Congressional Record, Volume 166 Issue 170 (Wednesday, September 30, 2020)

[Congressional Record Volume 166, Number 170 (Wednesday, September 30, 2020)]
[House]
[Pages H5080-H5084]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

STATE AND LOCAL CYBERSECURITY IMPROVEMENT ACT

Ms. UNDERWOOD. Mr. Speaker, I move to suspend the rules and pass the
bill (H.R. 5823) to establish a program to make grants to States to
address cybersecurity risks and cybersecurity threats to information
systems of State, local, Tribal, or territorial governments, and for
other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:

H.R. 5823

Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``State and Local
Cybersecurity Improvement Act''.

SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

(a) In General.--Subtitle A of title XXII of the Homeland
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by
adding at the end the following new sections:

``SEC. 2215. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

``(a) Establishment.--The Secretary, acting through the
Director, shall establish a program to make grants to States
to address cybersecurity risks and cybersecurity threats to
information systems of State, local, Tribal, or territorial
governments (referred to as the `State and Local
Cybersecurity Grant Program' in this section).
``(b) Baseline Requirements.--A grant awarded under this
section shall be used in compliance with the following:
``(1) The Cybersecurity Plan required under subsection (d)
and approved pursuant to subsection (g).
``(2) The Homeland Security Strategy to Improve the
Cybersecurity of State, Local, Tribal, and Territorial
Governments required in accordance with section 2210, when
issued.
``(c) Administration.--The State and Local Cybersecurity
Grant Program shall be administered in the same program
office that administers grants made under sections 2003 and
2004.
``(d) Eligibility.--
``(1) In general.--A State applying for a grant under the
State and Local Cybersecurity Grant Program shall submit to
the Secretary a Cybersecurity Plan for approval. Such plan
shall--
``(A) incorporate, to the extent practicable, any existing
plans of such State to protect against cybersecurity risks
and cybersecurity threats to information systems of State,
local, Tribal, or territorial governments;
``(B) describe, to the extent practicable, how such State
shall--
``(i) enhance the preparation, response, and resiliency of
information systems owned or operated by such State or, if
appropriate, by local, Tribal, or territorial governments,
against cybersecurity risks and cybersecurity threats;
``(ii) implement a process of continuous cybersecurity
vulnerability assessments and threat mitigation practices
prioritized by degree of risk to address cybersecurity risks
and cybersecurity threats in information systems of such
State, local, Tribal, or territorial governments;
``(iii) ensure that State, local, Tribal, and territorial
governments that own or operate information systems within
the State adopt best practices and methodologies to enhance
cybersecurity, such as the practices set forth in the
cybersecurity framework developed by the National Institute
of Standards and Technology;
``(iv) promote the delivery of safe, recognizable, and
trustworthy online services by State, local, Tribal, and
territorial governments, including through the use of the
.gov internet domain;
``(v) mitigate any identified gaps in the State, local,
Tribal, or territorial government cybersecurity workforces,
enhance recruitment and retention efforts for such
workforces, and bolster the knowledge, skills, and abilities
of State, local, Tribal, and territorial government personnel
to address cybersecurity risks and cybersecurity threats;
``(vi) ensure continuity of communications and data
networks within such State between such State and local,
Tribal, and territorial governments that own or operate
information systems within such State in the event of an
incident involving such communications or data networks
within such State;
``(vii) assess and mitigate, to the greatest degree
possible, cybersecurity risks and cybersecurity threats
related to critical infrastructure and key resources, the
degradation of which may impact the performance of
information systems within such State;
``(viii) enhance capability to share cyber threat
indicators and related information between such State and
local, Tribal, and territorial governments that own or
operate information systems within such State; and

[[Page H5081]]

``(ix) develop and coordinate strategies to address
cybersecurity risks and cybersecurity threats in consultation
with--

``(I) local, Tribal, and territorial governments within the
State; and
``(II) as applicable--

