[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3138 Engrossed in House (EH)]

<DOC>
117th CONGRESS
  1st Session
                                H. R. 3138

_______________________________________________________________________

                                 AN ACT

To amend the Homeland Security Act of 2002 to authorize a grant program 
 relating to the cybersecurity of State and local governments, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``State and Local Cybersecurity 
Improvement Act''.

SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following new sections:

``SEC. 2220A. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

    ``(a) Definitions.--In this section:
            ``(1) Cyber threat indicator.--The term `cyber threat 
        indicator' has the meaning given the term in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501).
            ``(2) Cybersecurity plan.--The term `Cybersecurity Plan' 
        means a plan submitted by an eligible entity under subsection 
        (e)(1).
            ``(3) Eligible entity.--The term `eligible entity' means--
                    ``(A) a State; or
                    ``(B) an Indian tribe that, not later than 120 days 
                after the date of the enactment of this section or not 
                later than 120 days before the start of any fiscal year 
                in which a grant under this section is awarded--
                            ``(i) notifies the Secretary that the 
                        Indian tribe intends to develop a Cybersecurity 
                        Plan; and
                            ``(ii) agrees to forfeit any distribution 
                        under subsection (n)(2).
            ``(4) Incident.--The term `incident' has the meaning given 
        the term in section 2209.
            ``(5) Indian tribe; tribal organization.--The term `Indian 
        tribe' or `Tribal organization' has the meaning given that term 
        in section 4(e) of the Indian Self-Determination and Education 
        Assistance Act (25 U.S.C. 5304(e)).
            ``(6) Information sharing and analysis organization.--The 
        term `information sharing and analysis organization' has the 
        meaning given the term in section 2222.
            ``(7) Information system.--The term `information system' 
        has the meaning given the term in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501).
            ``(8) Online service.--The term `online service' means any 
        internet-facing service, including a website, email, virtual 
        private network, or custom application.
            ``(9) Ransomware incident.--The term `ransomware incident' 
        means an incident that actually or imminently jeopardizes, 
        without lawful authority, the integrity, confidentiality, or 
        availability of information on an information system, or 
        actually or imminently jeopardizes, without lawful authority, 
        an information system for the purpose of coercing the 
        information system's owner, operator, or another person.
            ``(10) State and local cybersecurity grant program.--The 
        term `State and Local Cybersecurity Grant Program' means the 
        program established under subsection (b).
            ``(11) State and local cybersecurity resilience 
        committee.--The term `State and Local Cybersecurity Resilience 
        Committee' means the committee established under subsection 
        (o)(1).
    ``(b) Establishment.--
            ``(1) In general.--The Secretary, acting through the 
        Director, shall establish a program, to be known as the `State 
        and Local Cybersecurity Grant Program', to award grants to 
        eligible entities to address cybersecurity risks and 
        cybersecurity threats to information systems of State, local, 
        or Tribal organizations.
            ``(2) Application.--An eligible entity seeking a grant 
        under the State and Local Cybersecurity Grant Program shall 
        submit to the Secretary an application at such time, in such 
        manner, and containing such information as the Secretary may 
        require.
    ``(c) Baseline Requirements.--An eligible entity or multistate 
group that receives a grant under this section shall use the grant in 
compliance with--
            ``(1)(A) the Cybersecurity Plan of the eligible entity or 
        the Cybersecurity Plans of the eligible entities that comprise 
        the multistate group; and
            ``(B) the Homeland Security Strategy to Improve the 
        Cybersecurity of State, Local, Tribal, and Territorial 
        Governments developed under section 2210(e)(1); or
            ``(2) activities carried out under paragraphs (3), (4), and 
        (5) of subsection (h).
    ``(d) Administration.--The State and Local Cybersecurity Grant 
Program shall be administered in the same office of the Department that 
administers grants made under sections 2003 and 2004.
    ``(e) Cybersecurity Plans.--
            ``(1) In general.--An eligible entity applying for a grant 
        under this section shall submit to the Secretary a 
        Cybersecurity Plan for approval.
            ``(2) Required elements.--A Cybersecurity Plan of an 
        eligible entity shall--
                    ``(A) incorporate, to the extent practicable, any 
                existing plans of the eligible entity to protect 
                against cybersecurity risks and cybersecurity threats 
                to information systems of State, local, or Tribal 
                organizations;
                    ``(B) describe, to the extent practicable, how the 
                eligible entity will--
                            ``(i) manage, monitor, and track 
                        information systems, applications, and user 
                        accounts owned or operated by or on behalf of 
                        the eligible entity or by local or Tribal 
                        organizations within the jurisdiction of the 
                        eligible entity and the information technology 
                        deployed on those information systems, 
                        including legacy information systems and 
                        information technology that are no longer 
                        supported by the manufacturer of the systems or 
                        technology;
                            ``(ii) monitor, audit, and track activity 
                        between information systems, applications, and 
                        user accounts owned or operated by or on behalf 
                        of the eligible entity or by local or Tribal 
                        organizations within the jurisdiction of the 
                        eligible entity and between those information 
                        systems and information systems not owned or 
                        operated by the eligible entity or by local or 
                        Tribal organizations within the jurisdiction of 
