I
118TH CONGRESS
1ST SESSION H. R. 2866
To amend the Homeland Security Act of 2002 to establish Critical Technology Security Centers in the Department of Homeland Security to evaluate and test the security of critical technology, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
APRIL 25, 2023
Mr. TORRES of New York introduced the following bill; which was referred to the Committee on Homeland Security
A BILL
To amend the Homeland Security Act of 2002 to establish Critical Technology Security Centers in the Department of Homeland Security to evaluate and test the security of critical technology, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘‘Critical Technology Security Centers Act of 2023’’.
SEC. 2. CRITICAL TECHNOLOGY SECURITY CENTERS.
(a) CRITICAL TECHNOLOGY SECURITY CENTERS.—Title III of the Homeland Security Act of 2002 (6 U.S.C. 181 et seq.) is amended by adding at the end the following new section:
VerDate Sep 11 2014
04:17 May 02, 2023
Jkt 039200
PO 00000
Frm 00001
Fmt 6652
Sfmt 6201
E:\BILLS\H2866.IH
H2866
kjohnson on DSK79L0C42PROD with BILLS
2
•HR 2866 IH
‘‘SEC. 324. CRITICAL TECHNOLOGY SECURITY CENTERS.
‘‘(a) ESTABLISHMENT.—Not later than 180 days after the date of the enactment of this section, the Secretary, acting through the Under Secretary for Science and Technology, and in coordination with the Director, shall award grants, contracts, or cooperative agreements to covered entities for the establishment of not fewer than two cybersecurity-focused Critical Technology Security Centers (in this section referred to as ‘Centers’) to evaluate and test the security of critical technology.
‘‘(b) EVALUATION AND TESTING.—In carrying out the evaluation and testing of the security of critical technology pursuant to subsection (a), the Centers shall address the following technologies:
‘‘(1) The security of information and communications technology that underpins national critical functions related to communications.
‘‘(2) The security of networked industrial equipment, such as connected programmable data logic controllers and supervisory control and data acquisition servers.
‘‘(3) The security of open source software that underpins national critical functions.
‘‘(4) The security of critical software used by the Federal Government.
‘‘(c) ADDITION OR TERMINATION OF CENTERS.—
‘‘(1) IN GENERAL.—The Under Secretary for Science and Technology may, in coordination with the Director, award or terminate grants, contracts, or cooperative agreements to covered entities for the establishment of additional or termination of existing Centers to evaluate and test the security of critical technologies.
‘‘(2) LIMITATION.—The authority provided under paragraph (1) may be exercised except if such exercise would result in the operation at any time of fewer than two Centers.
‘‘(d) SELECTION OF CRITICAL TECHNOLOGIES.—
‘‘(1) IN GENERAL.—Before awarding a grant, contract, or cooperative agreement to a covered entity to establish a Center, the Under Secretary for Science and Technology shall coordinate with the Director, who shall provide the Under Secretary a list of critical technologies or guidance on such technologies that would be within the remit of any such Center.
‘‘(2) EXPANSION AND MODIFICATION.—The Under Secretary for Science and Technology, in coordination with the Director, is authorized to expand or modify at any time the list of critical technologies or guidance on technologies referred to in paragraph (1) that is within the remit of a proposed or established Center.
‘‘(e) RESPONSIBILITIES.—In carrying out the evaluation and testing of the security of critical technology pursuant to subsection (a), the Centers shall each have the following responsibilities:
‘‘(1) Conducting rigorous security testing to identify vulnerabilities in such technologies.
‘‘(2) Utilizing the coordinated vulnerability disclosure processes established under subsection (g) to report to the developers of such technologies and, as appropriate, to the Director, information relating to vulnerabilities discovered and any information necessary to reproduce such vulnerabilities.
‘‘(3) Developing new capabilities for improving the security of such technologies, including vulnerability discovery, management, mitigation, and remediation.
‘‘(4) Assessing the security of software, firmware, and hardware that underpin national critical functions.
‘‘(5) Supporting existing communities of interest, including through grant making, in mitigating and remediating vulnerabilities discovered within such technologies.
‘‘(6) Sharing findings to inform and support the future work of the Cybersecurity and Infrastructure Security Agency.
‘‘(f) RISK-BASED EVALUATIONS.—Unless otherwise directed pursuant to guidance issued by the Under Secretary for Science and Technology or Director under subsection (d), to the greatest extent practicable activities carried out pursuant to the responsibilities specified in subsection (e) shall leverage risk-based evaluations to focus on activities that have the greatest effect on the security of the critical technologies within each Center’s remit, such as the following:
‘‘(1) Developing capabilities that can detect or eliminate entire classes of vulnerabilities.
‘‘(2) Testing for vulnerabilities in the most widely used critical technologies, or vulnerabilities that affect many such critical technologies.
‘‘(g) COORDINATED VULNERABILITY DISCLOSURE PROCESSES.—Each Center shall establish, in coordination with the Director, coordinated vulnerability disclosure processes regarding the disclosure of vulnerabilities that—
‘‘(1) are adhered to when a vulnerability is discovered or disclosed by each such Center, consistent with international standards and coordinated vulnerability disclosure best practices; and
‘‘(2) are published on the website of each such Center.
‘‘(h) APPLICATION.—To be eligible for an award of a grant, contract, or cooperative agreement as a Center, a covered entity shall submit to the Secretary an application at such time, in such manner, and including such information as the Secretary may require.