``(aa) neighboring States or, as appropriate, members of an
information sharing and analysis organization; and
``(bb) neighboring countries; and
``(C) include, to the extent practicable, an inventory of
the information technology deployed on the information
systems owned or operated by such State or by local, Tribal,
or territorial governments within such State, including
legacy information technology that is no longer supported by
the manufacturer.
``(e) Planning Committees.--
``(1) In general.--A State applying for a grant under this
section shall establish a cybersecurity planning committee to
assist in the following:
``(A) The development, implementation, and revision of such
State's Cybersecurity Plan required under subsection (d).
``(B) The determination of effective funding priorities for
such grant in accordance with subsection (f).
``(2) Composition.--Cybersecurity planning committees
described in paragraph (1) shall be comprised of
representatives from counties, cities, towns, and Tribes
within the State receiving a grant under this section,
including, as appropriate, representatives of rural,
suburban, and high-population jurisdictions.
``(3) Rule of construction regarding existing planning
committees.--Nothing in this subsection may be construed to
require that any State establish a cybersecurity planning
committee if such State has established and uses a
multijurisdictional planning committee or commission that
meets the requirements of this paragraph.
``(f) Use of Funds.--A State that receives a grant under
this section shall use the grant to implement such State's
Cybersecurity Plan, or to assist with activities determined
by the Secretary, in consultation with the Director, to be
integral to address cybersecurity risks and cybersecurity
threats to information systems of State, local, Tribal, or
territorial governments, as the case may be.
``(g) Approval of Plans.--
``(1) Approval as condition of grant.--Before a State may
receive a grant under this section, the Secretary, acting
through the Director, shall review and approve such State's
Cybersecurity Plan required under subsection (d).
``(2) Plan requirements.--In approving a Cybersecurity Plan
under this subsection, the Director shall ensure such Plan--
``(A) meets the requirements specified in subsection (d);
and
``(B) upon issuance of the Homeland Security Strategy to
Improve the Cybersecurity of State, Local, Tribal, and
Territorial Governments authorized pursuant to section 2210,
complies, as appropriate, with the goals and objectives of
such Strategy.
``(3) Approval of revisions.--The Secretary, acting through
the Director, may approve revisions to a Cybersecurity Plan
as the Director determines appropriate.
``(4) Exception.--Notwithstanding the requirement under
subsection (d) to submit a Cybersecurity Plan as a condition
of apply for a grant under this section, such a grant may be
awarded to a State that has not so submitted a Cybersecurity
Plan to the Secretary if--
``(A) such State certifies to the Secretary that it will
submit to the Secretary a Cybersecurity Plan for approval by
September 30, 2022;
``(B) such State certifies to the Secretary that the
activities that will be supported by such grant are integral
to the development of such Cybersecurity Plan; or
``(C) such State certifies to the Secretary, and the
Director confirms, that the activities that will be supported
by the grant will address imminent cybersecurity risks or
cybersecurity threats to the information systems of such
State or of a local, Tribal, or territorial government in
such State.
``(h) Limitations on Uses of Funds.--
``(1) In general.--A State that receives a grant under this
section may not use such grant--
``(A) to supplant State, local, Tribal, or territorial
funds;
``(B) for any recipient cost-sharing contribution;
``(C) to pay a demand for ransom in an attempt to regain
access to information or an information system of such State
or of a local, Tribal, or territorial government in such
State;
``(D) for recreational or social purposes; or
``(E) for any purpose that does not directly address
cybersecurity risks or cybersecurity threats on an
information systems of such State or of a local, Tribal, or
territorial government in such State.
``(2) Penalties.--In addition to other remedies available,
the Secretary may take such actions as are necessary to
ensure that a recipient of a grant under this section is
using such grant for the purposes for which such grant was
awarded.
``(i) Opportunity To Amend Applications.--In considering
applications for grants under this section, the Secretary
shall provide applicants with a reasonable opportunity to
correct defects, if any, in such applications before making
final awards.
``(j) Apportionment.--For fiscal year 2020 and each fiscal
year thereafter, the Secretary shall apportion amounts
appropriated to carry out this section among States as
follows:
