State and Local IT Modernization and Cybersecurity Improvement Act
This bill establishes in the Department of Homeland Security (DHS) grant programs to assist states and Indian tribal governments with emergency information technology (IT) expenses and modernization, and to assist state, local, tribal, or territorial governments to address cybersecurity risks and threats.
Specifically, the bill establishes a Public Health Emergency Information Technology Grant Program to make grants to states and tribal governments for emergency IT expenses during a public health emergency, specifically COVID-19 (i.e., coronavirus disease 2019).
The bill establishes in DHS the Modernizing IT Grant Program to make grants to states and Indian tribal governments to modernize IT to securely enable digital delivery of government services.
The Cybersecurity and Infrastructure Security Agency (CISA) shall distribute grants to states for addressing cybersecurity risks and threats to the information systems of state, local, tribal, or territorial governments.
The CISA must (1) establish a State and Local Cybersecurity Resiliency Committee; (2) develop and make publicly available a Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments; (3) conduct a study to assess the feasibility of implementing a short-term rotational program for the detail of approved government employees in cyber workforce positions to the agency; and (4) develop a resource guide for use by state, local, tribal, and territorial government officials.
[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8048 Introduced in House (IH)]
116th CONGRESS
2d Session
H. R. 8048
To establish in the Department of Homeland Security a program to make
grants for emergency information technology expenses, and for other
purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
August 14, 2020
Mr. Langevin (for himself, Mr. Gallagher, Mr. Ruppersberger, Mr. Hurd
of Texas, Mr. Richmond, Mr. McCaul, Mr. Rose of New York, and Mr.
Bacon) introduced the following bill; which was referred to the
Committee on Homeland Security, and in addition to the Committees on
Oversight and Reform, and Energy and Commerce, for a period to be
subsequently determined by the Speaker, in each case for consideration
of such provisions as fall within the jurisdiction of the committee
concerned
_______________________________________________________________________
A BILL
To establish in the Department of Homeland Security a program to make
grants for emergency information technology expenses, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``State and Local IT Modernization and
Cybersecurity Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``Agency'' means the Cybersecurity
and Infrastructure Security Agency of the Department of
Homeland Security.
(2) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and
Governmental Affairs of the Senate; and
(B) the Committee on Homeland Security of the House
of Representatives.
(3) Covered information technology.--In this section, the
term ``covered information technology'' includes the following
information technology:
(A) Enterprise productivity tools, including--
(i) email services;
(ii) computer software for the purposes of
managing payroll and budget;
(iii) personnel management solutions; and
(iv) customer relationship management
software relating to the provision of services
to users of such services.
(B) Cybersecurity services and tools.
(C) Computer networking equipment.
(4) Covered information technology services.--The term
``covered information technology services'' means any service
necessary to install, implement, maintain, or upgrade covered
information technology.
(5) Department.--The term ``Department'' means the
Department of Homeland Security.
(6) Director.--The term ``Director'' means the Director of
the Cybersecurity and Infrastructure Security Agency of the
Department of Homeland Security.
(7) Emergency information technology expenses.--The term
``emergency information technology expenses'' means expenses
related to--
(A) improving covered information technology;
(B) conducting covered information technology
services;
(C) subsidizing payroll for information technology
staff to maintain the current staffing level; or
(D) government employees having the necessary
covered information technology to telework.
(8) Fiscal year.--The term ``fiscal year'' has the meaning
given the term under the State or local law of the relevant
grant recipient.
(9) Information technology.--The term ``information
technology'' has the meaning given the term in section 11101 of
title 40, United States Code.
(10) Public health emergency.--The term ``public health
emergency'' means the public health emergency declared by the
Secretary of Health and Human Services pursuant to section 319
of the Public Health Service Act (42 U.S.C. 247d) on January
31, 2020, with respect to COVID-19.
(11) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
(12) State.--The term ``State'' has the meaning given the
term in section 311 of title 5, United States Code.
(13) Tribal government.--The term ``Tribal government'' has
the meaning given the term in section 421(13) of the
Congressional Budget and Impoundment Control Act of 1974 (2
U.S.C. 658(13)).
SEC. 3. PUBLIC HEALTH EMERGENCY INFORMATION TECHNOLOGY GRANT PROGRAM.
(a) Establishment.--There is established in the Department a
program to be known as the ``Public Health Emergency Information
Technology Grant Program'' (in this section referred to as the ``Public
Health Emergency IT Grant Program''), under which the Secretary may
award grants to States for emergency information technology expenses
during the public health emergency.
