[Congressional Record Volume 167, Number 127 (Tuesday, July 20, 2021)]
[House]
[Pages H3689-H3695]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                              {time}  1300
             STATE AND LOCAL CYBERSECURITY IMPROVEMENT ACT

  Ms. CLARKE of New York. Madam Speaker, I move to suspend the rules 
and pass the bill (H.R. 3138) to amend the Homeland Security Act of 
2002 to authorize a grant program relating to the cybersecurity of 
State and local governments, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 3138

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``State and Local 
     Cybersecurity Improvement Act''.

     SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

       (a) In General.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by 
     adding at the end the following new sections:

     ``SEC. 2220A. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

       ``(a) Definitions.--In this section:
       ``(1) Cyber threat indicator.--The term `cyber threat 
     indicator' has the meaning given the term in section 102 of 
     the Cybersecurity Act of 2015 (6 U.S.C. 1501).
       ``(2) Cybersecurity plan.--The term `Cybersecurity Plan' 
     means a plan submitted by an eligible entity under subsection 
     (e)(1).
       ``(3) Eligible entity.--The term `eligible entity' means--
       ``(A) a State; or
       ``(B) an Indian tribe that, not later than 120 days after 
     the date of the enactment of this section or not later than 
     120 days before the start of any fiscal year in which a grant 
     under this section is awarded--
       ``(i) notifies the Secretary that the Indian tribe intends 
     to develop a Cybersecurity Plan; and
       ``(ii) agrees to forfeit any distribution under subsection 
     (n)(2).
       ``(4) Incident.--The term `incident' has the meaning given 
     the term in section 2209.
       ``(5) Indian tribe; tribal organization.--The term `Indian 
     tribe' or `Tribal organization' has the meaning given that 
     term in section 4(e) of the of the Indian Self-Determination 
     and Education Assistance Act (25 U.S.C. 5304(e)).
       ``(6) Information sharing and analysis organization.--The 
     term `information sharing and analysis organization' has the 
     meaning given the term in section 2222.
       ``(7) Information system.--The term `information system' 
     has the meaning given the

[[Page H3690]]

     term in section 102 of the Cybersecurity Act of 2015 (6 
     U.S.C. 1501).
       ``(8) Online service.--The term `online service' means any 
     internet-facing service, including a website, email, virtual 
     private network, or custom application.
       ``(9) Ransomware incident.--The term `ransomware incident' 
     means an incident that actually or imminently jeopardizes, 
     without lawful authority, the integrity, confidentiality, or 
     availability of information on an information system, or 
     actually or imminently jeopardizes, without lawful authority, 
     an information system for the purpose of coercing the 
     information system's owner, operator, or another person.
       ``(10) State and local cybersecurity grant program.--The 
     term `State and Local Cybersecurity Grant Program' means the 
     program established under subsection (b).
       ``(11) State and local cybersecurity resilience 
     committee.--The term `State and Local Cybersecurity 
     Resilience Committee' means the committee established under 
     subsection (o)(1).
       ``(b) Establishment.--
       ``(1) In general.--The Secretary, acting through the 
     Director, shall establish a program, to be known as the `the 
     State and Local Cybersecurity Grant Program', to award grants 
     to eligible entities to address cybersecurity risks and 
     cybersecurity threats to information systems of State, local, 
     or Tribal organizations.
       ``(2) Application.--An eligible entity seeking a grant 
     under the State and Local Cybersecurity Grant Program shall 
     submit to the Secretary an application at such time, in such 
     manner, and containing such information as the Secretary may 
     require.
       ``(c) Baseline Requirements.--An eligible entity or 
     multistate group that receives a grant under this section 
     shall use the grant in compliance with--
       ``(1)(A) the Cybersecurity Plan of the eligible entity or 
     the Cybersecurity Plans of the eligible entities that 
     comprise the multistate group; and
       ``(B) the Homeland Security Strategy to Improve the 
     Cybersecurity of State, Local, Tribal, and Territorial 
     Governments developed under section 2210(e)(1); or
       ``(2) activities carried out under paragraphs (3), (4), and 
     (5) of subsection (h).
       ``(d) Administration.--The State and Local Cybersecurity 
     Grant Program shall be administered in the same office of the 
     Department that administers grants made under sections 2003 
     and 2004.
       ``(e) Cybersecurity Plans.--
       ``(1) In general.--An eligible entity applying for a grant 
     under this section shall submit to the Secretary a 
     Cybersecurity Plan for approval.
       ``(2) Required elements.--A Cybersecurity Plan of an 
     eligible entity shall--
       ``(A) incorporate, to the extent practicable, any existing 
     plans of the eligible entity to protect against cybersecurity 
     risks and cybersecurity threats to information systems of 
     State, local, or Tribal organizations;
       ``(B) describe, to the extent practicable, how the eligible 
     entity will--
       ``(i) manage, monitor, and track information systems, 
     applications, and user accounts owned or operated by or on 
     behalf of the eligible entity or by local or Tribal 
     organizations within the jurisdiction of the eligible entity 
     and the information technology deployed on those information 
     systems, including legacy information systems and information 
     technology that are no longer supported by the manufacturer 
     of the systems or technology;
       ``(ii) monitor, audit, and track activity between 
     information systems, applications, and user accounts owned or 
     operated by or on behalf of the eligible entity or by local 
     or Tribal organizations within the jurisdiction of the 
     eligible entity and between those information systems and 
     information systems not owned or operated by the eligible 
     entity or by local or Tribal organizations within the 
     jurisdiction of the eligible entity;
       ``(iii) enhance the preparation, response, and resilience 
     of information systems, applications, and user accounts owned 
     or operated by or on behalf of the eligible entity or local 
     or Tribal organizations against cybersecurity risks and 
     cybersecurity threats;
       ``(iv) implement a process of continuous cybersecurity 
     vulnerability assessments and threat mitigation practices 
     prioritized by degree of risk to address cybersecurity risks 
     and cybersecurity threats on information systems of the 
     eligible entity or local or Tribal organizations;
       ``(v) ensure that State, local, and Tribal organizations 
     that own or operate information systems that are located 
     within the jurisdiction of the eligible entity--

