[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2585 Introduced in Senate (IS)]

<DOC>






117th CONGRESS
  1st Session
                                S. 2585

To amend the Homeland Security Act of 2002 to authorize a grant program 
relating to the cybersecurity of State, local, Tribal, and territorial 
                  governments, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             August 3, 2021

   Ms. Hassan (for herself, Mr. Cornyn, Ms. Sinema, and Mr. Tillis) 
introduced the following bill; which was read twice and referred to the 
        Committee on Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
To amend the Homeland Security Act of 2002 to authorize a grant program 
relating to the cybersecurity of State, local, Tribal, and territorial 
                  governments, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``State and Local Cybersecurity 
Improvement Act''.

SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following:

``SEC. 2218. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

    ``(a) Definitions.--In this section:
            ``(1) Appropriate committees of congress.--The term 
        `appropriate committees of Congress' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                    ``(B) the Committee on Homeland Security of the 
                House of Representatives.
            ``(2) Cyber threat indicator.--The term `cyber threat 
        indicator' has the meaning given the term in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501).
            ``(3) Cybersecurity plan.--The term `Cybersecurity Plan' 
        means a plan submitted by an eligible entity under subsection 
        (e)(1).
            ``(4) Eligible entity.--The term `eligible entity' means 
        a--
                    ``(A) State; or
                    ``(B) Tribal government.
            ``(5) Incident.--The term `incident' has the meaning given 
        the term in section 2209.
            ``(6) Information sharing and analysis organization.--The 
        term `information sharing and analysis organization' has the 
        meaning given the term in section 2222.
            ``(7) Information system.--The term `information system' 
        has the meaning given the term in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501).
            ``(8) Multi-entity group.--The term `multi-entity group' 
        means a group of 2 or more eligible entities desiring a grant 
        under this section.
            ``(9) Online service.--The term `online service' means any 
        internet-facing service, including a website, email, virtual 
        private network, or custom application.
            ``(10) Rural area.--The term `rural area' has the meaning 
        given the term in section 5302 of title 49, United States Code.
            ``(11) State and local cybersecurity grant program.--The 
        term `State and Local Cybersecurity Grant Program' means the 
        program established under subsection (b).
            ``(12) Tribal government.--The term `Tribal government' 
        means the recognized governing body of any Indian or Alaska 
        Native Tribe, band, nation, pueblo, village, community, 
        component band, or component reservation, that is individually 
        identified (including parenthetically) in the most recent list 
        published pursuant to Section 104 of the Federally Recognized 
        Indian Tribe List Act of 1994 (25 U.S.C. 5131).
    ``(b) Establishment.--
            ``(1) In general.--There is established within the 
        Department a program to award grants to eligible entities to 
        address cybersecurity risks and cybersecurity threats to 
        information systems owned or operated by, or on behalf of, 
        State, local, or Tribal governments.
            ``(2) Application.--An eligible entity desiring a grant 
        under the State and Local Cybersecurity Grant Program shall 
        submit to the Secretary an application at such time, in such 
        manner, and containing such information as the Secretary may 
        require.
    ``(c) Administration.--The State and Local Cybersecurity Grant 
Program shall be administered in the same office of the Department that 
administers grants made under sections 2003 and 2004.
    ``(d) Use of Funds.--An eligible entity that receives a grant under 
this section and a local government that receives funds from a grant 
under this section, as appropriate, shall use the grant to--
            ``(1) implement the Cybersecurity Plan of the eligible 
        entity;
            ``(2) develop or revise the Cybersecurity Plan of the 
        eligible entity;
            ``(3) pay expenses directly relating to the administration 
        of the grant, which shall not exceed 5 percent of the amount of 
        the grant;
            ``(4) assist with activities that address imminent 
        cybersecurity threats, as confirmed by the Secretary, acting 
        through the Director, to the information systems owned or 
        operated by, or on behalf of, the eligible entity or a local 
        government within the jurisdiction of the eligible entity; or
            ``(5) fund any other appropriate activity determined by the 
        Secretary, acting through the Director.
    ``(e) Cybersecurity Plans.--
            ``(1) In general.--An eligible entity applying for a grant 
        under this section shall submit to the Secretary a 
        Cybersecurity Plan for review in accordance with subsection 
        (i).