(b) Application.--Each State may apply for a grant under the Public
Health Emergency IT Grant Program, and shall submit such information in
support of such a grant as the Secretary may require.
(c) Allocation of Funds.--
(1) Tribal governments.--Grants to Tribal governments under
the Public Health Emergency IT Grant Program may not exceed
$25,000,000 in the aggregate.
(2) Administration and oversight.--The Secretary may not
expend more than $10,000,000 for administration of the Public
Health Emergency IT Grant Program.
(d) Conditions on Receipt of Grant.--
(1) Management of funds.--To be eligible for a grant under
the Public Health Emergency IT Grant Program, a State shall
agree to designate the Chief Information Officer, or an
equivalent official, of the State as the primary official for
the management and allocation of funds awarded under the Public
Health Emergency IT Grant Program.
(2) Security standards and certifications.--
(A) In general.--Not later than 90 days after the
date of the enactment of this Act, the Secretary, in
consultation with the Secretary of Commerce, shall
select commonly accepted security standards and
certifications with respect to covered information
technology.
(B) Security standards and certifications
required.--To be eligible for a grant under the Public
Health Emergency IT Grant Program, a State shall agree
to procure only covered information technology that
meets or exceeds the standards and certifications
selected pursuant to paragraph (1) with funds made
available under such Program.
(e) Grants.--
(1) Single grant.--A State may not receive more than one
grant under the Public Health Emergency IT Grant Program.
(2) Grant amounts.--The Secretary may award grants to
States under the Public Health Emergency IT Grant Program on
the basis of the population of such State, except no grant
awarded under such Program may be less than $5,000,000.
(f) Subgrants.--Each State that receives a grant under the Public
Health Emergency IT Grant Program shall reserve not less than 40
percent of amounts received for the purpose of making subgrants to
local governments within such State--
(1) for emergency information technology expenses; or
(2) to purchase licenses for covered information technology
on behalf of such local governments.
(g) Return of Funds.--Amounts received by States under the Public
Health Emergency IT Grant Program that are not expended by the date
that is two years after the date of the receipt of such funds shall be
returned to the Treasury of the United States.
(h) Reports.--
(1) Reports by grant recipients.--Not later than 180 days
after receiving a grant under the Public Health Emergency IT
Grant Program, a recipient of such grant shall submit to the
Secretary a report that--
(A) describes how grant funds were obligated or
expended, including the use of funds made available as
subgrants; and
(B) demonstrates compliance by such recipient and
subgrantee with the requirements of such Program.
(2) Annual report to congress.--Not later than 1 year after
the date of the enactment of this Act and annually thereafter
until all funds under the Public Health Emergency IT Grant
Program are expended or returned to the Treasury of the United
States, the Secretary shall submit to the appropriate
congressional committees a report that--
(A) describes how grant funds were obligated or
expended, including the use of funds made available as
subgrants; and
(B) demonstrates compliance by each recipient and
subgrantee with the requirements of such Program.
(i) Authorization of Appropriations.--There is authorized to be
appropriated $1,000,000,000 for grants under the Public Health
Emergency IT Grant Program. Amounts authorized to be appropriated
pursuant to this subsection are authorized to remain available until
September 30, 2022.
SEC. 4. MODERNIZING IT GRANT PROGRAM.
(a) Establishment.--There is established in the Department a
program to be known as the ``Modernizing IT Grant Program'', under
which the Secretary may make grants to States to modernize information
technology for the purpose of securely enabling digital delivery of
government services, including the digital delivery of--
(1) emergency services;
(2) government benefit and entitlement programs; and
(3) administrative services performed by a State.
(b) Eligibility.--To be eligible for a grant under the Modernizing
IT Grant Program, a State shall--
(1) with respect to fiscal years 2021, 2022, and 2023,
maintain the funding levels of the lesser of fiscal year 2019,
or the average of fiscal years 2017, 2018, and 2019, with
respect to information technology support and modernization;
and
(2) provide matching funds equal to 5 percent of the amount
of any grant received under the Modernizing IT Grant Program.
(c) Application.--
(1) In general.--Each State may apply for a grant under the
Modernizing IT Grant Program, and shall submit such information
in support of such a grant as the Secretary may require,
including the following:
(A) A State information technology modernization
plan, including--
(i) a description of existing information
technology;
(ii) the costs related to maintenance of
existing information technology;
(iii) a compilation of recent security
audits of existing information technology;
(iv) a compilation of recent operational
performance reports of existing information
technology;
(v) a methodology to prioritize projects
and procurement to account for--
(I) security gains;
(II) operational gains; and
(III) cost; and
(vi) a transition plan to modernize
existing information technology, including--
(I) a comparative analysis of
cloud-based versus on-premise
solutions; and
(II) an estimate of operation and
maintenance costs for the information
technology to be procured under such
transition plan.