       ``(I) adopt best practices and methodologies to enhance 
     cybersecurity, such as the practices set forth in the 
     cybersecurity framework developed by, and the cyber supply 
     chain risk management best practices identified by, the 
     National Institute of Standards and Technology; and
       ``(II) utilize knowledge bases of adversary tools and 
     tactics to assess risk;

       ``(vi) promote the delivery of safe, recognizable, and 
     trustworthy online services by State, local, and Tribal 
     organizations, including through the use of the .gov internet 
     domain;
       ``(vii) ensure continuity of operations of the eligible 
     entity and local, and Tribal organizations in the event of a 
     cybersecurity incident (including a ransomware incident), 
     including by conducting exercises to practice responding to 
     such an incident;
       ``(viii) use the National Initiative for Cybersecurity 
     Education Cybersecurity Workforce Framework developed by the 
     National Institute of Standards and Technology to identify 
     and mitigate any gaps in the cybersecurity workforces of 
     State, local, or Tribal organizations, enhance recruitment 
     and retention efforts for such workforces, and bolster the 
     knowledge, skills, and abilities of State, local, and Tribal 
     organization personnel to address cybersecurity risks and 
     cybersecurity threats, such as through cybersecurity hygiene 
     training;
       ``(ix) ensure continuity of communications and data 
     networks within the jurisdiction of the eligible entity 
     between the eligible entity and local and Tribal 
     organizations that own or operate information systems within 
     the jurisdiction of the eligible entity in the event of an 
     incident involving such communications or data networks 
     within the jurisdiction of the eligible entity;
       ``(x) assess and mitigate, to the greatest degree possible, 
     cybersecurity risks and cybersecurity threats related to 
     critical infrastructure and key resources, the degradation of 
     which may impact the performance of information systems 
     within the jurisdiction of the eligible entity;
       ``(xi) enhance capabilities to share cyber threat 
     indicators and related information between the eligible 
     entity and local and Tribal organizations that own or operate 
     information systems within the jurisdiction of the eligible 
     entity, including by expanding existing information sharing 
     agreements with the Department;
       ``(xii) enhance the capability of the eligible entity to 
     share cyber threat indictors and related information with the 
     Department;
       ``(xiii) leverage cybersecurity services offered by the 
     Department;
       ``(xiv) develop and coordinate strategies to address 
     cybersecurity risks and cybersecurity threats to information 
     systems of the eligible entity in consultation with--

       ``(I) local and Tribal organizations within the 
     jurisdiction of the eligible entity; and
       ``(II) as applicable--

       ``(aa) States that neighbor the jurisdiction of the 
     eligible entity or, as appropriate, members of an information 
     sharing and analysis organization; and
       ``(bb) countries that neighbor the jurisdiction of the 
     eligible entity; and
       ``(xv) implement an information technology and operational 
     technology modernization cybersecurity review process that 
     ensures alignment between information technology and 
     operational technology cybersecurity objectives;
       ``(C) describe, to the extent practicable, the individual 
     responsibilities of the eligible entity and local and Tribal 
     organizations within the jurisdiction of the eligible entity 
     in implementing the plan;
       ``(D) outline, to the extent practicable, the necessary 
     resources and a timeline for implementing the plan; and
       ``(E) describe how the eligible entity will measure 
     progress towards implementing the plan.
       ``(3) Discretionary elements.--A Cybersecurity Plan of an 
     eligible entity may include a description of--
       ``(A) cooperative programs developed by groups of local and 
     Tribal organizations within the jurisdiction of the eligible 
     entity to address cybersecurity risks and cybersecurity 
     threats; and
       ``(B) programs provided by the eligible entity to support 
     local and Tribal organizations and owners and operators of 
     critical infrastructure to address cybersecurity risks and 
     cybersecurity threats.
       ``(4) Management of funds.--An eligible entity applying for 
     a grant under this section shall agree to designate the Chief 
     Information Officer, the Chief Information Security Officer, 
     or an equivalent official of the eligible entity as the 
     primary official for the management and allocation of funds 
     awarded under this section.
       ``(f) Multistate Grants.--
       ``(1) In general.--The Secretary, acting through the 
     Director, may award grants under this section to a group of 
     two or more eligible entities to support multistate efforts 
     to address cybersecurity risks and cybersecurity threats to 
     information systems within the jurisdictions of the eligible 
     entities.
       ``(2) Satisfaction of other requirements.--In order to be 
     eligible for a multistate grant under this subsection, each 
     eligible entity that comprises a multistate group shall 
     submit to the Secretary--
       ``(A) a Cybersecurity Plan for approval in accordance with 
     subsection (i); and
       ``(B) a plan for establishing a cybersecurity planning 
     committee under subsection (g).
       ``(3) Application.--
       ``(A) In general.--A multistate group applying for a 
     multistate grant under paragraph (1) shall submit to the 
     Secretary an application at such time, in such manner, and 
     containing such information as the Secretary may require.
       ``(B) Multistate project description.--An application of a 
     multistate group under subparagraph (A) shall include a plan 
     describing--
       ``(i) the division of responsibilities among the eligible 
     entities that comprise the multistate group for administering 
     the grant for which application is being made;
       ``(ii) the distribution of funding from such a grant among 
     the eligible entities that comprise the multistate group; and
       ``(iii) how the eligible entities that comprise the 
     multistate group will work together to implement the 
     Cybersecurity Plan of each of those eligible entities.