                        the eligible entity;
                            ``(iii) enhance the preparation, response, 
                        and resilience of information systems, 
                        applications, and user accounts owned or 
                        operated by or on behalf of the eligible entity 
                        or local or Tribal organizations against 
                        cybersecurity risks and cybersecurity threats;
                            ``(iv) implement a process of continuous 
                        cybersecurity vulnerability assessments and 
                        threat mitigation practices prioritized by 
                        degree of risk to address cybersecurity risks 
                        and cybersecurity threats on information 
                        systems of the eligible entity or local or 
                        Tribal organizations;
                            ``(v) ensure that State, local, and Tribal 
                        organizations that own or operate information 
                        systems that are located within the 
                        jurisdiction of the eligible entity--
                                    ``(I) adopt best practices and 
                                methodologies to enhance cybersecurity, 
                                such as the practices set forth in the 
                                cybersecurity framework developed by, 
                                and the cyber supply chain risk 
                                management best practices identified 
                                by, the National Institute of Standards 
                                and Technology; and
                                    ``(II) utilize knowledge bases of 
                                adversary tools and tactics to assess 
                                risk;
                            ``(vi) promote the delivery of safe, 
                        recognizable, and trustworthy online services 
                        by State, local, and Tribal organizations, 
                        including through the use of the .gov internet 
                        domain;
                            ``(vii) ensure continuity of operations of 
                        the eligible entity and local and Tribal 
                        organizations in the event of a cybersecurity 
                        incident (including a ransomware incident), 
                        including by conducting exercises to practice 
                        responding to such an incident;
                            ``(viii) use the National Initiative for 
                        Cybersecurity Education Cybersecurity Workforce 
                        Framework developed by the National Institute 
                        of Standards and Technology to identify and 
                        mitigate any gaps in the cybersecurity 
                        workforces of State, local, or Tribal 
                        organizations, enhance recruitment and 
                        retention efforts for such workforces, and 
                        bolster the knowledge, skills, and abilities of 
                        State, local, and Tribal organization personnel 
                        to address cybersecurity risks and 
                        cybersecurity threats, such as through 
                        cybersecurity hygiene training;
                            ``(ix) ensure continuity of communications 
                        and data networks within the jurisdiction of 
                        the eligible entity between the eligible entity 
                        and local and Tribal organizations that own or 
                        operate information systems within the 
                        jurisdiction of the eligible entity in the 
                        event of an incident involving such 
                        communications or data networks within the 
                        jurisdiction of the eligible entity;
                            ``(x) assess and mitigate, to the greatest 
                        degree possible, cybersecurity risks and 
                        cybersecurity threats related to critical 
                        infrastructure and key resources, the 
                        degradation of which may impact the performance 
                        of information systems within the jurisdiction 
                        of the eligible entity;
                            ``(xi) enhance capabilities to share cyber 
                        threat indicators and related information 
                        between the eligible entity and local and 
                        Tribal organizations that own or operate 
                        information systems within the jurisdiction of 
                        the eligible entity, including by expanding 
                        existing information sharing agreements with 
                        the Department;
                            ``(xii) enhance the capability of the 
                        eligible entity to share cyber threat indicators 
                        and related information with the Department;
                            ``(xiii) leverage cybersecurity services 
                        offered by the Department;
                            ``(xiv) develop and coordinate strategies 
                        to address cybersecurity risks and 
                        cybersecurity threats to information systems of 
                        the eligible entity in consultation with--
                                    ``(I) local and Tribal 
                                organizations within the jurisdiction 
                                of the eligible entity; and
                                    ``(II) as applicable--
                                            ``(aa) States that neighbor 
                                        the jurisdiction of the 
                                        eligible entity or, as 
                                        appropriate, members of an 
                                        information sharing and 
                                        analysis organization; and
                                            ``(bb) countries that 
                                        neighbor the jurisdiction of 
                                        the eligible entity; and
                            ``(xv) implement an information technology 
                        and operational technology modernization 
                        cybersecurity review process that ensures 
                        alignment between information technology and 
                        operational technology cybersecurity 
                        objectives;
                    ``(C) describe, to the extent practicable, the 
                individual responsibilities of the eligible entity and 
                local and Tribal organizations within the jurisdiction 
