[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 2665 Introduced in Senate (IS)]

<DOC>






114th CONGRESS
  2d Session
                                S. 2665

 To amend the Homeland Security Act of 2002 to require State and local 
   coordination on cybersecurity with the national cybersecurity and 
       communications integration center, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 10, 2016

Mr. Peters (for himself and Mr. Perdue) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
 To amend the Homeland Security Act of 2002 to require State and local 
   coordination on cybersecurity with the national cybersecurity and 
       communications integration center, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``State and Local Cyber Protection Act 
of 2016''.

SEC. 2. STATE AND LOCAL COORDINATION ON CYBERSECURITY WITH THE NATIONAL 
              CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.

    (a) In General.--Section 227 of the Homeland Security Act of 2002 
(6 U.S.C. 148) is amended by adding at the end the following:
    ``(m) State and Local Coordination on Cybersecurity.--
            ``(1) In general.--The Center shall, to the extent 
        practicable--
                    ``(A) assist State and local governments, upon 
                request, in identifying information system 
                vulnerabilities;
                    ``(B) assist State and local governments, upon 
                request, in identifying information security 
                protections commensurate with cybersecurity risks and 
                the magnitude of the potential harm resulting from the 
                unauthorized access, use, disclosure, disruption, 
                modification, or destruction of--
                            ``(i) information collected or maintained 
                        by or on behalf of a State or local government; 
                        or
                            ``(ii) information systems used or operated 
                        by an agency or by a contractor of a State or 
                        local government or other organization on 
                        behalf of a State or local government;
                    ``(C) in consultation with State and local 
                governments, provide and periodically update via a web 
                portal tools, products, resources, policies, 
                guidelines, and procedures related to information 
                security;
                    ``(D) work with senior State and local government 
                officials, including State and local Chief Information 
                Officers, through national associations to coordinate a 
                nationwide effort to ensure effective implementation of 
                tools, products, resources, policies, guidelines, and 
                procedures related to information security to secure 
                and ensure the resiliency of State and local 
                information systems;
                    ``(E) provide, upon request, operational and 
                technical cybersecurity training to State and local 
                government and fusion center analysts and operators to 
                address cybersecurity risks or incidents;
                    ``(F) provide, in coordination with the Chief 
                Privacy Officer and the Chief Civil Rights and Civil 
                Liberties Officer of the Department, privacy and civil 
                liberties training to State and local governments 
                related to cybersecurity;
                    ``(G) provide, upon request, operational and 
                technical assistance to State and local governments to 
                implement tools, products, resources, policies, 
                guidelines, and procedures on information security by--
                            ``(i) deploying technology to assist such 
                        State or local government to continuously 
                        diagnose and mitigate against cyber threats and 
                        vulnerabilities, with or without reimbursement;
                            ``(ii) compiling and analyzing data on 
                        State and local information security; and
                            ``(iii) developing and conducting targeted 
                        operational evaluations, including threat and 
                        vulnerability assessments, on the information 
                        systems of State and local governments;
                    ``(H) assist State and local governments to develop 
                policies and procedures for coordinating vulnerability 
                disclosures, to the extent practicable, consistent with 
                international and national standards in the information 
                technology industry, including standards developed by 
                the National Institute of Standards and Technology; and
                    ``(I) ensure that State and local governments, as 
                appropriate, are made aware of the tools, products, 
                resources, policies, guidelines, and procedures on 
                information security developed by the Department and 
                other appropriate Federal departments and agencies for 
                ensuring the security and resiliency of Federal 
                civilian information systems.
            ``(2) Training.--Privacy and civil liberties training 
        provided pursuant to subparagraph (F) of paragraph (1) shall 
        include processes, methods, and information that--
                    ``(A) are consistent with the Department's Fair 
                Information Practice Principles developed pursuant to 
                section 552a of title 5, United States Code (commonly 
                referred to as the `Privacy Act of 1974' or the 
                `Privacy Act');
                    ``(B) reasonably limit, to the greatest extent 
                practicable, the receipt, retention, use, and 
                disclosure of information related to cybersecurity 
                risks and incidents associated with specific persons 
                that is not necessary, for cybersecurity purposes, to 
                protect an information system or network of information 
                systems from cybersecurity risks or to mitigate 
                cybersecurity risks and incidents in a timely manner;
                    ``(C) minimize any impact on privacy and civil 
                liberties;
                    ``(D) provide data integrity through the prompt 
                removal and destruction of obsolete or erroneous names 
                and personal information that is unrelated to the 
                cybersecurity risk or incident information shared and 
                retained by the Center in accordance with this section;
                    ``(E) include requirements to safeguard cyber 
                threat indicators and defensive measures retained by 
                the Center, including information that is proprietary 
                or business-sensitive that may be used to identify 
                specific persons from unauthorized access or 
                acquisition;
                    ``(F) protect the confidentiality of cyber threat 
                indicators and defensive measures associated with 
                specific persons to the greatest extent practicable; 
                and
                    ``(G) ensure all relevant constitutional, legal, 
                and privacy protections are observed, including that 
                information obtained from efforts to address 
                cybersecurity risks and incidents is used only for such 
                purposes, or as specifically authorized by law.''.
    (b) Congressional Oversight.--Not later than 2 years after the date 
of enactment of this Act, the national cybersecurity and communications 
integration center of the Department of Homeland Security shall provide 
to the Committee on Homeland Security of the House of Representatives 
and the Committee on Homeland Security and Governmental Affairs of the 
Senate information on the activities and effectiveness of such 
activities under subsection (m) of section 227 of the Homeland Security 
Act of 2002 (6 U.S.C. 148), as added by subsection (a) of this section, 
on State and local information security. The center shall seek feedback 
from State and local governments regarding the effectiveness of such 
activities and include such feedback in the information required to be 
provided under this subsection.
                                 <all>