Union Calendar No. 384
116th CONGRESS 2d Session |
[Report No. 116–478]
To establish a program to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments, and for other purposes.
February 10, 2020
Mr. Richmond (for himself, Mr. Katko, Mr. Kilmer, Mr. McCaul, Mr. Ruppersberger, Mr. Thompson of Mississippi, Mr. Rogers of Alabama, Ms. Slotkin, Mr. Rose of New York, Mr. Payne, Mrs. Watson Coleman, Mr. Langevin, Mr. Cleaver, Ms. Underwood, and Ms. Titus) introduced the following bill; which was referred to the Committee on Homeland Security
August 18, 2020
Additional sponsors: Ms. Eshoo, Ms. Sewell of Alabama, and Ms. Jackson Lee
August 18, 2020
Reported with an amendment; committed to the Committee of the Whole House on the State of the Union and ordered to be printed
[Strike out all after the enacting clause and insert the part printed in italic]
[For text of introduced bill, see copy of bill as introduced on February 10, 2020]
To establish a program to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
This Act may be cited as the “State and Local Cybersecurity Improvement Act”.
SEC. 2. State and Local Cybersecurity Grant Program.
(a) In general.—Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following new sections:
“SEC. 2215. State and Local Cybersecurity Grant Program.
“(a) Establishment.—The Secretary, acting through the Director, shall establish a program to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments (referred to as the ‘State and Local Cybersecurity Grant Program’ in this section).
“(b) Baseline requirements.—A grant awarded under this section shall be used in compliance with the following:
“(c) Administration.—The State and Local Cybersecurity Grant Program shall be administered in the same program office that administers grants made under sections 2003 and 2004.
“(d) Eligibility.—
“(1) IN GENERAL.—A State applying for a grant under the State and Local Cybersecurity Grant Program shall submit to the Secretary a Cybersecurity Plan for approval. Such plan shall—
“(A) incorporate, to the extent practicable, any existing plans of such State to protect against cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments;
“(B) describe, to the extent practicable, how such State shall—
“(i) enhance the preparation, response, and resiliency of information systems owned or operated by such State or, if appropriate, by local, Tribal, or territorial governments, against cybersecurity risks and cybersecurity threats;
“(ii) implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats in information systems of such State, local, Tribal, or territorial governments;
“(iii) ensure that State, local, Tribal, and territorial governments that own or operate information systems within the State adopt best practices and methodologies to enhance cybersecurity, such as the practices set forth in the cybersecurity framework developed by the National Institute of Standards and Technology;
“(iv) promote the delivery of safe, recognizable, and trustworthy online services by State, local, Tribal, and territorial governments, including through the use of the .gov internet domain;
“(v) mitigate any identified gaps in the State, local, Tribal, or territorial government cybersecurity workforces, enhance recruitment and retention efforts for such workforces, and bolster the knowledge, skills, and abilities of State, local, Tribal, and territorial government personnel to address cybersecurity risks and cybersecurity threats;
“(vi) ensure continuity of communications and data networks within such State between such State and local, Tribal, and territorial governments that own or operate information systems within such State in the event of an incident involving such communications or data networks within such State;
“(vii) assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats related to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within such State;
“(viii) enhance capability to share cyber threat indicators and related information between such State and local, Tribal, and territorial governments that own or operate information systems within such State; and
“(C) include, to the extent practicable, an inventory of the information technology deployed on the information systems owned or operated by such State or by local, Tribal, or territorial governments within such State, including legacy information technology that is no longer supported by the manufacturer.
“(e) Planning committees.—
“(1) IN GENERAL.—A State applying for a grant under this section shall establish a cybersecurity planning committee to assist in the following:
“(2) COMPOSITION.—Cybersecurity planning committees described in paragraph (1) shall be comprised of representatives from counties, cities, towns, and Tribes within the State receiving a grant under this section, including, as appropriate, representatives of rural, suburban, and high-population jurisdictions.