                of the eligible entity in implementing the plan;
                    ``(D) outline, to the extent practicable, the 
                necessary resources and a timeline for implementing the 
                plan; and
                    ``(E) describe how the eligible entity will measure 
                progress towards implementing the plan.
            ``(3) Discretionary elements.--A Cybersecurity Plan of an 
        eligible entity may include a description of--
                    ``(A) cooperative programs developed by groups of 
                local and Tribal organizations within the jurisdiction 
                of the eligible entity to address cybersecurity risks 
                and cybersecurity threats; and
                    ``(B) programs provided by the eligible entity to 
                support local and Tribal organizations and owners and 
                operators of critical infrastructure to address 
                cybersecurity risks and cybersecurity threats.
            ``(4) Management of funds.--An eligible entity applying for 
        a grant under this section shall agree to designate the Chief 
        Information Officer, the Chief Information Security Officer, or 
        an equivalent official of the eligible entity as the primary 
        official for the management and allocation of funds awarded 
        under this section.
    ``(f) Multistate Grants.--
            ``(1) In general.--The Secretary, acting through the 
        Director, may award grants under this section to a group of two 
        or more eligible entities to support multistate efforts to 
        address cybersecurity risks and cybersecurity threats to 
        information systems within the jurisdictions of the eligible 
        entities.
            ``(2) Satisfaction of other requirements.--In order to be 
        eligible for a multistate grant under this subsection, each 
        eligible entity that comprises a multistate group shall submit 
        to the Secretary--
                    ``(A) a Cybersecurity Plan for approval in 
                accordance with subsection (i); and
                    ``(B) a plan for establishing a cybersecurity 
                planning committee under subsection (g).
            ``(3) Application.--
                    ``(A) In general.--A multistate group applying for 
                a multistate grant under paragraph (1) shall submit to 
                the Secretary an application at such time, in such 
                manner, and containing such information as the 
                Secretary may require.
                    ``(B) Multistate project description.--An 
                application of a multistate group under subparagraph 
                (A) shall include a plan describing--
                            ``(i) the division of responsibilities 
                        among the eligible entities that comprise the 
                        multistate group for administering the grant 
                        for which application is being made;
                            ``(ii) the distribution of funding from 
                        such a grant among the eligible entities that 
                        comprise the multistate group; and
                            ``(iii) how the eligible entities that 
                        comprise the multistate group will work 
                        together to implement the Cybersecurity Plan of 
                        each of those eligible entities.
    ``(g) Planning Committees.--
            ``(1) In general.--An eligible entity that receives a grant 
        under this section shall establish a cybersecurity planning 
        committee to--
                    ``(A) assist in the development, implementation, 
                and revision of the Cybersecurity Plan of the eligible 
                entity;
                    ``(B) approve the Cybersecurity Plan of the 
                eligible entity; and
                    ``(C) assist in the determination of effective 
                funding priorities for a grant under this section in 
                accordance with subsection (h).
            ``(2) Composition.--A committee of an eligible entity 
        established under paragraph (1) shall--
                    ``(A) be comprised of representatives from the 
                eligible entity and counties, cities, towns, Tribes, 
                and public educational and health institutions within 
                the jurisdiction of the eligible entity; and
                    ``(B) include, as appropriate, representatives of 
                rural, suburban, and high-population jurisdictions.
            ``(3) Cybersecurity expertise.--Not less than 1/2 of the 
        representatives of a committee established under paragraph (1) 
        shall have professional experience relating to cybersecurity or 
        information technology.
            ``(4) Rule of construction regarding existing planning 
        committees.--Nothing in this subsection may be construed to 
        require an eligible entity to establish a cybersecurity 
        planning committee if the eligible entity has established and 
        uses a multijurisdictional planning committee or commission 
        that meets, or may be leveraged to meet, the requirements of 
        this subsection.
    ``(h) Use of Funds.--An eligible entity that receives a grant under 
this section shall use the grant to--
            ``(1) implement the Cybersecurity Plan of the eligible 
        entity;
            ``(2) develop or revise the Cybersecurity Plan of the 
        eligible entity; or
            ``(3) assist with activities that address imminent 
        cybersecurity risks or cybersecurity threats to the information 
        systems of the eligible entity or a local or Tribal 
        organization within the jurisdiction of the eligible entity.
    ``(i) Approval of Plans.--
            ``(1) Approval as condition of grant.--Before an eligible 
        entity may receive a grant under this section, the Secretary, 
        acting through the Director, shall review the Cybersecurity 
        Plan, or any revisions thereto, of the eligible entity and 
        approve such plan, or revised plan, if it satisfies the 
        requirements specified in paragraph (2).
            ``(2) Plan requirements.--In approving a Cybersecurity Plan 
        of an eligible entity under this subsection, the Director shall 
        ensure that the Cybersecurity Plan--
                    ``(A) satisfies the requirements of subsection 
                (e)(2);
                    ``(B) upon the issuance of the Homeland Security 
                Strategy to Improve the Cybersecurity of State, Local, 
                Tribal, and Territorial Governments authorized pursuant 
                to section 2210(e), complies, as appropriate, with the 
                goals and objectives of the strategy; and
                    ``(C) has been approved by the cybersecurity 