``(1) Baseline amount.--The Secretary shall first apportion
0.25 percent of such amounts to each of American Samoa, the
Commonwealth of the Northern Mariana Islands, Guam, and the
Virgin Islands, and 0.75 percent of such amounts to each of
the remaining States.
``(2) Remainder.--The Secretary shall apportion the
remainder of such amounts in the ratio that--
``(A) the population of each State; bears to
``(B) the population of all States.
``(k) Federal Share.--The Federal share of the cost of an
activity carried out using funds made available under the
program may not exceed the following percentages:
``(1) For fiscal year 2021, 90 percent.
``(2) For fiscal year 2022, 80 percent.
``(3) For fiscal year 2023, 70 percent.
``(4) For fiscal year 2024, 60 percent.
``(5) For fiscal year 2025 and each subsequent fiscal year,
50 percent.
``(l) State Responsibilities.--
``(1) Certification.--Each State that receives a grant
under this section shall certify to the Secretary that the
grant will be used for the purpose for which the grant is
awarded and in compliance with the Cybersecurity Plan or
other purpose approved by the Secretary under subsection (g).
``(2) Availability of funds to local, tribal, and
territorial governments.--Not later than 45 days after a
State receives a grant under this section, such State shall,
without imposing unreasonable or unduly burdensome
requirements as a condition of receipt, obligate or otherwise
make available to local, Tribal, and territorial governments
in such State, consistent with the applicable Cybersecurity
Plan--
``(A) not less than 80 percent of funds available under
such grant;
``(B) with the consent of such local, Tribal, and
territorial governments, items, services, capabilities, or
activities having a value of not less than 80 percent of the
amount of the grant; or
``(C) with the consent of the local, Tribal, and
territorial governments, grant funds combined with other
items, services, capabilities, or activities having the total
value of not less than 80 percent of the amount of the grant.
``(3) Certifications regarding distribution of grant funds
to local, tribal, territorial governments.--A State shall
certify to the Secretary that the State has made the
distribution to local, Tribal, and territorial governments
required under paragraph (2).
``(4) Extension of period.--A State may request in writing
that the Secretary extend the period of time specified in
paragraph (2) for an additional period of time. The Secretary
may approve such a request if the Secretary determines such
extension is necessary to ensure the obligation and
expenditure of grant funds align with the purpose of the
grant program.
``(5) Exception.--Paragraph (2) shall not apply to the
District of Columbia, the Commonwealth of Puerto Rico,
American Samoa, the Commonwealth of the Northern Mariana
Islands, Guam, or the Virgin Islands.
``(6) Direct funding.--If a State does not make the
distribution to local, Tribal, or territorial governments in
such State required under paragraph (2), such a local,
Tribal, or territorial government may petition the Secretary.
``(7) Penalties.--In addition to other remedies available
to the Secretary, the Secretary may terminate or reduce the
amount of a grant awarded under this section to a State or
transfer grant funds previously awarded to such State
directly to the appropriate local, Tribal, or territorial
government if such State violates a requirement of this
subsection.
``(m) Advisory Committee.--
``(1) Establishment.--The Director shall establish a State
and Local Cybersecurity Resiliency Committee to provide
State, local, Tribal, and territorial stakeholder expertise,
situational awareness, and recommendations to the Director,
as appropriate, regarding how to--
``(A) address cybersecurity risks and cybersecurity threats
to information systems of State, local, Tribal, or
territorial governments; and
``(B) improve the ability of such governments to prevent,
protect against, respond, mitigate, and recover from
cybersecurity risks and cybersecurity threats.
``(2) Duties.--The State and Local Cybersecurity Resiliency
Committee shall--
``(A) submit to the Director recommendations that may
inform guidance for applicants for grants under this section;
``(B) upon the request of the Director, provide to the
Director technical assistance to inform the review of
Cybersecurity Plans submitted by applicants for grants under
this section, and, as appropriate, submit to the Director
recommendations to improve such Plans prior to the Director's
determination regarding whether to approve such Plans;
``(C) advise and provide to the Director input regarding
the Homeland Security Strategy to Improve Cybersecurity for
State, Local, Tribal, and Territorial Governments required
under section 2210; and
``(D) upon the request of the Director, provide to the
Director recommendations, as appropriate, regarding how to--

