[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5823 Reported in House (RH)]

<DOC>





                                                 Union Calendar No. 384
116th CONGRESS
  2d Session
                                H. R. 5823

                          [Report No. 116-478]

      To establish a program to make grants to States to address 
cybersecurity risks and cybersecurity threats to information systems of 
    State, local, Tribal, or territorial governments, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           February 10, 2020

   Mr. Richmond (for himself, Mr. Katko, Mr. Kilmer, Mr. McCaul, Mr. 
Ruppersberger, Mr. Thompson of Mississippi, Mr. Rogers of Alabama, Ms. 
  Slotkin, Mr. Rose of New York, Mr. Payne, Mrs. Watson Coleman, Mr. 
  Langevin, Mr. Cleaver, Ms. Underwood, and Ms. Titus) introduced the 
    following bill; which was referred to the Committee on Homeland 
                                Security

                            August 18, 2020

Additional sponsors: Ms. Eshoo, Ms. Sewell of Alabama, and Ms. Jackson 
                                  Lee

                            August 18, 2020

  Reported with an amendment; committed to the Committee of the Whole 
       House on the State of the Union and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
    [For text of introduced bill, see copy of bill as introduced on 
                           February 10, 2020]


_______________________________________________________________________

                                 A BILL


 
      To establish a program to make grants to States to address 
cybersecurity risks and cybersecurity threats to information systems of 
    State, local, Tribal, or territorial governments, and for other 
                               purposes.


 


    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``State and Local Cybersecurity 
Improvement Act''.

SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following new sections:

