Industrial Control Systems Cybersecurity Competition Act

(1) by striking paragraph (3);

(2) by redesignating paragraphs (1), (2), and (4) as subparagraphs (A), (B), and (C), respectively, and adjusting the margin accordingly;

(3) by striking Each competition and inserting the following:

Each competition

(4) in subparagraph (C) of paragraph (1), as so redesignated, by striking paragraphs (1), (2), or (3) and inserting subparagraph (A) or (B); and

(5) by adding at the end the following:

Not less frequently than every second competition, the competition shall incorporate categories demonstrating offensive and defensive cyber operations involving—

(A) information technology (as defined in section 11101 of title 40, United States Code), such as software reverse engineering and exploitation, network operations, forensics, big data analysis, cyber analysis, cyber defense, cyber exploitation, secure programming, and obfuscated coding;

(B) operational technology (as defined in section 3 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3a)) or industrial control systems (as defined in section 2220C of the Homeland Security Act of 2002 (6 U.S.C. 665i)), such as knowledge of supervisory control and data acquisition systems and the protocols and communication methods used in these systems, detection of anomalies, and responding to and recovering after incidents involving such systems; or

(C) any other category of technological system requiring cybersecurity or information security, as determined appropriate by the Director.

Section 7121 of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 (6 U.S.C. 665m) is amended—

(1) in subsection (d)—

(A) by striking paragraph (3);

(B) by redesignating paragraphs (1), (2), and (4) as subparagraphs (A), (B), and (C), respectively, and adjusting the margin accordingly;

(C) by striking Each competition and inserting the following:

Each competition

(D) in subparagraph (C) of paragraph (1), as so redesignated, by striking paragraphs (1), (2), or (3) and inserting subparagraph (A) or (B); and

(E) by adding at the end the following:

Not less frequently than every second competition, the competition shall incorporate categories demonstrating offensive and defensive cyber operations involving—

(A) information technology (as defined in section 11101 of title 40, United States Code), such as software reverse engineering and exploitation, network operations, forensics, big data analysis, cyber analysis, cyber defense, cyber exploitation, secure programming, and obfuscated coding;

(B) operational technology (as defined in section 3 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3a)) or industrial control systems (as defined in section 2220C of the Homeland Security Act of 2002 (6 U.S.C. 665i)), such as knowledge of supervisory control and data acquisition systems and the protocols and communication methods used in such systems, detection of anomalies, exploitation of operational technology or industrial control systems, and responding to and recovering after incidents involving operational technology or industrial control systems; or

(C) any other category of technological system requiring cybersecurity or information security, as determined appropriate by the Director.

(2) in subsection (e)(1)—

(A) in subparagraph (A), by inserting, which shall not exceed 20 percent of the amounts made available for the competition during any fiscal year after the competition;

(B) in subparagraph (B), by inserting, which shall not exceed 20 percent of the amounts made available for the competition during any fiscal year after integrity of the competition;

(C) in subparagraph (C), by inserting, which shall not exceed 20 percent of the amounts made available for the competition during any fiscal year after and apparel; and

(D) in subparagraph (D), by inserting, which shall not exceed 20 percent of the amounts made available for the competition during any fiscal year after the uniformed services; and

(3) by adding at the end the following:

The Director may not hold an annual cybersecurity competition under this section for a year until after the Director submits the report required under subsection (g) with respect to the competition held under this section during the previous year.

The Director may not conduct a competition under the authority under this section on or after the first day of the first year that begins more than 5 years after the date of enactment of the Industrial Control Systems Cybersecurity Competition Act.

No additional funds are authorized to be appropriated for the purpose of carrying out the amendments made by this Act.