Amendments to the Homeland Security Act of 2002

Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended—(1)in section 2201 (6 U.S.C. 651)—(A)by redesignating paragraphs (4), (5), and (6) as paragraphs (5), (6), and (7), respectively; and(B)by inserting after paragraph (3) the following:

(4)

Entity

The term entity shall include—(A)an association, corporation, whether for-profit or nonprofit, partnership, proprietorship, organization, institution, establishment, or individual, whether domestic or foreign;(B)a governmental agency or other governmental entity, whether domestic or foreign, including State, local, Tribal, and territorial government entities; and(C)the general public.

;

(2)in section 2202 (6 U.S.C. 652)—(A)in subsection (c)—(i)in paragraph (11), by striking and at the end;(ii)in the first paragraph (12), by striking and at the end;(iii)by redesignating the second and third paragraphs (12) as paragraphs (13) and (15), respectively;(iv)in paragraph (13), as so redesignated, by striking and at the end; and(v)by inserting after paragraph (13), as so redesignated, the following:

(14)carry out the authority of the Secretary under subsection (e)(1)(S); and

; and

(B)in subsection (e)(1), by adding at the end the following:

(S)To make grants to and enter into cooperative agreements or contracts with States, local, Tribal, and territorial governments, and other non-Federal entities as the Secretary determines necessary to carry out the responsibilities of the Secretary related to cybersecurity and infrastructure security under this Act and any other provision of law, including grants, cooperative agreements, and contracts that provide assistance and education related to cyber threat indicators, defensive measures and cybersecurity technologies, cybersecurity risks, incidents, analysis, and warnings.

; and

(3)in section 2209 (6 U.S.C. 659)—(A)in subsection (c)(6), by inserting operational and before timely;(B)in subsection (d)(1)(E), by inserting , including an entity that collaborates with election officials, after governments; and(C)by adding at the end the following:

(p)

Coordination on cybersecurity for Federal and non-Federal entities

(1)

Coordination

The Center shall, to the extent practicable, and in coordination as appropriate with Federal and non-Federal entities, such as the Multi-State Information Sharing and Analysis Center—(A)conduct exercises with Federal and non-Federal entities;(B)provide operational and technical cybersecurity training related to cyber threat indicators, proactive and defensive measures, cybersecurity risks and vulnerabilities, and incident response and management to Federal and non-Federal entities to address cybersecurity risks or incidents, with or without reimbursement;(C)assist Federal and non-Federal entities, upon request, in sharing actionable and real time cyber threat indicators, defensive measures, cybersecurity risks, and incidents from and to the Federal Government as well as among Federal and non-Federal entities, in order to increase situational awareness and help prevent incidents;(D)provide notifications containing specific incident and malware information that may affect them or their customers and residents;(E)provide and periodically update via an easily accessible platform and other means tools, products, resources, policies, guidelines, controls, and other cybersecurity standards and best practices and procedures related to information security;(F)work with senior Federal and non-Federal officials, including State, local, Tribal, and territorial Chief Information Officers, senior election officials, and through national associations, to coordinate a nationwide effort to ensure effective implementation of tools, products, resources, policies, guidelines, controls, and procedures related to information security to secure and ensure the resiliency of Federal and non-Federal information systems, including election systems;(G)provide, upon request, operational and technical assistance to Federal and non-Federal entities to implement tools, products, resources, policies, guidelines, controls, and procedures on information security, including by, as appropriate, deploying and sustaining cybersecurity technologies, such as an intrusion and threat detection capability, to assist those Federal and non-Federal entities in detecting cybersecurity risks and incidents;(H)assist Federal and non-Federal entities in developing policies and procedures for coordinating vulnerability disclosures, to the extent practicable, consistent with international and national standards in the information technology industry;(I)ensure that Federal and non-Federal entities, as appropriate, are made aware of the tools, products, resources, policies, guidelines, controls, and procedures on information security developed by the Department and other appropriate Federal departments and agencies for ensuring the security and resiliency of civilian information systems; and(J)promote cybersecurity education and awareness through engagements with Federal and non-Federal entities.(q)

Report

Not later than 1 year after the date of enactment of this subsection, and every 2 years thereafter, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on—(1)the status of cybersecurity measures that are in place, and any gaps that exist, in each State and in the largest urban areas of the United States;(2)the services and capabilities that the Agency directly provides to governmental agencies or other governmental entities; and(3)the services and capabilities that the Agency indirectly provides to governmental agencies or other governmental entities through an entity described in section 2201(4)(B).