(B) A local government information technology
modernization plan describing how grants awarded under
the Modernizing IT Grant Program will be used to
provide--
(i) subgrants to local governments to
modernize their information technology
supporting digital delivery of government
services; or
(ii) shared services to local governments
to support the digital delivery of government
services.
(2) Application evaluation.--The Secretary, acting through
the Director, and in consultation with the Administrator of
General Services, shall evaluate each application for a grant
under the Modernizing IT Grant Program with respect to the
appropriateness of the information technology modernization
plan to improve cybersecurity and enhance the capability to
effectively deliver digital government services.
(3) Technical assistance.--The Director may provide
technical assistance to States applying for a grant under the
Modernizing IT Grant Program with respect to State and local
government information technology modernization plans described
in paragraph (1)(B).
(d) Conditions on Receipt of Grant.--
(1) Management of funds.--To be eligible for a grant under
the Modernizing IT Grant Program, a State shall agree to
designate the Chief Information Officer, or an equivalent
official, of the State as the primary official for the
management and allocation of funds awarded under the
Modernizing IT Grant Program.
(2) Security standards and certifications.--
(A) In general.--Not later than 1 year after the
date of the enactment of this Act, the Secretary, in
consultation with the Secretary of Commerce, shall
select commonly accepted security standards and
certifications with respect to information technology.
(B) Security standards and certifications
required.--To be eligible for a grant under the
Modernizing IT Grant Program, a State shall agree to
procure only information technology that meets or
exceeds the standards and certifications described in
paragraph (1) with funds made available under such
Program.
(e) Grants.--
(1) Single grant.--A State may not receive more than one
grant under the Modernizing IT Grant Program.
(2) Grant amounts.--
(A) State governments.--The Secretary may determine
the amount of a grant to be awarded to a State,
excluding Tribal governments, under the Modernizing IT
Grant Program based on the population of such State,
except no grant awarded under such Program may be less
than $100,000,000.
(B) Tribal governments.--Grants to Tribal
governments under the Modernization Grant Program may
not exceed $500,000,000 in the aggregate.
(3) Disbursement of funds.--Grant funds awarded under the
Modernizing IT Grant Program shall be dispersed in structured
payments over a period of five years, in such increments as the
Secretary determines appropriate for the project or procurement
to be carried out using the funds.
(f) Subgrants.--Each State that receives a grant under the
Modernizing IT Grant Program shall reserve not less than 40 percent of
amounts received under such grant for the purpose of making a subgrant
to local governments to implement the local government information
technology modernization plan required under subsection (c)(1)(B).
(g) Return of Funds.--Amounts received under the Modernizing IT
Grant Program that are not expended by the date that is five years
after the date of the receipt of such funds shall be returned to the
Treasury of the United States.
(h) Administrative Costs.--The Secretary may not expend more than
$25,000,000 for administration of the Modernizing IT Grant Program.
(i) Reports.--
(1) Reports by grant recipients.--Not later than 180 days
after receiving a grant under the Modernizing IT Grant Program,
a recipient of such grant shall submit to the Secretary a
report that--
(A) describes how grant funds were obligated or
expended, including the use of funds made available as
subgrants; and
(B) demonstrates compliance by each recipient and
subgrantee with the requirements of such Program.
(2) Annual report to congress.--Not later than 1 year after
the date of the first grant awarded under the Modernizing IT
Grant Program and annually thereafter until all funds are
expended or returned to the Treasury of the United States, the
Secretary shall submit to the appropriate congressional
committees a report that--
(A) describes how grant funds were obligated or
expended, including the use of funds made available as
subgrants; and
(B) demonstrates compliance by each recipient and
subgrantee with the requirements of such Program.
(j) Authorization of Appropriations.--There is authorized to be
appropriated $25,000,000,000 for grants under the Modernizing IT Grant
Program. Amounts authorized to be appropriated pursuant to this
subsection are authorized to remain available until September 30, 2027.
SEC. 5. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following new sections:
``SEC. 2215. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.
``(a) Establishment.--The Secretary, acting through the Director,
shall establish a program to make grants to States to address
cybersecurity risks and cybersecurity threats to information systems of
State, local, Tribal, or territorial governments (referred to as the
`State and Local Cybersecurity Grant Program' in this section).
``(b) Baseline Requirements.--A grant awarded under this section
shall be used in compliance with the following:
``(1) The Cybersecurity Plan required under subsection (d)
and approved pursuant to subsection (g).
