HR 3138 Amended in Committee - State and Local Cybersecurity Improvement Act
Earlier this month the House Homeland Security Committee held a markup hearing that considered seven bills, including four cybersecurity related bills. One of those cyber bills was HR 3138, the State and Local Cybersecurity Improvement Act. Substitute language was adopted for the bill and it was ordered favorably reported, both by unanimous consent.
Changes to the bill made in the substitute language reflect a higher concern about ransomware incidents at State and local levels and some subtle differences in the way the bill treats Indian organizations.
New Definitions
The adopted language contains three new definitions in the new §2220A(a). The three new definitions are for the terms:
Cyberthreat indicator (refers to 6 USC 1501),
Indian tribe or tribal organization (refers to 25 USC 5304(e)), and
Ransomware incident.
It is interesting to see the ‘definition’ of ‘Indian tribe’ and ‘tribal organization’ being combined in a single entry in §2220A(a). Section 5304 defines both separately, with the term ‘tribal organization’ describing a much larger universe of potential organizations. From the usage of the terms in the revised language, the crafters expect to equate ‘tribal organizations’ with local governments under State direction.
‘Ransomware incident’ is defined as “an incident that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system for the purpose of coercing the information system’s owner, operator, or another person” {new §2220A(a)(9)}.
Grant Program Changes
There was only one change made in the language of subsections (b), (c), and (d), the subsections that deal directly with the State and Local Cybersecurity Grant Program. That change was made in subsection (c), discussing the baseline requirements for using the grant funds. First, the two existing paragraphs in the original version of subsection (c) were combined as separate sub-paragraphs under paragraph (1), and then a new paragraph (2) was added:
‘‘(2) activities carried out under paragraphs (3), (4), and (5) of subsection (h).”
Unfortunately, there are no such paragraphs found in either the new or old versions of subsection (h).
Cybersecurity Plan Changes
There are a number of minor changes to the wording in the ‘Required elements’ paragraph of subsection (e). The first is the addition of the phrase ‘, applications, and user accounts’ in most places where there is a reference to ‘information systems’. Additionally, wherever the phrase ‘Tribal government’ should be referring to a subordinate organization, the crafters have substituted the more appropriate ‘Tribal organization’.
Next, sub-paragraph (2)(B)(v) is rewritten. The ending phrase ‘adopting best practices’ becomes a separate clause (I) and a new clause (II) is added:
‘‘(II) utilize knowledge bases of adversary tools and tactics to assess risk;”
Then sub-paragraph (2)(B)(vii) was modified by adding, after the words ‘cybersecurity incident’, the parenthetical phrase ‘(including a ransomware incident)’. Then subsection (x)(i) was amended by adding the phrase “including by expanding existing information sharing agreements with the Department” at the end. Finally, a new clause (xv) was added:
‘‘(xv) implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives;”
Multi-State Grant Changes
The only change that was made to subsection (f) is found in sub-paragraph (2)(B), governing the application process for multi-state grants. The old sub-paragraph heading of “Joint Cybersecurity Plan” is replaced with “Multistate Project Description”. The verbiage in the rest of the sub-paragraph and its clauses remains the same.
Planning Committee Changes
There are two minor changes made to subsection (g). The first slightly expands the potential sources of Planning Committee members in (g)(2)(A) by adding the phrase: “and public educational and health institutions” to sub-paragraph (A). The second change clarifies the use of existing organizations to satisfy the Planning Committee requirement by adding the phrase: “or may be leveraged to meet” the requirements of subsection (g).
Limitation on Use of Funds Changes
There are two changes, one major and the other relatively minor, to subsection (j) limiting the use of funds from the State and Local Cybersecurity Grant Program. The major change deals with the limitation on the use of the funds for paying ransoms. The old language of (j)(1)(C) simply prohibited using grant funds to pay “a demand for ransom in an attempt to regain access to information or an information system.” The revised language makes that ‘regain access…’ phrase clause (i) and adds a second clause:
‘‘(ii) prevent the disclosure of information that has been removed without authorization from an information system of the eligible entity or of a local or Tribal organization within the jurisdiction of the eligible entity;”
The second change clarifies in a new paragraph (j)(3) that nothing in (j)(1) prohibits funds being used for a project that “has previously used State, local, or Tribal funds to support the same or similar uses.”
Moving Forward
Technically, this bill will not be able to move to the full House for consideration until the Committee report is published. The reality of the situation is that while Committee reports frequently take months to publish, Committee Chair Thompson (D,MS) could report the bill without a written report on the first day the House returns to Washington, currently scheduled to be on June 14th. I do not think the bill will be considered quite that quickly, but it will probably be considered before the summer recess.
This bill will almost certainly be considered under the House suspension of the rules process. That process limits debate, prohibits floor amendments, and requires a supermajority for passage. The unanimous consent approval in Committee means that the bill should receive widespread bipartisan support on the floor of the House.
This bill could be considered in the Senate under their unanimous consent process. There should not be any specific opposition to this bill, even with the $500 million authorization for the grant program. Supporting State and local government cybersecurity efforts is good politics this year. Even so, an opportunistic Senator could use the broad support for this bill as leverage to get a vote on a pet bill or resolution that would not normally make it to the floor. That ‘bargaining chip’ tactic has killed many bills that would have made it to the President’s desk were it not for the action of a single Senator.
Commentary
The language changes that were approved by the Homeland Security Committee will have little or no effect on the success of the cybersecurity grant program proposed in this bill. The FEMA Administrator’s approval of grants under this program will have a much more substantial impact than these minor editorial corrections. And of course, the greatest impact will come from the folks at the State and Tribal government level, and it will depend on how they parcel out the funds. The grand annual sum of $500 million sounds like a lot of cybersecurity spending, but there are a lot of problems out there that will take more than simply throwing money at them.