HR 3138 Introduced - State and Local Cybersecurity Improvement Act
Last week Rep Clarke (D,NY) introduced HR 3138, the State and Local Cybersecurity Improvement Act. The bill amends the Homeland Security Act by adding a new §2220A, State and Local Cybersecurity Grant Program. It would require DHS to establish the “State and Local Cybersecurity Grant Program” to be administered by FEMA. The bill would authorize $500 million per year through 2026 for the grant program.
Definitions
Subsection (a) establishes the critical definitions used in the bill. The following terms are defined by reference to an existing definition:
• ‘Cyber threat indicator’ – 6 USC 1501(6)
• ‘Incident’ – 6 USC 659(a)(3)
• ‘Information sharing and analysis organization’ – 6 USC 671(5)
• ‘Information system’ – 6 USC 1501(9)
Three definitions refer to subsections within the new §2220A. Two terms were specifically defined in this subsection:
• ‘Eligible entity’ – Defined as a State or federally recognized Indian Tribe; an Indian Tribe would have to notify DHS that it intended to develop a Cybersecurity Plan and agree to forfeit any distribution under subsection (n)(2).
• ‘State’ - Defined as each of the several States, the District of Columbia, and the territories and possessions of the United States.
Grant Program
The State and Local Cybersecurity Grant Program is established in §2220A(b). The grant program will be administered by the Federal Emergency Management Agency. Generally, an eligible entity will have to submit a cybersecurity plan to DHS for approval as part of the application process, and the grants awarded would have to be used in compliance with that plan as well as the Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments described in §3 of this bill.
Cybersecurity Plan
The Cybersecurity Plan submitted in the application process will describe how the applicant will {§2220A(e)(2)(B)}:
• Manage, monitor, and track information systems owned or operated by the eligible entity or by local or Tribal governments within the jurisdiction of the eligible entity and the information technology deployed on those information systems,
• Monitor activity between information systems owned or operated by the eligible entity or by local or Tribal governments within the jurisdiction of the eligible entity and between those information systems and information systems of other entities,
• Enhance the preparation, response, and resiliency of information systems owned or operated by the eligible entity or local or Tribal governments against cybersecurity risks and cybersecurity threats,
• Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats,
• Ensure that State, local, and Tribal governments that own or operate information systems that are located within the jurisdiction of the eligible entity adopt best practices and methodologies to enhance cybersecurity,
• Promote the delivery of safe, recognizable, and trustworthy online services by State, local, and Tribal governments, including through the use of the .gov internet domain,
• Ensure continuity of operations of the eligible entity and local, and Tribal governments in the event of a cybersecurity incident, including by conducting exercises to practice responding to an incident,
• Use the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework developed by the National Institute of Standards and Technology to identify and mitigate any gaps in the cybersecurity workforces of State, local, or Tribal governments, and bolster the knowledge, skills, and abilities of State, local, and Tribal government personnel to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training,
• Ensure continuity of communications and data networks within the jurisdiction of the eligible entity between the eligible entity and local and Tribal governments that own or operate information systems within the jurisdiction of the eligible entity in the event of an incident involving such communications or data networks within the jurisdiction of the eligible entity,
• Assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats related to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the eligible entity,
• Enhance capabilities to share cyber threat indicators and related information between the eligible entity and local and Tribal governments that own or operate information systems within the jurisdiction of the eligible entity,
• Enhance the capability of the eligible entity to share cyber threat indicators and related information with DHS, and
• Leverage cybersecurity services offered by DHS.
Multi-State Grants
Subsection (f) makes provisions for multistate grants. In addition to each component State submitting a Cybersecurity Plan, a joint cybersecurity plan will have to be submitted as part of the application process. That plan will address {§2220A(f)(3)(B)}:
• The division of responsibilities among the eligible entities that comprise the multistate group for administering the grant for which application is being made,
• The distribution of funding from such a grant among the eligible entities that comprise the multistate group, and
• How the eligible entities that comprise the multistate group will work together to implement the Cybersecurity Plan of each of those eligible entities.
Cybersecurity Planning Committee
Each applicant will also be required to have established a cybersecurity planning committee that will {§2220A(g)(1)}:
• Assist in the development, implementation, and revision of the Cybersecurity Plan of the eligible entity,
• Approve the Cybersecurity Plan of the eligible entity, and
• Assist in the determination of effective funding priorities for a grant under this section.
Grant Use
Grant funds provided under the State and Local Cybersecurity Grant Program will be used to {§2220A(h)}:
• Implement the Cybersecurity Plan of the eligible entity,
• Develop or revise the Cybersecurity Plan of the eligible entity; or
• Assist with activities that address imminent cybersecurity risks or cybersecurity threats to the information systems of the eligible entity or a local or Tribal government within the jurisdiction of the eligible entity.