``(2) The Homeland Security Strategy to Improve the
Cybersecurity of State, Local, Tribal, and Territorial
Governments required in accordance with section 2210, when
issued.
``(c) Administration.--The State and Local Cybersecurity Grant
Program shall be administered in the same program office that
administers grants made under sections 2003 and 2004.
``(d) Eligibility.--
``(1) In general.--A State applying for a grant under the
State and Local Cybersecurity Grant Program shall submit to the
Secretary a Cybersecurity Plan for approval. Such plan shall--
``(A) incorporate, to the extent practicable, any
existing plans of such State to protect against
cybersecurity risks and cybersecurity threats to
information systems of State, local, Tribal, or
territorial governments;
``(B) describe, to the extent practicable, how such
State shall--
``(i) enhance the preparation, response,
and resiliency of information systems owned or
operated by such State or, if appropriate, by
local, Tribal, or territorial governments,
against cybersecurity risks and cybersecurity
threats;
``(ii) implement a process of continuous
cybersecurity vulnerability assessments and
threat mitigation practices prioritized by
degree of risk to address cybersecurity risks
and cybersecurity threats in information
systems of such State, local, Tribal, or
territorial governments;
``(iii) ensure that State, local, Tribal,
and territorial governments that own or operate
information systems within the State adopt best
practices and methodologies to enhance
cybersecurity, such as the practices set forth
in the cybersecurity framework developed by the
National Institute of Standards and Technology;
``(iv) promote the delivery of safe,
recognizable, and trustworthy online services
by State, local, Tribal, and territorial
governments, including through the use of the
.gov internet domain;
``(v) mitigate any identified gaps in the
State, local, Tribal, or territorial government
cybersecurity workforces, enhance recruitment
and retention efforts for such workforces, and
bolster the knowledge, skills, and abilities of
State, local, Tribal, and territorial
government personnel to address cybersecurity
risks and cybersecurity threats;
``(vi) ensure continuity of communications
and data networks within such State between
such State and local, Tribal, and territorial
governments that own or operate information
systems within such State in the event of an
incident involving such communications or data
networks within such State;
``(vii) assess and mitigate, to the
greatest degree possible, cybersecurity risks
and cybersecurity threats related to critical
infrastructure and key resources, the
degradation of which may impact the performance
of information systems within such State;
``(viii) enhance capability to share cyber
threat indicators and related information
between such State and local, Tribal, and
territorial governments that own or operate
information systems within such State; and
``(ix) develop and coordinate strategies to
address cybersecurity risks and cybersecurity
threats in consultation with--
``(I) local, Tribal, and
territorial governments within the
State; and
``(II) as applicable--
``(aa) neighboring States
or, as appropriate, members of
an information sharing and
analysis organization; and
``(bb) neighboring
countries; and
``(C) include, to the extent practicable, an
inventory of the information technology deployed on the
information systems owned or operated by such State or
by local, Tribal, or territorial governments within
such State, including legacy information technology
that is no longer supported by the manufacturer.
``(2) Discretionary elements.--The Cybersecurity Plan of a
State described in paragraph (1) may include--
``(A) cooperative programs developed by groups of
local, Tribal, and territorial governments within such
State to address cybersecurity risks and cybersecurity
threats; and
``(B) programs provided by such State to support
local, Tribal, and territorial governments and critical
infrastructure owners and operators to address
cybersecurity risks and cybersecurity threats.
``(e) Planning Committees.--
``(1) In general.--A State applying for a grant under this
section shall establish a cybersecurity planning committee to
assist in the following:
``(A) The development, implementation, and revision
of such State's Cybersecurity Plan required under
subsection (d).
``(B) The determination of effective funding
priorities for such grant in accordance with subsection
(f).
``(2) Composition.--Cybersecurity planning committees
described in paragraph (1) shall be comprised of
representatives from counties, cities, towns, and Tribes within
the State receiving a grant under this section, including, as
appropriate, representatives of rural, suburban, and
high-population jurisdictions.
``(3) Rule of construction regarding existing planning
committees.--Nothing in this subsection may be construed to
require that any State establish a cybersecurity planning
committee if such State has established and uses a
multijurisdictional planning committee or commission that meets
the requirements of this paragraph.
``(f) Use of Funds.--A State that receives a grant under this
section shall use the grant to implement such State's Cybersecurity
Plan, or to assist with activities determined by the Secretary, in
consultation with the Director, to be integral to address cybersecurity
risks and cybersecurity threats to information systems of State, local,
Tribal, or territorial governments, as the case may be.