            ``(2) Required elements.--A Cybersecurity Plan of an 
        eligible entity shall--
                    ``(A) incorporate, to the extent practicable--
                            ``(i) any existing plans of the eligible 
                        entity to protect against cybersecurity risks 
                        and cybersecurity threats to information 
                        systems owned or operated by, or on behalf of, 
                        State, local, or Tribal governments; and
                            ``(ii) if the eligible entity is a State, 
                        consultation and feedback from local 
                        governments and associations of local 
                        governments within the jurisdiction of the 
                        eligible entity;
                    ``(B) describe, to the extent practicable, how the 
                eligible entity will--
                            ``(i) manage, monitor, and track 
                        information systems, applications, and user 
                        accounts owned or operated by, or on behalf of, 
                        the eligible entity or, if the eligible entity 
                        is a State, local governments within the 
                        jurisdiction of the eligible entity, and the 
                        information technology deployed on those 
                        information systems, including legacy 
                        information systems and information technology 
                        that are no longer supported by the 
                        manufacturer of the systems or technology;
                            ``(ii) monitor, audit, and, track network 
                        traffic and activity transiting or traveling to 
                        or from information systems, applications, and 
                        user accounts owned or operated by, or on 
                        behalf of, the eligible entity or, if the 
                        eligible entity is a State, local governments 
                        within the jurisdiction of the eligible entity;
                            ``(iii) enhance the preparation, response, 
                        and resiliency of information systems, 
                        applications, and user accounts owned or 
                        operated by, or on behalf of, the eligible 
                        entity or, if the eligible entity is a State, 
                        local governments within the jurisdiction of 
                        the eligible entity, against cybersecurity 
                        risks and cybersecurity threats;
                            ``(iv) implement a process of continuous 
                        cybersecurity vulnerability assessments and 
                        threat mitigation practices prioritized by 
                        degree of risk to address cybersecurity risks 
                        and cybersecurity threats on information 
                        systems, applications, and user accounts owned 
                        or operated by, or on behalf of, the eligible 
                        entity or, if the eligible entity is a State, 
                        local governments within the jurisdiction of 
                        the eligible entity;
                            ``(v) ensure that the eligible entity and, 
                        if the eligible entity is a State, local 
                        governments within the jurisdiction of the 
                        eligible entity, adopt and use best practices 
                        and methodologies to enhance cybersecurity, 
                        such as--
                                    ``(I) the practices set forth in 
                                the cybersecurity framework developed 
                                by the National Institute of Standards 
                                and Technology;
                                    ``(II) cyber chain supply chain 
                                risk management best practices 
                                identified by the National Institute of 
                                Standards and Technology; and
                                    ``(III) knowledge bases of 
                                adversary tools and tactics;
                            ``(vi) promote the delivery of safe, 
                        recognizable, and trustworthy online services 
                        by the eligible entity and, if the eligible 
                        entity is a State, local governments within the 
                        jurisdiction of the eligible entity, including 
                        through the use of the .gov internet domain;
                            ``(vii) ensure continuity of operations of 
                        the eligible entity and, if the eligible entity 
                        is a State, local governments within the 
                        jurisdiction of the eligible entity, in the 
                        event of a cybersecurity incident, including by 
                        conducting exercises to practice responding to 
                        a cybersecurity incident;
                            ``(viii) use the National Initiative for 
                        Cybersecurity Education Workforce Framework for 
                        Cybersecurity developed by the National 
                        Institute of Standards and Technology to 
                        identify and mitigate any gaps in the 
                        cybersecurity workforces of the eligible entity 
                        and, if the eligible entity is a State, local 
                        governments within the jurisdiction of the 
                        eligible entity, enhance recruitment and 
                        retention efforts for those workforces, and 
                        bolster the knowledge, skills, and abilities of 
                        personnel of the eligible entity and, if the 
                        eligible entity is a State, local governments 
                        within the jurisdiction of the eligible entity, 
                        to address cybersecurity risks and 
                        cybersecurity threats, such as through 
                        cybersecurity hygiene training;
                            ``(ix) if the eligible entity is a State, 
                        ensure continuity of communications and data 
                        networks within the jurisdiction of the 
                        eligible entity between the eligible entity and 
                        local governments within the jurisdiction of 
                        the eligible entity in the event of an incident 
                        involving those communications or data 
                        networks;
                            ``(x) assess and mitigate, to the greatest 
                        degree possible, cybersecurity risks and 
                        cybersecurity threats relating to critical 
                        infrastructure and key resources, the 
                        degradation of which may impact the performance 