``SEC. 2215. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

    ``(a) Establishment.--The Secretary, acting through the Director, 
shall establish a program to make grants to States to address 
cybersecurity risks and cybersecurity threats to information systems of 
State, local, Tribal, or territorial governments (referred to as the 
`State and Local Cybersecurity Grant Program' in this section).
    ``(b) Baseline Requirements.--A grant awarded under this section 
shall be used in compliance with the following:
            ``(1) The Cybersecurity Plan required under subsection (d) 
        and approved pursuant to subsection (g).
            ``(2) The Homeland Security Strategy to Improve the 
        Cybersecurity of State, Local, Tribal, and Territorial 
        Governments required in accordance with section 2210, when 
        issued.
    ``(c) Administration.--The State and Local Cybersecurity Grant 
Program shall be administered in the same program office that 
administers grants made under sections 2003 and 2004.
    ``(d) Eligibility.--
            ``(1) In general.--A State applying for a grant under the 
        State and Local Cybersecurity Grant Program shall submit to the 
        Secretary a Cybersecurity Plan for approval. Such plan shall--
                    ``(A) incorporate, to the extent practicable, any 
                existing plans of such State to protect against 
                cybersecurity risks and cybersecurity threats to 
                information systems of State, local, Tribal, or 
                territorial governments;
                    ``(B) describe, to the extent practicable, how such 
                State shall--
                            ``(i) enhance the preparation, response, 
                        and resiliency of information systems owned or 
                        operated by such State or, if appropriate, by 
                        local, Tribal, or territorial governments, 
                        against cybersecurity risks and cybersecurity 
                        threats;
                            ``(ii) implement a process of continuous 
                        cybersecurity vulnerability assessments and 
                        threat mitigation practices prioritized by 
                        degree of risk to address cybersecurity risks 
                        and cybersecurity threats in information 
                        systems of such State, local, Tribal, or 
                        territorial governments;
                            ``(iii) ensure that State, local, Tribal, 
                        and territorial governments that own or operate 
                        information systems within the State adopt best 
                        practices and methodologies to enhance 
                        cybersecurity, such as the practices set forth 
                        in the cybersecurity framework developed by the 
                        National Institute of Standards and Technology;
                            ``(iv) promote the delivery of safe, 
                        recognizable, and trustworthy online services 
                        by State, local, Tribal, and territorial 
                        governments, including through the use of the 
                        .gov internet domain;
                            ``(v) mitigate any identified gaps in the 
                        State, local, Tribal, or territorial government 
                        cybersecurity workforces, enhance recruitment 
                        and retention efforts for such workforces, and 
                        bolster the knowledge, skills, and abilities of 
                        State, local, Tribal, and territorial 
                        government personnel to address cybersecurity 
                        risks and cybersecurity threats;
                            ``(vi) ensure continuity of communications 
                        and data networks within such State between 
                        such State and local, Tribal, and territorial 
                        governments that own or operate information 
                        systems within such State in the event of an 
                        incident involving such communications or data 
                        networks within such State;
                            ``(vii) assess and mitigate, to the 
                        greatest degree possible, cybersecurity risks 
                        and cybersecurity threats related to critical 
                        infrastructure and key resources, the 
                        degradation of which may impact the performance 
                        of information systems within such State;
                            ``(viii) enhance capability to share cyber 
                        threat indicators and related information 
                        between such State and local, Tribal, and 
                        territorial governments that own or operate 
                        information systems within such State; and
                            ``(ix) develop and coordinate strategies to 
                        address cybersecurity risks and cybersecurity 
                        threats in consultation with--
                                    ``(I) local, Tribal, and 
                                territorial governments within the 
                                State; and
                                    ``(II) as applicable--
                                            ``(aa) neighboring States 
                                        or, as appropriate, members of 
                                        an information sharing and 
                                        analysis organization; and
                                            ``(bb) neighboring 
                                        countries; and
                    ``(C) include, to the extent practicable, an 
                inventory of the information technology deployed on the 
                information systems owned or operated by such State or 
                by local, Tribal, or territorial governments within 
                such State, including legacy information technology 
                that is no longer supported by the manufacturer.
    ``(e) Planning Committees.--
            ``(1) In general.--A State applying for a grant under this 
