[House Report 113-324] [From the U.S. Government Publishing Office] 113th Congress Report HOUSE OF REPRESENTATIVES 2d Session 113-324 ====================================================================== CRITICAL INFRASTRUCTURE RESEARCH AND DEVELOPMENT ADVANCEMENT ACT OF 2013 _______ January 9, 2014.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. McCaul, from the Committee on Homeland Security, submitted the following R E P O R T [To accompany H.R. 2952] [Including cost estimate of the Congressional Budget Office] The Committee on Homeland Security, to whom was referred the bill (H.R. 2952) to amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to the advancement of security technologies for critical infrastructure protection, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. CONTENTS Page Purpose and Summary.............................................. 4 Background and Need for Legislation.............................. 4 Hearings......................................................... 5 Committee Consideration.......................................... 7 Committee Votes.................................................. 8 Committee Oversight Findings..................................... 8 New Budget Authority, Entitlement Authority, and Tax Expenditures 8 Congressional Budget Office Estimate............................. 8 Statement of General Performance Goals and Objectives............ 9 Duplicative Federal Programs..................................... 10 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits....................................................... 10 Federal Mandates Statement....................................... 10 Preemption Clarification......................................... 10 Disclosure of Directed Rule Makings.............................. 10 Advisory Committee Statement..................................... 10 Applicability to Legislative Branch.............................. 11 Section-by-Section Analysis of the Legislation................... 11 Changes in Existing Law Made by the Bill, as Reported............ 19 The amendment is as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Critical Infrastructure Research and Development Advancement Act of 2013'' or the ``CIRDA Act of 2013''. SEC. 2. DEFINITIONS. Section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101) is amended by redesignating paragraphs (15) through (18) as paragraphs (16) through (19), respectively, and by inserting after paragraph (14) the following: ``(15) The term `Sector Coordinating Council' means a private sector coordinating council that is-- ``(A) recognized by the Secretary as such a Council for purposes of this Act; and ``(B) comprised of representatives of owners and operators of critical infrastructure within a particular sector of critical infrastructure.''. SEC. 3. CRITICAL INFRASTRUCTURE PROTECTION RESEARCH AND DEVELOPMENT. (a) Strategic Plan; Public-Private Consortiums.-- (1) In general.--Title III of the Homeland Security Act of 2002 (6 U.S.C. 181 et seq.) is amended by adding at the end the following: ``SEC. 318. RESEARCH AND DEVELOPMENT STRATEGY FOR CRITICAL INFRASTRUCTURE PROTECTION. ``(a) In General.--Not later than 180 days after the date of enactment of the Critical Infrastructure Research and Development Advancement Act of 2013, the Secretary, acting through the Under Secretary for Science and Technology, shall transmit to Congress a strategic plan to guide the overall direction of Federal physical security and cybersecurity technology research and development efforts for protecting critical infrastructure, including against all threats. Once every 2 years after the initial strategic plan is transmitted to Congress under this section, the Secretary shall transmit to Congress an update of the plan. ``(b) Contents of Plan.--The strategic plan shall include the following: ``(1) An identification of critical infrastructure security risks and any associated security technology gaps, that are developed following-- ``(A) consultation with stakeholders, including the Sector Coordinating Councils; and ``(B) performance by the Department of a risk/gap analysis that considers information received in such consultations. ``(2) A set of critical infrastructure security technology needs that-- ``(A) is prioritized based on risk and gaps identified under paragraph (1); ``(B) emphasizes research and development of those technologies that need to be accelerated due to rapidly evolving threats or rapidly advancing infrastructure technology; and ``(C) includes research, development, and acquisition roadmaps with clearly defined objectives, goals, and measures. ``(3) An identification of laboratories, facilities, modeling, and simulation capabilities that will be required to support the research, development, demonstration, testing, evaluation, and acquisition of the security technologies described in paragraph (2). ``(4) An identification of current and planned programmatic initiatives for fostering the rapid advancement and deployment of security technologies for critical infrastructure protection. The initiatives shall consider opportunities for public-private partnerships, intragovernment collaboration, university centers of excellence, and national laboratory technology transfer. ``(5) A description of progress made with respect to each critical infrastructure security risk, associated security technology gap, and critical infrastructure technology need identified in the preceding strategic plan transmitted under this section. ``(c) Coordination.--In carrying out this section, the Under Secretary for Science and Technology shall coordinate with the Under Secretary for the National Protection and Programs Directorate. ``(d) Consultation.--In carrying out this section, the Under Secretary for Science and Technology shall consult with-- ``(1) the critical infrastructure Sector Coordinating Councils; ``(2) to the extent practicable, subject matter experts on critical infrastructure protection from universities, colleges, including historically black colleges and universities, Hispanic-serving institutions, and tribal colleges and universities, national laboratories, and private industry; ``(3) the heads of other relevant Federal departments and agencies that conduct research and development for critical infrastructure protection; and ``(4) State, local, and tribal governments as appropriate. ``SEC. 319. REPORT ON PUBLIC-PRIVATE RESEARCH AND DEVELOPMENT CONSORTIUMS. ``(a) In General.--Not later than 180 days after the enactment of the Critical Infrastructure Research and Development Advancement Act of 2013, the Secretary, acting through the Under Secretary for Science and Technology, shall transmit to Congress a report on the Department's utilization of public-private research and development consortiums for accelerating technology development for critical infrastructure protection. Once every 2 years after the initial report is transmitted to Congress under this section, the Secretary shall transmit to Congress an update of the report. The report shall focus on those aspects of critical infrastructure protection that are predominately operated by the private sector and that would most benefit from rapid security technology advancement. ``(b) Contents of Report.--The report shall include-- ``(1) a summary of the progress and accomplishments of on- going consortiums for critical infrastructure security technologies; ``(2) in consultation with the Sector Coordinating Councils and, to the extent practicable, in consultation with subject- matter experts on critical infrastructure protection from universities, colleges, including historically black colleges and universities, Hispanic-serving institutions, and tribal colleges and universities, national laboratories, and private industry, a prioritized list of technology development focus areas that would most benefit from a public-private research and development consortium; and ``(3) based on the prioritized list developed under paragraph (2), a proposal for implementing an expanded research and development consortium program, including an assessment of feasibility and an estimate of cost, schedule, and milestones.''. (2) Limitation on progress report requirement.--Subsection (b)(5) of section 318 of the Homeland Security Act of 2002, as amended by paragraph (1) of this subsection, shall not apply with respect to the first strategic plan transmitted under that section. (b) Clerical Amendment.