[[Page H3691]]

       ``(g) Planning Committees.--
       ``(1) In general.--An eligible entity that receives a grant 
     under this section shall establish a cybersecurity planning 
     committee to--
       ``(A) assist in the development, implementation, and 
     revision of the Cybersecurity Plan of the eligible entity;
       ``(B) approve the Cybersecurity Plan of the eligible 
     entity; and
       ``(C) assist in the determination of effective funding 
     priorities for a grant under this section in accordance with 
     subsection (h).
       ``(2) Composition.--A committee of an eligible entity 
     established under paragraph (1) shall--
       ``(A) be comprised of representatives from the eligible 
     entity and counties, cities, towns, Tribes, and public 
     educational and health institutions within the jurisdiction 
     of the eligible entity; and
       ``(B) include, as appropriate, representatives of rural, 
     suburban, and high-population jurisdictions.
       ``(3) Cybersecurity expertise.--Not less than \1/2\ of the 
     representatives of a committee established under paragraph 
     (1) shall have professional experience relating to 
     cybersecurity or information technology.
       ``(4) Rule of construction regarding existing planning 
     committees.--Nothing in this subsection may be construed to 
     require an eligible entity to establish a cybersecurity 
     planning committee if the eligible entity has established and 
     uses a multijurisdictional planning committee or commission 
     that meets, or may be leveraged to meet, the requirements of 
     this subsection.
       ``(h) Use of Funds.--An eligible entity that receives a 
     grant under this section shall use the grant to--
       ``(1) implement the Cybersecurity Plan of the eligible 
     entity;
       ``(2) develop or revise the Cybersecurity Plan of the 
     eligible entity; or
       ``(3) assist with activities that address imminent 
     cybersecurity risks or cybersecurity threats to the 
     information systems of the eligible entity or a local or 
     Tribal organization within the jurisdiction of the eligible 
     entity.
       ``(i) Approval of Plans.--
       ``(1) Approval as condition of grant.--Before an eligible 
     entity may receive a grant under this section, the Secretary, 
     acting through the Director, shall review the Cybersecurity 
     Plan, or any revisions thereto, of the eligible entity and 
     approve such plan, or revised plan, if it satisfies the 
     requirements specified in paragraph (2).
       ``(2) Plan requirements.--In approving a Cybersecurity Plan 
     of an eligible entity under this subsection, the Director 
     shall ensure that the Cybersecurity Plan--
       ``(A) satisfies the requirements of subsection (e)(2);
       ``(B) upon the issuance of the Homeland Security Strategy 
     to Improve the Cybersecurity of State, Local, Tribal, and 
     Territorial Governments authorized pursuant to section 
     2210(e), complies, as appropriate, with the goals and 
     objectives of the strategy; and
       ``(C) has been approved by the cybersecurity planning 
     committee of the eligible entity established under subsection 
     (g).
       ``(3) Approval of revisions.--The Secretary, acting through 
     the Director, may approve revisions to a Cybersecurity Plan 
     as the Director determines appropriate.
       ``(4) Exception.--Notwithstanding subsection (e) and 
     paragraph (1) of this subsection, the Secretary may award a 
     grant under this section to an eligible entity that does not 
     submit a Cybersecurity Plan to the Secretary if--
       ``(A) the eligible entity certifies to the Secretary that--
       ``(i) the activities that will be supported by the grant 
     are integral to the development of the Cybersecurity Plan of 
     the eligible entity; and
       ``(ii) the eligible entity will submit by September 30, 
     2023, to the Secretary a Cybersecurity Plan for review, and 
     if appropriate, approval; or
       ``(B) the eligible entity certifies to the Secretary, and 
     the Director confirms, that the eligible entity will use 
     funds from the grant to assist with the activities described 
     in subsection (h)(3).
       ``(j) Limitations on Uses of Funds.--
       ``(1) In general.--An eligible entity that receives a grant 
     under this section may not use the grant--
       ``(A) to supplant State, local, or Tribal funds;
       ``(B) for any recipient cost-sharing contribution;
       ``(C) to pay a demand for ransom in an attempt to--
       ``(i) regain access to information or an information system 
     of the eligible entity or of a local or Tribal organization 
     within the jurisdiction of the eligible entity; or
       ``(ii) prevent the disclosure of information that has been 
     removed without authorization from an information system of 
     the eligible entity or of a local or Tribal organization 
     within the jurisdiction of the eligible entity;
       ``(D) for recreational or social purposes; or
       ``(E) for any purpose that does not address cybersecurity 
     risks or cybersecurity threats on information systems of the 
     eligible entity or of a local or Tribal organization within 
     the jurisdiction of the eligible entity.
       ``(2) Penalties.--In addition to any other remedy 
     available, the Secretary may take such actions as are 
     necessary to ensure that a recipient of a grant under this 
     section uses the grant for the purposes for which the grant 