                        of information systems within the jurisdiction 
                        of the eligible entity;
                            ``(xi) enhance capabilities to share cyber 
                        threat indicators and related information 
                        between the eligible entity and--
                                    ``(I) if the eligible entity is a 
                                State, local governments within the 
                                jurisdiction of the eligible entity, 
                                including by expanding information 
                                sharing agreements with the Department; 
                                and
                                    ``(II) the Department;
                            ``(xii) leverage cybersecurity services 
                        offered by the Department;
                            ``(xiii) implement an information 
                        technology and operational technology 
                        modernization cybersecurity review process that 
                        ensures alignment between information 
                        technology and operational technology 
                        cybersecurity objectives;
                            ``(xiv) develop and coordinate strategies 
                        to address cybersecurity risks and 
                        cybersecurity threats in consultation with--
                                    ``(I) if the eligible entity is a 
                                State, local governments and 
                                associations of local governments 
                                within the jurisdiction of the eligible 
                                entity; and
                                    ``(II) as applicable--
                                            ``(aa) eligible entities 
                                        that neighbor the jurisdiction 
                                        of the eligible entity or, as 
                                        appropriate, members of an 
                                        information sharing and 
                                        analysis organization; and
                                            ``(bb) countries that 
                                        neighbor the jurisdiction of 
                                        the eligible entity;
                            ``(xv) ensure adequate access to, and 
                        participation in, the services and programs 
                        described in this subparagraph by rural areas 
                        within the jurisdiction of the eligible entity; 
                        and
                            ``(xvi) distribute funds, items, services, 
                        capabilities, or activities to local 
                        governments under subsection (n)(2)(A), 
                        including the fraction of that distribution the 
                        eligible entity plans to distribute to rural 
                        areas under subsection (n)(2)(B);
                    ``(C) assess the capabilities of the eligible 
                entity relating to the actions described in 
                subparagraph (B);
                    ``(D) describe, as appropriate and to the extent 
                practicable, the individual responsibilities of the 
                eligible entity and local governments within the 
                jurisdiction of the eligible entity in implementing the 
                plan;
                    ``(E) outline, to the extent practicable, the 
                necessary resources and a timeline for implementing the 
                plan; and
                    ``(F) describe the metrics the eligible entity will 
                use to measure progress towards--
                            ``(i) implementing the plan; and
                            ``(ii) reducing cybersecurity risks to, and 
                        identifying, responding to, and recovering from 
                        cybersecurity threats to, information systems 
                        owned or operated by, or on behalf of, the 
                        eligible entity or, if the eligible entity is a 
                        State, local governments within the 
                        jurisdiction of the eligible entity.
            ``(3) Discretionary elements.--In drafting a Cybersecurity 
        Plan, an eligible entity may--
                    ``(A) consult with the Multi-State Information 
                Sharing and Analysis Center;
                    ``(B) include a description of cooperative programs 
                developed by groups of local governments within the 
                jurisdiction of the eligible entity to address 
                cybersecurity risks and cybersecurity threats; and
                    ``(C) include a description of programs provided by 
                the eligible entity to support local governments and 
                owners and operators of critical infrastructure to 
                address cybersecurity risks and cybersecurity threats.
    ``(f) Multi-Entity Grants.--
            ``(1) In general.--The Secretary may award grants under 
        this section to a multi-entity group to support multi-entity 
        efforts to address cybersecurity risks and cybersecurity 
        threats to information systems within the jurisdictions of the 
        eligible entities that comprise the multi-entity group.
            ``(2) Satisfaction of other requirements.--In order to be 
        eligible for a multi-entity grant under this subsection, each 
        eligible entity that comprises a multi-entity group shall 
        have--
                    ``(A) a Cybersecurity Plan that has been reviewed 
                by the Secretary in accordance with subsection (i); and
                    ``(B) a cybersecurity planning committee 
                established in accordance with subsection (g).
            ``(3) Application.--
                    ``(A) In general.--A multi-entity group applying 
                for a multi-entity grant under paragraph (1) shall 
                submit to the Secretary an application at such time, in 
                such manner, and containing such information as the 
                Secretary may require.
                    ``(B) Multi-entity project plan.--An application 
                for a grant under this section of a multi-entity group 
                under subparagraph (A) shall include a plan 
                describing--
                            ``(i) the division of responsibilities 
                        among the eligible entities that comprise the 
                        multi-entity group;
                            ``(ii) the distribution of funding from the 
                        grant among the eligible entities that comprise 
                        the multi-entity group; and
                            ``(iii) how the eligible entities that 
                        comprise the multi-entity group will work 
                        together to implement the Cybersecurity Plan of 
                        each of those eligible entities.