[[Page H5082]]

``(i) address cybersecurity risks and cybersecurity threats
on information systems of State, local, Tribal, or
territorial governments;
``(ii) and improve the cybersecurity resilience of such
governments.
``(3) Membership.--
``(A) Number and appointment.--The State and Local
Cybersecurity Resiliency Committee shall be composed of 15
members appointed by the Director, as follows:
``(i) Two individuals recommended to the Director by the
National Governors Association.
``(ii) Two individuals recommended to the Director by the
National Association of State Chief Information Officers.
``(iii) One individual recommended to the Director by the
National Guard Bureau.
``(iv) Two individuals recommended to the Director by the
National Association of Counties.
``(v) Two individuals recommended to the Director by the
National League of Cities.
``(vi) One individual recommended to the Director by the
United States Conference of Mayors.
``(vii) One individual recommended to the Director by the
Multi-State Information Sharing and Analysis Center.
``(viii) Four individuals who have educational and
professional experience related to cybersecurity analysis or
policy.
``(B) Terms.--Each member of the State and Local
Cybersecurity Resiliency Committee shall be appointed for a
term of two years, except that such term shall be three years
only in the case of members who are appointed initially to
the Committee upon the establishment of the Committee. Any
member appointed to fill a vacancy occurring before the
expiration of the term for which the member's predecessor was
appointed shall be appointed only for the remainder of such
term. A member may serve after the expiration of such
member's term until a successor has taken office. A vacancy
in the Commission shall be filled in the manner in which the
original appointment was made.
``(C) Pay.--Members of the State and Local Cybersecurity
Resiliency Committee shall serve without pay.
``(4) Chairperson; vice chairperson.--The members of the
State and Local Cybersecurity Resiliency Committee shall
select a chairperson and vice chairperson from among
Committee members.
``(5) Federal advisory committee act.--The Federal Advisory
Committee Act (5 U.S.C. App.) shall not apply to the State
and Local Cybersecurity Resilience Committee.
``(n) Reports.--
``(1) Annual reports by state grant recipients.--A State
that receives a grant under this section shall annually
submit to the Secretary a report on the progress of the State
in implementing the Cybersecurity Plan approved pursuant to
subsection (g). If the State does not have a Cybersecurity
Plan approved pursuant to subsection (g), the State shall
submit to the Secretary a report describing how grant funds
were obligated and expended to develop a Cybersecurity Plan
or improve the cybersecurity of information systems owned or
operated by State, local, Tribal, or territorial governments
in such State. The Secretary, acting through the Director,
shall make each such report publicly available, including by
making each such report available on the internet website of
the Agency, subject to any redactions the Director determines
necessary to protect classified or other sensitive
information.
``(2) Annual reports to congress.--At least once each year,
the Secretary, acting through the Director, shall submit to
Congress a report on the use of grants awarded under this
section and any progress made toward the following:
``(A) Achieving the objectives set forth in the Homeland
Security Strategy to Improve the Cybersecurity of State,
Local, Tribal, and Territorial Governments, upon the
strategy's issuance under section 2210.
``(B) Developing, implementing, or revising Cybersecurity
Plans.
``(C) Reducing cybersecurity risks and cybersecurity
threats to information systems owned or operated by State,
local, Tribal, and territorial governments as a result of the
award of such grants.
``(o) Authorization of Appropriations.--There are
authorized to be appropriated for grants under this section--
``(1) for each of fiscal years 2021 through 2025,
$400,000,000; and
``(2) for each subsequent fiscal year, such sums as may be
necessary.
``(p) Definitions.--In this section:
``(1) Critical infrastructure.--The term `critical
infrastructure' has the meaning given that term in section 2.
``(2) Cyber threat indicator.--The term `cyber threat
indicator' has the meaning given such term in section 102 of
the Cybersecurity Act of 2015.
``(3) Director.--The term `Director' means the Director of
the Cybersecurity and Infrastructure Security Agency.
``(4) Incident.--The term `incident' has the meaning given
such term in section 2209.
``(5) Information sharing and analysis organization.--The
term `information sharing and analysis organization' has the
meaning given such term in section 2222.
``(6) Information system.--The term `information system'
has the meaning given such term in section 102(9) of the
Cybersecurity Act of 2015 (6 U.S.C. 1501(9)).
``(7) Key resources.--The term `key resources' has the
meaning given that term in section 2.
``(8) Online service.--The term `online service' means any
internet-facing service, including a website, email, virtual
private network, or custom application.
``(9) State.--The term `State'--
``(A) means each of the several States, the District of
Colombia, and the territories and possessions of the United
States; and
``(B) includes any federally recognized Indian tribe that
notifies the Secretary, not later than 120 days after the
date of the enactment of this section or not later than 120
days before the start of any fiscal year in which a grant
under this section is awarded, that the tribe intends to
develop a Cybersecurity Plan and agrees to forfeit any
distribution under subsection (l)(2).

