Staff Draft Including Potential Edits 1-27-121
TITLE XX: [PROTECTING CRITICAL INFRASTRUCTURE]
Sec. 00 Definitions and ResponsibilitiesSec. 1. Sector-by-Sector Cyber Risk AssessmentsSec. 2. Procedure for Designation of Covered Critical InfrastructureSec. 3. Advisory Standards, Guidelines and Widely Accepted Industry PracticesSec. 4. Sector-by Sector Risk-Based Cybersecurity Performance RequirementsSec. 5. Security of Covered Critical InfrastructureSec. 6. Sector Specific AgenciesSec. 7. Protection of InformationSec. 8. Voluntary Technical AssistanceSec. 9. Emergency PlanningSec. 10. International CooperationSec. 00 Definitions & Responsibilities.
(a) Definitions.–(1) Owner.–For the purposes of this title, the term “owner” shall mean the entity thatowns the designated covered critical infrastructure and shall not be construed to mean acompany contracted by the owner to manage, run, or operate a designated system orasset, or to provide a specific information technology product or service that is used orincorporated into a designated system or asset.(2) Operator.–For the purposes of this title, the term "operator" shall mean an entity thatmanages, runs, or operates, in whole or in part, the day-to-day operations of a designatedsystem or asset. An operator can, but does not have to be, the owner of the system orasset.(b) Responsibility of Owner.–It shall be the responsibility of the owner of a system or assetdesignated as covered critical infrastructure pursuant to comply with the requirements of thisAct.
Sec. 1. Sector-by-Sector Cyber Risk Assessments
The Secretary of Homeland Security, in consultation with owners and operators of criticalinfrastructure, the Critical Infrastructure Partnership and Advisory Committee, and the NationalCybersecurity Advisory Council, and in coordination with the Intelligence Community, theDepartment of Defense, the Department of Commerce, sector-specific agencies and otherFederal agencies with responsibilities for regulating owners and operators of criticalinfrastructure shall –(a) within 90 days of the effective date of this Act, conduct a top-level assessment of thecybersecurity threats, vulnerabilities, risks, and probability of a catastrophic incident across all