    ``(g) Planning Committees.--
            ``(1) In general.--An eligible entity that receives a grant 
        under this section shall establish a cybersecurity planning 
        committee to--
                    ``(A) assist with the development, implementation, 
                and revision of the Cybersecurity Plan of the eligible 
                entity;
                    ``(B) approve the Cybersecurity Plan of the 
                eligible entity; and
                    ``(C) assist with the determination of effective 
                funding priorities for a grant under this section in 
                accordance with subsections (d) and (j).
            ``(2) Composition.--A committee of an eligible entity 
        established under paragraph (1) shall--
                    ``(A) be comprised of representatives from--
                            ``(i) the eligible entity;
                            ``(ii) if the eligible entity is a State, 
                        counties, cities, and towns within the 
                        jurisdiction of the eligible entity; and
                            ``(iii) institutions of public education 
                        and health within the jurisdiction of the 
                        eligible entity; and
                    ``(B) include, as appropriate, representatives of 
                rural, suburban, and high-population jurisdictions.
            ``(3) Cybersecurity expertise.--Not less than one-half of 
        the representatives of a committee established under paragraph 
        (1) shall have professional experience relating to 
        cybersecurity or information technology.
            ``(4) Rule of construction regarding existing planning 
        committees.--Nothing in this subsection shall be construed to 
        require an eligible entity to establish a cybersecurity 
        planning committee if the eligible entity has established and 
        uses a multijurisdictional planning committee or commission 
        that--
                    ``(A) meets the requirements of this subsection; or
                    ``(B) may be expanded or leveraged to meet the 
                requirements of this subsection, including through the 
                formation of a cybersecurity planning subcommittee.
            ``(5) Rule of construction regarding control of information 
        systems of eligible entities.--Nothing in this subsection shall 
        be construed to permit a cybersecurity planning committee of an 
        eligible entity that meets the requirements of this subsection 
        to make decisions relating to information systems owned or 
        operated by, or on behalf of, the eligible entity.
    ``(h) Special Rule for Tribal Governments.--With respect to any 
requirement under subsection (e) or (g), the Secretary, in consultation 
with the Secretary of the Interior and Tribal governments, may 
prescribe an alternative substantively similar requirement for Tribal 
governments if the Secretary finds that the alternative requirement is 
necessary for the effective delivery and administration of grants to 
Tribal governments under this section.
    ``(i) Review of Plans.--
            ``(1) Review as condition of grant.--
                    ``(A) In general.--Subject to paragraph (3), before 
                an eligible entity may receive a grant under this 
                section, the Secretary, acting through the Director, 
                shall--
                            ``(i) review the Cybersecurity Plan of the 
                        eligible entity, including any revised 
                        Cybersecurity Plans of the eligible entity; and
                            ``(ii) determine that the Cybersecurity 
                        Plan reviewed under clause (i) satisfies the 
                        requirements under paragraph (2).
                    ``(B) Duration of determination.--In the case of a 
                determination under subparagraph (A)(ii) that a 
                Cybersecurity Plan satisfies the requirements under 
                paragraph (2), the determination shall be effective for 
                the 2-year period beginning on the date of the 
                determination.
                    ``(C) Annual renewal.--Not later than 2 years after 
                the date on which the Secretary determines under 
                subparagraph (A)(ii) that a Cybersecurity Plan 
                satisfies the requirements under paragraph (2), and 
                annually thereafter, the Secretary, acting through the 
                Director, shall--
                            ``(i) determine whether the Cybersecurity 
                        Plan and any revisions continue to meet the 
                        criteria described in paragraph (2); and
                            ``(ii) renew the determination if the 
                        Secretary, acting through the Director, makes a 
                        positive determination under clause (i).
            ``(2) Plan requirements.--In reviewing a Cybersecurity Plan 
        of an eligible entity under this subsection, the Secretary, 
        acting through the Director, shall ensure that the 
        Cybersecurity Plan--
                    ``(A) satisfies the requirements of subsection 
                (e)(2); and
                    ``(B) has been approved by--
                            ``(i) the cybersecurity planning committee 
                        of the eligible entity established under 
                        subsection (g); and
                            ``(ii) the Chief Information Officer, the 
                        Chief Information Security Officer, or an 
                        equivalent official of the eligible entity.
            ``(3) Exception.--Notwithstanding subsection (e) and 
        paragraph (1) of this subsection, the Secretary may award a 
        grant under this section to an eligible entity that does not 
        submit a Cybersecurity Plan to the Secretary for review before 
        September 30, 2023, if the eligible entity certifies to the 
        Secretary that--
                    ``(A) the activities that will be supported by the 
                grant are--
                            ``(i) integral to the development of the 
                        Cybersecurity Plan of the eligible entity; or
                            ``(ii) necessary to assist with activities 
                        described in subsection (d)(4), as confirmed by 
                        the Director; and
                    ``(B) the eligible entity will submit to the 
                Secretary a Cybersecurity Plan for review under this 
                subsection by September 30, 2023.
