

116 S3207 RS: Cybersecurity State Coordinator Act of 2020
U.S. Senate
2020-01-16
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



II
Calendar No. 458
116th CONGRESS
2d Session
S. 3207
[Report No. 116–227]

IN THE SENATE OF THE UNITED STATES

January 16, 2020
Ms. Hassan (for herself, Mr. Cornyn, Mr. Portman, Mr. Peters, Ms. Rosen, Mr. Van Hollen, and Ms. Sinema) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs

June 1, 2020
Reported by Mr. Johnson, with an amendment
Strike out all after the enacting clause and insert the part printed in italic

A BILL
To require the Director of the Cybersecurity and Infrastructure Security Agency to establish a Cybersecurity State Coordinator in each State, and for other purposes.

[Text as introduced, struck out]

1. Short title
This Act may be cited as the Cybersecurity State Coordinator Act of 2020.

2. Findings
Congress finds that—
  (1) cyber threats, such as ransomware, against State, local, Tribal, and territorial entities have grown at an alarming rate;
  (2) State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors;
  (3) there is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses; and
  (4) coordination within Federal entities and between Federal and non-Federal entities, including State, local, Tribal, and territorial governments, Information Sharing and Analysis Centers, election officials, State adjutants general, and other non-Federal entities, is critical to anticipating, preventing, managing, and recovering from cyberattacks.

3. Cybersecurity State Coordinator
(a) In general
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended—
  (1) in section 2202(c) (6 U.S.C. 652(c))—
    (A) in paragraph (10), by striking “and” at the end;
    (B) by redesignating paragraph (11) as paragraph (12); and
    (C) by inserting after paragraph (10) the following:
      “(11) appoint a Cybersecurity State Coordinator in each State, as described in section 2215; and”; and
  (2) by adding at the end the following:
    “2215. Cybersecurity State Coordinator
    (a) Appointment
    The Director shall appoint an employee of the Agency in each State who shall serve as the Cybersecurity State Coordinator.
    (b) Duties
    The duties of a Cybersecurity State Coordinator appointed under subsection (b) shall include—
      (1) building strategic relationships across Federal and non-Federal entities by advising on establishing governance structures to facilitate developing and maintaining secure and resilient infrastructure;
      (2) serving as a principal Federal cybersecurity risk advisor and coordinating between Federal and non-Federal entities to support preparation, response, and remediation efforts relating to cybersecurity risks and incidents;
      (3) facilitating the sharing of cyber threat information between Federal and non-Federal entities to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents;
      (4) raising awareness of the financial, technical, and operational resources available from the Federal Government to non-Federal entities to increase resilience against cyber threats;
      (5) supporting training, exercises, and planning for continuity of operations to expedite recovery from cybersecurity incidents, including ransomware;
      (6) serving as a principal point of contact for non-Federal entities to engage with the Federal Government on preparing, managing, and responding to cybersecurity incidents;
      (7) assisting non-Federal entities in developing and coordinating vulnerability disclosure programs consistent with Federal and information security industry standards; and
      (8) performing such other duties as necessary to achieve the goal of managing cybersecurity risks in the United States and reducing the impact of cyber threats to non-Federal entities.
    (c) Feedback
    The Director shall take into account relevant feedback provided by State and local officials regarding the appointment, and State and local officials and other non-Federal entities regarding the performance, of the Cybersecurity State Coordinator of a State.”.
(b) Oversight
Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a briefing on the placement and efficacy of the Cybersecurity State Coordinators appointed under section 2215 of the Homeland Security Act of 2002, as added by subsection (a).
(c) Rule of construction
Nothing in this section or the amendments made by this section shall be construed to affect or otherwise modify the authority of Federal law enforcement agencies with respect to investigations relating to cybersecurity incidents.
(d) Technical and conforming amendment
The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the item relating to section 2214 the following:
  “Sec. 2215. Cybersecurity State Coordinator.”.

[Committee amendment, printed in italic]

1. Short title
This Act may be cited as the Cybersecurity State Coordinator Act of 2020.

2. Findings
Congress finds that—
  (1) cyber threats, such as ransomware, against State, local, Tribal, and territorial entities have grown at an alarming rate;
  (2) State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors;
  (3) there is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses; and
  (4) coordination within Federal entities and between Federal and non-Federal entities, including State, local, Tribal, and territorial governments, Information Sharing and Analysis Centers, election officials, State adjutants general, and other non-Federal entities, is critical to anticipating, preventing, managing, and recovering from cyberattacks.

3. Cybersecurity State Coordinator
(a) In general
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended—
  (1) in section 2202(c) (6 U.S.C. 652(c))—
    (A) in paragraph (10), by striking “and” at the end;
    (B) by redesignating paragraph (11) as paragraph (12); and
    (C) by inserting after paragraph (10) the following:
      “(11) appoint a Cybersecurity State Coordinator in each State, as described in section 2215; and”; and
  (2) by adding at the end the following:
    “2215. Cybersecurity State Coordinator
    (a) Appointment
    The Director shall appoint an employee of the Agency in each State, with the appropriate cybersecurity qualifications and expertise, who shall serve as the Cybersecurity State Coordinator.
    (b) Duties
    The duties of a Cybersecurity State Coordinator appointed under subsection (a) shall include—
      (1) building strategic relationships across Federal and, on a voluntary basis, non-Federal entities by advising on establishing governance structures to facilitate the development and maintenance of secure and resilient infrastructure;
      (2) serving as a Federal cybersecurity risk advisor and coordinating between Federal and, on a voluntary basis, non-Federal entities to support preparation, response, and remediation efforts relating to cybersecurity risks and incidents;
      (3) facilitating the sharing of cyber threat information between Federal and, on a voluntary basis, non-Federal entities to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents;
      (4) raising awareness of the financial, technical, and operational resources available from the Federal Government to non-Federal entities to increase resilience against cyber threats;
      (5) supporting training, exercises, and planning for continuity of operations to expedite recovery from cybersecurity incidents, including ransomware;
      (6) serving as a principal point of contact for non-Federal entities to engage, on a voluntary basis, with the Federal Government on preparing, managing, and responding to cybersecurity incidents;
      (7) assisting non-Federal entities in developing and coordinating vulnerability disclosure programs consistent with Federal and information security industry standards; and
      (8) performing such other duties as determined necessary by the Director to achieve the goal of managing cybersecurity risks in the United States and reducing the impact of cyber threats to non-Federal entities.
    (c) Feedback
    The Director shall consult with relevant State and local officials regarding the appointment, and State and local officials and other non-Federal entities regarding the performance, of the Cybersecurity State Coordinator of a State.”.
(b) Oversight
The Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a briefing on the placement and efficacy of the Cybersecurity State Coordinators appointed under section 2215 of the Homeland Security Act of 2002, as added by subsection (a)—
  (1) not later than 1 year after the date of enactment of this Act; and
  (2) not later than 2 years after providing the first briefing under this subsection.
(c) Rule of construction
Nothing in this section or the amendments made by this section shall be construed to affect or otherwise modify the authority of Federal law enforcement agencies with respect to investigations relating to cybersecurity incidents.
(d) Technical and conforming amendment
The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the item relating to section 2214 the following:
  “Sec. 2215. Cybersecurity State Coordinator.”.

June 1, 2020
Reported with an amendment