                planning committee of the eligible entity established 
                under subsection (g).
            ``(3) Approval of revisions.--The Secretary, acting through 
        the Director, may approve revisions to a Cybersecurity Plan as 
        the Director determines appropriate.
            ``(4) Exception.--Notwithstanding subsection (e) and 
        paragraph (1) of this subsection, the Secretary may award a 
        grant under this section to an eligible entity that does not 
        submit a Cybersecurity Plan to the Secretary if--
                    ``(A) the eligible entity certifies to the 
                Secretary that--
                            ``(i) the activities that will be supported 
                        by the grant are integral to the development of 
                        the Cybersecurity Plan of the eligible entity; 
                        and
                            ``(ii) the eligible entity will submit by 
                        September 30, 2023, to the Secretary a 
                        Cybersecurity Plan for review, and if 
                        appropriate, approval; or
                    ``(B) the eligible entity certifies to the 
                Secretary, and the Director confirms, that the eligible 
                entity will use funds from the grant to assist with the 
                activities described in subsection (h)(3).
    ``(j) Limitations on Uses of Funds.--
            ``(1) In general.--An eligible entity that receives a grant 
        under this section may not use the grant--
                    ``(A) to supplant State, local, or Tribal funds;
                    ``(B) for any recipient cost-sharing contribution;
                    ``(C) to pay a demand for ransom in an attempt to--
                            ``(i) regain access to information or an 
                        information system of the eligible entity or of 
                        a local or Tribal organization within the 
                        jurisdiction of the eligible entity; or
                            ``(ii) prevent the disclosure of 
                        information that has been removed without 
                        authorization from an information system of the 
                        eligible entity or of a local or Tribal 
                        organization within the jurisdiction of the 
                        eligible entity;
                    ``(D) for recreational or social purposes; or
                    ``(E) for any purpose that does not address 
                cybersecurity risks or cybersecurity threats on 
                information systems of the eligible entity or of a 
                local or Tribal organization within the jurisdiction of 
                the eligible entity.
            ``(2) Penalties.--In addition to any other remedy 
        available, the Secretary may take such actions as are necessary 
        to ensure that a recipient of a grant under this section uses 
        the grant for the purposes for which the grant is awarded.
            ``(3) Rule of construction.--Nothing in paragraph (1) may 
        be construed to prohibit the use of grant funds provided to a 
        State, local, or Tribal organization for otherwise permissible 
        uses under this section on the basis that a State, local, or 
        Tribal organization has previously used State, local, or Tribal 
        funds to support the same or similar uses.
    ``(k) Opportunity to Amend Applications.--In considering 
applications for grants under this section, the Secretary shall provide 
applicants with a reasonable opportunity to correct defects, if any, in 
such applications before making final awards.
    ``(l) Apportionment.--For fiscal year 2022 and each fiscal year 
thereafter, the Secretary shall apportion amounts appropriated to carry 
out this section among States as follows:
            ``(1) Baseline amount.--The Secretary shall first apportion 
        0.25 percent of such amounts to each of American Samoa, the 
        Commonwealth of the Northern Mariana Islands, Guam, the U.S. 
        Virgin Islands, and 0.75 percent of such amounts to each of the 
        remaining States.
            ``(2) Remainder.--The Secretary shall apportion the 
        remainder of such amounts in the ratio that--
                    ``(A) the population of each eligible entity, bears 
                to
                    ``(B) the population of all eligible entities.
            ``(3) Minimum allocation to Indian tribes.--
                    ``(A) In general.--In apportioning amounts under 
                this section, the Secretary shall ensure that, for each 
                fiscal year, directly eligible Tribes collectively 
                receive, from amounts appropriated under the State and 
                Local Cybersecurity Grant Program, not less than an 
                amount equal to three percent of the total amount 
                appropriated for grants under this section.
                    ``(B) Allocation.--Of the amount reserved under 
                subparagraph (A), funds shall be allocated in a manner 
                determined by the Secretary in consultation with Indian 
                tribes.
                    ``(C) Exception.--This paragraph shall not apply in 
                any fiscal year in which the Secretary--
                            ``(i) receives fewer than five applications 
                        from Indian tribes; or
                            ``(ii) does not approve at least two 
                        applications from Indian tribes.
    ``(m) Federal Share.--
            ``(1) In general.--The Federal share of the cost of an 
        activity carried out using funds made available with a grant 
        under this section may not exceed--
                    ``(A) in the case of a grant to an eligible 
                entity--
                            ``(i) for fiscal year 2022, 90 percent;
                            ``(ii) for fiscal year 2023, 80 percent;
                            ``(iii) for fiscal year 2024, 70 percent;
                            ``(iv) for fiscal year 2025, 60 percent; 
                        and
                            ``(v) for fiscal year 2026 and each 
                        subsequent fiscal year, 50 percent; and
                    ``(B) in the case of a grant to a multistate 
                group--
                            ``(i) for fiscal year 2022, 95 percent;
                            ``(ii) for fiscal year 2023, 85 percent;
                            ``(iii) for fiscal year 2024, 75 percent;
                            ``(iv) for fiscal year 2025, 65 percent; 
                        and
                            ``(v) for fiscal year 2026 and each 
                        subsequent fiscal year, 55 percent.
            ``(2) Waiver.--The Secretary may waive or modify the 
        requirements of paragraph (1) for an Indian tribe if the 
        Secretary determines such a waiver is in the public interest.