        section shall establish a cybersecurity planning committee to 
        assist in the following:
                    ``(A) The development, implementation, and revision 
                of such State's Cybersecurity Plan required under 
                subsection (d).
                    ``(B) The determination of effective funding 
                priorities for such grant in accordance with subsection 
                (f).
            ``(2) Composition.--Cybersecurity planning committees 
        described in paragraph (1) shall be comprised of 
        representatives from counties, cities, towns, and Tribes within 
        the State receiving a grant under this section, including, as 
        appropriate, representatives of rural, suburban, and high-
        population jurisdictions.
            ``(3) Rule of construction regarding existing planning 
        committees.--Nothing in this subsection may be construed to 
        require that any State establish a cybersecurity planning 
        committee if such State has established and uses a 
        multijurisdictional planning committee or commission that meets 
        the requirements of this paragraph.
    ``(f) Use of Funds.--A State that receives a grant under this 
section shall use the grant to implement such State's Cybersecurity 
Plan, or to assist with activities determined by the Secretary, in 
consultation with the Director, to be integral to address cybersecurity 
risks and cybersecurity threats to information systems of State, local, 
Tribal, or territorial governments, as the case may be.
    ``(g) Approval of Plans.--
            ``(1) Approval as condition of grant.--Before a State may 
        receive a grant under this section, the Secretary, acting 
        through the Director, shall review and approve such State's 
        Cybersecurity Plan required under subsection (d).
            ``(2) Plan requirements.--In approving a Cybersecurity Plan 
        under this subsection, the Director shall ensure such Plan--
                    ``(A) meets the requirements specified in 
                subsection (d); and
                    ``(B) upon issuance of the Homeland Security 
                Strategy to Improve the Cybersecurity of State, Local, 
                Tribal, and Territorial Governments authorized pursuant 
                to section 2210, complies, as appropriate, with the 
                goals and objectives of such Strategy.
            ``(3) Approval of revisions.--The Secretary, acting through 
        the Director, may approve revisions to a Cybersecurity Plan as 
        the Director determines appropriate.
            ``(4) Exception.--Notwithstanding the requirement under 
        subsection (d) to submit a Cybersecurity Plan as a condition of 
        apply for a grant under this section, such a grant may be 
        awarded to a State that has not so submitted a Cybersecurity 
        Plan to the Secretary if--
                    ``(A) such State certifies to the Secretary that it 
                will submit to the Secretary a Cybersecurity Plan for 
                approval by September 30, 2022;
                    ``(B) such State certifies to the Secretary that 
                the activities that will be supported by such grant are 
                integral to the development of such Cybersecurity Plan; 
                or
                    ``(C) such State certifies to the Secretary, and 
                the Director confirms, that the activities that will be 
                supported by the grant will address imminent 
                cybersecurity risks or cybersecurity threats to the 
                information systems of such State or of a local, 
                Tribal, or territorial government in such State.
    ``(h) Limitations on Uses of Funds.--
            ``(1) In general.--A State that receives a grant under this 
        section may not use such grant--
                    ``(A) to supplant State, local, Tribal, or 
                territorial funds;
                    ``(B) for any recipient cost-sharing contribution;
                    ``(C) to pay a demand for ransom in an attempt to 
                regain access to information or an information system 
                of such State or of a local, Tribal, or territorial 
                government in such State;
                    ``(D) for recreational or social purposes; or
                    ``(E) for any purpose that does not directly 
                address cybersecurity risks or cybersecurity threats on 
                an information systems of such State or of a local, 
                Tribal, or territorial government in such State.
            ``(2) Penalties.--In addition to other remedies available, 
        the Secretary may take such actions as are necessary to ensure 
        that a recipient of a grant under this section is using such 
        grant for the purposes for which such grant was awarded.
    ``(i) Opportunity To Amend Applications.--In considering 
applications for grants under this section, the Secretary shall provide 
applicants with a reasonable opportunity to correct defects, if any, in 
such applications before making final awards.
    ``(j) Apportionment.--For fiscal year 2020 and each fiscal year 
thereafter, the Secretary shall apportion amounts appropriated to carry 
out this section among States as follows:
            ``(1) Baseline amount.--The Secretary shall first apportion 
        0.25 percent of such amounts to each of American Samoa, the 
        Commonwealth of the Northern Mariana Islands, Guam, and the 
        Virgin Islands, and 0.75 percent of such amounts to each of the 
        remaining States.
            ``(2) Remainder.--The Secretary shall apportion the 
        remainder of such amounts in the ratio that--
                    ``(A) the population of each State; bears to
                    ``(B) the population of all States.
    ``(k) Federal Share.--The Federal share of the cost of an activity 
carried out using funds made available under the program may not exceed 
the following percentages:
            ``(1) For fiscal year 2021, 90 percent.
            ``(2) For fiscal year 2022, 80 percent.
            ``(3) For fiscal year 2023, 70 percent.
            ``(4) For fiscal year 2024, 60 percent.
            ``(5) For fiscal year 2025 and each subsequent fiscal year, 
