[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 3207 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 458
116th CONGRESS
  2d Session
                                S. 3207

                          [Report No. 116-227]

    To require the Director of the Cybersecurity and Infrastructure 
Security Agency to establish a Cybersecurity State Coordinator in each 
                     State, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 16, 2020

   Ms. Hassan (for herself, Mr. Cornyn, Mr. Portman, Mr. Peters, Ms. 
 Rosen, Mr. Van Hollen, and Ms. Sinema) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                              June 1, 2020

               Reported by Mr. Johnson, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
    To require the Director of the Cybersecurity and Infrastructure 
Security Agency to establish a Cybersecurity State Coordinator in each 
                     State, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Cybersecurity State 
Coordinator Act of 2020''.</DELETED>

<DELETED>SEC. 2. FINDINGS.</DELETED>

<DELETED>    Congress finds that--</DELETED>
        <DELETED>    (1) cyber threats, such as ransomware, against 
        State, local, Tribal, and territorial entities have grown at an 
        alarming rate;</DELETED>
        <DELETED>    (2) State, local, Tribal, and territorial entities 
        face a growing threat from advanced persistent threat actors, 
        hostile nation states, criminal groups, and other malicious 
        cyber actors;</DELETED>
        <DELETED>    (3) there is an urgent need for greater engagement 
        and expertise from the Federal Government to help these 
        entities build their resilience and defenses; and</DELETED>
        <DELETED>    (4) coordination within Federal entities and 
        between Federal and non-Federal entities, including State, 
        local, Tribal, and territorial governments, Information Sharing 
        and Analysis Centers, election officials, State adjutants 
        general, and other non-Federal entities, is critical to 
        anticipating, preventing, managing, and recovering from 
        cyberattacks.</DELETED>

<DELETED>SEC. 3. CYBERSECURITY STATE COORDINATOR.</DELETED>

<DELETED>    (a) In General.--Subtitle A of title XXII of the Homeland 
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--</DELETED>
        <DELETED>    (1) in section 2202(c) (6 U.S.C. 652(c))--
        </DELETED>
                <DELETED>    (A) in paragraph (10), by striking ``and'' 
                at the end;</DELETED>
                <DELETED>    (B) by redesignating paragraph (11) as 
                paragraph (12); and</DELETED>
                <DELETED>    (C) by inserting after paragraph (10) the 
                following:</DELETED>
        <DELETED>    ``(11) appoint a Cybersecurity State Coordinator 
        in each State, as described in section 2215; and''; 
        and</DELETED>
        <DELETED>    (2) by adding at the end the following:</DELETED>

<DELETED>``SEC. 2215. CYBERSECURITY STATE COORDINATOR.</DELETED>

<DELETED>    ``(a) Appointment.--The Director shall appoint an employee 
of the Agency in each State who shall serve as the Cybersecurity State 
Coordinator.</DELETED>
<DELETED>    ``(b) Duties.--The duties of a Cybersecurity State 
Coordinator appointed under subsection (b) shall include--</DELETED>
        <DELETED>    ``(1) building strategic relationships across 
        Federal and non-Federal entities by advising on establishing 
        governance structures to facilitate developing and maintaining 
        secure and resilient infrastructure;</DELETED>
        <DELETED>    ``(2) serving as a principal Federal cybersecurity 
        risk advisor and coordinating between Federal and non-Federal 
        entities to support preparation, response, and remediation 
        efforts relating to cybersecurity risks and 
        incidents;</DELETED>
        <DELETED>    ``(3) facilitating the sharing of cyber threat 
        information between Federal and non-Federal entities to improve 
        understanding of cybersecurity risks and situational awareness 
        of cybersecurity incidents;</DELETED>
        <DELETED>    ``(4) raising awareness of the financial, 
        technical, and operational resources available from the Federal 
        Government to non-Federal entities to increase resilience 
        against cyber threats;</DELETED>
        <DELETED>    ``(5) supporting training, exercises, and planning 
        for continuity of operations to expedite recovery from 
        cybersecurity incidents, including ransomware;</DELETED>
        <DELETED>    ``(6) serving as a principal point of contact for 
        non-Federal entities to engage with the Federal Government on 
        preparing, managing, and responding to cybersecurity 
        incidents;</DELETED>
        <DELETED>    ``(7) assisting non-Federal entities in developing 
        and coordinating vulnerability disclosure programs consistent 
        with Federal and information security industry standards; 
        and</DELETED>
        <DELETED>    ``(8) performing such other duties as necessary to 
        achieve the goal of managing cybersecurity risks in the United 
        States and reducing the impact of cyber threats to non-Federal 
        entities.</DELETED>
<DELETED>    ``(c) Feedback.--The Director shall take into account 
relevant feedback provided by State and local officials regarding the 
appointment, and State and local officials and other non-Federal 
entities regarding the performance, of the Cybersecurity State 
Coordinator of a State.''.</DELETED>
<DELETED>    (b) Oversight.--Not later than 1 year after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall provide to the Committee on 
Homeland Security and Governmental Affairs of the Senate and the 
Committee on Homeland Security of the House of Representatives a 
briefing on the placement and efficacy of the Cybersecurity State 
Coordinators appointed under section 2215 of the Homeland Security Act 
of 2002, as added by subsection (a).</DELETED>
<DELETED>    (c) Rule of Construction.--Nothing in this section or the 
amendments made by this section shall be construed to affect or 
otherwise modify the authority of Federal law enforcement agencies with 
respect to investigations relating to cybersecurity 
incidents.</DELETED>
<DELETED>    (d) Technical and Conforming Amendment.--The table of 
contents in section 1(b) of the Homeland Security Act of 2002 (Public 
Law 107-296; 116 Stat. 2135) is amended by inserting after the item 
relating to section 2214 the following:</DELETED>

<DELETED>``Sec. 2215. Cybersecurity State Coordinator.''.

