[House Report 114-629]
[From the U.S. Government Publishing Office]

114th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Report 114-629

SUPPORT FOR RAPID INNOVATION ACT OF 2016

June 21, 2016.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

Mr. McCaul, from the Committee on Homeland Security, submitted the following

REPORT

[To accompany H.R. 5388]

The Committee on Homeland Security, to whom was referred the bill (H.R. 5388) to amend the Homeland Security Act of 2002 to provide for innovative research and development, and for other purposes, having considered the same, reports favorably thereon without amendment and recommends that the bill do pass.

CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Federal Mandates Statement
Preemption Clarification
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

Purpose and Summary

H.R. 5388, the Support for Rapid Innovation Act of 2016, requires the Under Secretary for Science and Technology (S&T) to support cybersecurity research, development, testing, evaluation and transition and to coordinate those activities with other Federal agencies, industry, and academia. In service to the components of the Department of Homeland Security (DHS), the Under Secretary is required to: 1) advance the development and deployment of secure information systems; 2) improve and create technologies to detect attacks or intrusions; 3) improve and create mitigation and recovery methodologies; 4) support the review of source code that underpins critical infrastructure information systems in coordination with the private sector; 5) develop and support tools to support cybersecurity research and development efforts; 6) assist the development of technologies to reduce vulnerabilities in industrial control systems; and 7) develop and support forensics and attack attribution capabilities.

In addition, the bill requires the Under Secretary to support the full life cycle of cyber research and development projects, identify mature technologies that address existing or imminent cybersecurity gaps, and introduce new cybersecurity technologies throughout the homeland security enterprise through partnerships and commercialization. The Under Secretary is directed to target Federally funded cybersecurity research that demonstrates a high probability of successful transition to the commercial market within two years.

This bill also extends the timeframe for the Secretary to exercise Other Transaction Authority (OTA) until the year 2020.
In the event that the head of a component seeks to have funds expended under OTA, the Secretary must provide prior approval after evaluating the component's proposal which must include the rationale, funds to be spent, and expected outcomes of the project. The Secretary is required to submit an annual report to Congress detailing those projects for which OTA was authorized.

Background and Need for Legislation

The S&T Directorate was established by Congress in Title III of the Homeland Security Act of 2002 (Pub. L. 107-296), and is DHS's primary research and development arm. This Directorate manages basic and applied research and development of science and technology, including cybersecurity research and development, for the Department's operational components and first responders that protect the homeland. OTA allows the Department to engage with nontraditional entities outside the regular government contracting mechanisms. Ensuring there are mechanisms in place like S&T's cybersecurity research and development programs and OTA to support the dynamic nature of cybersecurity R&D is essential for addressing homeland security capability gaps.

Hearings

No hearings were held on H.R. 5388; however, the Committee held the following oversight hearings.

On February 12, 2015, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``Emerging Threats and Technologies to Protect the Homeland.'' The Subcommittee received testimony from Mr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security; Dr. Huban Gowadia, Director, Domestic Nuclear Detection Office, U.S. Department of Homeland Security; Mr. Joseph Martin, Acting Director, Homeland Security Enterprise and First Responders Group, Science and Technology Directorate, U.S. Department of Homeland Security; Mr. William Noonan, Deputy Special Agent in Charge, Criminal Investigative Division, Cyber Operations Branch, United States Secret Service, U.S. Department of Homeland Security; and Mr. William Painter, Analyst, Government and Finance Division, Congressional Research Service, Library of Congress.

On May 19, 2015, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``Examining DHS Science and Technology Directorate's Engagement with Academia and Industry.'' The Subcommittee received testimony from Mr. Jake Parker, Director Government Relations, Security Industry Association; Mr. Marc Pearl, President and Chief Executive Officer, Homeland Security and Defense Business Council; and Dr. Samuel H. Aronson, President, American Physical Society.

Committee Consideration

The Committee met on June 8, 2016, to consider H.R. 5388, and ordered the measure to be reported to the House with a favorable recommendation, without amendment, by voice vote.

Committee Votes

Clause 3(b) of Rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto.

No recorded votes were requested during consideration of H.R. 5388.

Committee Oversight Findings

Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report.

New Budget Authority, Entitlement Authority, and Tax Expenditures

In compliance with clause 3(c)(2) of Rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 5388, the Support for Rapid Innovation Act of 2016, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues.

Congressional Budget Office Estimate

Pursuant to clause 3(c)(3) of Rule XIII of the Rules of the House of Representatives, a cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974 was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee.

Statement of General Performance Goals and Objectives

Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the House of Representatives, H.R. 5388 contains the following general performance goals and objectives, including outcome related goals and objectives authorized.

This legislation provides for the Secretary of Homeland Security to report to Congress on the projects for which OTA is used, the rationale for use, the funds spent, the extent of cost-sharing, the extent to which the use of the authority addresses a homeland security capability gap, the outcome of the project and any audits of each project.

Duplicative Federal Programs

Pursuant to clause 3(c) of Rule XIII, the Committee finds that H.R. 5388 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program.

Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits

In compliance with Rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of the Rule XXI.