        50 percent.
    ``(l) State Responsibilities.--
            ``(1) Certification.--Each State that receives a grant 
        under this section shall certify to the Secretary that the 
        grant will be used for the purpose for which the grant is 
        awarded and in compliance with the Cybersecurity Plan or other 
        purpose approved by the Secretary under subsection (g).
            ``(2) Availability of funds to local, tribal, and 
        territorial governments.--Not later than 45 days after a State 
        receives a grant under this section, such State shall, without 
        imposing unreasonable or unduly burdensome requirements as a 
        condition of receipt, obligate or otherwise make available to 
        local, Tribal, and territorial governments in such State, 
        consistent with the applicable Cybersecurity Plan--
                    ``(A) not less than 80 percent of funds available 
                under such grant;
                    ``(B) with the consent of such local, Tribal, and 
                territorial governments, items, services, capabilities, 
                or activities having a value of not less than 80 
                percent of the amount of the grant; or
                    ``(C) with the consent of the local, Tribal, and 
                territorial governments, grant funds combined with 
                other items, services, capabilities, or activities 
                having the total value of not less than 80 percent of 
                the amount of the grant.
            ``(3) Certifications regarding distribution of grant funds 
        to local, tribal, territorial governments.--A State shall 
        certify to the Secretary that the State has made the 
        distribution to local, Tribal, and territorial governments 
        required under paragraph (2).
            ``(4) Extension of period.--A State may request in writing 
        that the Secretary extend the period of time specified in 
        paragraph (2) for an additional period of time. The Secretary 
        may approve such a request if the Secretary determines such 
        extension is necessary to ensure the obligation and expenditure 
        of grant funds align with the purpose of the grant program.
            ``(5) Exception.--Paragraph (2) shall not apply to the 
        District of Columbia, the Commonwealth of Puerto Rico, American 
        Samoa, the Commonwealth of the Northern Mariana Islands, Guam, 
        or the Virgin Islands.
            ``(6) Direct funding.--If a State does not make the 
        distribution to local, Tribal, or territorial governments in 
        such State required under paragraph (2), such a local, Tribal, 
        or territorial government may petition the Secretary.
            ``(7) Penalties.--In addition to other remedies available 
        to the Secretary, the Secretary may terminate or reduce the 
        amount of a grant awarded under this section to a State or 
        transfer grant funds previously awarded to such State directly 
        to the appropriate local, Tribal, or territorial government if 
        such State violates a requirement of this subsection.
    ``(m) Advisory Committee.--
            ``(1) Establishment.--The Director shall establish a State 
        and Local Cybersecurity Resiliency Committee to provide State, 
        local, Tribal, and territorial stakeholder expertise, 
        situational awareness, and recommendations to the Director, as 
        appropriate, regarding how to--
                    ``(A) address cybersecurity risks and cybersecurity 
                threats to information systems of State, local, Tribal, 
                or territorial governments; and
                    ``(B) improve the ability of such governments to 
                prevent, protect against, respond, mitigate, and 
                recover from cybersecurity risks and cybersecurity 
                threats.
            ``(2) Duties.--The State and Local Cybersecurity Resiliency 
        Committee shall--
                    ``(A) submit to the Director recommendations that 
                may inform guidance for applicants for grants under 
                this section;
                    ``(B) upon the request of the Director, provide to 
                the Director technical assistance to inform the review 
                of Cybersecurity Plans submitted by applicants for 
                grants under this section, and, as appropriate, submit 
                to the Director recommendations to improve such Plans 
                prior to the Director's determination regarding whether 
                to approve such Plans;
                    ``(C) advise and provide to the Director input 
                regarding the Homeland Security Strategy to Improve 
                Cybersecurity for State, Local, Tribal, and Territorial 
                Governments required under section 2210; and
                    ``(D) upon the request of the Director, provide to 
                the Director recommendations, as appropriate, regarding 
                how to--
                            ``(i) address cybersecurity risks and 
                        cybersecurity threats on information systems of 
                        State, local, Tribal, or territorial 
                        governments; and
                            ``(ii) improve the cybersecurity resilience 
                        of such governments.
            ``(3) Membership.--
                    ``(A) Number and appointment.--The State and Local 
                Cybersecurity Resiliency Committee shall be composed of 
                15 members appointed by the Director, as follows:
                            ``(i) Two individuals recommended to the 
                        Director by the National Governors Association.
                            ``(ii) Two individuals recommended to the 
                        Director by the National Association of State 
                        Chief Information Officers.
                            ``(iii) One individual recommended to the 
                        Director by the National Guard Bureau.
                            ``(iv) Two individuals recommended to the 
                        Director by the National Association of 
                        Counties.