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cybersecurity State Coordinator Act 
of 2020''.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) cyber threats, such as ransomware, against State, 
        local, Tribal, and territorial entities have grown at an 
        alarming rate;
            (2) State, local, Tribal, and territorial entities face a 
        growing threat from advanced persistent threat actors, hostile 
        nation states, criminal groups, and other malicious cyber 
        actors;
            (3) there is an urgent need for greater engagement and 
        expertise from the Federal Government to help these entities 
        build their resilience and defenses; and
            (4) coordination within Federal entities and between 
        Federal and non-Federal entities, including State, local, 
        Tribal, and territorial governments, Information Sharing and 
        Analysis Centers, election officials, State adjutants general, 
        and other non-Federal entities, is critical to anticipating, 
        preventing, managing, and recovering from cyberattacks.

SEC. 3. CYBERSECURITY STATE COORDINATOR.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended--
            (1) in section 2202(c) (6 U.S.C. 652(c))--
                    (A) in paragraph (10), by striking ``and'' at the 
                end;
                    (B) by redesignating paragraph (11) as paragraph 
                (12); and
                    (C) by inserting after paragraph (10) the 
                following:
            ``(11) appoint a Cybersecurity State Coordinator in each 
        State, as described in section 2215; and''; and
            (2) by adding at the end the following:

``SEC. 2215. CYBERSECURITY STATE COORDINATOR.

    ``(a) Appointment.--The Director shall appoint an employee of the 
Agency in each State, with the appropriate cybersecurity qualifications 
and expertise, who shall serve as the Cybersecurity State Coordinator.
    ``(b) Duties.--The duties of a Cybersecurity State Coordinator 
appointed under subsection (a) shall include--
            ``(1) building strategic relationships across Federal and, 
        on a voluntary basis, non-Federal entities by advising on 
        establishing governance structures to facilitate the 
        development and maintenance of secure and resilient 
        infrastructure;
            ``(2) serving as a Federal cybersecurity risk advisor and 
        coordinating between Federal and, on a voluntary basis, non-
        Federal entities to support preparation, response, and 
        remediation efforts relating to cybersecurity risks and 
        incidents;
            ``(3) facilitating the sharing of cyber threat information 
        between Federal and, on a voluntary basis, non-Federal entities 
        to improve understanding of cybersecurity risks and situational 
        awareness of cybersecurity incidents;
            ``(4) raising awareness of the financial, technical, and 
        operational resources available from the Federal Government to 
        non-Federal entities to increase resilience against cyber 
        threats;
            ``(5) supporting training, exercises, and planning for 
        continuity of operations to expedite recovery from 
        cybersecurity incidents, including ransomware;
            ``(6) serving as a principal point of contact for non-
        Federal entities to engage, on a voluntary basis, with the 
        Federal Government on preparing, managing, and responding to 
        cybersecurity incidents;
            ``(7) assisting non-Federal entities in developing and 
        coordinating vulnerability disclosure programs consistent with 
        Federal and information security industry standards; and
            ``(8) performing such other duties as determined necessary 
        by the Director to achieve the goal of managing cybersecurity 
        risks in the United States and reducing the impact of cyber 
        threats to non-Federal entities.
    ``(c) Feedback.--The Director shall consult with relevant State and 
local officials regarding the appointment, and State and local 
officials and other non-Federal entities regarding the performance, of 
the Cybersecurity State Coordinator of a State.''.
    (b) Oversight.--The Director of the Cybersecurity and 
Infrastructure Security Agency shall provide to the Committee on 
Homeland Security and Governmental Affairs of the Senate and the 
Committee on Homeland Security of the House of Representatives a 
briefing on the placement and efficacy of the Cybersecurity State 
Coordinators appointed under section 2215 of the Homeland Security Act 
of 2002, as added by subsection (a)--
            (1) not later than 1 year after the date of enactment of 
        this Act; and
            (2) not later than 2 years after providing the first 
        briefing under this subsection.
    (c) Rule of Construction.--Nothing in this section or the 
amendments made by this section shall be construed to affect or 
otherwise modify the authority of Federal law enforcement agencies with 
respect to investigations relating to cybersecurity incidents.
    (d) Technical and Conforming Amendment.--The table of contents in 
section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 
116 Stat. 2135) is amended by inserting after the item relating to 
section 2214 the following:

``Sec. 2215. Cybersecurity State Coordinator.''.
                                                       Calendar No. 458

116th CONGRESS

  2d Session

                                S. 3207

                          [Report No. 116-227]

_______________________________________________________________________

                                 A BILL

    To require the Director of the Cybersecurity and Infrastructure 
Security Agency to establish a Cybersecurity State Coordinator in each 
                     State, and for other purposes.

_______________________________________________________________________

                              June 1, 2020

                       Reported with an amendment