``SEC. 2216. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR
STATE, LOCAL, TRIBAL, AND TERRITORIAL
GOVERNMENT OFFICIALS.

``The Secretary, acting through the Director, shall develop
a resource guide for use by State, local, Tribal, and
territorial government officials, including law enforcement
officers, to help such officials identify, prepare for,
detect, protect against, respond to, and recover from
cybersecurity risks, cybersecurity threats, and incidents (as
such term is defined in section 2209).''.
(b) Clerical Amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 is amended by
inserting after the item relating to section 2214 the
following new items:

``Sec. 2215. State and Local Cybersecurity Grant Program.
``Sec. 2216. Cybersecurity resource guide development for State, local,
Tribal, and territorial government officials.''.

SEC. 3. STRATEGY.

(a) Homeland Security Strategy To Improve the Cybersecurity
of State, Local, Tribal, and Territorial Governments.--
Section 2210 of the Homeland Security Act of 2002 (6 U.S.C.
660) is amended by adding at the end the following new
subsection:
``(e) Homeland Security Strategy To Improve the
Cybersecurity of State, Local, Tribal, and Territorial
Governments.--
``(1) In general.--Not later than 270 days after the date
of the enactment of this subsection, the Secretary, acting
through the Director, shall, in coordination with appropriate
Federal departments and agencies, State, local, Tribal, and
territorial governments, the State and Local Cybersecurity
Resilience Committee (established under section 2215), and
other stakeholders, as appropriate, develop and make publicly
available a Homeland Security Strategy to Improve the
Cybersecurity of State, Local, Tribal, and Territorial
Governments that provides recommendations regarding how the
Federal Government should support and promote the ability
State, local, Tribal, and territorial governments to
identify, protect against, detect respond to, and recover
from cybersecurity risks, cybersecurity threats, and
incidents (as such term is defined in section 2209) and
establishes baseline requirements and principles to which
Cybersecurity Plans under such section shall be aligned.
``(2) Contents.--The Homeland Security Strategy to Improve
the Cybersecurity of State, Local, Tribal, and Territorial
Governments required under paragraph (1) shall--
``(A) identify capability gaps in the ability of State,
local, Tribal, and territorial governments to identify,
protect against, detect, respond to, and recover from
cybersecurity risks, cybersecurity threats, and incidents;
``(B) identify Federal resources and capabilities that are
available or could be made available to State, local, Tribal,
and territorial governments to help such governments
identify, protect against, detect, respond to, and recover
from cybersecurity risks, cybersecurity threats, and
incidents;
``(C) identify and assess the limitations of Federal
resources and capabilities available to State, local, Tribal,
and territorial governments to help such governments
identify, protect against, detect, respond to, and recover
from cybersecurity risks, cybersecurity threats, and
incidents, and make recommendations to address such
limitations;
``(D) identify opportunities to improve the Agency's
coordination with Federal and non-Federal entities, such as
the Multi-State Information Sharing and Analysis Center, to
improve incident exercises, information sharing and incident
notification procedures, the ability for State, local,
Tribal, and territorial governments to voluntarily adapt and
implement guidance in Federal binding operational directives,
and opportunities to leverage Federal schedules for
cybersecurity investments under section 502 of title 40,
United States Code;
``(E) recommend new initiatives the Federal Government
should undertake to improve the ability of State, local,
Tribal, and territorial governments to help such governments
identify, protect against, detect, respond to, and recover
from cybersecurity risks, cybersecurity threats, and
incidents;
``(F) set short-term and long-term goals that will improve
the ability of State, local, Tribal, and territorial
governments to help such governments identify, protect
against, detect, respond to, and recover from cybersecurity
risks, cybersecurity threats, and incidents; and
``(G) set dates, including interim benchmarks, as
appropriate for State, local, Tribal, territorial governments
to establish baseline capabilities to identify, protect
against,

