[Congressional Record Volume 165, Number 187 (Thursday, November 21, 2019)]
[Senate]
[Pages S6768-S6770]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




          STATE AND LOCAL GOVERNMENT CYBERSECURITY ACT OF 2019

  Mrs. FISCHER. Mr. President, I ask unanimous consent that the Senate 
proceed to the immediate consideration of Calendar No. 194, S. 1846.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The clerk will report the bill by title.
  The senior assistant legislative clerk read as follows:

       A bill (S. 1846) to amend the Homeland Security Act of 2002 
     to provide for engagements with State, local, Tribal, and 
     territorial governments, and for other purposes.

  The PRESIDING OFFICER. Is there objection to proceeding to the 
measure?
  There being no objection, the Senate proceeded to consider the bill, 
which had been reported from the Committee on Homeland Security and 
Governmental Affairs, with an amendment as follows:
  (The part of the bill intended to be stricken is shown in boldfaced 
brackets.)

                                S. 1846

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``State and Local Government 
     Cybersecurity Act of 2019''.

     SEC. 2. AMENDMENTS TO THE HOMELAND SECURITY ACT OF 2002.

       Subtitle A of title XXII of the Homeland Security Act of 
     2002 (6 U.S.C. 651 et seq.) is amended--
       (1) in section 2201 (6 U.S.C. 651)--
       (A) by redesignating paragraphs (4), (5), and (6) as 
     paragraphs (5), (6), and (7), respectively; and
       (B) by inserting after paragraph (3) the following:
       ``(4) Entity.--The term `entity' shall include--
       ``(A) an association, corporation, whether for-profit or 
     nonprofit, partnership, proprietorship, organization, 
     institution, establishment, or individual, whether 
     domestically or foreign owned, that has the legal capacity to 
     enter into agreements or contracts, assume obligations, incur 
     and pay debts, sue and be sued in its own right in a court of 
     competent jurisdiction in the United States, and to be held 
     responsible for its actions;
       ``(B) a governmental agency or other governmental entity, 
     including State, local, Tribal, and territorial government 
     entities; and
       ``(C) the general public.''; and
       (2) in section 2202 (6 U.S.C. 652)--
       (A) in subsection (c)--
       (i) in paragraph (10), by striking ``and'' at the end;
       (ii) by redesignating paragraph (11) as paragraph (12); and
       (iii) by inserting after paragraph (10) the following:
       ``(11) carry out the authority of the Secretary under 
     subsection (e)(1)(R); and''; and
       (B) in subsection (e)(1), by adding at the end the 
     following:
       ``(R) To make grants to and enter into cooperative 
     agreements or contracts with States, local governments, and 
     other non-Federal entities as the Secretary determines 
     necessary to carry out the responsibilities of the Secretary 
     related to cybersecurity and infrastructure security under 
     this Act and any other provision of law, including grants, 
     cooperative agreements, and contracts that provide assistance 
     and education related to cyber threat indicators, defensive 
     measures and cybersecurity technologies, cybersecurity risks, 
     incidents, analysis, and warnings.''; and
       (3) in section 2209 (6 U.S.C. 659)--
       (A) in subsection (c)(6), by inserting ``operational and'' 
     after ``timely'';
       (B) in subsection (d)(1)(E), by inserting ``, including an 
     entity that collaborates with election officials,'' after 
     ``governments''; and
       (C) by adding at the end the following:
       ``(n) Coordination on Cybersecurity for Federal and Non-
     Federal Entities.--
       ``(1) Coordination.--The Center shall, to the extent 
     practicable, and in coordination as appropriate with Federal 
     and non-Federal entities, such as the Multi-State Information 
     Sharing and Analysis Center--
       ``(A) conduct exercises with Federal and non-Federal 
     entities;
       ``(B) provide operational and technical cybersecurity 
     training related to cyber threat indicators, defensive 
     measures, cybersecurity risks, and incidents to Federal and 
     non-Federal entities to address cybersecurity risks or 
     incidents, with or without reimbursement;
       ``(C) assist Federal and non-Federal entities, upon 
     request, in sharing cyber threat

[[Page S6769]]

