PRIA Logo
Take the PRIA Score
Title 6Domestic SecurityRelease 119-73

§652a Sector Risk Management Agencies

Title 6 › Chapter CHAPTER 1— - HOMELAND SECURITY ORGANIZATION › Subchapter SUBCHAPTER XVIII— - CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY › Part Part A— - Cybersecurity and Infrastructure Security › § 652a

Last updated Apr 6, 2026|Official source

Summary

Require the Secretary of Homeland Security to review how the nation protects critical infrastructure and report findings and recommendations. Within 180 days after January 1, 2021, and in consultation with the heads of the agencies that manage each sector, the Secretary must give the President and the named congressional committees a report that explains the review method, the data and metrics used, and recommends changes to the list of critical infrastructure sectors, any subsectors, and which federal agencies manage them. The Secretary must repeat a full review at least once every five years with the CISA Director and sector agency heads. The President has 180 days after any recommendation to accept or change sector or agency designations and must send a written explanation to the congressional committees, the Senate Majority and Minority Leaders, and the Speaker and Minority Leader of the House. Any official list of sectors must be posted in the Federal Register. Key terms (one line each): appropriate congressional committees = House Committees on Homeland Security and Armed Services; Senate Committees on Homeland Security and Governmental Affairs and Armed Services. critical infrastructure = defined in 42 U.S.C. 5195c(e). Department = Department of Homeland Security. Director = CISA Director. Secretary = Secretary of Homeland Security. Sector Risk Management Agency = the federal agency assigned to manage a sector (see section 650). Any mention of “Sector Specific Agency” in U.S. papers now means the Sector Risk Management Agency. The Comptroller General must report to the House and Senate homeland security committees on sector agencies’ effectiveness no later than two years after January 1, 2021 and then every four years for 12 years.

Full Legal Text

Title 6, §652a

Domestic Security — Source: USLM XML via OLRC

(a)In this section:
(1)The term “appropriate congressional committees” means—
(A)the Committee on Homeland Security and the Committee on Armed Services in the House of Representatives; and
(B)the Committee on Homeland Security and Governmental Affairs and the Committee on Armed Services in the Senate.
(2)The term “critical infrastructure” has the meaning given that term in section 5195c(e) of title 42.
(3)The term “Department” means the Department of Homeland Security.
(4)The term “Director” means the Director of the Cybersecurity and Infrastructure Security Agency of the Department.
(5)The term “Secretary” means the Secretary of Homeland Security.
(7)The term “Sector Risk Management Agency” has the meaning given the term in section 650 of this title.
(b)(1)Not later than 180 days after January 1, 2021, the Secretary, in consultation with the heads of Sector Risk Management Agencies, shall—
(A)review the current framework for securing critical infrastructure, as described in section 652(c)(4) of this title and Presidential Policy Directive 21; and
(B)submit to the President and appropriate congressional committees a report that includes—
(i)information relating to—
(I)the analysis framework or methodology used to—
(aa)evaluate the current framework for securing critical infrastructure referred to in subparagraph (A); and
(bb)develop recommendations to—
(AA)revise the current list of critical infrastructure sectors designated pursuant to Presidential Policy Directive 21, any successor or related document, or policy; or
(BB)identify and designate any subsectors of such sectors;
(II)the data, metrics, and other information used to develop the recommendations required under clause (ii); and
(ii)recommendations relating to—
(I)revising—
(aa)the current framework for securing critical infrastructure referred to in subparagraph (A);
(bb)the current list of critical infrastructure sectors designated pursuant to Presidential Policy Directive 21, any successor or related document, or policy; or
(cc)the identification and designation of any subsectors of such sectors; and
(II)any revisions to the list of designated Federal departments or agencies that serve as the Sector Risk Management Agency for a sector or subsector of such section, necessary to comply with paragraph (3)(B).
(2)At least once every five years, the Secretary, in consultation with the Director and the heads of Sector Risk Management Agencies, shall—
(A)evaluate the current list of designated critical infrastructure sectors and subsectors of such sectors and the appropriateness of Sector Risk Management Agency designations, as set forth in Presidential Policy Directive 21, any successor or related document, or policy; and
(B)recommend, as appropriate, to the President—
(i)revisions to the current list of designated critical infrastructure sectors or subsectors of such sectors; and
(ii)revisions to the designation of any Federal department or agency designated as the Sector Risk Management Agency for a sector or subsector of such sector.
(3)Not later than 180 days after the Secretary submits a recommendation pursuant to paragraph (1) or (2), the President shall—
(A)review the recommendation and revise, as appropriate, the designation of a critical infrastructure sector or subsector or the designation of a Sector Risk Management Agency; and
(B)submit to the appropriate congressional committees, the Majority and Minority Leaders of the Senate, and the Speaker and Minority Leader of the House of Representatives, a report that includes—
(i)an explanation with respect to the basis for accepting or rejecting the recommendations of the Secretary; and
(ii)information relating to the analysis framework, methodology, metrics, and data used to—
(I)evaluate the current framework for securing critical infrastructure referred to in paragraph (1)(A); and
(II)develop—
(aa)recommendations to revise—
(AA)the list of critical infrastructure sectors designated pursuant to Presidential Policy Directive 21, any successor or related document, or policy; or
(BB)the designation of any subsectors of such sectors; and
(bb)the recommendations of the Secretary.
(4)Any designation of critical infrastructure sectors shall be published in the Federal Register.
(c)(1)
(2)
(3)Any reference to a Sector Specific Agency (including any permutations or conjugations thereof) in any law, regulation, map, document, record, or other paper of the United States shall be deemed to—
(A)be a reference to the Sector Risk Management Agency of the relevant critical infrastructure sector; and
(B)have the meaning given such term in section 650 of this title.
(4)
(d)Not later than two years after January 1, 2021 and every four years thereafter for 12 years, the Comptroller General of the United States shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on the effectiveness of Sector Risk Management Agencies in carrying out their responsibilities under section 665d of this title.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