    ``(n) Responsibilities of Grantees.--
            ``(1) Certification.--Each eligible entity or multistate 
        group that receives a grant under this section shall certify to 
        the Secretary that the grant will be used--
                    ``(A) for the purpose for which the grant is 
                awarded; and
                    ``(B) in compliance with, as the case may be--
                            ``(i) the Cybersecurity Plan of the 
                        eligible entity;
                            ``(ii) the Cybersecurity Plans of the 
                        eligible entities that comprise the multistate 
                        group; or
                            ``(iii) a purpose approved by the Secretary 
                        under subsection (h) or pursuant to an 
                        exception under subsection (i).
            ``(2) Availability of funds to local and Tribal 
        organizations.--Not later than 45 days after the date on which 
        an eligible entity or multistate group receives a grant under 
        this section, the eligible entity or multistate group shall, 
        without imposing unreasonable or unduly burdensome requirements 
        as a condition of receipt, obligate or otherwise make available 
        to local and Tribal organizations within the jurisdiction of 
        the eligible entity or the eligible entities that comprise the 
        multistate group, and as applicable, consistent with the 
        Cybersecurity Plan of the eligible entity or the Cybersecurity 
        Plans of the eligible entities that comprise the multistate 
        group--
                    ``(A) not less than 80 percent of funds available 
                under the grant;
                    ``(B) with the consent of the local and Tribal 
                organizations, items, services, capabilities, or 
                activities having a value of not less than 80 percent 
                of the amount of the grant; or
                    ``(C) with the consent of the local and Tribal 
                organizations, grant funds combined with other items, 
                services, capabilities, or activities having the total 
                value of not less than 80 percent of the amount of the 
                grant.
            ``(3) Certifications regarding distribution of grant funds 
        to local and Tribal organizations.--An eligible entity or 
        multistate group shall certify to the Secretary that the 
        eligible entity or multistate group has made the distribution 
        to local, Tribal, and territorial governments required under 
        paragraph (2).
            ``(4) Extension of period.--
                    ``(A) In general.--An eligible entity or multistate 
                group may request in writing that the Secretary extend 
                the period of time specified in paragraph (2) for an 
                additional period of time.
                    ``(B) Approval.--The Secretary may approve a 
                request for an extension under subparagraph (A) if the 
                Secretary determines the extension is necessary to 
                ensure that the obligation and expenditure of grant 
                funds align with the purpose of the State and Local 
                Cybersecurity Grant Program.
            ``(5) Exception.--Paragraph (2) shall not apply to the 
        District of Columbia, the Commonwealth of Puerto Rico, American 
        Samoa, the Commonwealth of the Northern Mariana Islands, Guam, 
        the Virgin Islands, or an Indian tribe.
            ``(6) Direct funding.--If an eligible entity does not make 
        a distribution to a local or Tribal organization required in 
        accordance with paragraph (2), the local or Tribal organization 
        may petition the Secretary to request that grant funds be 
        provided directly to the local or Tribal organization.
            ``(7) Penalties.--In addition to other remedies available 
        to the Secretary, the Secretary may terminate or reduce the 
        amount of a grant awarded under this section to an eligible 
        entity or distribute grant funds previously awarded to such 
        eligible entity directly to the appropriate local or Tribal 
        organization as a replacement grant in an amount the Secretary 
        determines appropriate if such eligible entity violates a 
        requirement of this subsection.
    ``(o) Advisory Committee.--
            ``(1) Establishment.--Not later than 120 days after the 
        date of enactment of this section, the Director shall establish 
        a State and Local Cybersecurity Resilience Committee to provide 
        State, local, and Tribal stakeholder expertise, situational 
        awareness, and recommendations to the Director, as appropriate, 
        regarding how to--
                    ``(A) address cybersecurity risks and cybersecurity 
                threats to information systems of State, local, or 
                Tribal organizations; and
                    ``(B) improve the ability of State, local, and 
                Tribal organizations to prevent, protect against, 
                respond to, mitigate, and recover from such 
                cybersecurity risks and cybersecurity threats.
            ``(2) Duties.--The committee established under paragraph 
        (1) shall--
                    ``(A) submit to the Director recommendations that 
                may inform guidance for applicants for grants under 
                this section;
                    ``(B) upon the request of the Director, provide to 
                the Director technical assistance to inform the review 
                of Cybersecurity Plans submitted by applicants for 
                grants under this section, and, as appropriate, submit 
                to the Director recommendations to improve those plans 
                prior to the approval of the plans under subsection 
                (i);
                    ``(C) advise and provide to the Director input 
                regarding the Homeland Security Strategy to Improve 
                Cybersecurity for State, Local, Tribal, and Territorial 
                Governments required under section 2210;
                    ``(D) upon the request of the Director, provide to 
                the Director recommendations, as appropriate, regarding 
                how to--
                            ``(i) address cybersecurity risks and 
                        cybersecurity threats on information systems of 
                        State, local, or Tribal organizations; and
                            ``(ii) improve the cybersecurity resilience 
                        of State, local, or Tribal organizations; and
                    ``(E) regularly coordinate with the State, Local, 
                Tribal and Territorial Government Coordinating Council, 
                within the Critical Infrastructure Partnership Advisory 