``(g) Approval of Plans.--
``(1) Approval as condition of grant.--Before a State may
receive a grant under this section, the Secretary, acting
through the Director, shall review and approve such State's
Cybersecurity Plan required under subsection (d).
``(2) Plan requirements.--In approving a Cybersecurity Plan
under this subsection, the Director shall ensure such Plan--
``(A) meets the requirements specified in
subsection (d); and
``(B) upon issuance of the Homeland Security
Strategy to Improve the Cybersecurity of State, Local,
Tribal, and Territorial Governments authorized pursuant
to section 2210, complies, as appropriate, with the
goals and objectives of such Strategy.
``(3) Approval of revisions.--The Secretary, acting through
the Director, may approve revisions to a Cybersecurity Plan as
the Director determines appropriate.
``(4) Exception.--Notwithstanding the requirement under
subsection (d) to submit a Cybersecurity Plan as a condition of
applying for a grant under this section, such a grant may be
awarded to a State that has not so submitted a Cybersecurity
Plan to the Secretary if--
``(A) such State certifies to the Secretary that it
will submit to the Secretary a Cybersecurity Plan for
approval by September 30, 2022;
``(B) such State certifies to the Secretary that
the activities that will be supported by such grant are
integral to the development of such Cybersecurity Plan;
or
``(C) such State certifies to the Secretary, and
the Director confirms, that the activities that will be
supported by the grant will address imminent
cybersecurity risks or cybersecurity threats to the
information systems of such State or of a local,
Tribal, or territorial government in such State.
``(h) Limitations on Uses of Funds.--
``(1) In general.--A State that receives a grant under this
section may not use such grant--
``(A) to supplant State, local, Tribal, or
territorial funds;
``(B) for any recipient cost-sharing contribution;
``(C) to pay a demand for ransom in an attempt to
regain access to information or an information system
of such State or of a local, Tribal, or territorial
government in such State;
``(D) for recreational or social purposes; or
``(E) for any purpose that does not directly
address cybersecurity risks or cybersecurity threats on
an information system of such State or of a local,
Tribal, or territorial government in such State.
``(2) Penalties.--In addition to other remedies available,
the Secretary may take such actions as are necessary to ensure
that a recipient of a grant under this section is using such
grant for the purposes for which such grant was awarded.
``(i) Opportunity To Amend Applications.--In considering
applications for grants under this section, the Secretary shall provide
applicants with a reasonable opportunity to correct defects, if any, in
such applications before making final awards.
``(j) Apportionment.--For fiscal year 2020 and each fiscal year
thereafter, the Secretary shall apportion amounts appropriated to carry
out this section among States as follows:
``(1) Baseline amount.--The Secretary shall first apportion
0.25 percent of such amounts to each of American Samoa, the
Commonwealth of the Northern Mariana Islands, Guam, and the
Virgin Islands, and 0.75 percent of such amounts to each of the
remaining States.
``(2) Remainder.--The Secretary shall apportion the
remainder of such amounts in the ratio that--
``(A) the population of each State; bears to
``(B) the population of all States.
``(k) Federal Share.--The Federal share of the cost of an activity
carried out using funds made available under the program may not exceed
the following percentages:
``(1) For fiscal year 2021, 90 percent.
``(2) For fiscal year 2022, 80 percent.
``(3) For fiscal year 2023, 70 percent.
``(4) For fiscal year 2024, 60 percent.
``(5) For fiscal year 2025 and each subsequent fiscal year,
50 percent.
``(l) State Responsibilities.--
``(1) Certification.--Each State that receives a grant
under this section shall certify to the Secretary that the
grant will be used for the purpose for which the grant is
awarded and in compliance with the Cybersecurity Plan or other
purpose approved by the Secretary under subsection (g).
``(2) Availability of funds to local, tribal, and
territorial governments.--Not later than 45 days after a State
receives a grant under this section, such State shall, without
imposing unreasonable or unduly burdensome requirements as a
condition of receipt, obligate or otherwise make available to
local, Tribal, and territorial governments in such State,
consistent with the applicable Cybersecurity Plan--
``(A) not less than 80 percent of funds available
under such grant;
``(B) with the consent of such local, Tribal, and
territorial governments, items, services, capabilities,
or activities having a value of not less than 80
percent of the amount of the grant; or
``(C) with the consent of the local, Tribal, and
territorial governments, grant funds combined with
other items, services, capabilities, or activities
having the total value of not less than 80 percent of
the amount of the grant.
``(3) Certifications regarding distribution of grant funds
to local, tribal, territorial governments.--A State shall
certify to the Secretary that the State has made the
distribution to local, Tribal, and territorial governments
required under paragraph (2).