--The table of contents in section 1(b) of such Act is amended by adding at the end of the items relating to such title the following: ``Sec. 318. Research and development strategy for critical infrastructure protection. ``Sec. 319. Report on public-private research and development consortiums.''. (c) Critical Infrastructure Protection Technology Clearinghouse.-- Section 313 of the Homeland Security Act of 2002 (6 U.S.C. 193) is amended by redesignating subsection (c) as subsection (d), and by inserting after subsection (b) the following: ``(c) Critical Infrastructure Protection Technology Clearinghouse.-- ``(1) Designation.--Under the program required by this section, the Secretary, acting through the Under Secretary for Science and Technology, and in coordination with the Under Secretary for the National Protection and Programs Directorate, shall designate a technology clearinghouse for rapidly sharing proven technology solutions for protecting critical infrastructure. ``(2) Sharing of technology solutions.--Technology solutions shared through the clearinghouse shall draw from Government- furnished, commercially furnished, and publically available trusted sources. ``(3) Technology metrics.--All technologies shared through the clearinghouse shall include a set of performance and readiness metrics to assist end-users in deploying effective and timely solutions relevant for their critical infrastructures. ``(4) Review by privacy officer.--The Privacy Officer of the Department appointed under section 222 shall annually review the clearinghouse process to evaluate its consistency with fair information practice principles issued by the Privacy Officer.''. (d) Evaluation of Technology Clearinghouse by Government Accountability Office.--Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall conduct an independent evaluation of, and submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on, the effectiveness of the clearinghouses established and designated, respectively, under section 313 of the Homeland Security Act of 2002, as amended by this section. SEC. 4. NO ADDITIONAL AUTHORIZATION OF APPROPRIATIONS. No additional funds are authorized to be appropriated to carry out this Act and the amendments made by this Act, and this Act and such amendments shall be carried out using amounts otherwise available for such purpose. Purpose and Summary The purpose of H.R. 2952 is to amend the Homeland Security Act of 2002 to make certain improvements in the laws relating to the advancement of security technologies for critical infrastructure protection, and for other purposes. Background and Need for Legislation The Department of Homeland Security (DHS) is responsible for the prevention of, and defense against threats to United States critical infrastructure. Such threats come in many forms and include threats to people, property, and information. The events of September 11, 2001, demonstrated that terrorist attacks on the homeland can occur in unconventional ways and can result in unanticipated consequences to National security posture and economic vitality. The U.S. is fortunate to have a thriving infrastructure that keeps Americans safe, secure, free, and prosperous. But this infrastructure is technologically complex, interdependent, and potentially vulnerable to physical and cyber attack. New security technologies will need to keep pace with rapidly evolving threats and the rapid advancement of the infrastructure itself. Since U.S. infrastructure is primarily owned and operated by the private sector, improved mechanisms are needed to advance government-sponsored research and development (R&D) of critical infrastructure security-related technologies. It is therefore necessary that DHS develop a comprehensive R&D strategy and a set of improved R&D mechanisms to address a broad spectrum of evolving threats to critical infrastructure. The Committee believes that this strategy requires coordination across the Federal Government and must be developed in collaboration with the private sector. Legislation is required for DHS to develop such a strategy, improve R&D mechanisms, and establish and encourage the necessary coordination and collaboration. H.R. 2952, the Critical Infrastructure Research and Development Advancement Act of 2013, is bipartisan legislation developed from valuable input from stakeholders and subject matter experts across government and industry. This bill provides three major provisions that will help address R&D gaps in critical infrastructure protection. First, the bill directs the Department of Homeland Security to facilitate the development of an R&D strategy for critical infrastructure security technologies. This strategy will help the Federal Government and stakeholders prioritize their investments in those aspects of the infrastructure that are most at risk. Second, the bill requires that DHS study and report on the feasibility of expanding the use of public-private R&D consortiums to accelerate new security technologies and potentially spur innovation and economic competitiveness. Lastly, the bill designates a ``technology clearinghouse'' where proven security tools for protecting infrastructure can be rapidly shared amongst government and private partners. Hearings No hearings were held on H.R. 2952. However, the Committee held oversight hearings on programs and threats relevant to H.R. 2952, these hearings are listed below. 112th Congress. The Subcommittee on Emergency Preparedness, Response, and Communications held a hearing on April 15, 2011, entitled ``The DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure.'' The Subcommittee received testimony from Mr. Sean McGurk, Director, National Cybersecurity and Communications Integration Center, Department of Homeland Security; Mr. Gerry Cauley, President and CEO, North American Electric Reliability Corporation; Ms. Jane Carlin, Chair, Financial Services Sector Coordinating Council; and Mr. Edward Amoroso, Senior Vice President and Chief Security Officer, AT&T. On July 15, 2011, the Subcommittee on Oversight, Investigations, and Management held a hearing entitled ``Homeland Security Contracting: Does the Department Effectively Leverage Emerging Technologies?'' The Subcommittee received testimony from Mr. Charles K. Edwards, Acting Inspector General, Department of Homeland Security; Mr. David Maurer, Director, Homeland Security and Justice Team, Government Accountability Office; Mr. Rafael Borras, Under Secretary for Management and Chief Acquisition Officer, Department of Homeland Security; Dr. Tara O'Toole, Under Secretary, Science and Technology Directorate, Department of Homeland Security; Mr. Jim Williams, Vice Chair, Homeland Security Committee, TechAmerica; Mr. Marc Pearl, President and CEO, Homeland Security and Defense Business Council; and Mr. Scott Amey, General Counsel, Project On Government Oversight. On November 17, 2011 the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``S&T on a Budget: Finding Smarter Approaches to Spur Innovation, Impose Discipline, Drive Job Creation, and Strengthen Homeland Security.'' The Subcommittee received testimony from Hon. Tara O'Toole, Under Secretary, Science and Technology Directorate, Department of Homeland Security; and Mr. David C. Maurer, Director, Homeland Security and Justice Issues, Government Accountability Office. On February 3, 2012, the Subcommittee on Oversight, Investigations, and Management held a hearing entitled ``Is DHS Effectively Implementing a Strategy to Counter Emerging Threats?'' The Subcommittee received testimony from Hon. Paul Schneider, Principal, The Chertoff Group; Ms. Sharon L. Caudle, PhD, The Bush School of Government and Public Service, Texas A&M University; Mr. Shawn Reese, Analyst, Emergency Management and Homeland Security Policy, Congressional Research Service; Mr. David Maurer, Director, Homeland Security and Justice Team, Government Accountability Office; and Mr. Alan Cohn, Deputy Assistant Secretary, Office of Policy, Department of Homeland Security. On April 19, 2012, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``The DHS and DOE National Labs: Finding Efficiencies and Optimizing Outputs in Homeland Security Research and Development.'' The Subcommittee received testimony from Dr. Daniel M. Gerstein, Deputy Under Secretary for Science and Technology, Department of Homeland Security; Dr. Huban Gowadia, Deputy Director, Domestic Nuclear Detection Office, Department of Homeland Security; Dr. Daniel Morgan, Specialist in Science and Technology Policy, Resources, Sciences, and Industry Division, Congressional Research Service; Ms. Jill Hruby, Vice President, International, Homeland and Nuclear Security, Sandia National Laboratories; and Dr. Michael Robert Carter, Senior Scientist, National Ignition Facility and Photon Science Directorate, Lawrence Livermore National Laboratory. On April 26, 2012, the Subcommittee on Counterterrorism and Intelligence and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a joint hearing entitled ``Iranian Cyber Threat to the U.S. Homeland.'' The Subcommittees received testimony from Mr. Frank J. Cilluffo, Associate Vice President and Director, Homeland Security Policy Institute, The George Washington University; Mr. Ilan Berman, Vice President, American Foreign Policy Council; and Mr. Roger Caslow, Executive Cyberconsultant, Suss Consulting. On September 20, 2012, the Full Committee held a hearing entitled ``The Department of Homeland Security: An Assessment of the Department and a Roadmap for its Future.'' The Committee received testimony from Hon. Richard L. Skinner, Former Inspector General, Department of Homeland Security; Hon. Stewart A. Baker, Former Assistant Secretary for Policy, Department of Homeland Security; Mr. Frank J. Cilluffo, Former Principal Advisor to Governor Tom Ridge, White House Office of Homeland Security; Mr. David C. Maurer, Director, Homeland Security and Justice, Government Accountability Office. 