                Council, established under section 871.
            ``(3) Membership.--
                    ``(A) Number and appointment.--The State and Local 
                Cybersecurity Resilience Committee established pursuant 
                to paragraph (1) shall be composed of 15 members 
                appointed by the Director, as follows:
                            ``(i) Two individuals recommended to the 
                        Director by the National Governors Association.
                            ``(ii) Two individuals recommended to the 
                        Director by the National Association of State 
                        Chief Information Officers.
                            ``(iii) One individual recommended to the 
                        Director by the National Guard Bureau.
                            ``(iv) Two individuals recommended to the 
                        Director by the National Association of 
                        Counties.
                            ``(v) One individual recommended to the 
                        Director by the National League of Cities.
                            ``(vi) One individual recommended to the 
                        Director by the United States Conference of 
                        Mayors.
                            ``(vii) One individual recommended to the 
                        Director by the Multi-State Information Sharing 
                        and Analysis Center.
                            ``(viii) One individual recommended to the 
                        Director by the National Congress of American 
                        Indians.
                            ``(ix) Four individuals who have 
                        educational and professional experience 
                        relating to cybersecurity work or cybersecurity 
                        policy.
                    ``(B) Terms.--
                            ``(i) In general.--Subject to clause (ii), 
                        each member of the State and Local 
                        Cybersecurity Resilience Committee shall be 
                        appointed for a term of two years.
                            ``(ii) Requirement.--At least two members 
                        of the State and Local Cybersecurity Resilience 
                        Committee shall also be members of the State, 
                        Local, Tribal and Territorial Government 
                        Coordinating Council, within the Critical 
                        Infrastructure Partnership Advisory Council, 
                        established under section 871.
                            ``(iii) Exception.--A term of a member of 
                        the State and Local Cybersecurity Resilience 
                        Committee shall be three years if the member is 
                        appointed initially to the Committee upon the 
                        establishment of the Committee.
                            ``(iv) Term remainders.--Any member of the 
                        State and Local Cybersecurity Resilience 
                        Committee appointed to fill a vacancy occurring 
                        before the expiration of the term for which the 
                        member's predecessor was appointed shall be 
                        appointed only for the remainder of such term. 
                        A member may serve after the expiration of such 
                        member's term until a successor has taken 
                        office.
                            ``(v) Vacancies.--A vacancy in the State 
                        and Local Cybersecurity Resilience Committee 
                        shall be filled in the manner in which the 
                        original appointment was made.
                    ``(C) Pay.--Members of the State and Local 
                Cybersecurity Resilience Committee shall serve without 
                pay.
            ``(4) Chairperson; vice chairperson.--The members of the 
        State and Local Cybersecurity Resilience Committee shall select 
        a chairperson and vice chairperson from among members of the 
        committee.
            ``(5) Permanent authority.--Notwithstanding section 14 of 
        the Federal Advisory Committee Act (5 U.S.C. App.), the State 
        and Local Cybersecurity Resilience Committee shall be a 
        permanent authority.
    ``(p) Reports.--
            ``(1) Annual reports by grant recipients.--
                    ``(A) In general.--Not later than one year after an 
                eligible entity or multistate group receives funds 
                under this section, the eligible entity or multistate 
                group shall submit to the Secretary a report on the 
                progress of the eligible entity or multistate group in 
                implementing the Cybersecurity Plan of the eligible 
                entity or Cybersecurity Plans of the eligible entities 
                that comprise the multistate group, as the case may be.
                    ``(B) Absence of plan.--Not later than 180 days 
                after an eligible entity that does not have a 
                Cybersecurity Plan receives funds under this section 
                for developing its Cybersecurity Plan, the eligible 
                entity shall submit to the Secretary a report 
                describing how the eligible entity obligated and 
                expended grant funds during the fiscal year to--
                            ``(i) so develop such a Cybersecurity Plan; 
                        or
                            ``(ii) assist with the activities described 
                        in subsection (h)(3).
            ``(2) Annual reports to congress.--Not less frequently than 
        once per year, the Secretary, acting through the Director, 
        shall submit to Congress a report on the use of grants awarded 
        under this section and any progress made toward the following:
                    ``(A) Achieving the objectives set forth in the 
                Homeland Security Strategy to Improve the Cybersecurity 
                of State, Local, Tribal, and Territorial Governments, 
                upon the date on which the strategy is issued under 
                section 2210.
                    ``(B) Developing, implementing, or revising 
                Cybersecurity Plans.
                    ``(C) Reducing cybersecurity risks and 
                cybersecurity threats to information systems, 
                applications, and user accounts owned or operated by or 
                on behalf of State, local, and Tribal organizations as 
                a result of the award of such grants.
    ``(q) Authorization of Appropriations.--There are authorized to be 
appropriated for grants under this section--
            ``(1) for each of fiscal years 2022 through 2026, 
        $500,000,000; and
            ``(2) for each subsequent fiscal year, such sums as may be 
        necessary.