            ``(4) Rule of construction.--Nothing in this subsection 
        shall be construed to provide authority to the Secretary to--
                    ``(A) regulate the manner by which an eligible 
                entity or local government improves the cybersecurity 
                of the information systems owned or operated by, or on 
                behalf of, the eligible entity or local government; or
                    ``(B) condition the receipt of grants under this 
                section on--
                            ``(i) participation in a particular Federal 
                        program; or
                            ``(ii) the use of a specific product or 
                        technology.
    ``(j) Limitations on Uses of Funds.--
            ``(1) In general.--Any entity that receives funds from a 
        grant under this section may not use the grant--
                    ``(A) to supplant State or local funds;
                    ``(B) for any recipient cost-sharing contribution;
                    ``(C) to pay a ransom;
                    ``(D) for recreational or social purposes; or
                    ``(E) for any purpose that does not address 
                cybersecurity risks or cybersecurity threats on 
                information systems owned or operated by, or on behalf 
                of, the eligible entity that receives the grant or a 
                local government within the jurisdiction of the 
                eligible entity.
            ``(2) Compliance oversight.--In addition to any other 
        remedy available, the Secretary may take such actions as are 
        necessary to ensure that a recipient of a grant under this 
        section uses the grant for the purposes for which the grant is 
        awarded.
            ``(3) Rule of construction.--Nothing in paragraph (1)(A) 
        shall be construed to prohibit the use of funds from a grant 
        under this section awarded to a State, local, or Tribal 
        government for otherwise permissible uses under this section on 
        the basis that the State, local, or Tribal government has 
        previously used State, local, or Tribal funds to support the 
        same or similar uses.
    ``(k) Opportunity To Amend Applications.--In considering 
applications for grants under this section, the Secretary shall provide 
applicants with a reasonable opportunity to correct any defects in 
those applications before making final awards, including by allowing 
applicants to revise a submitted Cybersecurity Plan.
    ``(l) Apportionment.--For fiscal year 2022 and each fiscal year 
thereafter, the Secretary shall apportion amounts appropriated to carry 
out this section among eligible entities as follows:
            ``(1) Baseline amount.--The Secretary shall first 
        apportion--
                    ``(A) 0.25 percent of such amounts to each of 
                American Samoa, the Commonwealth of the Northern 
                Mariana Islands, Guam, and the United States Virgin 
                Islands;
                    ``(B) 1 percent of such amounts to each of the 
                remaining States; and
                    ``(C) 3 percent of such amounts to Tribal 
                governments.
            ``(2) Remainder.--The Secretary shall apportion the 
        remainder of such amounts to States as follows:
                    ``(A) 50 percent of such remainder in the ratio 
                that the population of each State, bears to the 
                population of all States; and
                    ``(B) 50 percent of such remainder in the ratio 
                that the population of each State that resides in rural 
                areas, bears to the population of all States that 
                resides in rural areas.
            ``(3) Apportionment among tribal governments.--In 
        determining how to apportion amounts to Tribal governments 
        under paragraph (1)(C), the Secretary shall consult with the 
        Secretary of the Interior and Tribal governments.
            ``(4) Multi-entity grants.--An amount received from a 
        multi-entity grant awarded under subsection (f)(1) by a State 
        or Tribal government that is a member of the multi-entity group 
        shall qualify as an apportionment for the purpose of this 
        subsection.
    ``(m) Federal Share.--
            ``(1) In general.--The Federal share of the cost of an 
        activity carried out using funds made available with a grant 
        under this section may not exceed--
                    ``(A) in the case of a grant to an eligible 
                entity--
                            ``(i) for fiscal year 2022, 90 percent;
                            ``(ii) for fiscal year 2023, 80 percent;
                            ``(iii) for fiscal year 2024, 70 percent; 
                        and
                            ``(iv) for fiscal year 2025, 60 percent; 
                        and
                    ``(B) in the case of a grant to a multi-entity 
                group--
                            ``(i) for fiscal year 2022, 100 percent;
                            ``(ii) for fiscal year 2023, 90 percent;
                            ``(iii) for fiscal year 2024, 80 percent; 
                        and
                            ``(iv) for fiscal year 2025, 70 percent.