113th Congress. On March 13, 2013, the Full Committee held a hearing entitled ``DHS Cybersecurity: Roles and Responsibilities to Protect the Nation's Critical Infrastructure.'' The Committee received testimony from Hon. Jane Holl Lute, Deputy Secretary, U.S. Department of Homeland Security; Mr. Anish B. Bhimani, Chairman, Financial Services Information Sharing and Analysis Center; Mr. Gary W. Hayes, Chief Information Officer, Centerpoint Energy; and Ms. Michelle Richardson, Legislative Counsel, American Civil Liberties Union. On March 20, 2013, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``Cyber Threats from China, Russia and Iran: Protecting American Critical Infrastructure.'' The Subcommittee received testimony from Mr. Frank J. Cilluffo, Director, Homeland Security Policy Institute and Co-Director, Cyber Center for National and Economic Security, The George Washington University; Mr. Richard Bejtlich, Chief Security Officer and Security Services Architect, Mandiant; Mr. Ilan Berman, Vice President, American Foreign Policy Council; and Mr. Martin C. Libicki, Senior Management Scientist, RAND Corporation. On April 25, 2013, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``Striking the Right Balance: Protecting Our Nation's Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties.'' The Subcommittee received testimony from Ms. Mary Ellen Callahan, Partner, Jenner & Block and Former Chief Privacy Officer, U.S. Department of Homeland Security; Ms. Cheri F. McGuire, Vice President, Global Government Affairs & Cybersecurity Policy, Symantec; and Ms. Harriet Pearson, Partner, Hogan Lovells. On May 16, 2013, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``Facilitating Cyber Threat Information Sharing and Partnering with the Private Sector to Protect Critical Infrastructure: An Assessment of DHS Capabilities.'' The Subcommittee received testimony from Ms. Roberta Stempfley, Acting Assistant Secretary, Office of Cybersecurity and Communications, U.S. Department of Homeland Security; Mr. Larry Zelvin, Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security; and Mr. Charles K. Edwards, Acting Inspector General, U.S. Department of Homeland Security. On July 18, 2013, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``Oversight of Executive Order 13636 and Development of the Cybersecurity Framework.'' The Subcommittee received testimony from Mr. Robert Kolasky, Director, Implementation Task Force, National Protection and Programs Directorate, U.S. Department of Homeland Security; Charles H. Romine, PhD, Director, Information Technology Laboratory, National Institute of Standards and Technology, U.S. Department of Commerce; and Eric A. Fischer, PhD, Senior Specialist, Science and Technology, Congressional Research Service, Library of Congress. Committee Consideration The Committee on Homeland Security met on October 29, 2013, to consider H.R. 2952, and ordered the measure to be reported to the House with a favorable recommendation by voice vote. The Committee took the following actions: The Committee agreed to H.R. 2952, as amended, by voice vote. The following amendments were offered: An Amendment in the Nature of a Substitute to H.R. 2952 offered by Mrs. Brooks on behalf of Mr. Meehan (#1); was AGREED TO, as amended, by voice vote. A unanimous consent request by Mr. McCaul to consider the Amendment in the Nature of a Substitute as base text for purposes of amendment was not objected to. An amendment to the Amendment in the Nature of a Substitute to H.R. 2952 offered by Ms. Jackson Lee (#1A); was AGREED TO by voice vote. Page 2, line 17, after `` protecting critical infrastructure'' insert ``, including against all threats''. An amendment to the Amendment in the Nature of a Substitute to H.R. 2952 offered by Ms. Jackson Lee (#1B); was WITHDRAWN by unanimous consent. Add at the end a new section entitled ``Sec. _. Assessment and Report on Vulnerabilities and Threats on Computer Systems.'' The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies met on September 18, 2013, to consider H.R. 2952, and ordered the measure reported to the Full Committee with a favorable recommendation, as amended, by voice vote. The Subcommittee took the following actions: The following amendments were offered: An amendment by Mr. Meehan (#1); was AGREED TO by voice vote. Page 3, line 9, strike ``the'' and insert ``any''. Page 5, beginning at line 16, strike ``study on the use by the Department'' and insert ``report on the Department's utilization''. Page 5, line 20, strike ``study'' and insert ``report''. Page 5 line 22, strike ``study. The study'' and insert ``report. The Report''. Page 6, line 1, strike ``Study.--The study'' and insert ``Report.--The report''. Page 7, beginning at line 18, strike ``metrics to assist end- users in deploying timely and effective'' and insert ``performance and readiness metrics to assist end-users in deploying effective and timely'' An amendment by Ms. Clarke (#2); was AGREED TO by voice vote. Page 2, line 16, strike ``(a) In General.--'' and insert the following: ``(a) Strategic Plan; Public-private Consortiums.-- (1) In general.-- Page 4, after line 16, insert a new paragraph (5). Page 6, after line 15, insert a new section ``(2) Limitation on progress report requirement.--'' An amendment by Mr. Keating (#1); was WITHDRAWN by unanimous consent. Page 6, strike the closing quotation marks and the second period at line 15, and after line 15 insert a new section entitled ``Sec. 320. Identification of Cybersecurity Risks to the Nuclear Reactors, Materials, and Waste Sector.'' Page 6, in the matter following line 18, in the item relating to section 319 strike the closing quotation marks and the section period, and after such item insert the following: ``Sec. 320. Identification of Cybersecurity Risks to the Nuclear Reactors, Materials, and Waste Sector.'' Committee Votes Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during consideration of H.R. 2952. Committee Oversight Findings Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report. New Budget Authority, Entitlement Authority, and Tax Expenditures In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 2952, the Critical Infrastructure Research and Development Advancement Act of 2013, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. Congressional Budget Office Estimate The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974. U.S. Congress, Congressional Budget Office, Washington, DC, November 6, 2013. Hon. Michael McCaul, Chairman, Committee on Homeland Security, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 2952, the Critical Infrastructure Research and Development Advancement Act of 2013. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Mark Grabowicz. Sincerely, Douglas W. Elmendorf. Enclosure. H.R. 2952--Critical Infrastructure Research and Development Advancement Act of 2013 CBO estimates that implementing H.R. 2952 would have discretionary costs totaling less than $500,000 in each of fiscal years 2014 and 2015. Enacting the legislation would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. The bill would require the Department of Homeland Security (DHS), within 180 days of the bill's enactment, to transmit to the Congress a strategic plan for research and development efforts addressing the protection of critical infrastructure and a report on departmental use of public-private consortiums to develop technology to protect such infrastructure. The bill also would direct the Government Accountability Office (GAO), within two years of enactment, to evaluate the effectiveness of clearinghouses established by DHS to share technological innovation. Based on the cost of similar activities, CBO estimates the DHS and GAO reports required by H.R. 2952 would cost less than $500,000 annually in 2014 and 2015, assuming availability of appropriated funds. H.R. 2952 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would not affect the budgets of state, local, or tribal governments. The CBO staff contact for this estimate is Mark Grabowicz. The estimate was approved by Theresa Gullo, Deputy Assistant Director for Budget Analysis. Statement of General Performance Goals and Objectives Pursuant to clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, H.R. 2952 contains the following general performance goals, and objectives, including outcome related goals and objectives authorized. The performance goals and objectives of H.R. 2952 are based on the development of a critical infrastructure research and development (R&D) plan and the identification of improvements to DHS R&D mechanisms. The goal of the R&D strategic plan required under H.R. 2952 is to help guide the overall direction of Federal physical security and cybersecurity technology R&D for protecting critical infrastructure. The performance objective of the R&D plan is to establish and communicate critical infrastructure security risks, gaps, and associated technology solutions, and measure progress towards that end. The goal of the report on public-private R&D consortiums required under H.R. 2952 is to aid in the acceleration of critical infrastructure security technologies through public- private collaboration. The objective of this consortium report is to measure progress on current consortiums and to establish the merits of expanding the consortium mechanism to improve DHS's R&D performance. Finally, the goal of designating a technology clearinghouse for critical infrastructure protection is to establish a focused mechanism for sharing information on proven security technologies between public and private entities. The performance objective of this clearinghouse is to assist end-users in deploying effective and timely solutions for their relevant critical infrastructures. The Congressional reports from DHS and the Government Accountability Office (GAO) that are required by this Act will allow the Congress to hold the Department accountable for the success or failure of its critical infrastructure protection R&D programs. Duplicative Federal Programs The Committee finds that H.R. 2952 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of the rule XXI. Federal Mandates Statement The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act. Preemption Clarification In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 2952 does not preempt any State, local, or Tribal law. Disclosure of Directed Rule Makings The Committee estimates that H.R. 2952 would require no directed rule makings. Advisory Committee Statement No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. Applicability to Legislative Branch The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. Section-by-Section Analysis of the Legislation Section 1. Short Title. This section provides that the bill may be cited as the ``Critical Infrastructure Research and Development Advancement Act of 2013'' or ``the CIRDA Act of 2013.'' Section 2. Definitions. In this section, Section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101) is amended to include a definition for ``Sector Coordinating Council.'' The term ``Sector Coordinating Council'', or ``SCC'', is defined as a private sector coordinating council, comprised of representatives of owners and operators of critical infrastructure within a particular sector of critical infrastructure, which is recognized by the Secretary for purposes of this Act. The Sector Coordinating Councils are an existing construct established under presidential directives to develop and implement a National Infrastructure Protection Plan (NIPP). As of the writing of this report, there are 16 critical infrastructure sectors and 16 corresponding SCC's defined under the NIPP. The purpose of defining Sector Coordinating Councils in this bill is to codify into statute the role of such councils in informing the Federal government on critical infrastructure protection issues relevant to the research and development (R&D) of security- related technologies. The Committee believes that the Federal government needs to closely partner with the private sector during the establishment and implementation of a risk-informed R&D strategy. The Committee also believes that the SCC's should serve as the private-sector body that enables small, medium, and large businesses within each sector to inform the R&D strategy and to communicate progress on emerging critical infrastructure protection technologies. Since this bill only addresses the R&D aspects of critical infrastructure protection, it is the Committee's intent that the basic definition described in this section will suffice for such purposes. However, the Committee recognizes that SCC's have a significantly broader role in critical infrastructure protection and that the definition herein may not suffice for those broader purposes. Therefore, the Committee strongly encourages the Secretary to develop a set of effective and efficient Departmental processes for defining, designating, and interfacing with Sector Coordinating Councils to support the broad critical infrastructure protection mission. Section 3. Critical Infrastructure Protection Research and Development. This section amends Title III of the Homeland Security Act of 2002 (6 U.S.C. 181 et seq.) by adding a new Section 318 and a new Section 319. Sec. 318. Research and Development Strategy for Critical Infrastructure Protection. (a) In General. This subsection requires the Secretary, acting through the Undersecretary for Science and Technology (S&T), to develop and submit to Congress a strategic plan for guiding the direction of Federal physical security and cyber technology R&D efforts to protect critical infrastructure against all threats. The plan is due to Congress 180 days after enactment and every 2 years thereafter. Based on extensive oversight, the Committee has found that there currently is no comprehensive National strategy for the R&D of security technologies for protecting critical infrastructure. While recent efforts by the Executive branch have attempted to include R&D in the National Infrastructure Protection Plan, the Committee believes that roles, responsibilities, and accountabilities are currently ill- defined. It is the intent of the Committee that DHS, because of its statutory authorities for critical infrastructure protection, needs to provide the necessary leadership and facilitation of such a National R&D strategy. Similarly, the Committee believes that DHS S&T, because of its statutory authorities established under Title III, needs to be the primary facilitator within the Department for such a National R&D strategy. (b) Contents of Plan. In this subsection, the contents of the R&D strategic plan are prescribed. The contents prescribed are the minimum contents required, however, the Committee strongly encourages DHS to include other aspects necessary for effective multi-year planning. The Committee expects that each of the prescribed elements in the plan be developed and published in sufficient detail to enable DHS and the public/private stakeholders to adequately plan for future technology investments. While the timeline of the plan is not specified in the bill, the Committee strongly encourages DHS to address near-term (e.g. 1- 3 years), mid-term (e.g. 3-7 years), and long-term (e.g. 8 years and beyond) aspects in the plan. The Committee furthermore expects DHS to write the plan in an organized hierarchal manner structured around risk-based objectives, goals, and measures. The plan is to include an identification of critical infrastructure risks and an identification of any associated security technology gaps. DHS is to identify these risks and gaps by first consulting with stakeholders, including the Sector Coordinating Councils. Since the critical infrastructure is largely owned and operated by the private sector, the Committee believes that it is absolutely necessary for DHS to proactively engage with these owners/operators, through the SCC's and other mechanisms, in order to effectively identify risks and gaps. The Committee