                            ``(v) Two individuals recommended to the 
                        Director by the National League of Cities.
                            ``(vi) One individual recommended to the 
                        Director by the United States Conference of 
                        Mayors.
                            ``(vii) One individual recommended to the 
                        Director by the Multi-State Information Sharing 
                        and Analysis Center.
                            ``(viii) Four individuals who have 
                        educational and professional experience related 
                        to cybersecurity analysis or policy.
                    ``(B) Terms.--Each member of the State and Local 
                Cybersecurity Resiliency Committee shall be appointed 
                for a term of two years, except that such term shall be 
                three years only in the case of members who are 
                appointed initially to the Committee upon the 
                establishment of the Committee. Any member appointed to 
                fill a vacancy occurring before the expiration of the 
                term for which the member's predecessor was appointed 
                shall be appointed only for the remainder of such term. 
                A member may serve after the expiration of such 
                member's term until a successor has taken office. A 
                vacancy in the Commission shall be filled in the manner 
                in which the original appointment was made.
                    ``(C) Pay.--Members of the State and Local 
                Cybersecurity Resiliency Committee shall serve without 
                pay.
            ``(4) Chairperson; vice chairperson.--The members of the 
        State and Local Cybersecurity Resiliency Committee shall select 
        a chairperson and vice chairperson from among Committee 
        members.
            ``(5) Federal advisory committee act.--The Federal Advisory 
        Committee Act (5 U.S.C. App.) shall not apply to the State and 
        Local Cybersecurity Resilience Committee.
    ``(n) Reports.--
            ``(1) Annual reports by state grant recipients.--A State 
        that receives a grant under this section shall annually submit 
        to the Secretary a report on the progress of the State in 
        implementing the Cybersecurity Plan approved pursuant to 
        subsection (g). If the State does not have a Cybersecurity Plan 
        approved pursuant to subsection (g), the State shall submit to 
        the Secretary a report describing how grant funds were 
        obligated and expended to develop a Cybersecurity Plan or 
        improve the cybersecurity of information systems owned or 
        operated by State, local, Tribal, or territorial governments in 
        such State. The Secretary, acting through the Director, shall 
        make each such report publicly available, including by making 
        each such report available on the internet website of the 
        Agency, subject to any redactions the Director determines 
        necessary to protect classified or other sensitive information.
            ``(2) Annual reports to congress.--At least once each year, 
        the Secretary, acting through the Director, shall submit to 
        Congress a report on the use of grants awarded under this 
        section and any progress made toward the following:
                    ``(A) Achieving the objectives set forth in the 
                Homeland Security Strategy to Improve the Cybersecurity 
                of State, Local, Tribal, and Territorial Governments, 
                upon the strategy's issuance under section 2210.
                    ``(B) Developing, implementing, or revising 
                Cybersecurity Plans.
                    ``(C) Reducing cybersecurity risks and 
                cybersecurity threats to information systems owned or 
                operated by State, local, Tribal, and territorial 
                governments as a result of the award of such grants.
    ``(o) Authorization of Appropriations.--There are authorized to be 
appropriated for grants under this section--
            ``(1) for each of fiscal years 2021 through 2025, 
        $400,000,000; and
            ``(2) for each subsequent fiscal year, such sums as may be 
        necessary.
    ``(p) Definitions.--In this section:
            ``(1) Critical infrastructure.--The term `critical 
        infrastructure' has the meaning given that term in section 2.
            ``(2) Cyber threat indicator.--The term `cyber threat 
        indicator' has the meaning given such term in section 102 of 
        the Cybersecurity Act of 2015.
            ``(3) Director.--The term `Director' means the Director of 
        the Cybersecurity and Infrastructure Security Agency.
            ``(4) Incident.--The term `incident' has the meaning given 
        such term in section 2209.
            ``(5) Information sharing and analysis organization.--The 
        term `information sharing and analysis organization' has the 
        meaning given such term in section 2222.
            ``(6) Information system.--The term `information system' 
        has the meaning given such term in section 102(9) of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501(9)).
            ``(7) Key resources.--The term `key resources' has the 
        meaning given that term in section 2.
            ``(8) Online service.--The term `online service' means any 
        internet-facing service, including a website, email, virtual 
        private network, or custom application.
            ``(9) State.--The term `State'--
                    ``(A) means each of the several States, the 
                District of Colombia, and the territories and 
                possessions of the United States; and
                    ``(B) includes any federally recognized Indian 
                tribe that notifies the Secretary, not later than 120 
                days after the date of the enactment of this section or 
                not later than 120 days before the start of any fiscal 
                year in which a grant under this section is awarded, 
                that the tribe intends to develop a Cybersecurity Plan 
                and agrees to forfeit any distribution under subsection 
                (l)(2).