            ``(2) Waiver.--
                    ``(A) In general.--The Secretary may waive or 
                modify the requirements of paragraph (1) if an eligible 
                entity or multi-entity group demonstrates economic 
                hardship.
                    ``(B) Guidelines.--The Secretary shall establish 
                and publish guidelines for determining what constitutes 
                economic hardship for the purposes of this subsection.
                    ``(C) Considerations.--In developing guidelines 
                under subparagraph (B), the Secretary shall consider, 
                with respect to the jurisdiction of an eligible 
                entity--
                            ``(i) changes in rates of unemployment in 
                        the jurisdiction from previous years;
                            ``(ii) changes in the percentage of 
                        individuals who are eligible to receive 
                        benefits under the supplemental nutrition 
                        assistance program established under the Food 
                        and Nutrition Act of 2008 (7 U.S.C. 2011 et 
                        seq.) from previous years; and
                            ``(iii) any other factors the Secretary 
                        considers appropriate.
            ``(3) Waiver for tribal governments.--Notwithstanding 
        paragraph (2), the Secretary, in consultation with the 
        Secretary of the Interior and Tribal governments, may waive or 
        modify the requirements of paragraph (1) for 1 or more Tribal 
        governments if the Secretary determines that the waiver is in 
        the public interest.
    ``(n) Responsibilities of Grantees.--
            ``(1) Certification.--Each eligible entity or multi-entity 
        group that receives a grant under this section shall certify to 
        the Secretary that the grant will be used--
                    ``(A) for the purpose for which the grant is 
                awarded; and
                    ``(B) in compliance with subsections (d) and (j).
            ``(2) Availability of funds to local governments and rural 
        areas.--
                    ``(A) In general.--Subject to subparagraph (C), not 
                later than 45 days after the date on which an eligible 
                entity or multi-entity group receives a grant under 
                this section, the eligible entity or multi-entity group 
                shall, without imposing unreasonable or unduly 
                burdensome requirements as a condition of receipt, 
                obligate or otherwise make available to local 
                governments within the jurisdiction of the eligible 
                entity or the eligible entities that comprise the 
                multi-entity group, consistent with the Cybersecurity 
                Plan of the eligible entity or the Cybersecurity Plans 
                of the eligible entities that comprise the multi-entity 
                group--
                            ``(i) not less than 80 percent of funds 
                        available under the grant;
                            ``(ii) with the consent of the local 
                        governments, items, services, capabilities, or 
                        activities having a value of not less than 80 
                        percent of the amount of the grant; or
                            ``(iii) with the consent of the local 
                        governments, grant funds combined with other 
                        items, services, capabilities, or activities 
                        having the total value of not less than 80 
                        percent of the amount of the grant.
                    ``(B) Availability to rural areas.--In obligating 
                funds, items, services, capabilities, or activities to 
                local governments under subparagraph (A), the eligible 
                entity or eligible entities that comprise the multi-
                entity group shall ensure that rural areas within the 
                jurisdiction of the eligible entity or the eligible 
                entities that comprise the multi-entity group receive 
                not less than--
                            ``(i) 25 percent of the amount of the grant 
                        awarded to the eligible entity;
                            ``(ii) items, services, capabilities, or 
                        activities having a value of not less than 25 
                        percent of the amount of the grant awarded to 
                        the eligible entity; or
                            ``(iii) grant funds combined with other 
                        items, services, capabilities, or activities 
                        having the total value of not less than 25 
                        percent of the grant awarded to the eligible 
                        entity.
                    ``(C) Exceptions.--This paragraph shall not apply 
                to--
                            ``(i) any grant awarded under this section 
                        that solely supports activities that are 
                        integral to the development or revision of the 
                        Cybersecurity Plan of the eligible entity; or
                            ``(ii) the District of Columbia, the 
                        Commonwealth of Puerto Rico, American Samoa, 
                        the Commonwealth of the Northern Mariana 
                        Islands, Guam, the United States Virgin 
                        Islands, or a Tribal government.
            ``(3) Certifications regarding distribution of grant funds 
        to local governments.--An eligible entity or multi-entity group 
        shall certify to the Secretary that the eligible entity or 
        multi-entity group has made the distribution to local 
        governments required under paragraph (2).
            ``(4) Extension of period.--
                    ``(A) In general.--An eligible entity or multi-
                entity group may request in writing that the Secretary 
                extend the period of time specified in paragraph (2) 
                for an additional period of time.
                    ``(B) Approval.--The Secretary may approve a 
                request for an extension under subparagraph (A) if the 
                Secretary determines the extension is necessary to 
                ensure that the obligation and expenditure of grant 
                funds align with the purpose of the State and Local 
                Cybersecurity Grant Program.
