“(a) Establishment.—There is in the Administration a working group, to be known as the ‘Cybersecurity Risk Inventory, Assessment, and Mitigation Working Group’.

“(b) Membership.—Members of the working group shall include the Deputy Administrator for Defense Programs, the Associate Administrator for Information Management and Chief Information Officer, and staff from other offices as determined appropriate by the Deputy Administrator and Associate Administrator.

“(c) Comprehensive Strategy.—The working group shall prepare a comprehensive strategy for inventorying the range of National Nuclear Security Administration systems that are potentially at risk in the operational technology and nuclear weapons information technology environments, assessing the systems at risk, and implementing risk mitigation actions. Such strategy shall incorporate key elements of effective cybersecurity risk management strategies, as identified by the Government Accountability Office, including the specification of—

“(1) goals, objectives, activities, and performance measures;

“(2) organizational roles, responsibilities, and coordination;

“(3) necessary resources needed to implement the strategy over the next ten years; and

“(4) detailed milestones and schedules for completion of tasks.

“(d) Submission to Congress.—

“(1) BRIEFING.—Not later than 120 days after the date of the enactment of this Act, the members of the working group shall provide to the congressional defense committees a briefing on the plan of the working group plan to develop the strategy required under subsection (c).

“(2) SUBMISSION OF STRATEGY.—Not later than April 1, 2025, the working group shall submit the congressional defense committees a copy of the completed strategy.

“(e) Termination.—The working group shall terminate on the date that is five years after the date of the enactment of this section.”.