``(4) Extension of period.--A State may request in writing
that the Secretary extend the period of time specified in
paragraph (2) for an additional period of time. The Secretary
may approve such a request if the Secretary determines such
extension is necessary to ensure the obligation and expenditure
of grant funds align with the purpose of the grant program.
``(5) Exception.--Paragraph (2) shall not apply to the
District of Columbia, the Commonwealth of Puerto Rico, American
Samoa, the Commonwealth of the Northern Mariana Islands, Guam,
or the Virgin Islands.
``(6) Direct funding.--If a State does not make the
distribution to local, Tribal, or territorial governments in
such State required under paragraph (2), such a local, Tribal,
or territorial government may petition the Secretary.
``(7) Penalties.--In addition to other remedies available
to the Secretary, the Secretary may terminate or reduce the
amount of a grant awarded under this section to a State or
transfer grant funds previously awarded to such State directly
to the appropriate local, Tribal, or territorial government if
such State violates a requirement of this subsection.
``(m) Advisory Committee.--
``(1) Establishment.--The Director shall establish a State
and Local Cybersecurity Resiliency Committee to provide State,
local, Tribal, and territorial stakeholder expertise,
situational awareness, and recommendations to the Director, as
appropriate, regarding how to--
``(A) address cybersecurity risks and cybersecurity
threats to information systems of State, local, Tribal,
or territorial governments; and
``(B) improve the ability of such governments to
prevent, protect against, respond, mitigate, and
recover from cybersecurity risks and cybersecurity
threats.
``(2) Duties.--The State and Local Cybersecurity Resiliency
Committee shall--
``(A) submit to the Director recommendations that
may inform guidance for applicants for grants under
this section;
``(B) upon the request of the Director, provide to
the Director technical assistance to inform the review
of Cybersecurity Plans submitted by applicants for
grants under this section, and, as appropriate, submit
to the Director recommendations to improve such Plans
prior to the Director's determination regarding whether
to approve such Plans;
``(C) advise and provide to the Director input
regarding the Homeland Security Strategy to Improve
Cybersecurity for State, Local, Tribal, and Territorial
Governments required under section 2210; and
``(D) upon the request of the Director, provide to
the Director recommendations, as appropriate, regarding
how to--
``(i) address cybersecurity risks and
cybersecurity threats on information systems of
State, local, Tribal, or territorial
governments; and
``(ii) improve the cybersecurity resilience
of such governments.
``(3) Membership.--
``(A) Number and appointment.--The State and Local
Cybersecurity Resiliency Committee shall be composed of
15 members appointed by the Director, as follows:
``(i) Two individuals recommended to the
Director by the National Governors Association.
``(ii) Two individuals recommended to the
Director by the National Association of State
Chief Information Officers.
``(iii) One individual recommended to the
Director by the National Guard Bureau.
``(iv) Two individuals recommended to the
Director by the National Association of
Counties.
``(v) Two individuals recommended to the
Director by the National League of Cities.
``(vi) One individual recommended to the
Director by the United States Conference of
Mayors.
``(vii) One individual recommended to the
Director by the Multi-State Information Sharing
and Analysis Center.
``(viii) Four individuals who have
educational and professional experience related
to cybersecurity analysis or policy.
``(B) Terms.--Each member of the State and Local
Cybersecurity Resiliency Committee shall be appointed
for a term of two years, except that such term shall be
three years only in the case of members who are
appointed initially to the Committee upon the
establishment of the Committee. Any member appointed to
fill a vacancy occurring before the expiration of the
term for which the member's predecessor was appointed
shall be appointed only for the remainder of such term.
A member may serve after the expiration of such
member's term until a successor has taken office. A
vacancy in the Commission shall be filled in the manner
in which the original appointment was made.
``(C) Pay.--Members of the State and Local
Cybersecurity Resiliency Committee shall serve without
pay.
``(4) Chairperson; vice chairperson.--The members of the
State and Local Cybersecurity Resiliency Committee shall select
a chairperson and vice chairperson from among Committee
members.
``(5) Federal advisory committee act.--The Federal Advisory
Committee Act (5 U.S.C. App.) shall not apply to the State and
Local Cybersecurity Resilience Committee.