“(3) RULE OF CONSTRUCTION REGARDING EXISTING PLANNING COMMITTEES.—Nothing in this subsection may be construed to require that any State establish a cybersecurity planning committee if such State has established and uses a multijurisdictional planning committee or commission that meets the requirements of this paragraph.
“(f) Use of funds.—A State that receives a grant under this section shall use the grant to implement such State’s Cybersecurity Plan, or to assist with activities determined by the Secretary, in consultation with the Director, to be integral to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments, as the case may be.
“(g) Approval of plans.—
“(1) APPROVAL AS CONDITION OF GRANT.—Before a State may receive a grant under this section, the Secretary, acting through the Director, shall review and approve such State’s Cybersecurity Plan required under subsection (d).
“(2) PLAN REQUIREMENTS.—In approving a Cybersecurity Plan under this subsection, the Director shall ensure such Plan—
“(3) APPROVAL OF REVISIONS.—The Secretary, acting through the Director, may approve revisions to a Cybersecurity Plan as the Director determines appropriate.
“(4) EXCEPTION.—Notwithstanding the requirement under subsection (d) to submit a Cybersecurity Plan as a condition of apply for a grant under this section, such a grant may be awarded to a State that has not so submitted a Cybersecurity Plan to the Secretary if—
“(A) such State certifies to the Secretary that it will submit to the Secretary a Cybersecurity Plan for approval by September 30, 2022;
“(h) Limitations on uses of funds.—
“(i) Opportunity To amend applications.—In considering applications for grants under this section, the Secretary shall provide applicants with a reasonable opportunity to correct defects, if any, in such applications before making final awards.
“(j) Apportionment.—For fiscal year 2020 and each fiscal year thereafter, the Secretary shall apportion amounts appropriated to carry out this section among States as follows:
“(k) Federal share.—The Federal share of the cost of an activity carried out using funds made available under the program may not exceed the following percentages:
“(l) State responsibilities.—
“(1) CERTIFICATION.—Each State that receives a grant under this section shall certify to the Secretary that the grant will be used for the purpose for which the grant is awarded and in compliance with the Cybersecurity Plan or other purpose approved by the Secretary under subsection (g).
“(2) AVAILABILITY OF FUNDS TO LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENTS.—Not later than 45 days after a State receives a grant under this section, such State shall, without imposing unreasonable or unduly burdensome requirements as a condition of receipt, obligate or otherwise make available to local, Tribal, and territorial governments in such State, consistent with the applicable Cybersecurity Plan—
“(3) CERTIFICATIONS REGARDING DISTRIBUTION OF GRANT FUNDS TO LOCAL, TRIBAL, TERRITORIAL GOVERNMENTS.—A State shall certify to the Secretary that the State has made the distribution to local, Tribal, and territorial governments required under paragraph (2).
“(4) EXTENSION OF PERIOD.—A State may request in writing that the Secretary extend the period of time specified in paragraph (2) for an additional period of time. The Secretary may approve such a request if the Secretary determines such extension is necessary to ensure the obligation and expenditure of grant funds align with the purpose of the grant program.
“(5) EXCEPTION.—Paragraph (2) shall not apply to the District of Columbia, the Commonwealth of Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, or the Virgin Islands.
“(6) DIRECT FUNDING.—If a State does not make the distribution to local, Tribal, or territorial governments in such State required under paragraph (2), such a local, Tribal, or territorial government may petition the Secretary.
“(7) PENALTIES.—In addition to other remedies available to the Secretary, the Secretary may terminate or reduce the amount of a grant awarded under this section to a State or transfer grant funds previously awarded to such State directly to the appropriate local, Tribal, or territorial government if such State violates a requirement of this subsection.