            ``(5) Direct funding.--If an eligible entity does not make 
        a distribution to a local government required under paragraph 
        (2) in a timely fashion, the local government may petition the 
        Secretary to request the Secretary to provide funds directly to 
        the local government.
            ``(6) Limitation on construction.--A grant awarded under 
        this section may not be used to acquire land or to construct, 
        remodel, or perform alterations of buildings or other physical 
        facilities.
            ``(7) Consultation in allocating funds.--An eligible entity 
        applying for a grant under this section shall agree to consult 
        the Chief Information Officer, the Chief Information Security 
        Officer, or an equivalent official of the eligible entity in 
        allocating funds from a grant awarded under this section.
            ``(8) Penalties.--In addition to other remedies available 
        to the Secretary, if an eligible entity violates a requirement 
        of this subsection, the Secretary may--
                    ``(A) terminate or reduce the amount of a grant 
                awarded under this section to the eligible entity; or
                    ``(B) distribute grant funds previously awarded to 
                the eligible entity--
                            ``(i) in the case of an eligible entity 
                        that is a State, directly to the appropriate 
                        local government as a replacement grant in an 
                        amount determined by the Secretary; or
                            ``(ii) in the case of an eligible entity 
                        that is a Tribal government, to another Tribal 
                        government or Tribal governments as a 
                        replacement grant in an amount determined by 
                        the Secretary.
    ``(o) Consultation With State, Local, and Tribal Representatives.--
In carrying out this section, the Secretary shall consult with State, 
local, and Tribal representatives with professional experience relating 
to cybersecurity, including representatives of associations 
representing State, local, and Tribal governments, to inform--
            ``(1) guidance for applicants for grants under this 
        section, including guidance for Cybersecurity Plans;
            ``(2) the study of risk-based formulas required under 
        subsection (q)(4);
            ``(3) the development of guidelines required under 
        subsection (m)(2)(B); and
            ``(4) any modifications described in subsection (q)(2)(D).
    ``(p) Notification to Congress.--Not later than 3 business days 
before the date on which the Department announces the award of a grant 
to an eligible entity under this section, including an announcement to 
the eligible entity, the Secretary shall provide to the appropriate 
committees of Congress notice of the announcement.
    ``(q) Reports, Study, and Review.--
            ``(1) Annual reports by grant recipients.--
                    ``(A) In general.--Not later than 1 year after the 
                date on which an eligible entity receives a grant under 
                this section for the purpose of implementing the 
                Cybersecurity Plan of the eligible entity, including an 
                eligible entity that comprises a multi-entity group 
                that receives a grant for that purpose, and annually 
                thereafter until 1 year after the date on which funds 
                from the grant are expended or returned, the eligible 
                entity shall submit to the Secretary a report that, 
                using the metrics described in the Cybersecurity Plan 
                of the eligible entity, describes the progress of the 
                eligible entity in--
                            ``(i) implementing the Cybersecurity Plan 
                        of the eligible entity; and
                            ``(ii) reducing cybersecurity risks to, and 
                        identifying, responding to, and recovering from 
                        cybersecurity threats to, information systems 
                        owned or operated by, or on behalf of, the 
                        eligible entity or, if the eligible entity is a 
                        State, local governments within the 
                        jurisdiction of the eligible entity.
                    ``(B) Absence of plan.--Not later than 1 year after 
                the date on which an eligible entity that does not have 
                a Cybersecurity Plan receives funds under this section, 
                and annually thereafter until 1 year after the date on 
                which funds from the grant are expended or returned, 
                the eligible entity shall submit to the Secretary a 
                report describing how the eligible entity obligated and 
                expended grant funds to--
                            ``(i) develop or revise a Cybersecurity 
                        Plan; or
                            ``(ii) assist with the activities described 
                        in subsection (d)(4).
            ``(2) Annual reports to congress.--Not less frequently than 
        annually, the Secretary, acting through the Director, shall 
        submit to Congress a report on--
                    ``(A) the use of grants awarded under this section;
                    ``(B) the proportion of grants used to support 
                cybersecurity in rural areas;
                    ``(C) the effectiveness of the State and Local 
                Cybersecurity Grant Program;
                    ``(D) any necessary modifications to the State and 
                Local Cybersecurity Grant Program; and
                    ``(E) any progress made toward--
                            ``(i) developing, implementing, or revising 
                        Cybersecurity Plans; and
                            ``(ii) reducing cybersecurity risks to, and 
                        identifying, responding to, and recovering from 
                        cybersecurity threats to, information systems 
                        owned or operated by, or on behalf of, State, 
                        local, or Tribal governments as a result of the 
                        award of grants under this section.