``(n) Reports.--
``(1) Annual reports by state grant recipients.--A State
that receives a grant under this section shall annually submit
to the Secretary a report on the progress of the State in
implementing the Cybersecurity Plan approved pursuant to
subsection (g). If the State does not have a Cybersecurity Plan
approved pursuant to subsection (g), the State shall submit to
the Secretary a report describing how grant funds were
obligated and expended to develop a Cybersecurity Plan or
improve the cybersecurity of information systems owned or
operated by State, local, Tribal, or territorial governments in
such State. The Secretary, acting through the Director, shall
make each such report publicly available, including by making
each such report available on the internet website of the
Agency, subject to any redactions the Director determines
necessary to protect classified or other sensitive information.
``(2) Annual reports to congress.--At least once each year,
the Secretary, acting through the Director, shall submit to
Congress a report on the use of grants awarded under this
section and any progress made toward the following:
``(A) Achieving the objectives set forth in the
Homeland Security Strategy to Improve the Cybersecurity
of State, Local, Tribal, and Territorial Governments,
upon the strategy's issuance under section 2210.
``(B) Developing, implementing, or revising
Cybersecurity Plans.
``(C) Reducing cybersecurity risks and
cybersecurity threats to information systems owned or
operated by State, local, Tribal, and territorial
governments as a result of the award of such grants.
``(o) Authorization of Appropriations.--There are authorized to be
appropriated for grants under this section--
``(1) for each of fiscal years 2021 through 2025,
$400,000,000; and
``(2) for each subsequent fiscal year, such sums as may be
necessary.
``(p) Definitions.--In this section:
``(1) Critical infrastructure.--The term `critical
infrastructure' has the meaning given that term in section 2.
``(2) Cyber threat indicator.--The term `cyber threat
indicator' has the meaning given such term in section 102 of
the Cybersecurity Act of 2015.
``(3) Director.--The term `Director' means the Director of
the Cybersecurity and Infrastructure Security Agency.
``(4) Incident.--The term `incident' has the meaning given
such term in section 2209.
``(5) Information sharing and analysis organization.--The
term `information sharing and analysis organization' has the
meaning given such term in section 2222.
``(6) Information system.--The term `information system'
has the meaning given such term in section 102(9) of the
Cybersecurity Act of 2015 (6 U.S.C. 1501(9)).
``(7) Key resources.--The term `key resources' has the
meaning given that term in section 2.
``(8) Online service.--The term `online service' means any
internet-facing service, including a website, email, virtual
private network, or custom application.
``(9) State.--The term `State'--
``(A) means each of the several States, the
District of Columbia, and the territories and
possessions of the United States; and
``(B) includes any federally recognized Indian
tribe that notifies the Secretary, not later than 120
days after the date of the enactment of this section or
not later than 120 days before the start of any fiscal
year in which a grant under this section is awarded,
that the tribe intends to develop a Cybersecurity Plan
and agrees to forfeit any distribution under subsection
(l)(2).
``SEC. 2216. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR STATE, LOCAL,
TRIBAL, AND TERRITORIAL GOVERNMENT OFFICIALS.
``The Secretary, acting through the Director, shall develop a
resource guide for use by State, local, Tribal, and territorial
government officials, including law enforcement officers, to help such
officials identify, prepare for, detect, protect against, respond to,
and recover from cybersecurity risks, cybersecurity threats, and
incidents (as such term is defined in section 2209).''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 is amended by inserting after the
item relating to section 2214 the following new items:
``Sec. 2215. State and Local Cybersecurity Grant Program.
``Sec. 2216. Cybersecurity resource guide development for State, local,
Tribal, and territorial government
officials.''.
SEC. 6. STRATEGY.
(a) Homeland Security Strategy To Improve the Cybersecurity of
State, Local, Tribal, and Territorial Governments.--Section 2210 of the
Homeland Security Act of 2002 (6 U.S.C. 660) is amended by adding at
the end the following new subsection:
``(e) Homeland Security Strategy To Improve the Cybersecurity of
State, Local, Tribal, and Territorial Governments.--
``(1) In general.--Not later than 270 days after the date
of the enactment of this subsection, the Secretary, acting
through the Director, shall, in coordination with appropriate
Federal departments and agencies, State, local, Tribal, and
territorial governments, the State and Local Cybersecurity
Resilience Committee (established under section 2215), and
other stakeholders, as appropriate, develop and make publicly
available a Homeland Security Strategy to Improve the
Cybersecurity of State, Local, Tribal, and Territorial
Governments that provides recommendations regarding how the
Federal Government should support and promote the ability
State, local, Tribal, and territorial governments to identify,
protect against, detect respond to, and recover from
cybersecurity risks, cybersecurity threats, and incidents (as
such term is defined in section 2209) and establishes baseline
requirements and principles to which Cybersecurity Plans under
such section shall be aligned.