Codification Section was enacted as part of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 and not as part of the Homeland Security Act of 2002 which comprises this chapter. Section is comprised of section 9002 of Pub. L. 116–283. Subsec. (c)(1) of section 9002 of Pub. L. 116–283 enacted section 665d of this title. Subsec. (c)(2) of section 9002 of Pub. L. 116–283 amended section 195f, 321m, 651, 652, and 664 of this title. Subsec. (c)(4) of section 9002 of Pub. L. 116–283 amended the table of contents in section 1(b) of the Homeland Security Act of 2002.

Amendments

2022—Subsec. (a)(5). Pub. L. 117–263, § 7143(d)(5)(A)(i), (ii), redesignated par. (6) as (5) and struck out former par. (5). Prior to amendment, text of par. (5) read as follows: “The term ‘information sharing and analysis organization’ has the meaning given that term in section 671(5) of this title.” Subsec. (a)(6), (7). Pub. L. 117–263, § 7143(d)(5)(A)(ii), (iii), which redesignated par. (7) as (6) and then directed the general amendment of par. (7), was executed by making the redesignation and generally amending par. (6) as redesignated, to reflect the probable intent of Congress. As amended, such par. remained designated as (7). Prior to amendment, text of par. (7) read as follows: “The term ‘sector risk management agency’ has the meaning given the term ‘Sector-Specific Agency’ in section 651(5) of this title.” Subsec. (c)(3)(B). Pub. L. 117–263, § 7143(d)(5)(B), which directed substitution of “given such term in section 650 of this title” for “given such term in section 651(5) of this title”, was executed by making the substitution for “give such term in section 651(5) of this title”, to reflect the probable intent of Congress. Subsec. (d). Pub. L. 117–263, § 7143(d)(5)(C), made technical amendment to reference in original act which appears in text as reference to section 665d of this title.

Reference

Citations & Metadata

Citation

6 U.S.C. § 652a

Title 6Domestic Security

Last Updated

Apr 6, 2026

Release point: 119-73