“(m) Advisory committee.—
“(1) ESTABLISHMENT.—The Director shall establish a State and Local Cybersecurity Resiliency Committee to provide State, local, Tribal, and territorial stakeholder expertise, situational awareness, and recommendations to the Director, as appropriate, regarding how to—
“(2) DUTIES.—The State and Local Cybersecurity Resiliency Committee shall—
“(A) submit to the Director recommendations that may inform guidance for applicants for grants under this section;
“(B) upon the request of the Director, provide to the Director technical assistance to inform the review of Cybersecurity Plans submitted by applicants for grants under this section, and, as appropriate, submit to the Director recommendations to improve such Plans prior to the Director’s determination regarding whether to approve such Plans;
“(C) advise and provide to the Director input regarding the Homeland Security Strategy to Improve Cybersecurity for State, Local, Tribal, and Territorial Governments required under section 2210; and
“(3) MEMBERSHIP.—
“(A) NUMBER AND APPOINTMENT.—The State and Local Cybersecurity Resiliency Committee shall be composed of 15 members appointed by the Director, as follows:
“(ii) Two individuals recommended to the Director by the National Association of State Chief Information Officers.
“(B) TERMS.—Each member of the State and Local Cybersecurity Resiliency Committee shall be appointed for a term of two years, except that such term shall be three years only in the case of members who are appointed initially to the Committee upon the establishment of the Committee. Any member appointed to fill a vacancy occurring before the expiration of the term for which the member’s predecessor was appointed shall be appointed only for the remainder of such term. A member may serve after the expiration of such member’s term until a successor has taken office. A vacancy in the Commission shall be filled in the manner in which the original appointment was made.
“(n) Reports.—
“(1) ANNUAL REPORTS BY STATE GRANT RECIPIENTS.—A State that receives a grant under this section shall annually submit to the Secretary a report on the progress of the State in implementing the Cybersecurity Plan approved pursuant to subsection (g). If the State does not have a Cybersecurity Plan approved pursuant to subsection (g), the State shall submit to the Secretary a report describing how grant funds were obligated and expended to develop a Cybersecurity Plan or improve the cybersecurity of information systems owned or operated by State, local, Tribal, or territorial governments in such State. The Secretary, acting through the Director, shall make each such report publicly available, including by making each such report available on the internet website of the Agency, subject to any redactions the Director determines necessary to protect classified or other sensitive information.
“(2) ANNUAL REPORTS TO CONGRESS.—At least once each year, the Secretary, acting through the Director, shall submit to Congress a report on the use of grants awarded under this section and any progress made toward the following:
“(o) Authorization of appropriations.—There are authorized to be appropriated for grants under this section—
“(p) Definitions.—In this section:
“(1) CRITICAL INFRASTRUCTURE.—The term ‘critical infrastructure’ has the meaning given that term in section 2.
“(2) CYBER THREAT INDICATOR.—The term ‘cyber threat indicator’ has the meaning given such term in section 102 of the Cybersecurity Act of 2015.
“(3) DIRECTOR.—The term ‘Director’ means the Director of the Cybersecurity and Infrastructure Security Agency.
“(5) INFORMATION SHARING AND ANALYSIS ORGANIZATION.—The term ‘information sharing and analysis organization’ has the meaning given such term in section 2222.
“(6) INFORMATION SYSTEM.—The term ‘information system’ has the meaning given such term in section 102(9) of the Cybersecurity Act of 2015 (6 U.S.C. 1501(9)).
“(8) ONLINE SERVICE.—The term ‘online service’ means any internet-facing service, including a website, email, virtual private network, or custom application.
“(9) STATE.—The term ‘State’—
“(A) means each of the several States, the District of Colombia, and the territories and possessions of the United States; and
“(B) includes any federally recognized Indian tribe that notifies the Secretary, not later than 120 days after the date of the enactment of this section or not later than 120 days before the start of any fiscal year in which a grant under this section is awarded, that the tribe intends to develop a Cybersecurity Plan and agrees to forfeit any distribution under subsection (l)(2).
“SEC. 2216. Cybersecurity resource guide development for State, local, Tribal, and territorial government officials.
“The Secretary, acting through the Director, shall develop a resource guide for use by State, local, Tribal, and territorial government officials, including law enforcement officers, to help such officials identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents (as such term is defined in section 2209).”.