Grant funds may not be used {§2220A(j)}:
• To supplant State, local, or Tribal funds,
• For any recipient cost-sharing contribution,
• To pay a demand for ransom in an attempt to regain access to information or an information system of the eligible entity or of a local or Tribal government within the jurisdiction of the eligible entity,
• For recreational or social purposes, or
• For any purpose that does not address cybersecurity risks or cybersecurity threats on information systems of the eligible entity or of a local or Tribal government within the jurisdiction of the eligible entity.
Advisory Committee
The bill would require CISA to establish a State and Local Cybersecurity Resiliency Committee to provide State, local, and Tribal stakeholder expertise, situational awareness, and recommendations to the Director on how to {§2220A(o)(1)}:
• Address cybersecurity risks and cybersecurity threats to information systems of State, local, or Tribal governments, and
• Improve the ability of State, local, and Tribal governments to prevent, protect against, respond to, mitigate, and recover from such cybersecurity risks and cybersecurity threats.
The fifteen members of the Committee, who would serve two-year terms, would include {§2220A(o)(3)(A)}:
• Two individuals recommended to the Director by the National Governors Association.
• Two individuals recommended to the Director by the National Association of State Chief Information Officers.
• One individual recommended to the Director by the National Guard Bureau.
• Two individuals recommended to the Director by the National Association of Counties.
• One individual recommended to the Director by the National League of Cities.
• One individual recommended to the Director by the United States Conference of Mayors.
• One individual recommended to the Director by the Multi-State Information Sharing and Analysis Center.
• One individual recommended to the Director by the National Congress of American Indians.
• Four individuals who have educational and professional experience relating to cybersecurity work or cybersecurity policy.
Cybersecurity Resource Guide
The bill would also add §2220B, Cybersecurity Resource Guide Development for State, Local, Tribal, And Territorial Government Officials. CISA would be required to produce and maintain a Cybersecurity Resource Guide to help State, local, Tribal, and territorial government officials, including law enforcement officers, to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.
Section 3 of the bill would amend 6 USC 660, Cybersecurity Plans, by adding a new subsection (e). That subsection would require CISA to develop and make publicly available a Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments. In addition to providing recommendations on the ways in which the Federal Government should support and promote the cybersecurity efforts of State, local, Tribal, and territorial governments, the strategy would establish baseline requirements for cybersecurity plans under §660.
The strategy will {§660(e)(2)}:
• Identify capability gaps in the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents,
• Identify Federal resources and capabilities that are available or could be made available to help those governments identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents,
• Identify and assess the limitations of Federal resources and capabilities available to help those governments identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents, and make recommendations to address such limitations,
• Identify opportunities to improve the coordination of the Agency with Federal and non-Federal entities, such as the Multi-State Information Sharing and Analysis Center,
• Recommend new initiatives the Federal Government should undertake to improve the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents,
• Set short-term and long-term goals that will improve the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents, and
• Set dates, including interim benchmarks, as appropriate for State, local, Tribal, and territorial governments to establish baseline capabilities to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.
CISA Director Duties
Section 3(b) would amend 6 USC 652(c), Responsibilities, by inserting four new paragraphs adding additional responsibilities for the Director of CISA {§3(b)(2)}:
“(6) develop program guidance, in consultation with the State and Local Government Cybersecurity Resiliency Committee established under section 2220A, for the State and Local Cybersecurity Grant Program under such section or any other homeland security assistance administered by the Department to improve cybersecurity;
“(7) review, in consultation with the State and Local Cybersecurity Resiliency Committee, all cybersecurity plans of State, local, Tribal, and territorial governments developed pursuant to any homeland security assistance administered by the Department to improve cybersecurity;
“(8) provide expertise and technical assistance to State, local, Tribal, and territorial government officials with respect to cybersecurity;
“(9) provide education, training, and capacity development to enhance the security and resilience of cybersecurity and infrastructure security;”.
Additionally, CISA would be required to conduct a study “to assess the feasibility of implementing a short-term rotational program for the detail to the Agency of approved State, local, Tribal, and territorial government employees in cyber workforce positions.”
Technical Corrections
Finally, §4 of the bill would make the same technical corrections to the section numbering in the Homeland Security Act of 2002 that I described in a blog post yesterday. Proposing the same corrections in multiple proposed pieces of legislation makes it more likely that Congress will not have to address these changes in a stand-alone piece of legislation.