``SEC. 2220B. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR STATE, 
              LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT OFFICIALS.

    ``The Secretary, acting through the Director, shall develop, 
regularly update, and maintain a resource guide for use by State, 
local, Tribal, and territorial government officials, including law 
enforcement officers, to help such officials identify, prepare for, 
detect, protect against, respond to, and recover from cybersecurity 
risks (as such term is defined in section 2209), cybersecurity threats, 
and incidents (as such term is defined in section 2209).''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002, as amended by section 4, is further 
amended by inserting after the item relating to section 2220 the 
following new items:

``Sec. 2220A. State and Local Cybersecurity Grant Program.
``Sec. 2220B. Cybersecurity resource guide development for State, 
                            local, Tribal, and territorial government 
                            officials.''.

SEC. 3. STRATEGY.

    (a) Homeland Security Strategy To Improve the Cybersecurity of 
State, Local, Tribal, and Territorial Governments.--Section 2210 of the 
Homeland Security Act of 2002 (6 U.S.C. 660) is amended by adding at 
the end the following new subsection:
    ``(e) Homeland Security Strategy To Improve the Cybersecurity of 
State, Local, Tribal, and Territorial Governments.--
            ``(1) In general.--
                    ``(A) Requirement.--Not later than one year after 
                the date of the enactment of this subsection, the 
                Secretary, acting through the Director, shall, in 
                coordination with the heads of appropriate Federal 
                agencies, State, local, Tribal, and territorial 
                governments, the State and Local Cybersecurity 
                Resilience Committee established under section 2220A, 
                and other stakeholders, as appropriate, develop and 
                make publicly available a Homeland Security Strategy to 
                Improve the Cybersecurity of State, Local, Tribal, and 
                Territorial Governments.
                    ``(B) Recommendations and requirements.--The 
                strategy required under subparagraph (A) shall--
                            ``(i) provide recommendations relating to 
                        the ways in which the Federal Government should 
                        support and promote the ability of State, 
                        local, Tribal, and territorial governments to 
                        identify, mitigate against, protect against, 
                        detect, respond to, and recover from 
                        cybersecurity risks (as such term is defined in 
                        section 2209), cybersecurity threats, and 
                        incidents (as such term is defined in section 
                        2209); and
                            ``(ii) establish baseline requirements for 
                        cybersecurity plans under this section and 
                        principles with which such plans shall align.
            ``(2) Contents.--The strategy required under paragraph (1) 
        shall--
                    ``(A) identify capability gaps in the ability of 
                State, local, Tribal, and territorial governments to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, incidents, and ransomware incidents;
                    ``(B) identify Federal resources and capabilities 
                that are available or could be made available to State, 
                local, Tribal, and territorial governments to help 
                those governments identify, protect against, detect, 
                respond to, and recover from cybersecurity risks, 
                cybersecurity threats, incidents, and ransomware 
                incidents;
                    ``(C) identify and assess the limitations of 
                Federal resources and capabilities available to State, 
                local, Tribal, and territorial governments to help 
                those governments identify, protect against, detect, 
                respond to, and recover from cybersecurity risks, 
                cybersecurity threats, incidents, and ransomware 
                incidents and make recommendations to address such 
                limitations;
                    ``(D) identify opportunities to improve the 
                coordination of the Agency with Federal and non-Federal 
                entities, such as the Multi-State Information Sharing 
                and Analysis Center, to improve--
                            ``(i) incident exercises, information 
                        sharing and incident notification procedures;
                            ``(ii) the ability for State, local, 
                        Tribal, and territorial governments to 
                        voluntarily adapt and implement guidance in 
                        Federal binding operational directives; and
                            ``(iii) opportunities to leverage Federal 
                        schedules for cybersecurity investments under 
                        section 502 of title 40, United States Code;
                    ``(E) recommend new initiatives the Federal 
                Government should undertake to improve the ability of 
                State, local, Tribal, and territorial governments to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, incidents, and ransomware incidents;
                    ``(F) set short-term and long-term goals that will 
                improve the ability of State, local, Tribal, and 
                territorial governments to identify, protect against, 
                detect, respond to, and recover from cybersecurity 
                risks, cybersecurity threats, incidents, and ransomware 
                incidents; and
                    ``(G) set dates, including interim benchmarks, as 
                appropriate for State, local, Tribal, and territorial 
                governments to establish baseline capabilities to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, incidents, and ransomware incidents.
            ``(3) Considerations.--In developing the strategy required 
        under paragraph (1), the Director, in coordination with the 
        heads of appropriate Federal agencies, State, local, Tribal, 
        and territorial governments, the State and Local Cybersecurity 
        Resilience Committee established under section 2220A, and other 
        stakeholders, as appropriate, shall consider--
                    ``(A) lessons learned from incidents that have 
                affected State, local, Tribal, and territorial 
                governments, and exercises with Federal and non-Federal 
                entities;
                    ``(B) the impact of incidents that have affected 
                State, local, Tribal, and territorial governments, 
                including the resulting costs to such governments;
                    ``(C) the information related to the interest and 
                ability of state and non-state threat actors to 
                compromise information systems (as such term is defined 
                in section 102 of the Cybersecurity Act of 2015 (6 
                U.S.C. 1501)) owned or operated by State, local, 
                Tribal, and territorial governments;
                    ``(D) emerging cybersecurity risks and 
                cybersecurity threats to State, local, Tribal, and 
                territorial governments resulting from the deployment 
                of new technologies; and
                    ``(E) recommendations made by the State and Local 
                Cybersecurity Resilience Committee established under 
                section 2220A.
            ``(4) Exemption.--Chapter 35 of title 44, United States 
        Code (commonly known as the `Paperwork Reduction Act'), shall 
        not apply to any action to implement this subsection.''.
    (b) Responsibilities of the Director of the Cybersecurity and 
Infrastructure Security Agency.--Section 2202 of the Homeland Security 
Act of 2002 (6 U.S.C. 652) is amended--
            (1) by redesignating subsections (d) through (i) as 
        subsections (e) through (j), respectively; and
            (2) by inserting after subsection (c) the following new 
        subsection:
    ``(d) Additional Responsibilities.--In addition to the 
responsibilities under subsection (c), the Director shall--
            ``(1) develop program guidance, in consultation with the 
        State and Local Cybersecurity Resilience Committee 
        established under section 2220A, for the State and Local 
        Cybersecurity Grant Program under such section or any other 
        homeland security assistance administered by the Department to 
        improve cybersecurity;
            ``(2) review, in consultation with the State and Local 
        Cybersecurity Resilience Committee, all cybersecurity plans of 
        State, local, Tribal, and territorial governments developed 
        pursuant to any homeland security assistance administered by 
        the Department to improve cybersecurity;
            ``(3) provide expertise and technical assistance to State, 
        local, Tribal, and territorial government officials with 
        respect to cybersecurity; and
            ``(4) provide education, training, and capacity development 
        to enhance the security and resilience of cybersecurity and 
        infrastructure security.''.
    (c) Feasibility Study.--Not later than 270 days after the date of 
the enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency of the Department of Homeland Security 
shall 
conduct a study to assess the feasibility of implementing a short-term 
rotational program for the detail to the Agency of approved State, 
local, Tribal, and territorial government employees in cyber workforce 
positions.