[[Page H5083]]

detect, respond to, and recover from cybersecurity risks,
cybersecurity threats, and incidents.
``(3) Considerations.--In developing the Homeland Security
Strategy to Improve the Cybersecurity of State, Local,
Tribal, and Territorial Governments required under paragraph
(1), the Director, in coordination with appropriate Federal
departments and agencies, State, local, Tribal, and
territorial governments, the State and Local Cybersecurity
Resilience Committee, and other stakeholders, as appropriate,
shall consider--
``(A) lessons learned from incidents that have affected
State, local, Tribal, and territorial governments, and
exercises with Federal and non-Federal entities;
``(B) the impact of incidents that have affected State,
local, Tribal, and territorial governments, including the
resulting costs to such governments;
``(C) the information related to the interest and ability
of state and non-state threat actors to compromise
information systems owned or operated by State, local,
Tribal, and territorial governments;
``(D) emerging cybersecurity risks and cybersecurity
threats to State, local, Tribal, and territorial governments
resulting from the deployment of new technologies; and
``(E) recommendations made by the State and Local
Cybersecurity Resilience Committee.''.
(b) Responsibilities of the Director of the Cybersecurity
and Infrastructure Security Agency.--Subsection (c) of
section 2202 of the Homeland Security Act of 2002 (6 U.S.C.
652) is amended--
(1) by redesignating paragraphs (6) through (11) as
paragraphs (11) through (16), respectively; and
(2) by inserting after paragraph (5) the following new
paragraphs:
``(6) develop program guidance, in consultation with the
State and Local Government Cybersecurity Resiliency Committee
established under section 2215, for the State and Local
Cybersecurity Grant Program under such section or any other
homeland security assistance administered by the Department
to improve cybersecurity;
``(7) review, in consultation with the State and Local
Cybersecurity Resiliency Committee, all cybersecurity plans
of State, local, Tribal, and territorial governments
developed pursuant to any homeland security assistance
administered by the Department to improve cybersecurity;
``(8) provide expertise and technical assistance to State,
local, Tribal, and territorial government officials with
respect to cybersecurity;
``(9) provide education, training, and capacity development
to enhance the security and resilience of cybersecurity and
infrastructure security;
``(10) provide information to State, local, Tribal, and
territorial governments on the security benefits of .gov
domain name registration services;''.
(c) Feasibility Study.--Not later than 180 days after the
date of the enactment of this Act, the Director of the
Cybersecurity and Infrastructure Security Agency of the
Department of Homeland Security shall conduct a study to
assess the feasibility of implementing a short-term
rotational program for the detail of approved State, local,
Tribal, and territorial government employees in cyber
workforce positions to the Agency.

The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
Illinois (Ms. Underwood) and the gentleman from Pennsylvania (Mr.
Joyce) each will control 20 minutes.
The Chair recognizes the gentlewoman from Illinois.