     is awarded.
       ``(3) Rule of construction.--Nothing in paragraph (1) may 
     be construed to prohibit the use of grant funds provided to a 
     State, local, or Tribal organization for otherwise 
     permissible uses under this section on the basis that a 
     State, local, or Tribal organization has previously used 
     State, local, or Tribal funds to support the same or similar 
     uses.
       ``(k) Opportunity to Amend Applications.--In considering 
     applications for grants under this section, the Secretary 
     shall provide applicants with a reasonable opportunity to 
     correct defects, if any, in such applications before making 
     final awards.
       ``(l) Apportionment.--For fiscal year 2022 and each fiscal 
     year thereafter, the Secretary shall apportion amounts 
     appropriated to carry out this section among States as 
     follows:
       ``(1) Baseline amount.--The Secretary shall first apportion 
     0.25 percent of such amounts to each of American Samoa, the 
     Commonwealth of the Northern Mariana Islands, Guam, the U.S. 
     Virgin Islands, and 0.75 percent of such amounts to each of 
     the remaining States.
       ``(2) Remainder.--The Secretary shall apportion the 
     remainder of such amounts in the ratio that--
       ``(A) the population of each eligible entity, bears to
       ``(B) the population of all eligible entities.
       ``(3) Minimum allocation to indian tribes.--
       ``(A) In general.--In apportioning amounts under this 
     section, the Secretary shall ensure that, for each fiscal 
     year, directly eligible Tribes collectively receive, from 
     amounts appropriated under the State and Local Cybersecurity 
     Grant Program, not less than an amount equal to three percent 
     of the total amount appropriated for grants under this 
     section.
       ``(B) Allocation.--Of the amount reserved under 
     subparagraph (A), funds shall be allocated in a manner 
     determined by the Secretary in consultation with Indian 
     tribes.
       ``(C) Exception.--This paragraph shall not apply in any 
     fiscal year in which the Secretary--
       ``(i) receives fewer than five applications from Indian 
     tribes; or
       ``(ii) does not approve at least two applications from 
     Indian tribes.
       ``(m) Federal Share.--
       ``(1) In general.--The Federal share of the cost of an 
     activity carried out using funds made available with a grant 
     under this section may not exceed--
       ``(A) in the case of a grant to an eligible entity--
       ``(i) for fiscal year 2022, 90 percent;
       ``(ii) for fiscal year 2023, 80 percent;
       ``(iii) for fiscal year 2024, 70 percent;
       ``(iv) for fiscal year 2025, 60 percent; and
       ``(v) for fiscal year 2026 and each subsequent fiscal year, 
     50 percent; and
       ``(B) in the case of a grant to a multistate group--
       ``(i) for fiscal year 2022, 95 percent;
       ``(ii) for fiscal year 2023, 85 percent;
       ``(iii) for fiscal year 2024, 75 percent;
       ``(iv) for fiscal year 2025, 65 percent; and
       ``(v) for fiscal year 2026 and each subsequent fiscal year, 
     55 percent.
       ``(2) Waiver.--The Secretary may waive or modify the 
     requirements of paragraph (1) for an Indian tribe if the 
     Secretary determines such a waiver is in the public interest.
       ``(n) Responsibilities of Grantees.--
       ``(1) Certification.--Each eligible entity or multistate 
     group that receives a grant under this section shall certify 
     to the Secretary that the grant will be used--
       ``(A) for the purpose for which the grant is awarded; and
       ``(B) in compliance with, as the case may be--
       ``(i) the Cybersecurity Plan of the eligible entity;
       ``(ii) the Cybersecurity Plans of the eligible entities 
     that comprise the multistate group; or
       ``(iii) a purpose approved by the Secretary under 
     subsection (h) or pursuant to an exception under subsection 
     (i).
       ``(2) Availability of funds to local and tribal 
     organizations.--Not later than 45 days after the date on 
     which an eligible entity or multistate group receives a grant 
     under this section, the eligible entity or multistate group 
     shall, without imposing unreasonable or unduly burdensome 
     requirements as a condition of receipt, obligate or otherwise 
     make available to local and Tribal organizations within the 
     jurisdiction of the eligible entity or the eligible entities 
     that comprise the multistate group, and as applicable, 
     consistent with the Cybersecurity Plan of the eligible entity 
     or the Cybersecurity Plans of the eligible entities that 
     comprise the multistate group--
       ``(A) not less than 80 percent of funds available under the 
     grant;
       ``(B) with the consent of the local and Tribal 
     organizations, items, services, capabilities, or activities 
     having a value of not less than 80 percent of the amount of 
     the grant; or
       ``(C) with the consent of the local and Tribal 
     organizations, grant funds combined with other items, 
     services, capabilities, or activities having the total value 
     of not less than 80 percent of the amount of the grant.
       ``(3) Certifications regarding distribution of grant funds 
     to local and tribal organizations.--An eligible entity or 
     multistate group shall certify to the Secretary that the 
     eligible entity or multistate group has made the distribution 
     to local,

[[Page H3692]]