also believes that the risk identification needs to consider all threats to critical infrastructure, whether they be from terrorist attack or natural disaster. Furthermore, the Committee believes that the risk identification needs to consider both physical and cyber aspects, including potential vulnerabilities to control systems, computer systems, firewalls, and software. The plan is to include a set of critical infrastructure technology needs that are prioritized based on the risks and gaps identified in the plan. The Committee expects DHS to develop this plan in a manner that is not constrained by fiscal resources, and therefore needs to identify all potential technology solutions. Once these set of solutions are identified, however, the Committee notes that it is important for DHS to prioritize these so that they can be included in the OMB multi-year budget planning process. When identifying the set of prioritized technology needs, the bill requires DHS to emphasize the R&D of those technologies that need to be accelerated due to rapidly evolving threats or rapidly advancing infrastructure itself. Since the bill covers both physical security and cybersecurity aspects for critical infrastructure, the Committee strongly encourages DHS to consider the appropriate balance between physical and cybersecurity priorities. At the time of writing this report, the Committee believes that cyber threats are rapidly evolving and cyber infrastructure is rapidly advancing, thereby necessitating a greater emphasis in such a plan at this time. When identifying the set of prioritized technologies, the bill also requires DHS to include research, development, and acquisition roadmaps with clearly defined objectives, goals and measures. The Committee strongly encourages DHS to establish roadmaps in a manner that is consistent with industry and government best practices for technology management. Specifically, the Committee expects that the roadmaps will provide sufficient detail to enable potential technology developers to plan for the basic research, engineering development, and acquisition phases of the prioritized security technologies. The Committee also strongly encourages DHS to utilize standardized terminology and metrics when publishing these roadmaps. Specifically, the Committee strongly encourages DHS to adopt the 9-level technology readiness level (TRL) scale that has been recognized as a best practice by the GAO, NASA, DoD, and DOE. The plan is to include an identification of laboratories, facilities, modeling, and simulation capabilities required to support the maturation of the security technologies identified in the plan. The Committee believes that it is very important that DHS identify the laboratories, facilities and capabilities in order to ensure that these assets are available when needed. The Committee also believes that it is necessary for DHS to identify potential gaps in these assets to aid in the planning of new facility construction, laboratory retrofitting, or design and development of new modeling/simulation capabilities. The Committee encourages DHS to consider government assets in the plan and also include third-party assets that could be leveraged from private industry, National Laboratories, or academia. The Committee strongly recommends that DHS S&T include laboratories, facilities, modeling, and simulation aspects in all of its strategic plans that it develops in support of the DHS mission. The plan is to include an identification of current and planned initiatives for fostering the rapid advancement and deployment of security technologies for critical infrastructure protection. These initiatives include opportunities for public- private partnerships, intra-government collaboration, university centers of excellence, and National Laboratory technology transfer. The Committee believes that new technology R&D models are needed for critical infrastructure due to the highly interdisciplinary and interdependent nature of the problem. For example, under the category of public- partnerships, the Committee believes that R&D consortiums are a potential candidate for accelerating innovation, and is a topic that is expanded upon in Section 319. As another example, the Committee believes that a potential candidate for intra- government collaboration would involve an R&D partnership between DHS and the Department of Energy, through their National Laboratories, to accelerate the R&D of energy-related critical infrastructure security technologies. The Committee strongly encourages DHS S&T to seriously consider alternative R&D models for critical infrastructure protection and to implement new programs to support these initiatives. The plan is to include a description of progress made towards the elements described in the preceding version of the strategic plan. The Committee believes that it is critically important that DHS implement the strategic plan that it develops. The Committee also recognizes that plans can change due to unforeseen circumstances, and encourages DHS to actively update and republish the plan regularly as needed. The Committee recognizes that DHS S&T, as of the writing of this report, is actively engaging with several DHS components to develop strategic R&D plans. The Committee fully supports the Department's coordination efforts and strongly encourages the continuation of these strategic planning activities. It is the Committee's intent that the Congressional report required under this section leverages, and not duplicate, the strategic R&D planning activities already being implemented at DHS. (c) Coordination. This subsection requires DHS S&T to coordinate with the National Protection and Programs Directorate (NPPD) in implementing this section of the bill. Since NPPD serves as the Department's operational component for critical infrastructure protection, the Committee believes that it is absolutely necessary that S&T and NPPD coordinate to the greatest extent possible to plan and implement the R&D strategy. Based on extensive oversight conducted by the Committee, the Committee believes that S&T and NPPD have not been effectively coordinating their R&D-related activities and need to significantly improve in this regard. The Committee notes that this lack of coordination is particularly acute in the research, development, testing, evaluation, and acquisition of cyber-security technologies. The intent of the Committee is to require such coordination under statute in order to ensure that such coordination occurs. (d) Consultation. This subsection requires that DHS S&T consult with multiple entities in implementing this section of the bill. The Committee strongly encourages that DHS consult and collaborate with the owners and operators of critical infrastructure, as represented through the Sector Coordinating Councils. Furthermore, the Committee strongly encourages that DHS consult with a broad cross-section of subject matter experts on critical infrastructure protection from the private sector, National Laboratories, and academia. The Committee recognizes that such broad subject matter expert engagement has certain logistical challenges, but encourages DHS to use innovative means such as workshops, social media, and webinars to carry out such consultation. The bill also requires consultation with other Federal Departments and agencies that conduct R&D for critical infrastructure. The Committee expects DHS S&T to provide the Federal leadership role in facilitating a National R&D strategy, and the Committee believes that such intra- government consultation is absolutely necessary. The Committee notes that other branches of the Federal government that conduct critical infrastructure protection R&D include: DOE, DoD, NIST, and NSF. Finally, this subsection requires appropriate consultation with State, local, and Tribal governments. The Committee believes that State, local, and Tribal entities have an important role in preparedness and emergency response to critical infrastructure incidents and that their perspectives and needs are an important consideration in the development of the R&D strategy. The Committee notes that State and local entities include port authroities. Sec. 319. Report on Public-Private Research and Development Consortiums. (a) In General. This subsection requires the Secretary, acting through the Undersecretary for S&T, to develop and transmit to Congress a report on the Department's utilization of public-private research and development consortiums for accelerating technology development for critical infrastructure protection. The report is due 180 days after