     indicators, defensive measures, cybersecurity risks, and 
     incidents from and to the Federal Government as well as among 
     Federal and non-Federal entities, in order to increase 
     situational awareness and help prevent incidents;
       ``(D) provide notifications containing specific incident 
     and malware information that may affect them or their 
     customers and residents;
       ``(E) provide and periodically update via a web portal and 
     other means tools, products, resources, policies, guidelines, 
     controls, and other cybersecurity standards and best 
     practices and procedures related to information security;
       ``(F) work with senior Federal and non-Federal officials, 
     including State and local Chief Information Officers, senior 
     election officials, and through national associations, to 
     coordinate a nationwide effort to ensure effective 
     implementation of tools, products, resources, policies, 
     guidelines, controls, and procedures related to information 
     security to secure and ensure the resiliency of Federal and 
     non-Federal information systems and including election 
     systems;
       ``(G) provide, upon request, operational and technical 
     assistance to Federal and non-Federal entities to implement 
     tools, products, resources, policies, guidelines, controls, 
     and procedures on information security, including by, as 
     appropriate, deploying and sustaining cybersecurity 
     technologies, such as an intrusion detection capability, to 
     assist those Federal and non-Federal entities in detecting 
     cybersecurity risks and incidents;
       ``(H) assist Federal and non-Federal entities in developing 
     policies and procedures for coordinating vulnerability 
     disclosures, to the extent practicable, consistent with 
     international and national standards in the information 
     technology industry;
       ``(I) ensure that Federal and non-Federal entities, as 
     appropriate, are made aware of the tools, products, 
     resources, policies, guidelines, controls, and procedures on 
     information security developed by the Department and other 
     appropriate Federal departments and agencies for ensuring the 
     security and resiliency of civilian information systems; and
       ``(J) promote cybersecurity education and awareness through 
     engagements with Federal and non-Federal entities.
       ``(o) Report.--Not later than 1 year after the date of 
     enactment of this subsection, and every 2 years thereafter, 
     the Secretary shall submit to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security of the House of 
     Representatives a report on the status of cybersecurity 
     measures that are in place, and any gaps that exist, in each 
     State and in the largest urban areas of the United States.
       [``(p) Pilot Deployment of Sensors.--
       ``(1) Establishment.--Not later than 180 days after the 
     date of enactment of this subsection, the Secretary shall 
     establish a pilot program to deploy network sensors capable 
     of utilizing classified indicators for the purpose of 
     identifying and filtering malicious network traffic.
       ``(2) Voluntary participation.--Activities related to the 
     pilot program established under this subsection may only be 
     carried out on a voluntary basis in coordination with the 
     owner of the impacted network.
       ``(3) Expansion authority.--If, after 12 months of 
     deployment, the Secretary determines that the network sensors 
     deployed pursuant to this subsection would provide network 
     security benefits to other critical infrastructure sectors, 
     the Secretary may make additional network sensors available 
     to those sectors on a voluntary basis at the request of 
     critical infrastructure owners and operators.
       ``(4) Report.--Not later than 1 year after the date on 
     which the Secretary establishes the pilot program under this 
     subsection, the Secretary shall submit to the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Homeland Security of the House of 
     Representatives a report on the pilot program, which shall 
     include--
       ``(A) the status of the pilot program;
       ``(B) the rate of voluntary participation in the pilot 
     program;
       ``(C) the effectiveness of the pilot program in detecting 
     and blocking traffic that could not have been captured 
     without the network sensors deployed under the pilot program; 
     and
       ``(D) recommendations for expanding the use of classified 
     threat indicators to protect United States critical 
     infrastructure.''.]
       ``(p) Deployment of Enhanced Capabilities.--
       ``(1) Establishment.--Not later than 180 days after the 
     date of enactment of this subsection, the Secretary may 
     establish an initiative to enhance efforts to deploy 
     technical or analytic capabilities or services that utilize 
     classified cyber threat indicators or intelligence for the 
     purpose of detecting or preventing malicious network traffic 
     on unclassified non-Federal information systems.
       ``(2) Voluntary participation.--Activities conducted under 
     this subsection may only be carried out on a voluntary basis 
     upon request of the non-Federal entity.
       ``(3) Report.--Not later than 1 year after the date on 
     which the Secretary establishes the initiative under this 
     subsection, the Secretary shall submit to the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Homeland Security of the House of 
     Representatives a report on the initiative, which shall 
     include--
       ``(A) the status of the initiative;
       ``(B) the rate of voluntary participation in the 
     initiative;
       ``(C) the effectiveness of the initiative; and
       ``(D) recommendations for expanding the use of classified 
     cyber threat indicators to protect non-Federal entities.''.
  Mrs. FISCHER. I further ask unanimous consent that the committee-
reported amendment be withdrawn; that the Peters substitute amendment, 
which is at the desk, be considered and agreed to; that the bill, as 
amended, be considered read a third time and passed; and that the 
motion to reconsider be considered made and laid upon the table with no 
intervening action or debate.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The committee-reported amendment was withdrawn.
  The amendment (No. 1252) in the nature of a substitute is as follows:

                (Purpose: In the nature of a substitute)

        Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``State and Local Government 
     Cybersecurity Act of 2019''.

     SEC. 2. AMENDMENTS TO THE HOMELAND SECURITY ACT OF 2002.

