S 1350 Introduced - National Risk Management Act

Last month Sen Hassan (D,NH) introduced S 1350, the National Risk Management Act of 2021. The bill would require CISA to “establish a process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, vulnerabilities, and consequences” {new §2218(b)(1)(A). The bill adds a new §2218, National Risk Management Cycle, to the Homeland Security Act of 2002.

NOTE: This review is based upon a submission draft of the bill from Hassan’s web site. An official GPO version of the bill is not yet available. See my blog post about that publication delay problem.

Definitions

Section 2218(a) provides the key definition for the Section. Two terms are defined:

• Critical infrastructure, and

• National critical functions

The first is defined by reference to 42 USC 5195c(e). The term ‘national critical functions’ is similarly defined as {new §2218(a)(2)}:

The functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

National Risk Management Cycle

Subsection (b)(1) requires CISA to establish “a process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, vulnerabilities, and consequences”. The process will include CISA consultation with “Sector Risk Management Agencies, critical infrastructure owners and operators, and the National Cyber Director” {new §2218(b)(1)(B)}. The process will be publicly reported in the Federal Register within 180 days of the enactment of this bill.

National Critical Infrastructure Resilience Strategy

Subsection (b)(2) requires the President to submit to Congress a national critical infrastructure resilience strategy designed to address the risks identified above. In the submitted strategy, the President will {new §2218(b)(2)(B):

• Identify, assess, and prioritize areas of risk to critical infrastructure that would compromise, disrupt, or impede their ability to support the national critical functions of national security, economic security, or public health and safety,

• Assess the implementation of the previous national critical infrastructure resilience strategy, as applicable,

• Identify and outline current and proposed national-level actions, programs, and efforts to be taken to address the risks identified,

• Identify the Federal departments or agencies responsible for leading each national-level action, program, or effort and the relevant critical infrastructure sectors for each,

• Outline the budget plan required to provide sufficient resources to successfully execute the full range of activities proposed or described by the strategy, and

• Request any additional authorities or resources necessary to successfully execute the strategy.

Moving Forward

As I mentioned earlier today, S 1350 will be considered by the Senate Homeland Security and Governmental Affairs Committee during a business meeting on Wednesday. This almost certainly means that there will be significant bipartisan support for the bill in Committee.

The problem will be moving the bill to the floor of the Senate. Last year I would have said that this would not be an important enough bill to be considered on the floor under regular order. The extended debate, amendment and cloture process takes up a lot of the Senate’s limited floor time. This is especially true early in an Administration when so much of the Senate efforts are expended in providing advice and consent on political appointees. Typically, I would have said that this bill would have to run the risks of the unanimous consent process; the risk being that a single Senator could stop consideration of the bill.

This year with the ghosts of the SolarWind and Microsoft Server attacks and the ongoing problems with the ransomware attack on Colonial Pipeline, there might be some serious pressure to bring this bill to the floor. It could end up being the vessel for containing the increasing political pressures to do something about the national cybersecurity problem. The problem then would be for the fractured Senate leadership to keep some modicum of control over the amendment process.

Commentary

This bill is very broadly written and that was certainly the intent. The crafters wanted to give CISA and the President the greatest leeway to define a frequently changing problem and provide congress with specific proposals to Congress for future lawmaking efforts to support solving the problem. In general, I support this process.

Having said that, there is a glaring disconnect between the risk identification process and the national response process. The first cause of this is the failure to limit the risk identification process to just those areas where the national government can have a direct impact on risk mitigation. The Federal government cannot afford the people, time or money to address all of the risks faced by the critical infrastructure in the United States. Fortunately, the second definition in §2218(a) provides a reasonable means for limiting that risk assessment process. I would make the following revisions to §2218(b)(1)(A):

‘‘(A) IN GENERAL.—The Secretary, acting through the Director, shall establish a process by which to identify, assess, and prioritize risks to critical infrastructure, considering both cyber and physical threats, vulnerabilities, and consequences.:

“(i) establish a process by which to identify, assess, and prioritize risks to critical infrastructure that would be expected to impact national critical functions, and

“(ii) consider both cyber and physical threats, vulnerabilities, and consequences.”

The second part of the problem is the failure to identify those mitigation and resiliency measures that ought to be the sole responsibility of the critical infrastructure owner/operators (including in some instances State, local and Tribal governments). To that end, I would add an additional subparagraph to (A) above:

“(iii) identify the necessary minimum self-protection measures and reporting requirements that a critical infrastructure facility should be expected to implement to help reduce the risks identified in this Section.”