            ``(3) Public availability.--
                    ``(A) In general.--The Secretary, acting through 
                the Director, shall make each report submitted under 
                paragraph (2) publicly available, including by making 
                each report available on the website of the Agency.
                    ``(B) Redactions.--In making each report publicly 
                available under subparagraph (A), the Director may make 
                redactions that the Director, in consultation with each 
                eligible entity, determines necessary to protect 
                classified or other information exempt from disclosure 
                under section 552 of title 5, United States Code 
                (commonly referred to as the `Freedom of Information 
                Act').
            ``(4) Study of risk-based formulas.--
                    ``(A) In general.--Not later than September 30, 
                2024, the Secretary, acting through the Director, shall 
                submit to the appropriate committees of Congress a 
                study and legislative recommendations on the potential 
                use of a risk-based formula for apportioning funds 
                under this section, including--
                            ``(i) potential components that could be 
                        included in a risk-based formula, including the 
                        potential impact of those components on support 
                        for rural areas under this section;
                            ``(ii) potential sources of data and 
                        information necessary for the implementation of 
                        a risk-based formula;
                            ``(iii) any obstacles to implementing a 
                        risk-based formula, including obstacles that 
                        require a legislative solution;
                            ``(iv) if a risk-based formula were to be 
                        implemented for fiscal year 2026, a recommended 
                        risk-based formula for the State and Local 
                        Cybersecurity Grant Program; and
                            ``(v) any other information that the 
                        Secretary, acting through the Director, 
                        determines necessary to help Congress 
                        understand the progress towards, and obstacles 
                        to, implementing a risk-based formula.
                    ``(B) Inapplicability of paperwork reduction act.--
                The requirements of chapter 35 of title 44, United 
                States Code (commonly referred to as the `Paperwork 
                Reduction Act'), shall not apply to any action taken to 
                carry out this paragraph.
            ``(5) Tribal cybersecurity needs report.--Not later than 2 
        years after the date of enactment of this section, the 
        Secretary, acting through the Director, shall submit to 
        Congress a report that--
                    ``(A) describes the cybersecurity needs of Tribal 
                governments, which shall be determined in consultation 
                with the Secretary of the Interior and Tribal 
                governments; and
                    ``(B) includes any recommendations for addressing 
                the cybersecurity needs of Tribal governments, 
                including any necessary modifications to the State and 
                Local Cybersecurity Grant Program to better serve 
                Tribal governments.
            ``(6) GAO review.--Not later than 3 years after the date of 
        enactment of this section, the Comptroller General of the 
        United States shall conduct a review of the State and Local 
        Cybersecurity Grant Program, including--
                    ``(A) the grant selection process of the Secretary; 
                and
                    ``(B) a sample of grants awarded under this 
                section.
    ``(r) Authorization of Appropriations.--
            ``(1) In general.--There are authorized to be appropriated 
        for activities under this section--
                    ``(A) for fiscal year 2022, $200,000,000;
                    ``(B) for fiscal year 2023, $400,000,000;
                    ``(C) for fiscal year 2024, $300,000,000; and
                    ``(D) for fiscal year 2025, $100,000,000.
            ``(2) Transfers authorized.--
                    ``(A) In general.--During a fiscal year, the 
                Secretary or the head of any component of the 
                Department that administers the State and Local 
                Cybersecurity Grant Program may transfer not more than 
                5 percent of the amounts appropriated pursuant to 
                paragraph (1) or other amounts appropriated to carry 
                out the State and Local Cybersecurity Grant Program for 
                that fiscal year to an account of the Department for 
                salaries, expenses, and other administrative costs 
                incurred for the management, administration, or 
                evaluation of this section.
                    ``(B) Additional appropriations.--Any funds 
                transferred under subparagraph (A) shall be in addition 
                to any funds appropriated to the Department or the 
                components described in subparagraph (A) for salaries, 
                expenses, and other administrative costs.
    ``(s) Termination.--
            ``(1) In general.--Subject to paragraph (2), the 
        requirements of this section shall terminate on September 30, 
        2025.
            ``(2) Exception.--The reporting requirements under 
        subsection (q) shall terminate on the date that is 1 year after 
        the date on which the final funds from a grant under this 
        section are expended or returned.''.
    (b) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135), 
is amended by inserting after the item relating to section 2217 the 
following:

``Sec. 2218. State and Local Cybersecurity Grant Program.''.
                                 <all>