``(2) Contents.--The Homeland Security Strategy to Improve
the Cybersecurity of State, Local, Tribal, and Territorial
Governments required under paragraph (1) shall--
``(A) identify capability gaps in the ability of
State, local, Tribal, and territorial governments to
identify, protect against, detect, respond to, and
recover from cybersecurity risks, cybersecurity
threats, and incidents;
``(B) identify Federal resources and capabilities
that are available or could be made available to State,
local, Tribal, and territorial governments to help such
governments identify, protect against, detect, respond
to, and recover from cybersecurity risks, cybersecurity
threats, and incidents;
``(C) identify and assess the limitations of
Federal resources and capabilities available to State,
local, Tribal, and territorial governments to help such
governments identify, protect against, detect, respond
to, and recover from cybersecurity risks, cybersecurity
threats, and incidents, and make recommendations to
address such limitations;
``(D) identify opportunities to improve the
Agency's coordination with Federal and non-Federal
entities, such as the Multi-State Information Sharing
and Analysis Center, to improve incident exercises,
information sharing and incident notification
procedures, the ability for State, local, Tribal, and
territorial governments to voluntarily adapt and
implement guidance in Federal binding operational
directives, and opportunities to leverage Federal
schedules for cybersecurity investments under section
502 of title 40, United States Code;
``(E) recommend new initiatives the Federal
Government should undertake to improve the ability of
State, local, Tribal, and territorial governments to
help such governments identify, protect against,
detect, respond to, and recover from cybersecurity
risks, cybersecurity threats, and incidents;
``(F) set short-term and long-term goals that will
improve the ability of State, local, Tribal, and
territorial governments to help such governments
identify, protect against, detect, respond to, and
recover from cybersecurity risks, cybersecurity
threats, and incidents; and
``(G) set dates, including interim benchmarks, as
appropriate for State, local, Tribal, territorial
governments to establish baseline capabilities to
identify, protect against, detect, respond to, and
recover from cybersecurity risks, cybersecurity
threats, and incidents.
``(3) Considerations.--In developing the Homeland Security
Strategy to Improve the Cybersecurity of State, Local, Tribal,
and Territorial Governments required under paragraph (1), the
Director, in coordination with appropriate Federal departments
and agencies, State, local, Tribal, and territorial
governments, the State and Local Cybersecurity Resilience
Committee, and other stakeholders, as appropriate, shall
consider--
``(A) lessons learned from incidents that have
affected State, local, Tribal, and territorial
governments, and exercises with Federal and non-Federal
entities;
``(B) the impact of incidents that have affected
State, local, Tribal, and territorial governments,
including the resulting costs to such governments;
``(C) the information related to the interest and
ability of state and non-state threat actors to
compromise information systems owned or operated by
State, local, Tribal, and territorial governments;
``(D) emerging cybersecurity risks and
cybersecurity threats to State, local, Tribal, and
territorial governments resulting from the deployment
of new technologies; and
``(E) recommendations made by the State and Local
Cybersecurity Resilience Committee.''.
(b) Responsibilities of the Director of the Cybersecurity and
Infrastructure Security Agency.--Subsection (c) of section 2202 of the
Homeland Security Act of 2002 (6 U.S.C. 652) is amended--
(1) by redesignating paragraphs (6) through (11) as
paragraphs (11) through (16), respectively; and
(2) by inserting after paragraph (5) the following new
paragraphs:
``(6) develop program guidance, in consultation with the
State and Local Government Cybersecurity Resiliency Committee
established under section 2215, for the State and Local
Cybersecurity Grant Program under such section or any other
homeland security assistance administered by the Department to
improve cybersecurity;
``(7) review, in consultation with the State and Local
Cybersecurity Resiliency Committee, all cybersecurity plans of
State, local, Tribal, and territorial governments developed
pursuant to any homeland security assistance administered by
the Department to improve cybersecurity;
``(8) provide expertise and technical assistance to State,
local, Tribal, and territorial government officials with
respect to cybersecurity;
``(9) provide education, training, and capacity development
to enhance the security and resilience of cybersecurity and
infrastructure security;
``(10) provide information to State, local, Tribal, and
territorial governments on the security benefits of .gov domain
name registration services;''.
(c) Feasibility Study.--Not later than 180 days after the date of
the enactment of this Act, the Director shall conduct a study to assess
the feasibility of implementing a short-term rotational program for the
detail of approved State, local, Tribal, and territorial government
employees in cyber workforce positions to the Agency.
<all>
Introduced in House
Referred to the Committee on Homeland Security, and in addition to the Committees on Oversight and Reform, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.
Referred to the Subcommittee on Emergency Preparedness, Response, and Recovery.