``SEC. 2216. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR STATE, LOCAL, 
              TRIBAL, AND TERRITORIAL GOVERNMENT OFFICIALS.

    ``The Secretary, acting through the Director, shall develop a 
resource guide for use by State, local, Tribal, and territorial 
government officials, including law enforcement officers, to help such 
officials identify, prepare for, detect, protect against, respond to, 
and recover from cybersecurity risks, cybersecurity threats, and 
incidents (as such term is defined in section 2209).''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 is amended by inserting after the 
item relating to section 2214 the following new items:

``Sec. 2215. State and Local Cybersecurity Grant Program.
``Sec. 2216. Cybersecurity resource guide development for State, local, 
                            Tribal, and territorial government 
                            officials.''.

SEC. 3. STRATEGY.

    (a) Homeland Security Strategy To Improve the Cybersecurity of 
State, Local, Tribal, and Territorial Governments.--Section 2210 of the 
Homeland Security Act of 2002 (6 U.S.C. 660) is amended by adding at 
the end the following new subsection:
    ``(e) Homeland Security Strategy To Improve the Cybersecurity of 
State, Local, Tribal, and Territorial Governments.--
            ``(1) In general.--Not later than 270 days after the date 
        of the enactment of this subsection, the Secretary, acting 
        through the Director, shall, in coordination with appropriate 
        Federal departments and agencies, State, local, Tribal, and 
        territorial governments, the State and Local Cybersecurity 
        Resilience Committee (established under section 2215), and 
        other stakeholders, as appropriate, develop and make publicly 
        available a Homeland Security Strategy to Improve the 
        Cybersecurity of State, Local, Tribal, and Territorial 
        Governments that provides recommendations regarding how the 
        Federal Government should support and promote the ability 
        State, local, Tribal, and territorial governments to identify, 
        protect against, detect respond to, and recover from 
        cybersecurity risks, cybersecurity threats, and incidents (as 
        such term is defined in section 2209) and establishes baseline 
        requirements and principles to which Cybersecurity Plans under 
        such section shall be aligned.
            ``(2) Contents.--The Homeland Security Strategy to Improve 
        the Cybersecurity of State, Local, Tribal, and Territorial 
        Governments required under paragraph (1) shall--
                    ``(A) identify capability gaps in the ability of 
                State, local, Tribal, and territorial governments to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, and incidents;
                    ``(B) identify Federal resources and capabilities 
                that are available or could be made available to State, 
                local, Tribal, and territorial governments to help such 
                governments identify, protect against, detect, respond 
                to, and recover from cybersecurity risks, cybersecurity 
                threats, and incidents;
                    ``(C) identify and assess the limitations of 
                Federal resources and capabilities available to State, 
                local, Tribal, and territorial governments to help such 
                governments identify, protect against, detect, respond 
                to, and recover from cybersecurity risks, cybersecurity 
                threats, and incidents, and make recommendations to 
                address such limitations;
                    ``(D) identify opportunities to improve the 
                Agency's coordination with Federal and non-Federal 
                entities, such as the Multi-State Information Sharing 
                and Analysis Center, to improve incident exercises, 
                information sharing and incident notification 
                procedures, the ability for State, local, Tribal, and 
                territorial governments to voluntarily adapt and 
                implement guidance in Federal binding operational 
                directives, and opportunities to leverage Federal 
                schedules for cybersecurity investments under section 
                502 of title 40, United States Code;
                    ``(E) recommend new initiatives the Federal 
                Government should undertake to improve the ability of 
                State, local, Tribal, and territorial governments to 
                help such governments identify, protect against, 
                detect, respond to, and recover from cybersecurity 
                risks, cybersecurity threats, and incidents;
                    ``(F) set short-term and long-term goals that will 