‘‘(i) PUBLIC REPORTING OF VULNERABILITIES.—The Under Secretary for Science and Technology shall ensure that vulnerabilities discovered by a Center are reported to the National Vulnerability Database of the National Institute of Standards and Technology, as appropriate and using the coordinated vulnerability disclosure processes established under subsection (g).
‘‘(j) ADDITIONAL GUIDANCE.—The Under Secretary for Science and Technology, in coordination with the Director, shall develop, and periodically update, guidance, including eligibility and any additional requirements, relating to how Centers may award grants to communities of interest pursuant to subsection (e)(5) to mitigate and remediate vulnerabilities and take other actions under such subsection and subsection (k).
‘‘(k) OPEN SOURCE SOFTWARE SECURITY GRANTS.—
‘‘(1) IN GENERAL.—Any Center addressing open source software security may, in consultation with the Under Secretary for Science and Technology and Director, award grants to individual open source software developers and maintainers, nonprofit organizations, and other non-Federal entities as determined appropriate by any such Center, to fund improvements in the security of the open source software ecosystem.
‘‘(2) IMPROVEMENTS.—A grant awarded under paragraph (1) may include improvements such as the following:
‘‘(A) Security audits.
‘‘(B) Funding for developers to patch vulnerabilities.
‘‘(C) Addressing code, infrastructure, and structural weaknesses, including rewrites of open source software components in memory-safe programming languages.
‘‘(D) Research and tools to assess and improve the overall security of the open source software ecosystem, such as improved software fault isolation techniques.
‘‘(E) Training and other tools to aid open source software developers in the secure development of open source software, including secure coding practices and secure systems architecture.
‘‘(3) PRIORITY.—In awarding grants under paragraph (1), a Center shall prioritize, to the greatest extent practicable, the following:
‘‘(A) Where applicable, open source software components identified in guidance from the Director, or if no such guidance is so provided, utilizing the risk-based evaluation described in subsection (f).
‘‘(B) Activities that most promote the long-term security of the open source software ecosystem.
‘‘(l) BIENNIAL REPORTS TO UNDER SECRETARY.—Not later than one year after the date of the enactment of this section and every two years thereafter, each Center shall submit to the Under Secretary for Science and Technology, Director, and the appropriate congressional committees a report that includes the following:
‘‘(1) A summary of the work performed by such Center.
‘‘(2) Information relating to the allocation of Federal funds at such Center.
‘‘(3) A list of critical technologies studied by such Center.
‘‘(4) A description of each vulnerability that has been publicly disclosed pursuant to subsection (g), including information relating to the corresponding software weakness.
‘‘(5) An assessment of the criticality of each such vulnerability.
‘‘(6) An overview of the methodologies used by such Center, such as tactics, techniques, and procedures.
‘‘(7) A description of such Center’s development of capabilities for vulnerability discovery, management, and mitigation.
‘‘(8) A summary of such Center’s support to existing communities of interest, including an accounting of dispersed grant funds.
‘‘(9) For such Center, if applicable, a summary of any grants awarded during the period covered by the report that includes the following:
‘‘(A) An identification of the entity to which each such grant was awarded.
‘‘(B) The amount of each such grant.
‘‘(C) The purpose of each such grant.
‘‘(D) The expected impact of each such grant.
‘‘(10) The coordinated vulnerability disclosure processes established by such Center.
‘‘(m) REPORTS TO CONGRESS.—Upon receiving the reports required under subsection (l), the Under Secretary for Science and Technology shall submit to the appropriate congressional committees a summary of such reports, and, where applicable, an explanation for any deviations in the list of critical technologies studied by a Center from the list of critical technologies or guidance relating to such technologies provided by the Director pursuant to subsection (d).
‘‘(n) CONSULTATION WITH RELEVANT AGENCIES.—In carrying out this section, the Under Secretary shall consult with the heads of other Federal agencies conducting cybersecurity research, including the following:
‘‘(1) The National Institute of Standards and Technology.
‘‘(2) The National Science Foundation.
‘‘(3) Relevant agencies of the Department of Energy.
‘‘(4) Relevant agencies of the Department of Defense.
‘‘(o) AUTHORIZATION OF APPROPRIATIONS.—There are authorized to be appropriated to carry out this section the following:
‘‘(1) $42,000,000 for fiscal year 2024.
‘‘(2) $44,000,000 for fiscal year 2025.
‘‘(3) $46,000,000 for fiscal year 2026.
‘‘(4) $49,000,000 for fiscal year 2027.
‘‘(5) $52,000,000 for fiscal year 2028.
‘‘(p) DEFINITIONS.—In this section:
‘‘(1) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term ‘appropriate congressional committees’ means—
‘‘(A) the Committee on Homeland Security of the House of Representatives; and
‘‘(B) the Committee on Homeland Security and Governmental Affairs of the Senate.
‘‘(2) COVERED ENTITY.—The term ‘covered entity’ means a university or federally-funded research and development center, including a national laboratory, or a consortia thereof.
‘‘(3) CRITICAL TECHNOLOGY.—The term ‘critical technology’ means technology that underpins one or more national critical functions.
‘‘(4) CRITICAL SOFTWARE.—The term ‘critical software’ has the meaning given such term by the National Institute of Standards and Technology pursuant to Executive Order 14028 or any successor provision.
‘‘(5) OPEN SOURCE SOFTWARE.—The term ‘open source software’ means software for which the human-readable source code is made available to the public for use,
[Text truncated for display. Full text available on Congress.gov.]