enactment of the bill and updated every 2 years thereafter. The bill requires that the report focus on those aspects of critical protection that are predominately operated by the private sector and would benefit from rapid security technology development. The Committee believes that DHS has underutilized public- private R&D partnerships in its overall science and technology strategy. The Technology Transfer Commercialization Act of 2000 (Pub. L. 106-404) and other related legislation, provides the Federal government the necessary mechanisms to conduct public- private shared R&D. While DHS has implemented some public- private R&D consortiums, they have tended to be small (several million dollars or less), and managed through non-private third-party entities. The Committee believes that DHS needs to expand its consideration of public-private R&D consortiums, especially in areas that are mutually beneficial between the two sectors. The Committee notes that critical infrastructure protection, because of significant private-sector stakeholder interest, would greatly benefit from increased use of improved R&D consortiums. When implementing Section 319, the Committee strongly encourages DHS to develop an implementation plan for expanding the use of public-private R&D consortiums for critical infrastructure protection. (b) Contents of Report. In this subsection, the contents of the public-private R&D consortium report are prescribed. The contents prescribed therein are the minimum contents and it is the Committee's expectation that DHS will include additional content as necessary to enable effective consortium planning. It is the Committee's intent that this report is to complement the R&D strategy report prescribed under Section 318. The Committee strongly encourages DHS to develop and transmit these two reports in tandem and avoid any unnecessary duplication within the two reports. The consortium report is to include a summary of the progress and accomplishments of on-going R&D consortiums for critical infrastructure security technologies. The Committee encourages DHS to establish objectives, goals, and measures for each of its R&D consortium projects in the context of the strategic plan prescribed under Section 318. The consortium report is to include, in consultation with stakeholders and subject matter experts, a prioritized list of technology development focus areas that would benefit from a public-private R&D consortium. In developing this prioritized list, the Committee strongly encourages DHS to utilize the risk-based analyses and the stakeholder consultations conducted under Section 318. The Committee also encourages DHS to look holistically at R&D consortium focus opportunities and consider both physical security technologies and cybersecurity technologies. As of the writing of this report, the Committee believes that cybersecurity R&D may be particularly appropriate for expanded R&D partnership opportunities. Specifically, the Committee believes that a cybersecurity protection and prevention R&D consortium would generate substantial interest from both the public and the private sectors. The consortium report is to include a prioritized proposal for implementing an expanded R&D consortium program. This proposal is to include an assessment of feasibility and an estimate of cost, schedule and milestones. It is the Committee's intent that DHS establish such a proposal and then seek Congressional authorization and appropriation to implement such a proposed expanded program. Although the bill does not prescribe how such a consortium should be constructed, the Committee strongly encourages DHS to include a working partnership model in its R&D consortium proposal. The Committee believes that the consortium model should include the following key attributes: (1) The model draws upon industry, academic, and government best-practices for successful R&D consortiums; (2) the model encourages active participation and leadership by the private sector, while streamlining government administrative overhead; (3) the model provides matching funding for R&D projects, with the U.S. Government's funding contributions not exceeding 50 percent; (4) the model leverages security technology investments made by other departments and agencies of the Federal government; (5) the model leverages and encourages technology transfer from National Laboratories and academia; and (6) the model provides a mechanism for accelerating technology certification under subtitle G of title VII (known as the ``SAFETY Act''). (c) Critical Infrastructure Protection Technology Clearinghouse. (1) Designation. This subsection amends Section 313 of the Homeland Security Act 2002 and requires requires the Secretary, acting through the Undersecretary for S&T, and in coordination with the Undersecretary for NPPD, to designate a focused technology clearinghouse within the clearinghouse program required under Section 313. The designated technology clearinghouse is to focus on the rapid sharing of proven technology solutions for protecting critical infrastructure. The Congressional intent of this subsection is twofold: Firstly, to authorize the DHS, through a designated clearinghouse, to focus on the Department's mission in critical infrastructure protection; and secondly, to ensure that the designated technology clearinghouse is well coordinated between the Science and Technology Directorate and the operational mission of the National Protection and Program Directorate. The Committee believes that DHS has underutilized the clearinghouse mechanism established under Section 313. Specifically, Section 313 requires ``The establishment of a centralized Federal clearinghouse for information relating to technologies that would further the mission of the Department for dissemination, as appropriate, to Federal, State, and local government and private sector entities for additional review, purchase, or use.'' Based on Committee oversight, the Committee has found that DHS has not established such a Federal-wide clearinghouse, and that the current clearinghouse is only used to gather first responder requirements. The clearinghouse does not currently disseminate information on mission-relevant technologies, and does not provide a technology information sharing mechanism for the private sector, as statutorily required. The Committee further believes that DHS has under- resourced the clearinghouse program and that its information sharing mechanism, which is a simple website, has been largely ineffective. Therefore, the Committee strongly encourages DHS to increase and improve its utilization of the clearinghouse mechanism to meet the statutory requirements. The Committee believes that focused clearinghouses, such as the critical infrastructure clearinghouse designated in this section, will serve as a driver for DHS to improve its technology information sharing and better coordinate amongst private and public stakeholders. (2) Sharing of Technology Solutions. This subsection requires that technology solutions shared through the clearinghouse be drawn from government-furnished, commercially-furnished, and publicly available trusted sources. The Committee believes that DHS does not effectively use the clearinghouse as a technology information sharing mechanism, and this subsection clarifies the Congressional intent that DHS share such information from various sources. When sharing technology solutions through the clearinghouse, the Committee notes that it will be important for DHS to exercise due diligence to ensure that the sources of that information are trustworthy and reputable from a National security perspective. (3) Technology Metrics. This subsection requires that all technologies shared (or information about technologies thereof), include a set of performance and readiness metrics. These metrics are required to assist end-users in deploying effective and timely solutions relevant for their critical infrastructures. The Committee believes that metrics are an important aspect in technology information sharing and help security professionals make objective decisions about which technologies best meet their mission needs. The bill does not specify which specific metrics are required, and allows DHS flexibility in establishing an effective metrics set. However, the Committee believes that these metrics need to be based on industry and government technology management best practices. The Committee also believes that test and evaluation activities should be tied to these metrics. The Committee strongly encourages DHS to improve its implementation of the clearinghouse