SEC. 4. TITLE XXII TECHNICAL AND CLERICAL AMENDMENTS.

    (a) Technical Amendments.--
            (1) Homeland security act of 2002.--Subtitle A of title 
        XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et 
        seq.) is amended--
                    (A) in the first section 2215 (6 U.S.C. 665; 
                relating to the duties and authorities relating to .gov 
                internet domain), by amending the section enumerator 
                and heading to read as follows:

``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET 
              DOMAIN.'';

                    (B) in the second section 2215 (6 U.S.C. 665b; 
                relating to the joint cyber planning office), by 
                amending the section enumerator and heading to read as 
                follows:

``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';

                    (C) in the third section 2215 (6 U.S.C. 665c; 
                relating to the Cybersecurity State Coordinator), by 
                amending the section enumerator and heading to read as 
                follows:

``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';

                    (D) in the fourth section 2215 (6 U.S.C. 665d; 
                relating to Sector Risk Management Agencies), by 
                amending the section enumerator and heading to read as 
                follows:

``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';

                    (E) in section 2216 (6 U.S.C. 665e; relating to the 
                Cybersecurity Advisory Committee), by amending the 
                section enumerator and heading to read as follows:

``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.'';

                and
                    (F) in section 2217 (6 U.S.C. 665f; relating to 
                Cybersecurity Education and Training Programs), by 
                amending the section enumerator and heading to read as 
                follows:

``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING PROGRAMS.''.

            (2) Consolidated appropriations act, 2021.--Paragraph (1) 
        of section 904(b) of division U of the Consolidated 
        Appropriations Act, 2021 (Public Law 116-260) is amended, in 
        the matter preceding subparagraph (A), by inserting ``of 2002'' 
        after ``Homeland Security Act''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 is amended by striking the items 
relating to sections 2214 through 2217 and inserting the following new 
items:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.''.

            Passed the House of Representatives July 20, 2021.

            Attest:

                                                                 Clerk.