[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2845 Introduced in House (IH)]

<DOC>






118th CONGRESS
  1st Session
                                H. R. 2845

To direct the Director of the Cybersecurity and Infrastructure Security 
Agency to establish a School Cybersecurity Improvement Program, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 25, 2023

Ms. Matsui (for herself and Mr. Nunn of Iowa) introduced the following 
bill; which was referred to the Committee on Homeland Security, and in 
addition to the Committee on Education and the Workforce, for a period 
    to be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


 
To direct the Director of the Cybersecurity and Infrastructure Security 
Agency to establish a School Cybersecurity Improvement Program, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may cited as the ``Enhancing K-12 Cybersecurity Act''.

SEC. 2. SCHOOL CYBERSECURITY INFORMATION EXCHANGE.

    (a) Establishment.--The Director of the Cybersecurity and 
Infrastructure Security Agency shall enhance existing information 
exchange efforts implemented through partnerships with one or more 
information sharing and analysis organizations to focus specific 
attention on the needs of K-12 organizations with regard to 
cybersecurity, including a new publicly accessible website (to be known 
as the ``School Cybersecurity Information Exchange'') to disseminate 
information, cybersecurity best practices, training, and lessons 
learned tailored to the specific needs, technical expertise, and 
resources available to K-12 organizations in accordance with subsection 
(b).
    (b) Duties.--In establishing the School Cybersecurity Information 
Exchange under subsection (a), the Director shall--
            (1) engage appropriate Federal, State, local, and 
        nongovernmental organizations to identify, promote, and 
        disseminate information and best practices for local 
        educational agencies, State educational agencies, and 
        educational service agencies (as such terms are defined in 
        section 8101 of the Elementary and Secondary Education Act of 
        1965 (20 U.S.C. 7801)) with respect to cybersecurity, data 
        protection, remote learning security, and student online 
        privacy;
            (2) maintain a database for an elementary school, secondary 
        school, local educational agency, State educational agency, and 
        educational service agency to identify cybersecurity security 
        tools and services funded by the Federal Government, as well as 
        tools and services recommended for purchase with State and 
        local government funding; and
            (3) provide a searchable database for an elementary school, 
        secondary school, local educational agency, State educational 
        agency, and educational service agency to find and apply for 
        funding opportunities to improve cybersecurity.
    (c) Consultation.--In carrying out the duties under subsection (b), 
the Director shall consult with the following:
            (1) The Secretary of Education.
            (2) The Director of the National Institute of Standards and 
        Technology.
            (3) The Federal Communication Commission.
            (4) The Director of the National Science Foundation.
            (5) The Federal Bureau of Investigation.
            (6) State and local leaders, including, when appropriate, 
        Governors, employees of State government departments and 
        agencies, members of State legislatures and State boards of 
        education, local educational agencies, State educational 
        agencies, representatives of Indian tribes, teachers, 
        principals, other school leaders, charter school leaders, 
        specialized instructional support personnel, paraprofessionals, 
        administrators, other staff, and parents.
            (7) When determined appropriate by the Director, subject-
        matter experts and expert organizations, including 
        nongovernmental organizations, vendors of school information 
        technology products and services, cybersecurity insurance 
        companies, and cybersecurity threat companies.

SEC. 3. CYBERSECURITY INCIDENT REGISTRY.