mechanism, share relevant technology information to the broad stakeholder community, and do so in an objective manner through standardized metrics. (4) Review by Privacy Officer. This subsection requires the Privacy Officer of the Department to annually review the clearinghouse process to evaluate its consistency with Fair Information Practice Principles and the Privacy Act of 1974. The Committee believes that security-related technologies need to be developed and deployed in a manner that fully considers privacy and civil liberty implications, including protection of personally identifiable information. The Committee notes that consideration of privacy and civil liberty implications is critically important for cybersecurity and information-based technologies. While the bill does not require that each technology within the clearinghouse be assessed, the Committee expects DHS to establish a process for conducting privacy impact assessments when appropriate. (d) Evaluation of Technology Clearinghouse by Government Accountability Office. This subsection requires the GAO to evaluate and report on the effectiveness of the clearinghouses established and designated under Section 313 as amended. The GAO report is to be transmitted to the relevant Congressional committees within 2 years after enactment of the bill. The Committee's intent of this subsection is to direct GAO to gather data, assess DHS's implementation of Section 313, and evaluate the effectiveness and efficiency of the implemented clearinghouses. As stated in a prior section of this report, the Committee believes that DHS does not currently implement technology clearinghouses in a manner consistent with statute, and this independent assessment will inform the Committee on this issue. It is the Committee's belief that the GAO report will provide important inputs for continuing Congressional oversight and provide additional transparency for the American public. Sec. 4. No Additional Authorization of Appropriations. This section requires the provisions of this bill to be carried out using amounts otherwise available. The Committee believes that the strategic planning and R&D consortium planning required under this bill represents work that is largely already conducted at DHS. As such, the Committee believes that DHS should appropriately absorb the minimal costs required to improve its R&D strategies, report to Congress, and increase its transparency. The Committee believes that DHS has underutilized technology clearinghouses and has not implemented them in a manner consistent with Congressional intent of the Homeland Security Act of 2002. It is the Committee's belief that DHS will need to strengthen the clearinghouses in order to comply with existing law, and that costs incurred to do so should be absorbed from lower priority DHS programs. The Committee strongly encourages DHS to implement these provisions in a manner that leads to more effective and efficient R&D programs, thereby resulting in long-term Federal Government savings. Changes in Existing Law Made by the Bill, as Reported In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in roman): HOMELAND SECURITY ACT OF 2002 SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Homeland Security Act of 2002''. (b) Table of Contents.--The table of contents for this Act is as follows: * * * * * * * TITLE III--SCIENCE AND TECHNOLOGY IN SUPPORT OF HOMELAND SECURITY * * * * * * * Sec. 318. Research and development strategy for critical infrastructure protection. Sec. 319. Report on public-private research and development consortiums. * * * * * * * SEC. 2. DEFINITIONS. In this Act, the following definitions apply: (1) Each of the terms ``American homeland'' and ``homeland'' means the United States. (2) The term ``appropriate congressional committee'' means any committee of the House of Representatives or the Senate having legislative or oversight jurisdiction under the Rules of the House of Representatives or the Senate, respectively, over the matter concerned. (3) The term ``assets'' includes contracts, facilities, property, records, unobligated or unexpended balances of appropriations, and other funds or resources (other than personnel). (4) The term ``critical infrastructure'' has the meaning given that term in section 1016(e) of Public Law 107-56 (42 U.S.C. 5195c(e)). (5) The term ``Department'' means the Department of Homeland Security. (6) The term ``emergency response providers'' includes Federal, State, and local governmental and nongovernmental emergency public safety, fire, law enforcement, emergency response, emergency medical (including hospital emergency facilities), and related personnel, agencies, and authorities. (7) The term ``executive agency'' means an executive agency and a military department, as defined, respectively, in sections 105 and 102 of title 5, United States Code. (8) The term ``functions'' includes authorities, powers, rights, privileges, immunities, programs, projects, activities, duties, and responsibilities. (9) The term ``intelligence component of the Department'' means any element or entity of the Department that collects, gathers, processes, analyzes, produces, or disseminates intelligence information within the scope of the information sharing environment, including homeland security information, terrorism information, and weapons of mass destruction information, or national intelligence, as defined under section 3(5) of the National Security Act of 1947 (50 U.S.C. 401a(5)), except-- (A) the United States Secret Service; and (B) the Coast Guard, when operating under the direct authority of the Secretary of Defense or Secretary of the Navy pursuant to section 3 of title 14, United States Code, except that nothing in this paragraph shall affect or diminish the authority and responsibilities of the Commandant of the Coast Guard to command or control the Coast Guard as an armed force or the authority of the Director of National Intelligence with respect to the Coast Guard as an element of the intelligence community (as defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)). (10) The term ``key resources'' means publicly or privately controlled resources essential to the minimal operations of the economy and government. (11) The term ``local government'' means-- (A) a county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a local government; (B) an Indian tribe or authorized tribal organization, or in Alaska a Native village or Alaska Regional Native Corporation; and (C) a rural community, unincorporated town or village, or other public entity. (12) The term ``major disaster'' has the meaning given in section 102(2) of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5122). (13) The term ``personnel'' means officers and employees. (14) The term ``Secretary'' means the Secretary of Homeland Security. (15) The term ``Sector Coordinating Council'' means a private sector coordinating council that is-- (A) recognized by the Secretary as such a Council for purposes of this Act; and (B) comprised of representatives of owners and operators of critical infrastructure within a particular sector of critical infrastructure. [(15)] (16) The term ``State'' means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, and any possession of the United States. [(16)] (17) The term ``terrorism'' means any activity that-- (A) involves an act that-- (i) is dangerous to human life or potentially destructive of critical infrastructure or key resources; and (ii) is a violation of the criminal laws of the United States or of any State or other subdivision of the United States; and (B) appears to be intended-- (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping. [(17)] (18)(A) The term ``United States'', when used in a geographic sense, means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, any possession of the United States, and any waters within the jurisdiction of the United States. (B) Nothing in this paragraph or any other provision of this Act shall be construed to modify the definition of ``United States'' for the purposes of the Immigration and Nationality Act or any other immigration or nationality law. [(18)] (19) The term ``voluntary preparedness standards'' means a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as the American National Standards Institute's National Fire Protection Association Standard on Disaster/ Emergency Management and Business Continuity Programs (ANSI/NFPA 1600). * * * * * * * TITLE III--SCIENCE AND TECHNOLOGY IN SUPPORT OF HOMELAND SECURITY * * * * * * * SEC. 313. TECHNOLOGY CLEARINGHOUSE TO ENCOURAGE AND SUPPORT INNOVATIVE SOLUTIONS TO ENHANCE HOMELAND SECURITY. (a) Establishment of Program.