[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 1846 Introduced in Senate (IS)]

<DOC>






116th CONGRESS
  1st Session
                                S. 1846

 To amend the Homeland Security Act of 2002 to provide for engagements 
 with State, local, Tribal, and territorial governments, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 13, 2019

Mr. Peters (for himself and Mr. Portman) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
 To amend the Homeland Security Act of 2002 to provide for engagements 
 with State, local, Tribal, and territorial governments, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``State and Local Government 
Cybersecurity Act of 2019''.

SEC. 2. AMENDMENTS TO THE HOMELAND SECURITY ACT OF 2002.

    Subtitle A of title XXII of the Homeland Security Act of 2002 (6 
U.S.C. 651 et seq.) is amended--
            (1) in section 2201 (6 U.S.C. 651)--
                    (A) by redesignating paragraphs (4), (5), and (6) 
                as paragraphs (5), (6), and (7), respectively; and
                    (B) by inserting after paragraph (3) the following:
            ``(4) Entity.--The term `entity' shall include--
                    ``(A) an association, corporation, whether for-
                profit or nonprofit, partnership, proprietorship, 
                organization, institution, establishment, or 
                individual, whether domestically or foreign owned, that 
                has the legal capacity to enter into agreements or 
                contracts, assume obligations, incur and pay debts, sue 
                and be sued in its own right in a court of competent 
                jurisdiction in the United States, and to be held 
                responsible for its actions;
                    ``(B) a governmental agency or other governmental 
                entity, including State, local, Tribal, and territorial 
                government entities; and
                    ``(C) the general public.''; and
            (2) in section 2202 (6 U.S.C. 652)--
                    (A) in subsection (c)--
                            (i) in paragraph (10), by striking ``and'' 
                        at the end;
                            (ii) by redesignating paragraph (11) as 
                        paragraph (12); and
                            (iii) by inserting after paragraph (10) the 
                        following:
            ``(11) carry out the authority of the Secretary under 
        subsection (e)(1)(R); and''; and
                    (B) in subsection (e)(1), by adding at the end the 
                following:
                    ``(R) To make grants to and enter into cooperative 
                agreements or contracts with States, local governments, 
                and other non-Federal entities as the Secretary 
                determines necessary to carry out the responsibilities 
                of the Secretary related to cybersecurity and 
                infrastructure security under this Act and any other 
                provision of law, including grants, cooperative 
                agreements, and contracts that provide assistance and 
                education related to cyber threat indicators, defensive 
                measures and cybersecurity technologies, cybersecurity 
                risks, incidents, analysis, and warnings.''; and
            (3) in section 2209 (6 U.S.C. 659)--
                    (A) in subsection (c)(6), by inserting 
                ``operational and'' after ``timely'';
                    (B) in subsection (d)(1)(E), by inserting ``, 
                including an entity that collaborates with election 
                officials,'' after ``governments''; and
                    (C) by adding at the end the following:
    ``(n) Coordination on Cybersecurity for Federal and Non-Federal 
Entities.--
            ``(1) Coordination.--The Center shall, to the extent 
        practicable, and in coordination as appropriate with Federal 
        and non-Federal entities, such as the Multi-State Information 
        Sharing and Analysis Center--
                    ``(A) conduct exercises with Federal and non-
                Federal entities;
                    ``(B) provide operational and technical 
                cybersecurity training related to cyber threat 
                indicators, defensive measures, cybersecurity risks, 
                and incidents to Federal and non-Federal entities to 
                address cybersecurity risks or incidents, with or 
                without reimbursement;
                    ``(C) assist Federal and non-Federal entities, upon 
                request, in sharing cyber threat indicators, defensive 
                measures, cybersecurity risks, and incidents from and 
                to the Federal Government as well as among Federal and 
                non-Federal entities, in order to increase situational 
                awareness and help prevent incidents;
                    ``(D) provide notifications containing specific 
                incident and malware information that may affect them 
                or their customers and residents;
                    ``(E) provide and periodically update via a web 
                portal and other means tools, products, resources, 
                policies, guidelines, controls, and other cybersecurity 
                standards and best practices and procedures related to 
                information security;
                    ``(F) work with senior Federal and non-Federal 
                officials, including State and local Chief Information 
                Officers, senior election officials, and through 
                national associations, to coordinate a nationwide 
                effort to ensure effective implementation of tools, 
                products, resources, policies, guidelines, controls, 
                and procedures related to information security to 
                secure and ensure the resiliency of Federal and non-
                Federal information systems and including election 
                systems;
                    ``(G) provide, upon request, operational and 
                technical assistance to Federal and non-Federal 
                entities to implement tools, products, resources, 
                policies, guidelines, controls, and procedures on 
                information security, including by, as appropriate, 
                deploying and sustaining cybersecurity technologies, 
                such as an intrusion detection capability, to assist 
                those Federal and non-Federal entities in detecting 
                cybersecurity risks and incidents;
                    ``(H) assist Federal and non-Federal entities in 
                developing policies and procedures for coordinating 
                vulnerability disclosures, to the extent practicable, 
                consistent with international and national standards in 
                the information technology industry;
                    ``(I) ensure that Federal and non-Federal entities, 
                as appropriate, are made aware of the tools, products, 
                resources, policies, guidelines, controls, and 
                procedures on information security developed by the 
                Department and other appropriate Federal departments 
                and agencies for ensuring the security and resiliency 
                of civilian information systems; and
                    ``(J) promote cybersecurity education and awareness 
                through engagements with Federal and non-Federal 
                entities.
    ``(o) Report.--Not later than 1 year after the date of enactment of 
this subsection, and every 2 years thereafter, the Secretary shall 
submit to the Committee on Homeland Security and Governmental Affairs 
of the Senate and the Committee on Homeland Security of the House of 
Representatives a report on the status of cybersecurity measures that 
are in place, and any gaps that exist, in each State and in the largest 
urban areas of the United States.
    ``(p) Pilot Deployment of Sensors.--
            ``(1) Establishment.--Not later than 180 days after the 
        date of enactment of this subsection, the Secretary shall 
        establish a pilot program to deploy network sensors capable of 
        utilizing classified indicators for the purpose of identifying 
        and filtering malicious network traffic.
            ``(2) Voluntary participation.--Activities related to the 
        pilot program established under this subsection may only be 
        carried out on a voluntary basis in coordination with the owner 
        of the impacted network.
            ``(3) Expansion authority.--If, after 12 months of 
        deployment, the Secretary determines that the network sensors 
        deployed pursuant to this subsection would provide network 
        security benefits to other critical infrastructure sectors, the 
        Secretary may make additional network sensors available to 
        those sectors on a voluntary basis at the request of critical 
        infrastructure owners and operators.
            ``(4) Report.--Not later than 1 year after the date on 
        which the Secretary establishes the pilot program under this 
        subsection, the Secretary shall submit to the Committee on 
        Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Homeland Security of the House of 
        Representatives a report on the pilot program, which shall 
        include--
                    ``(A) the status of the pilot program;
                    ``(B) the rate of voluntary participation in the 
                pilot program;
                    ``(C) the effectiveness of the pilot program in 
                detecting and blocking traffic that could not have been 
                captured without the network sensors deployed under the 
                pilot program; and
                    ``(D) recommendations for expanding the use of 
                classified threat indicators to protect United States 
                critical infrastructure.''.
                                 <all>