     Tribal, and territorial governments required under paragraph 
     (2).
       ``(4) Extension of period.--
       ``(A) In general.--An eligible entity or multistate group 
     may request in writing that the Secretary extend the period 
     of time specified in paragraph (2) for an additional period 
     of time.
       ``(B) Approval.--The Secretary may approve a request for an 
     extension under subparagraph (A) if the Secretary determines 
     the extension is necessary to ensure that the obligation and 
     expenditure of grant funds align with the purpose of the 
     State and Local Cybersecurity Grant Program.
       ``(5) Exception.--Paragraph (2) shall not apply to the 
     District of Columbia, the Commonwealth of Puerto Rico, 
     American Samoa, the Commonwealth of the Northern Mariana 
     Islands, Guam, the Virgin Islands, or an Indian tribe.
       ``(6) Direct funding.--If an eligible entity does not make 
     a distribution to a local or Tribal organization required in 
     accordance with paragraph (2), the local or Tribal 
     organization may petition the Secretary to request that grant 
     funds be provided directly to the local or Tribal 
     organization.
       ``(7) Penalties.--In addition to other remedies available 
     to the Secretary, the Secretary may terminate or reduce the 
     amount of a grant awarded under this section to an eligible 
     entity or distribute grant funds previously awarded to such 
     eligible entity directly to the appropriate local or Tribal 
     organization as a replacement grant in an amount the 
     Secretary determines appropriate if such eligible entity 
     violates a requirement of this subsection.
       ``(o) Advisory Committee.--
       ``(1) Establishment.--Not later than 120 days after the 
     date of enactment of this section, the Director shall 
     establish a State and Local Cybersecurity Resilience 
     Committee to provide State, local, and Tribal stakeholder 
     expertise, situational awareness, and recommendations to the 
     Director, as appropriate, regarding how to--
       ``(A) address cybersecurity risks and cybersecurity threats 
     to information systems of State, local, or Tribal 
     organizations; and
       ``(B) improve the ability of State, local, and Tribal 
     organizations to prevent, protect against, respond to, 
     mitigate, and recover from such cybersecurity risks and 
     cybersecurity threats.
       ``(2) Duties.--The committee established under paragraph 
     (1) shall--
       ``(A) submit to the Director recommendations that may 
     inform guidance for applicants for grants under this section;
       ``(B) upon the request of the Director, provide to the 
     Director technical assistance to inform the review of 
     Cybersecurity Plans submitted by applicants for grants under 
     this section, and, as appropriate, submit to the Director 
     recommendations to improve those plans prior to the approval 
     of the plans under subsection (i);
       ``(C) advise and provide to the Director input regarding 
     the Homeland Security Strategy to Improve Cybersecurity for 
     State, Local, Tribal, and Territorial Governments required 
     under section 2210;
       ``(D) upon the request of the Director, provide to the 
     Director recommendations, as appropriate, regarding how to--
       ``(i) address cybersecurity risks and cybersecurity threats 
     on information systems of State, local, or Tribal 
     organizations; and
       ``(ii) improve the cybersecurity resilience of State, 
     local, or Tribal organizations; and
       ``(E) regularly coordinate with the State, Local, Tribal 
     and Territorial Government Coordinating Council, within the 
     Critical Infrastructure Partnership Advisory Council, 
     established under section 871.
       ``(3) Membership.--
       ``(A) Number and appointment.--The State and Local 
     Cybersecurity Resilience Committee established pursuant to 
     paragraph (1) shall be composed of 15 members appointed by 
     the Director, as follows:
       ``(i) Two individuals recommended to the Director by the 
     National Governors Association.
       ``(ii) Two individuals recommended to the Director by the 
     National Association of State Chief Information Officers.
       ``(iii) One individual recommended to the Director by the 
     National Guard Bureau.
       ``(iv) Two individuals recommended to the Director by the 
     National Association of Counties.
       ``(v) One individual recommended to the Director by the 
     National League of Cities.
       ``(vi) One individual recommended to the Director by the 
     United States Conference of Mayors.
       ``(vii) One individual recommended to the Director by the 
     Multi-State Information Sharing and Analysis Center.
       ``(viii) One individual recommended to the Director by the 
     National Congress of American Indians.
       ``(viii) Four individuals who have educational and 
     professional experience relating to cybersecurity work or 
     cybersecurity policy.
       ``(B) Terms.--
       ``(i) In general.--Subject to clause (ii), each member of 
     the State and Local Cybersecurity Resilience Committee shall 
     be appointed for a term of two years.
       ``(ii) Requirement.--At least two members of the State and 
     Local Cybersecurity Resilience Committee shall also be 
     members of the State, Local, Tribal and Territorial 
     Government Coordinating Council, within the Critical 
     Infrastructure Partnership Advisory Council, established 
     under section 871.
       ``(iii) Exception.--A term of a member of the State and 
     Local Cybersecurity Resilience Committee shall be three years 
     if the member is appointed initially to the Committee upon 
     the establishment of the Committee.
       ``(iv) Term remainders.--Any member of the State and Local 
     Cybersecurity Resilience Committee appointed to fill a 
     vacancy occurring before the expiration of the term for which 
     the member's predecessor was appointed shall be appointed 
     only for the remainder of such term. A member may serve after 
     the expiration of such member's term until a successor has 
     taken office.
       ``(v) Vacancies.--A vacancy in the State and Local 
     Cybersecurity Resilience Committee shall be filled in the 
     manner in which the original appointment was made.
       ``(C) Pay.--Members of the State and Local Cybersecurity 
     Resilience Committee shall serve without pay.
       ``(4) Chairperson; vice chairperson.--The members of the 
     State and Local Cybersecurity Resilience Committee shall 
     select a chairperson and vice chairperson from among members 
     of the committee.
       ``(5) Permanent authority.--Notwithstanding section 14 of 
     the Federal Advisory Committee Act (5 U.S.C. App.), the State 
     and Local Cybersecurity Resilience Committee shall be a 
     permanent authority.
       ``(p) Reports.--
       ``(1) Annual reports by grant recipients.--
       ``(A) In general.--Not later than one year after an 
     eligible entity or multistate group receives funds under this 
     section, the eligible entity or multistate group shall submit 
     to the Secretary a report on the progress of the eligible 
     entity or multistate group in implementing the Cybersecurity 
     Plan of the eligible entity or Cybersecurity Plans of the 
     eligible entities that comprise the multistate group, as the 
     case may be.
       ``(B) Absence of plan.--Not later than 180 days after an 
     eligible entity that does not have a Cybersecurity Plan 
     receives funds under this section for developing its 
     Cybersecurity Plan, the eligible entity shall submit to the 
     Secretary a report describing how the eligible entity 
     obligated and expended grant funds during the fiscal year 
     to--
       ``(i) so develop such a Cybersecurity Plan; or
       ``(ii) assist with the activities described in subsection 
     (h)(3).
       ``(2) Annual reports to congress.--Not less frequently than 
     once per year, the Secretary, acting through the Director, 
     shall submit to Congress a report on the use of grants 
     awarded under this section and any progress made toward the 
     following:
       ``(A) Achieving the objectives set forth in the Homeland 
     Security Strategy to Improve the Cybersecurity of State, 
     Local, Tribal, and Territorial Governments, upon the date on 
     which the strategy is issued under section 2210.
       ``(B) Developing, implementing, or revising Cybersecurity 
     Plans.
       ``(C) Reducing cybersecurity risks and cybersecurity 
     threats to information systems, applications, and user 
     accounts owned or operated by or on behalf of State, local, 
     and Tribal organizations as a result of the award of such 
     grants.
       ``(q) Authorization of Appropriations.--There are 
     authorized to be appropriated for grants under this section--
       ``(1) for each of fiscal years 2022 through 2026, 
     $500,000,000; and
       ``(2) for each subsequent fiscal year, such sums as may be 
     necessary.