--The Secretary, acting through the Under Secretary for Science and Technology, shall establish and promote a program to encourage technological innovation in facilitating the mission of the Department (as described in section 101). (b) Elements of Program.--The program described in subsection (a) shall include the following components: (1) The establishment of a centralized Federal clearinghouse for information relating to technologies that would further the mission of the Department for dissemination, as appropriate, to Federal, State, and local government and private sector entities for additional review, purchase, or use. (2) The issuance of announcements seeking unique and innovative technologies to advance the mission of the Department. (3) The establishment of a technical assistance team to assist in screening, as appropriate, proposals submitted to the Secretary (except as provided in subsection (c)(2)) to assess the feasibility, scientific and technical merits, and estimated cost of such proposals, as appropriate. (4) The provision of guidance, recommendations, and technical assistance, as appropriate, to assist Federal, State, and local government and private sector efforts to evaluate and implement the use of technologies described in paragraph (1) or (2). (5) The provision of information for persons seeking guidance on how to pursue proposals to develop or deploy technologies that would enhance homeland security, including information relating to Federal funding, regulation, or acquisition. (c) Critical Infrastructure Protection Technology Clearinghouse.-- (1) Designation.--Under the program required by this section, the Secretary, acting through the Under Secretary for Science and Technology, and in coordination with the Under Secretary for the National Protection and Programs Directorate, shall designate a technology clearinghouse for rapidly sharing proven technology solutions for protecting critical infrastructure. (2) Sharing of technology solutions.--Technology solutions shared through the clearinghouse shall draw from Government-furnished, commercially furnished, and publically available trusted sources. (3) Technology metrics.--All technologies shared through the clearinghouse shall include a set of performance and readiness metrics to assist end-users in deploying effective and timely solutions relevant for their critical infrastructures. (4) Review by privacy officer.--The Privacy Officer of the Department appointed under section 222 shall annually review the clearinghouse process to evaluate its consistency with fair information practice principles issued by the Privacy Officer. [(c)] (d) Miscellaneous Provisions.-- (1) In general.--Nothing in this section shall be construed as authorizing the Secretary or the technical assistance team established under subsection (b)(3) to set standards for technology to be used by the Department, any other executive agency, any State or local government entity, or any private sector entity. (2) Certain proposals.--The technical assistance team established under subsection (b)(3) shall not consider or evaluate proposals submitted in response to a solicitation for offers for a pending procurement or for a specific agency requirement. (3) Coordination.--In carrying out this section, the Secretary shall coordinate with the Technical Support Working Group (organized under the April 1982 National Security Decision Directive Numbered 30). * * * * * * * SEC. 318. RESEARCH AND DEVELOPMENT STRATEGY FOR CRITICAL INFRASTRUCTURE PROTECTION. (a) In General.--Not later than 180 days after the date of enactment of the Critical Infrastructure Research and Development Advancement Act of 2013, the Secretary, acting through the Under Secretary for Science and Technology, shall transmit to Congress a strategic plan to guide the overall direction of Federal physical security and cybersecurity technology research and development efforts for protecting critical infrastructure, including against all threats. Once every 2 years after the initial strategic plan is transmitted to Congress under this section, the Secretary shall transmit to Congress an update of the plan. (b) Contents of Plan.--The strategic plan shall include the following: (1) An identification of critical infrastructure security risks and any associated security technology gaps, that are developed following-- (A) consultation with stakeholders, including the Sector Coordinating Councils; and (B) performance by the Department of a risk/ gap analysis that considers information received in such consultations. (2) A set of critical infrastructure security technology needs that-- (A) is prioritized based on risk and gaps identified under paragraph (1); (B) emphasizes research and development of those technologies that need to be accelerated due to rapidly evolving threats or rapidly advancing infrastructure technology; and (C) includes research, development, and acquisition roadmaps with clearly defined objectives, goals, and measures. (3) An identification of laboratories, facilities, modeling, and simulation capabilities that will be required to support the research, development, demonstration, testing, evaluation, and acquisition of the security technologies described in paragraph (2). (4) An identification of current and planned programmatic initiatives for fostering the rapid advancement and deployment of security technologies for critical infrastructure protection. The initiatives shall consider opportunities for public-private partnerships, intragovernment collaboration, university centers of excellence, and national laboratory technology transfer. (5) A description of progress made with respect to each critical infrastructure security risk, associated security technology gap, and critical infrastructure technology need identified in the preceding strategic plan transmitted under this section. (c) Coordination.--In carrying out this section, the Under Secretary for Science and Technology shall coordinate with the Under Secretary for the National Protection and Programs Directorate. (d) Consultation.--In carrying out this section, the Under Secretary for Science and Technology shall consult with-- (1) the critical infrastructure Sector Coordinating Councils; (2) to the extent practicable, subject matter experts on critical infrastructure protection from universities, colleges, including historically black colleges and universities, Hispanic-serving institutions, and tribal colleges and universities, national laboratories, and private industry; (3) the heads of other relevant Federal departments and agencies that conduct research and development for critical infrastructure protection; and (4) State, local, and tribal governments as appropriate. SEC. 319. REPORT ON PUBLIC-PRIVATE RESEARCH AND DEVELOPMENT CONSORTIUMS. (a) In General.--Not later than 180 days after the enactment of the Critical Infrastructure Research and Development Advancement Act of 2013, the Secretary, acting through the Under Secretary for Science and Technology, shall transmit to Congress a report on the Department's utilization of public- private research and development consortiums for accelerating technology development for critical infrastructure protection. Once every 2 years after the initial report is transmitted to Congress under this section, the Secretary shall transmit to Congress an update of the report. The report shall focus on those aspects of critical infrastructure protection that are predominately operated by the private sector and that would most benefit from rapid security technology advancement. (b) Contents of Report.--The report shall include-- (1) a summary of the progress and accomplishments of on-going consortiums for critical infrastructure security technologies; (2) in consultation with the Sector Coordinating Councils and, to the extent practicable, in consultation with subject-matter experts on critical infrastructure protection from universities, colleges, including historically black colleges and universities, Hispanic-serving institutions, and tribal colleges and universities, national laboratories, and private industry, a prioritized list of technology development focus areas that would most benefit from a public- private research and development consortium; and (3) based on the prioritized list developed under paragraph (2), a proposal for implementing an expanded research and development consortium program, including an assessment of feasibility and an estimate of cost, schedule, and milestones. * * * * * * *![]()