       Subtitle A of title XXII of the Homeland Security Act of 
     2002 (6 U.S.C. 651 et seq.) is amended--
       (1) in section 2201 (6 U.S.C. 651)--
       (A) by redesignating paragraphs (4), (5), and (6) as 
     paragraphs (5), (6), and (7), respectively; and
       (B) by inserting after paragraph (3) the following:
       ``(4) Entity.--The term `entity' shall include--
       ``(A) an association, corporation, whether for-profit or 
     nonprofit, partnership, proprietorship, organization, 
     institution, establishment, or individual, whether domestic 
     or foreign;
       ``(B) a governmental agency or other governmental entity, 
     whether domestic or foreign, including State, local, Tribal, 
     and territorial government entities; and
       ``(C) the general public.''; and
       (2) in section 2202 (6 U.S.C. 652)--
       (A) in subsection (c)--
       (i) in paragraph (10), by striking ``and'' at the end;
       (ii) by redesignating paragraph (11) as paragraph (12); and
       (iii) by inserting after paragraph (10) the following:
       ``(11) carry out the authority of the Secretary under 
     subsection (e)(1)(R); and''; and
       (B) in subsection (e)(1), by adding at the end the 
     following:
       ``(R) To make grants to and enter into cooperative 
     agreements or contracts with States, local, Tribal, and 
     territorial governments, and other non-Federal entities as 
     the Secretary determines necessary to carry out the 
     responsibilities of the Secretary related to cybersecurity 
     and infrastructure security under this Act and any other 
     provision of law, including grants, cooperative agreements, 
     and contracts that provide assistance and education related 
     to cyber threat indicators, defensive measures and 
     cybersecurity technologies, cybersecurity risks, incidents, 
     analysis, and warnings.''; and
       (3) in section 2209 (6 U.S.C. 659)--
       (A) in subsection (c)(6), by inserting ``operational and'' 
     after ``timely'';
       (B) in subsection (d)(1)(E), by inserting ``, including an 
     entity that collaborates with election officials,'' after 
     ``governments''; and
       (C) by adding at the end the following:
       ``(n) Coordination on Cybersecurity for Federal and Non-
     Federal Entities.--
       ``(1) Coordination.--The Center shall, to the extent 
     practicable, and in coordination as appropriate with Federal 
     and non-Federal entities, such as the Multi-State Information 
     Sharing and Analysis Center--
       ``(A) conduct exercises with Federal and non-Federal 
     entities;
       ``(B) provide operational and technical cybersecurity 
     training related to cyber threat indicators, defensive 
     measures, cybersecurity risks, and incidents to Federal and 
     non-Federal entities to address cybersecurity risks or 
     incidents, with or without reimbursement;
       ``(C) assist Federal and non-Federal entities, upon 
     request, in sharing cyber threat indicators, defensive 
     measures, cybersecurity risks, and incidents from and to the 
     Federal Government as well as among Federal and non-Federal 
     entities, in order to increase situational awareness and help 
     prevent incidents;
       ``(D) provide notifications containing specific incident 
     and malware information that may affect them or their 
     customers and residents;
       ``(E) provide and periodically update via a web portal and 
     other means tools, products, resources, policies, guidelines, 
     controls, and other cybersecurity standards and best 
     practices and procedures related to information security;
       ``(F) work with senior Federal and non-Federal officials, 
     including State and local Chief Information Officers, senior 
     election officials, and through national associations, to 
     coordinate a nationwide effort to ensure effective 
     implementation of tools, products, resources, policies, 
     guidelines, controls, and

[[Page S6770]]

     procedures related to information security to secure and 
     ensure the resiliency of Federal and non-Federal information 
     systems and including election systems;
       ``(G) provide, upon request, operational and technical 
     assistance to Federal and non-Federal entities to implement 
     tools, products, resources, policies, guidelines, controls, 
     and procedures on information security, including by, as 
     appropriate, deploying and sustaining cybersecurity 
     technologies, such as an intrusion detection capability, to 
     assist those Federal and non-Federal entities in detecting 
     cybersecurity risks and incidents;
       ``(H) assist Federal and non-Federal entities in developing 
     policies and procedures for coordinating vulnerability 
     disclosures, to the extent practicable, consistent with 
     international and national standards in the information 
     technology industry;
       ``(I) ensure that Federal and non-Federal entities, as 
     appropriate, are made aware of the tools, products, 
     resources, policies, guidelines, controls, and procedures on 
     information security developed by the Department and other 
     appropriate Federal departments and agencies for ensuring the 
     security and resiliency of civilian information systems; and
       ``(J) promote cybersecurity education and awareness through 
     engagements with Federal and non-Federal entities.
       ``(o) Report.--Not later than 1 year after the date of 
     enactment of this subsection, and every 2 years thereafter, 
     the Secretary shall submit to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security of the House of 
     Representatives a report on the status of cybersecurity 
     measures that are in place, and any gaps that exist, in each 
     State and in the largest urban areas of the United States.''.
  The bill (S. 1846), as amended, was ordered to be engrossed for a 
third reading, was read the third time, and passed.

                          ____________________