     ``SEC. 2220B. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR 
                   STATE, LOCAL, TRIBAL, AND TERRITORIAL 
                   GOVERNMENT OFFICIALS.

       ``The Secretary, acting through the Director, shall 
     develop, regularly update, and maintain a resource guide for 
     use by State, local, Tribal, and territorial government 
     officials, including law enforcement officers, to help such 
     officials identify, prepare for, detect, protect against, 
     respond to, and recover from cybersecurity risks (as such 
     term is defined in section 2209), cybersecurity threats, and 
     incidents (as such term is defined in section 2209).''.
       (b) Clerical Amendment.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002, as amended by 
     section 4, is further amended by inserting after the item 
     relating to section 2220 the following new items:

``Sec. 2220A. State and Local Cybersecurity Grant Program.
``Sec. 2220B. Cybersecurity resource guide development for State, 
              local, Tribal, and territorial government officials.''.

     SEC. 3. STRATEGY.

       (a) Homeland Security Strategy to Improve the Cybersecurity 
     of State, Local, Tribal, and Territorial Governments.--
     Section 2210 of the Homeland Security Act of 2002 (6 U.S.C. 
     660) is amended by adding at the end the following new 
     subsection:
       ``(e) Homeland Security Strategy to Improve the 
     Cybersecurity of State, Local, Tribal, and Territorial 
     Governments.--
       ``(1) In general.--
       ``(A) Requirement.--Not later than one year after the date 
     of the enactment of this subsection, the Secretary, acting 
     through the Director, shall, in coordination with the heads 
     of appropriate Federal agencies, State, local, Tribal, and 
     territorial governments, the State and Local Cybersecurity 
     Resilience Committee established under section 2220A, and 
     other stakeholders, as appropriate, develop and make publicly 
     available

[[Page H3693]]

