The Committee shall consult with appropriate Sector Risk Management 
Agencies in the development of the regulatory framework under 
subsection (e) and the implementation of the pilot program under 
subsection (f).</DELETED>
<DELETED>    (i) Reports.--</DELETED>
        <DELETED>    (1) Annual report.--Not later than 12 months after 
        the date of enactment of this Act, and annually thereafter, the 
        Committee shall submit to the appropriate congressional 
        committees a report detailing--</DELETED>
                <DELETED>    (A) member participation; and</DELETED>
                <DELETED>    (B) the application of the regulatory 
                framework, once developed, on cybersecurity 
                requirements, including consultations or discussions 
                with regulators.</DELETED>
        <DELETED>    (2) Pilot program report.--Not later than 12 
        months after the date on which the pilot program begins, the 
        Committee shall submit to the appropriate congressional 
        committees a report detailing--</DELETED>
                <DELETED>    (A) the cybersecurity requirements 
                selected for the program, including the reasons that 
                the regulatory agency and cybersecurity requirement 
                were selected;</DELETED>
                <DELETED>    (B) the information learned from the 
                program;</DELETED>
                <DELETED>    (C) any obstacles encountered during the 
                program; and</DELETED>
                <DELETED>    (D) an assessment of the applicability of 
                expanding the program to other agencies and 
                cybersecurity requirements.</DELETED>

<DELETED>SEC. 4. STATUS UPDATES ON INCIDENT REPORTING.</DELETED>

<DELETED>    (a) Status Update on Memoranda of Agreement.--Not later 
than 180 days after the date of enactment of this Act, and not less 
frequently than every 180 days thereafter, the Director of the 
Cybersecurity and Infrastructure Security Agency shall provide to the 
appropriate congressional committees a status update on the development 
and implementation of memoranda of agreement between agencies required 
under section 104(a)(5) of the Cyber Incident Reporting for Critical 
Infrastructure Act of 2022 (6 U.S.C. 681g(a)(5)).</DELETED>
<DELETED>    (b) Status Update on Efforts of the Cyber Incident 
Reporting Council.--Not later than 180 days after the date of enactment 
of this Act, and not less frequently than every 180 days thereafter, 
the Secretary of Homeland Security shall provide to the appropriate 
congressional committees a status update on the efforts of the Cyber 
Incident Reporting Council established under section 2246 of the 
Homeland Security Act of 2002 (6 U.S.C. 681f).</DELETED>

<DELETED>SEC. 5. RULE OF CONSTRUCTION.</DELETED>

<DELETED>    Nothing in this Act shall be construed--</DELETED>
        <DELETED>    (1) to expand or alter the existing regulatory 
        authorities of any agency, including any independent regulatory 
        agency, except for exemptions under section 3(f) to implement 
        the pilot program established under that section;</DELETED>
        <DELETED>    (2) to provide any such agency any new or 
        additional regulatory authorities; or</DELETED>
        <DELETED>    (3) to address security incident reporting 
        requirements subject to coordination by the Cyber Incident 
        Reporting Council established under section 2246 of the 
        Homeland Security Act of 2022 (6 U.S.C. 681f), except for the 
        required status updates under section 4.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Streamlining Federal Cybersecurity 
Regulations Act''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the meaning given that 
        term in section 551 of title 5, United States Code.
            (2) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Oversight and Accountability 
                of the House of Representatives;
                    (C) each committee of Congress with jurisdiction