General Leave

Ms. UNDERWOOD. Mr. Speaker, I ask unanimous consent that all Members
may have 5 legislative days to revise and extend their remarks and to
include extraneous material on this measure.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from Illinois?
There was no objection.
Ms. UNDERWOOD. Mr. Speaker, I yield myself such time as I may
consume.
Mr. Speaker, I don't need to tell anyone here that cyberattacks
against State and local governments are growing more frequent and more
sophisticated. In 2019, there were over 100 ransomware attacks on State
and local governments.
From major cities like New Orleans and Baltimore to small towns
across Texas, cyberattacks sought to cripple the ability of governments
across the country to carry out basic functions, from processing real
estate transactions to collecting payments for services.
The cost is more than just a mere inconvenience. A ransomware attack
against a State and local government can disrupt lifeline services,
like 911 call centers and public hospitals, and extort money those
governments do not have.
Last summer, the mayor of Atlanta, Keisha Lance Bottoms, testified
before my subcommittee that the ransomware attack that hit her city in
2018 cost city taxpayers $7.2 million to recover from, but experts
expect that cost to grow to as much as $17 million.
The COVID-19 pandemic, by dramatically expanding the threat landscape
and making government networks more attractive targets for hackers, has
made the situation more dire. More Americans than ever before are
working from home. That includes State and local government workers who
may be less accustomed to teleworking and less prepared to do it
securely.
At the same time, the cyber risk to State and local networks has
increased dramatically due to unprecedented demand for online services,
including unemployment compensation and human services applications.
The transition to online learning that COVID-19 has forced many
schools to undertake has also not been without incident. According to
Education Week, there have been 220 cyberattacks against schools so far
this year. And while the pandemic is bringing the vulnerability of our
school districts' networks into focus, it is worth noting that there
have been over 1,000 cyberattacks against school districts since 2016,
according to the K-12 Research Center.
Despite the urgent need to address their cyber vulnerabilities, many
State and local governments are not in a position to do so without
outside assistance, as they are overwhelmed by the challenges of
maintaining basic services in the face of steep COVID-19-related
revenue losses.
It is time for the Federal Government to step up and help. Passing
H.R. 5823, the State and Local Cybersecurity Improvement Act, which I
am proud to cosponsor, is an important first step.
The bill would establish a $400 million targeted grant program to
help States and local governments develop robust cybersecurity
capabilities. Importantly, it requires States to pay a graduated match
to incentivize them to budget better for cybersecurity.
And it requires the Department of Homeland Security to create a plan
to improve the cybersecurity posture of State and local governments to
ensure that Federal resources align with State goals and objectives.
The smart investments we make in the cybersecurity of our State and
local governments now will pay for themselves in the future.
Mr. Speaker, I urge my colleagues to support H.R. 5823, and I reserve
the balance of my time.
Mr. JOYCE of Pennsylvania. Mr. Speaker, I yield myself such time as I
may consume.
Mr. Speaker, I rise in strong support of H.R. 5823.
Preparing our State, local, Tribal, and territorial governments for
the increasing number of cyber threats they face is a necessary
priority.
Cybersecurity preparedness is ineffective if our only focus is on
Federal preparedness. It is incumbent on us to ensure that our State
and local partners are taking advantage of the resources that we can
offer so they, too, can prepare for the threats that they might face.
H.R. 5823 will do just that. It establishes a matching grant program
for State and local governments to access and close vulnerabilities in
their IT systems.
Mr. Speaker, I thank Representatives Richmond and Katko for their
bill, and I reserve the balance of my time.
Ms. UNDERWOOD. Mr. Speaker, I yield 2 minutes to the gentleman from
Maryland (Mr. Ruppersberger).
Mr. RUPPERSBERGER. Mr. Speaker, I thank the gentlewoman for yielding.
Before I start, I want to acknowledge the gentlewoman's leadership
position. I was sitting in my chair--I have been dealing with cyber
issues for a long time--and when I heard Mr. Joyce agree with the
gentlewoman, I almost fell out of my chair, but I didn't. I really
applaud both Members for working together.
Cyber issues are some of the most important national security issues
that our country faces, internationally and also within our country,
and coming together like this is how we get things done for our
constituents. I hope people on both sides of the aisle observe what
these Representatives are doing. That is the way we need to go.
First, as a former Baltimore County executive, I am well aware of the
problems that State and local governments face on a daily basis. They
are where