Federal Mandates Statement

Pursuant to clause 3(c)(3) of Rule XIII of the Rules of the House of Representatives, a cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974 was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee.

Preemption Clarification

In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 5388 does not preempt any State, local, or Tribal law.

Disclosure of Directed Rule Makings

The Committee estimates that H.R. 5388 would require no directed rule makings.

Advisory Committee Statement

No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.

Applicability to Legislative Branch

The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act.

Section-by-Section Analysis of the Legislation

Section 1. Short Title.

This section provides that this bill may be cited as the ``Support for Rapid Innovation Act of 2016''.

Sec. 2. Cybersecurity Research and Development Projects.

This section amends the Homeland Security Act of 2002 to insert a new section entitled ``Sec. 319. Cybersecurity Research and Development.'' This section requires the Under Secretary for Science and Technology to support research, development, testing, evaluation, and transition of cybersecurity technologies that will: 1) advance the development and deployment of secure information systems; 2) improve and create technologies to detect attacks or intrusions; 3) improve and create mitigation and recovery methodologies; 4) support the review of source code that underpins critical infrastructure information systems in coordination with the private sector; 5) develop and support tools to support cybersecurity research and development efforts; 6) assist the development of technologies to reduce vulnerabilities in industrial control systems; and 7) develop and support forensics and attack attribution capabilities.

This section also requires the Under Secretary to coordinate these cybersecurity activities with other relevant Federal agencies, and industry and academia. The Committee intends for this coordination to include inter-agency Federal programs like the Networking and Information Technology Research and Development program as well as technology-based small businesses and startup ventures.

Additionally, this section codifies in law the Transition to Practice program that currently is being administered by the Under Secretary to support the life cycle of projects, including research, development, testing, evaluation, pilots, and transitions. This section requires the Under Secretary to target federally funded research that demonstrates a high probability of successful transition to the commercial market within two years that is expected to have a notable impact on public or private information systems and networks.
The Committee intends for the research and development to support the development of technologies targeted at detecting and analyzing known and unknown intrusions and anomalous behavior, as well as managing data loss and manipulation with attention to insider threats. These efforts shall seek to enhance capabilities to identify emerging methods of carrying out cyber attacks and to mitigate the effects of cyber attacks and intrusions.

The Committee is supportive of the Transition to Practice program, which takes advantage of research already conducted and funds already spent to support robust cyber tools nationwide. Where appropriate, the Committee encourages the Under Secretary to utilize the Department of Energy and Federally Funded Research and Development Centers and academic institutions funded by the National Science Foundation (NSF). The Committee intends for the Under Secretary to introduce new technologies and capabilities throughout the homeland security enterprise.

This section also amends section 831 of the HSA, extending Other Transaction Authority (OTA) until 2020 and requiring the Secretary to approve OTA prior to its use. This section updates existing reporting requirements and requires training of acquisition staff in the use of OTA.

The Committee encourages the Under Secretary to support the transition of innovative or emerging cyber technologies that currently are not procured by the Federal government but may offer novel or groundbreaking methods to address cyber capability gaps. The Committee intends for the Secretary to engage the Under Secretary for Science and Technology in the evaluation of OTA requests not involving the Science and Technology Directorate.

No additional funds are authorized to be appropriated to carry out this Act or the amendments made by this Act.

Changes in Existing Law Made by the Bill, as Reported

In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italics, and existing law in which no change is proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) Short Title.--This Act may be cited as the ``Homeland Security Act of 2002''.

(b) Table of Contents.--The table of contents for this Act is as follows:

* * * * * * *

TITLE III--SCIENCE AND TECHNOLOGY IN SUPPORT OF HOMELAND SECURITY

* * * * * * *

Sec. 319. Cybersecurity research and development.

* * * * * * *

TITLE III--SCIENCE AND TECHNOLOGY IN SUPPORT OF HOMELAND SECURITY

* * * * * * *

SEC. 319. CYBERSECURITY RESEARCH AND DEVELOPMENT.

(a) In General.--The Under Secretary for Science and Technology shall support the research, development, testing, evaluation, and transition of cybersecurity technologies, including fundamental research to improve the sharing of information, analytics, and methodologies related to cybersecurity risks and incidents, consistent with current law.

(b) Activities.--The research and development supported under subsection (a) shall serve the components of the Department and shall--
(1) advance the development and accelerate the deployment of more secure information systems;
(2) improve and create technologies for detecting attacks or intrusions, including real-time continuous diagnostics and real-time analytic technologies;
(3) improve and create mitigation and recovery methodologies, including techniques and policies for real-time containment of attacks, and development of resilient networks and information systems;
(4) support, in coordination with non-Federal entities, the review of source code that underpins critical infrastructure information systems;
(5) develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, testbeds, and data sets for assessment of new cybersecurity technologies;
(6) assist the development and support of technologies to reduce vulnerabilities in industrial control systems; and
(7) develop and support cyber forensics and attack attribution capabilities.

(c) Coordination.--In carrying out this section, the Under Secretary for Science and Technology shall coordinate activities with--
(1) the Under Secretary appointed pursuant to section 103(a)(1)(H);
(2) the heads of other relevant Federal departments and agencies, as appropriate; and
(3) industry and academia.