     a Homeland Security Strategy to Improve the Cybersecurity of 
     State, Local, Tribal, and Territorial Governments.
       ``(B) Recommendations and requirements.--The strategy 
     required under subparagraph (A) shall--
       ``(i) provide recommendations relating to the ways in which 
     the Federal Government should support and promote the ability 
     of State, local, Tribal, and territorial governments to 
     identify, mitigate against, protect against, detect, respond 
     to, and recover from cybersecurity risks (as such term is 
     defined in section 2209), cybersecurity threats, and 
     incidents (as such term is defined in section 2209); and
       ``(ii) establish baseline requirements for cybersecurity 
     plans under this section and principles with which such plans 
     shall align.
       ``(2) Contents.--The strategy required under paragraph (1) 
     shall--
       ``(A) identify capability gaps in the ability of State, 
     local, Tribal, and territorial governments to identify, 
     protect against, detect, respond to, and recover from 
     cybersecurity risks, cybersecurity threats, incidents, and 
     ransomware incidents;
       ``(B) identify Federal resources and capabilities that are 
     available or could be made available to State, local, Tribal, 
     and territorial governments to help those governments 
     identify, protect against, detect, respond to, and recover 
     from cybersecurity risks, cybersecurity threats, incidents, 
     and ransomware incidents;
       ``(C) identify and assess the limitations of Federal 
     resources and capabilities available to State, local, Tribal, 
     and territorial governments to help those governments 
     identify, protect against, detect, respond to, and recover 
     from cybersecurity risks, cybersecurity threats, incidents, 
     and ransomware incidents and make recommendations to address 
     such limitations;
       ``(D) identify opportunities to improve the coordination of 
     the Agency with Federal and non-Federal entities, such as the 
     Multi-State Information Sharing and Analysis Center, to 
     improve--
       ``(i) incident exercises, information sharing and incident 
     notification procedures;
       ``(ii) the ability for State, local, Tribal, and 
     territorial governments to voluntarily adapt and implement 
     guidance in Federal binding operational directives; and
       ``(iii) opportunities to leverage Federal schedules for 
     cybersecurity investments under section 502 of title 40, 
     United States Code;
       ``(E) recommend new initiatives the Federal Government 
     should undertake to improve the ability of State, local, 
     Tribal, and territorial governments to identify, protect 
     against, detect, respond to, and recover from cybersecurity 
     risks, cybersecurity threats, incidents, and ransomware 
     incidents;
       ``(F) set short-term and long-term goals that will improve 
     the ability of State, local, Tribal, and territorial 
     governments to identify, protect against, detect, respond to, 
     and recover from cybersecurity risks, cybersecurity threats, 
     incidents, and ransomware incidents; and
       ``(G) set dates, including interim benchmarks, as 
     appropriate for State, local, Tribal, and territorial 
     governments to establish baseline capabilities to identify, 
     protect against, detect, respond to, and recover from 
     cybersecurity risks, cybersecurity threats, incidents, and 
     ransomware incidents.
       ``(3) Considerations.--In developing the strategy required 
     under paragraph (1), the Director, in coordination with the 
     heads of appropriate Federal agencies, State, local, Tribal, 
     and territorial governments, the State and Local 
     Cybersecurity Resilience Committee established under section 
     2220A, and other stakeholders, as appropriate, shall 
     consider--
       ``(A) lessons learned from incidents that have affected 
     State, local, Tribal, and territorial governments, and 
     exercises with Federal and non-Federal entities;
       ``(B) the impact of incidents that have affected State, 
     local, Tribal, and territorial governments, including the 
     resulting costs to such governments;
       ``(C) the information related to the interest and ability 
     of state and non-state threat actors to compromise 
     information systems (as such term is defined in section 102 
     of the Cybersecurity Act of 2015 (6 U.S.C. 1501)) owned or 
     operated by State, local, Tribal, and territorial 
     governments;
       ``(D) emerging cybersecurity risks and cybersecurity 
     threats to State, local, Tribal, and territorial governments 
     resulting from the deployment of new technologies; and
       ``(E) recommendations made by the State and Local 
     Cybersecurity Resilience Committee established under section 
     2220A.
       ``(4) Exemption.--Chapter 35 of title 44, United States 
     Code (commonly known as the `Paperwork Reduction Act'), shall 
     not apply to any action to implement this subsection.''.
       (b) Responsibilities of the Director of the Cybersecurity 
     and Infrastructure Security Agency.--Section 2202 of the 
     Homeland Security Act of 2002 (6 U.S.C. 652) is amended--
       (1) by redesignating subsections (d) through (i) as 
     subsections (e) through (j), respectively; and
       (2) by inserting after subsection (c) the following new 
     subsection:
       ``(d) Additional Responsibilities.--In addition to the 
     responsibilities under subsection (c), the Director shall--
       ``(1) develop program guidance, in consultation with the 
     State and Local Government Cybersecurity Resilience Committee 
     established under section 2220A, for the State and Local 
     Cybersecurity Grant Program under such section or any other 
     homeland security assistance administered by the Department 
     to improve cybersecurity;
       ``(2) review, in consultation with the State and Local 
     Cybersecurity Resilience Committee, all cybersecurity plans 
     of State, local, Tribal, and territorial governments 
     developed pursuant to any homeland security assistance 
     administered by the Department to improve cybersecurity;
       ``(3) provide expertise and technical assistance to State, 
     local, Tribal, and territorial government officials with 
     respect to cybersecurity; and
       ``(4) provide education, training, and capacity development 
     to enhance the security and resilience of cybersecurity and 
     infrastructure security.''.
       (c) Feasibility Study.--Not later than 270 days after the 
     date of the enactment of this Act, the Director of the 
     Cybersecurity and Infrastructure Security of the Department 
     of Homeland Security shall conduct a study to assess the 
     feasibility of implementing a short-term rotational program 
     for the detail to the Agency of approved State, local, 
     Tribal, and territorial government employees in cyber 
     workforce positions.

     SEC. 4. TITLE XXII TECHNICAL AND CLERICAL AMENDMENTS.

       (a) Technical Amendments.--
       (1) Homeland security act of 2002.--Subtitle A of title 
     XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et 
     seq.) is amended--
       (A) in the first section 2215 (6 U.S.C. 665; relating to 
     the duties and authorities relating to .gov internet domain), 
     by amending the section enumerator and heading to read as 
     follows:

     ``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET 
                   DOMAIN.'';

       (B) in the second section 2215 (6 U.S.C. 665b; relating to 
     the joint cyber planning office), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';

       (C) in the third section 2215 (6 U.S.C. 665c; relating to 
     the Cybersecurity State Coordinator), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';

       (D) in the fourth section 2215 (6 U.S.C. 665d; relating to 
     Sector Risk Management Agencies), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';

       (E) in section 2216 (6 U.S.C. 665e; relating to the 
     Cybersecurity Advisory Committee), by amending the section 
     enumerator and heading to read as follows:

     ``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.''; AND

       (F) in section 2217 (6 U.S.C. 665f; relating to 
     Cybersecurity Education and Training Programs), by amending 
     the section enumerator and heading to read as follows:

     ``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING 
                   PROGRAMS.''.