[[Page H5084]]

the rubber meets the road and the source of many of the critical
services our constituents rely on, which includes schools, law
enforcement, parks, fire, and libraries.
Yet, according to the National Association of State Chief Information
Officers, nearly half of all States do not have a dedicated
cybersecurity line item in their budget. In fact, most State
cybersecurity budgets are between 0 and 3 percent of their overall
information technology budget.
While some support from the Federal Government does exist already,
less than 4 percent of current Homeland Security Grant Program funding
has been allocated to cybersecurity needs at the State and local level.
As we have seen from recent cyberattacks on many American cities and
States, this is simply not enough.
Last year, there were at least 24 public-sector ransomware attacks,
including a ransomware attack in Baltimore, my hometown, that is
expected to cost more than $18 million in remediation. A separate
attack in 2018 temporarily disabled Baltimore's 911 dispatch system.
This is part of a growing nationwide trend. The COVID-19 pandemic has
only exacerbated the threat to local governments as hackers exploit
overwhelmed organizations that are increasingly dependent on digital
tools. We cannot simply stand by and watch this happen. We can and must
do more.
The SPEAKER pro tempore. The time of the gentleman has expired.
Ms. UNDERWOOD. Mr. Speaker, I yield the gentleman from Maryland an
additional 2 minutes.
Mr. RUPPERSBERGER. Mr. Speaker, the bill before us today establishes
a program making grants available to State, local, Tribal, and
territorial governments to address cybersecurity risks and threats to
their information systems.
This is not a silver bullet, but it allows us to leverage Federal
expertise in cyber, like that of the Cybersecurity and Infrastructure
Security Agency, or CISA, to help State and local governments get their
information security programs off the ground.
This bill will further empower State and local governments around the
country to begin assuming the funding burden in their normal budget
cycles in the future by reducing the Federal share over time.
I thank Chairman Thompson, Chairman Richmond, and all those involved
for this bipartisan coalition.
Ms. UNDERWOOD. Mr. Speaker, I yield 3 minutes to the gentleman from
Washington (Mr. Kilmer).
Mr. KILMER. Mr. Speaker, I thank my good friend for yielding and echo
the gratitude for her leadership and the bipartisan leadership of the
subcommittee.
Mr. Speaker, I rise in strong support of the State and Local
Cybersecurity Improvement Act, a bipartisan bill that I was proud to
help introduce, to deliver urgently needed investments to address the
vulnerabilities that persist in State, local, Tribal, and territorial
cyber infrastructures.
These cyber threats are real, and our communities need help.
I have spoken with a county auditor just recently who said she is
conscious that her systems are constantly targeted.
I have spoken with public power providers who understand that, in the
absence of sufficient cybersecurity, we could see an attack that would
wipe out our critical utilities for citizens and could undermine our
economy.
I have recently spoken with a Tribal leader who said that they have
enough technology challenges without seeing the threat of cyberattack
compound things.
I have spoken with a county hospital in my district that was hit by a
ransomware attack.
This bill is about letting those folks know and the people whom they
serve know that they are not on their own, that the Federal Government
understands that cybersecurity vulnerabilities don't only exist in
marble buildings in Washington, D.C., but that they exist in
communities in every State in our Nation, and with this bill the
Federal Government says: We are going to have your back. That is why I
urge my colleagues on both sides of the aisle to support this
bipartisan plan. There is no time to waste.
Ms. UNDERWOOD. Mr. Speaker, I have no more speakers, and I am
prepared to close after the gentleman from Pennsylvania closes. I
reserve the balance of my time.
Mr. JOYCE of Pennsylvania. Mr. Speaker, I urge a ``yes'' vote on the
bill, and I yield back the balance of my time.
Ms. UNDERWOOD. Mr. Speaker, over the past decade and a half, Congress
has redoubled efforts to secure Federal networks. This legislation will
continue that work by supporting State and local cybersecurity
improvements. It was approved on a bipartisan basis in committee and
has broad and deep support within stakeholder communities.
I would like to congratulate Congressman Cedric Richmond, the former
chairman of the Cybersecurity, Infrastructure Protection, and
Innovation Subcommittee, on this important legislation.
Mr. Speaker, I urge my colleagues to support the measure, and I yield
back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentlewoman from Illinois (Ms. Underwood) that the House suspend the
rules and pass the bill, H.R. 5823, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table.

____________________