    (a) In General.--The Director of the Cybersecurity and 
Infrastructure Security Agency shall establish, through partnerships 
with one or more information sharing and analysis organizations, a 
voluntary registry of information relating to cyber incidents affecting 
information technology systems owned or managed by a covered entity, 
and determine the scope of cyber incidents to be included in the 
registry and processes by which incidents can be reported for 
collection in the registry.
    (b) Use.--Information in the registry established pursuant to 
subsection (a) may be used to--
            (1) improve data collection and coordination activities 
        related to the nationwide monitoring of the incidence and 
        impact of cyber incidents affecting a covered entity;
            (2) conduct analyses regarding trends in cyber incidents 
        against such entity;
            (3) develop systematic approaches to assist such entity in 
        preventing and responding to cyber incidents;
            (4) increase the awareness and preparedness of a covered 
        entity regarding the cybersecurity of such covered entity; and
            (5) identify, prevent, or investigate cyber incidents 
        targeting a covered entity.
    (c) Information Collection.--The Director of the Cybersecurity and 
Infrastructure Security Agency may collect information relating to 
cyber incidents to store in the registry established pursuant to 
subsection (a). Such information may be submitted by a covered entity 
and may include the following:
            (1) The dates of each cyber incident, including the dates 
        on which each such incident was initially detected and the 
        dates on which each such incident was first publicly reported 
        or disclosed to another entity.
            (2) A description of each cyber incident, which shall 
        include whether each such incident was as a result of a breach, 
        malware, distributed denial of service attack, or other method 
        designed to cause a vulnerability.
            (3) The effects of each cyber incident, including 
        descriptions of the type and size of each such incident.
            (4) Other information determined relevant by the Director.
    (d) Report.--The Director of the Cybersecurity and Infrastructure 
Security Agency shall make available on the School Cybersecurity 
Information Exchange established under section 2 an annual report 
relating to cyber incidents affecting elementary schools and secondary 
schools which includes data, and the analysis of such data, in a manner 
that--
            (1) is--
                    (A) de-identified; and
                    (B) presented in the aggregate; and
            (2) at a minimum, protects personal privacy to the extent 
        required by applicable Federal and State privacy laws.
    (e) Covered Entity Defined.--In this section, the term ``covered 
entity'' means the following:
            (1) An elementary school.
            (2) A secondary school.
            (3) A local educational agency.
            (4) A State educational agency.
            (5) An educational service agency.

SEC. 4. K-12 CYBERSECURITY TECHNOLOGY IMPROVEMENT PROGRAM.

    (a) Establishment.--The Director of the Cybersecurity and 
Infrastructure Security Agency, shall establish, through partnerships 
with one or more information sharing and analysis organizations, a 
program (to be known as the ``K-12 Cybersecurity Technology Improvement 
program'') to deploy cybersecurity capabilities to address 
cybersecurity risks and threats to information systems of elementary 
schools and secondary schools through--
            (1) developing cybersecurity strategies and installation of 
        effective cybersecurity tools tailored for K-12 schools;
            (2) making available cybersecurity services that enhance 
        the ability of K-12 schools to protect themselves from 
        ransomware and other cybersecurity threats; and
            (3) continuing training opportunities on cybersecurity 
        threats, best practices, and relevant technologies for K-12 
        schools.
    (b) Report.--The Director of the Cybersecurity and Infrastructure 
Security Agency shall make available on the School Cybersecurity 
Information Exchange established under section 2 an annual report 
relating to the impact of the K-12 Cybersecurity Technology Improvement 
Program, including information on the cybersecurity capabilities made 
available to information technology systems owned or managed by 
elementary schools, secondary schools, local educational agencies, 
State educational agencies, and educational service agencies, the 
number of students served, and cybersecurity incidents identified or 
prevented.

SEC. 5. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to carry out this Act 
$10,000,000 for each of fiscal years 2024 and 2025.

SEC. 6. DEFINITIONS.

    In this Act:
            (1) Educational service agency.--The term ``educational 
        service agency'' has the meaning given that term in section 
        8101 of the Elementary and Secondary Education Act of 1965 (20 
        U.S.C. 7801).
            (2) Elementary school.--The term ``elementary school'' has 
        the meaning given that term in section 8101 of the Elementary 
        and Secondary Education Act of 1965 (20 U.S.C. 7801).
            (3) Information sharing and analysis organization.--The 
        term ``information sharing and analysis organization'' has the 
        meaning given that term in section 2200 of the Homeland 
        Security Act of 2002 (6 U.S.C. 650).
            (4) Local educational agency.--The term ``local educational 
        agency'' has the meaning given that term in section 8101 of the 
        Elementary and Secondary Education Act of 1965 (20 U.S.C. 
        7801).
            (5) State educational agency.--The term ``State educational 
        agency'' has the meaning given that term in section 8101 of the 
        Elementary and Secondary Education Act of 1965 (20 U.S.C. 
        7801).
            (6) Secondary school.--The term ``secondary school'' has 
        the meaning given that term in section 8101 of the Elementary 
        and Secondary Education Act of 1965 (20 U.S.C. 7801).
                                 <all>