(b) Clerical amendment.—The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 2214 the following new items:
“Sec. 2215. State and Local Cybersecurity Grant Program.
“Sec. 2216. Cybersecurity resource guide development for State, local, Tribal, and territorial government officials.”.
(a) Homeland Security Strategy To Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments.—Section 2210 of the Homeland Security Act of 2002 (6 U.S.C. 660) is amended by adding at the end the following new subsection:
“(e) Homeland Security Strategy To Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments.—
“(1) IN GENERAL.—Not later than 270 days after the date of the enactment of this subsection, the Secretary, acting through the Director, shall, in coordination with appropriate Federal departments and agencies, State, local, Tribal, and territorial governments, the State and Local Cybersecurity Resilience Committee (established under section 2215), and other stakeholders, as appropriate, develop and make publicly available a Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments that provides recommendations regarding how the Federal Government should support and promote the ability State, local, Tribal, and territorial governments to identify, protect against, detect respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents (as such term is defined in section 2209) and establishes baseline requirements and principles to which Cybersecurity Plans under such section shall be aligned.
“(2) CONTENTS.—The Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments required under paragraph (1) shall—
“(A) identify capability gaps in the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
“(B) identify Federal resources and capabilities that are available or could be made available to State, local, Tribal, and territorial governments to help such governments identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
“(C) identify and assess the limitations of Federal resources and capabilities available to State, local, Tribal, and territorial governments to help such governments identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents, and make recommendations to address such limitations;
“(D) identify opportunities to improve the Agency’s coordination with Federal and non-Federal entities, such as the Multi-State Information Sharing and Analysis Center, to improve incident exercises, information sharing and incident notification procedures, the ability for State, local, Tribal, and territorial governments to voluntarily adapt and implement guidance in Federal binding operational directives, and opportunities to leverage Federal schedules for cybersecurity investments under section 502 of title 40, United States Code;
“(E) recommend new initiatives the Federal Government should undertake to improve the ability of State, local, Tribal, and territorial governments to help such governments identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
“(3) CONSIDERATIONS.—In developing the Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments required under paragraph (1), the Director, in coordination with appropriate Federal departments and agencies, State, local, Tribal, and territorial governments, the State and Local Cybersecurity Resilience Committee, and other stakeholders, as appropriate, shall consider—
“(A) lessons learned from incidents that have affected State, local, Tribal, and territorial governments, and exercises with Federal and non-Federal entities;
“(B) the impact of incidents that have affected State, local, Tribal, and territorial governments, including the resulting costs to such governments;
“(C) the information related to the interest and ability of state and non-state threat actors to compromise information systems owned or operated by State, local, Tribal, and territorial governments;
(b) Responsibilities of the Director of the Cybersecurity and Infrastructure Security Agency.—Subsection (c) of section 2202 of the Homeland Security Act of 2002 (6 U.S.C. 652) is amended—
(2) by inserting after paragraph (5) the following new paragraphs:
“(6) develop program guidance, in consultation with the State and Local Government Cybersecurity Resiliency Committee established under section 2215, for the State and Local Cybersecurity Grant Program under such section or any other homeland security assistance administered by the Department to improve cybersecurity;
“(7) review, in consultation with the State and Local Cybersecurity Resiliency Committee, all cybersecurity plans of State, local, Tribal, and territorial governments developed pursuant to any homeland security assistance administered by the Department to improve cybersecurity;
“(8) provide expertise and technical assistance to State, local, Tribal, and territorial government officials with respect to cybersecurity;
(c) Feasibility study.—Not later than 180 days after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security shall conduct a study to assess the feasibility of implementing a short-term rotational program for the detail of approved State, local, Tribal, and territorial government employees in cyber workforce positions to the Agency.
Union Calendar No. 384 | |||||
| |||||
[Report No. 116–478] | |||||
A BILL | |||||
To establish a program to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments, and for other purposes. | |||||
August 18, 2020 | |||||
Reported with an amendment; committed to the Committee of the Whole House on the State of the Union and ordered to be printed |