                improve the ability of State, local, Tribal, and 
                territorial governments to help such governments 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, and incidents; and
                    ``(G) set dates, including interim benchmarks, as 
                appropriate for State, local, Tribal, territorial 
                governments to establish baseline capabilities to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, and incidents.
            ``(3) Considerations.--In developing the Homeland Security 
        Strategy to Improve the Cybersecurity of State, Local, Tribal, 
        and Territorial Governments required under paragraph (1), the 
        Director, in coordination with appropriate Federal departments 
        and agencies, State, local, Tribal, and territorial 
        governments, the State and Local Cybersecurity Resilience 
        Committee, and other stakeholders, as appropriate, shall 
        consider--
                    ``(A) lessons learned from incidents that have 
                affected State, local, Tribal, and territorial 
                governments, and exercises with Federal and non-Federal 
                entities;
                    ``(B) the impact of incidents that have affected 
                State, local, Tribal, and territorial governments, 
                including the resulting costs to such governments;
                    ``(C) the information related to the interest and 
                ability of state and non-state threat actors to 
                compromise information systems owned or operated by 
                State, local, Tribal, and territorial governments;
                    ``(D) emerging cybersecurity risks and 
                cybersecurity threats to State, local, Tribal, and 
                territorial governments resulting from the deployment 
                of new technologies; and
                    ``(E) recommendations made by the State and Local 
                Cybersecurity Resilience Committee.''.
    (b) Responsibilities of the Director of the Cybersecurity and 
Infrastructure Security Agency.--Subsection (c) of section 2202 of the 
Homeland Security Act of 2002 (6 U.S.C. 652) is amended--
            (1) by redesignating paragraphs (6) through (11) as 
        paragraphs (11) through (16), respectively; and
            (2) by inserting after paragraph (5) the following new 
        paragraphs:
            ``(6) develop program guidance, in consultation with the 
        State and Local Government Cybersecurity Resiliency Committee 
        established under section 2215, for the State and Local 
        Cybersecurity Grant Program under such section or any other 
        homeland security assistance administered by the Department to 
        improve cybersecurity;
            ``(7) review, in consultation with the State and Local 
        Cybersecurity Resiliency Committee, all cybersecurity plans of 
        State, local, Tribal, and territorial governments developed 
        pursuant to any homeland security assistance administered by 
        the Department to improve cybersecurity;
            ``(8) provide expertise and technical assistance to State, 
        local, Tribal, and territorial government officials with 
        respect to cybersecurity;
            ``(9) provide education, training, and capacity development 
        to enhance the security and resilience of cybersecurity and 
        infrastructure security;
            ``(10) provide information to State, local, Tribal, and 
        territorial governments on the security benefits of .gov domain 
        name registration services;''.
    (c) Feasibility Study.--Not later than 180 days after the date of 
the enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency of the Department of Homeland Security 
shall conduct a study to assess the feasibility of implementing a 
short-term rotational program for the detail of approved State, local, 
Tribal, and territorial government employees in cyber workforce 
positions to the Agency.
                                                 Union Calendar No. 384

116th CONGRESS

  2d Session

                               H. R. 5823

                          [Report No. 116-478]

_______________________________________________________________________

                                 A BILL

      To establish a program to make grants to States to address 
cybersecurity risks and cybersecurity threats to information systems of 
    State, local, Tribal, or territorial governments, and for other 
                               purposes.

_______________________________________________________________________

                            August 18, 2020

  Reported with an amendment; committed to the Committee of the Whole 
       House on the State of the Union and ordered to be printed