(d) Transition to Practice.--The Under Secretary for Science and Technology shall support projects carried out under this title through the full life cycle of such projects, including research, development, testing, evaluation, pilots, and transitions. The Under Secretary shall identify mature technologies that address existing or imminent cybersecurity gaps in public or private information systems and networks of information systems, identify and support necessary improvements identified during pilot programs and testing and evaluation activities, and introduce new cybersecurity technologies throughout the homeland security enterprise through partnerships and commercialization. The Under Secretary shall target federally funded cybersecurity research that demonstrates a high probability of successful transition to the commercial market within two years and that is expected to have a notable impact on the public or private information systems and networks of information systems.

(e) Definitions.--In this section:
(1) Cybersecurity risk.--The term ``cybersecurity risk'' has the meaning given such term in section 227.
(2) Homeland security enterprise.--The term ``homeland security enterprise'' means relevant governmental and nongovernmental entities involved in homeland security, including Federal, State, local, and tribal government officials, private sector representatives, academics, and other policy experts.
(3) Incident.--The term ``incident'' has the meaning given such term in section 227.
(4) Information system.--The term ``information system'' has the meaning given such term in section 3502(8) of title 44, United States Code.

* * * * * * *

TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

* * * * * * *

Subtitle D--Acquisitions

SEC. 831. RESEARCH AND DEVELOPMENT PROJECTS.

(a) Authority.--Until September 30, [2016] 2020, and subject to subsection (d), the Secretary may carry out a pilot program under which the Secretary may exercise the following authorities:
(1) In general.--When the Secretary carries out basic, applied, and advanced research and development projects, including the expenditure of funds for such projects, the Secretary may exercise the same authority (subject to the same limitations and conditions) with respect to such research and projects as the Secretary of Defense may exercise under section 2371 of title 10, United States Code (except for subsections (b) and (f)), after making a determination that the use of a contract, grant, or cooperative agreement for such project is not feasible or appropriate. [The annual report required under subsection (b) of this section, as applied to the Secretary by this paragraph, shall be submitted to the President of the Senate and the Speaker of the House of Representatives.]
(2) Prototype projects.--The Secretary may, under the authority of paragraph (1), carry out prototype projects in accordance with the requirements and conditions provided for carrying out prototype projects under section 845 of the National Defense Authorization Act for Fiscal Year 1994 (Public Law 103-160). In applying the authorities of that section 845, subsection (c) of that section shall apply with respect to prototype projects under this paragraph, and the Secretary shall perform the functions of the Secretary of Defense under subsection (d) thereof.
(3) Prior approval.--In any case in which the head of a component or office of the Department seeks to utilize the authority under this section, such head shall first receive prior approval from the Secretary by providing to the Secretary a proposal that includes the rationale for the utilization of such authority, the funds to be spent on the use of such authority, and the expected outcome for each project that is the subject of the use of such authority. In such a case, the authority for evaluating the proposal may not be delegated by the Secretary to anyone other than the Under Secretary for Management.

(b) Procurement of Temporary and Intermittent Services.--The Secretary may--
(1) procure the temporary or intermittent services of experts or consultants (or organizations thereof) in accordance with section 3109(b) of title 5, United States Code; and
(2) whenever necessary due to an urgent homeland security need, procure temporary (not to exceed 1 year) or intermittent personal services, including the services of experts or consultants (or organizations thereof), without regard to the pay limitations of such section 3109.

(c) Additional Requirements.--
(1) In general.--The authority of the Secretary under this section shall terminate September 30, [2016] 2020, unless before that date the Secretary--
(A) issues policy guidance detailing the appropriate use of that authority; and
(B) provides training to each employee that is authorized to exercise that authority.
[(2) Report.--The Secretary shall provide an annual report to the Committees on Appropriations of the Senate and the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives detailing the projects for which the authority granted by subsection (a) was used, the rationale for its use, the funds spent using that authority, the outcome of each project for which that authority was used, and the results of any audits of such projects.]
(2) Report.--The Secretary shall annually submit to the Committee on Homeland Security and the Committee on Science, Space, and Technology of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report detailing the projects for which the authority granted by subsection (a) was utilized, the rationale for such utilizations, the funds spent utilizing such authority, the extent of cost-sharing for such projects among Federal and non-Federal sources, the extent to which utilization of such authority has addressed a homeland security capability gap or threat to the homeland identified by the Department, the total amount of payments, if any, that were received by the Federal Government as a result of the utilization of such authority during the period covered by each such report, the outcome of each project for which such authority was utilized, and the results of any audits of such projects.

(d) Definition of Nontraditional Government Contractor.--In this section, the term ``nontraditional Government contractor'' has the same meaning as the term ``nontraditional defense contractor'' as defined in section 845(e) of the National Defense Authorization Act for Fiscal Year 1994 (Public Law 103-160; 10 U.S.C. 2371 note).

(e) Training.--The Secretary shall develop a training program for acquisitions staff on the utilization of the authority provided under subsection (a).

* * * * * * *