       (2) Consolidated appropriations act, 2021.--Paragraph (1) 
     of section 904(b) of division U of the Consolidated 
     Appropriations Act, 2021 (Public Law 116-260) is amended, in 
     the matter preceding subparagraph (A), by inserting ``of 
     2002'' after ``Homeland Security Act''.
       (b) Clerical Amendment.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 is amended by 
     striking the items relating to sections 2214 through 2217 and 
     inserting the following new items:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.''.
  The SPEAKER pro tempore (Ms. Kaptur). Pursuant to the rule, the 
gentlewoman from New York (Ms. Clarke) and the gentleman from 
Mississippi (Mr. Guest) each will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Ms. CLARKE of New York. Madam Speaker, I ask unanimous consent that 
all Members may have 5 legislative days in which to revise and extend 
their remarks and include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Ms. CLARKE of New York. Madam Speaker, I yield myself such time as I 
may consume.
  Madam Speaker, the recent Colonial Pipeline, JBS, and Kaseya 
ransomware attacks have brought the Nation's attention to the 
tremendous national security threat posed by ransomware.
  The Colonial Pipeline breach alone disrupted the supply of gasoline 
for a

[[Page H3694]]

large portion of the Nation and contributed to gas shortages across 
much of the Southeast. It also spurred conversations about how much of 
our Nation's critical infrastructure is privately owned and operated.
  Lost on many Americans is how much vulnerable critical infrastructure 
is actually in the public sector. Today, emergency services, public 
schools, hospitals, and agencies involved in providing essential 
services or regulating important industries are all housed in our State 
and local governments. In recent years, we have seen communities, big 
and small, that lacked dedicated cybersecurity resources fall victim to 
ransomware attacks.
  The types of incidents we have seen include a ransomware attack on 
Baltimore that cost city taxpayers $18 million; a hack on the D.C. 
police department that resulted in leaked sensitive personnel files; 
and a cyberattack against a Massachusetts school district that forced 
it to cancel its first day of in-person instruction earlier this year.
  In May, my subcommittee held a hearing on the ransomware crisis where 
experts shared their views on the policy solutions that the Federal 
Government can consider to address this challenge. Our witnesses 
uniformly urged greater investment in prevention, particularly at the 
State and local levels.
  We cannot just focus on responding to cyber incidents. We must help 
our communities reduce their vulnerability and better mitigate 
incidents when they occur.
  In the long term, front-end cybersecurity investments save money, 
protect infrastructure, and prevent disruption to our economy and in 
our communities.
  That is why I introduced the State and Local Cybersecurity 
Improvement Act. It authorizes $500 million annually for grants to 
State, local, territorial, and Tribal governments to upgrade their 
cybersecurity. It requires States to pay a graduated cost share to 
incentivize them to budget better for cybersecurity, and it requires 
them to develop cybersecurity plans so we ensure these funds are well-
spent.
  My bill also requires DHS to create a plan to improve the 
cybersecurity posture of State and local governments to ensure that 
States have goals and objectives to which they align their own 
cybersecurity plans.
  We have spent considerable resources enhancing the security of our 
Federal networks, and President Biden's recent executive order, along 
with investments included in the American Rescue Plan, demonstrate a 
continued commitment to strengthening Federal cybersecurity.
  These actions are incredibly important, but we need to do more to 
address the vulnerabilities at the State and local levels, where there 
has been inadequate investment in cybersecurity for years.
  It is essential for the Federal Government to be a partner in 
protecting State and local digital infrastructure. As Congress 
considers ways to invest in our Nation's infrastructure, State and 
local digital infrastructure must be a part of that conversation.
  As we have seen in recent months, the gap between the digital world 
and the physical one is smaller than ever. I appreciate the bipartisan 
recognition of that and the strong support this investment in our 
infrastructure security received in the Homeland Security Committee.
  In particular, I want to thank Chairman Thompson, Ranking Member 
Katko, Ranking Member Garbarino, and Representatives McCaul, 
Ruppersberger, Kilmer, and Slotkin for cosponsoring this legislation.
  By passing the State and Local Cybersecurity Improvement Act today, 
we can demonstrate to the American people that Congress can work in a 
bipartisan way to make a meaningful difference in addressing our 
Nation's cybersecurity risk.
  Madam Speaker, I urge all of my colleagues to support this important 
bill, and I reserve the balance of my time.
  Mr. GUEST. Madam Speaker, I yield myself such time as I may consume.
  Madam Speaker, I rise today in support of H.R. 3138, the State and 
Local Cybersecurity Improvement Act of 2021.
  I thank Chairwoman Clarke, Chairman Thompson, Ranking Member 
Garbarino, and my other committee colleagues for their leadership on 
H.R. 3138.
  Over the past year, we have seen the devastating impact a ransomware 
attack can have on our Nation's most critical infrastructure. But we 
must not forget that no one is immune from cyber criminals, including 
our State and local governments.
  I am pleased today that the House is taking action to give our State 
and local partners, and CISA, a leg up against these cyber criminals.
  This bill will have a tremendous impact on the cybersecurity posture 
of State and local governments by focusing important funding and 
expertise on the front lines, the State and local levels.
  I urge all Members to join me in supporting H.R. 3138, and I reserve 
the balance of my time.
  Ms. CLARKE of New York. Madam Speaker, I yield 2 minutes to the 
gentlewoman from Texas (Ms. Jackson Lee).
  Ms. JACKSON LEE. Madam Speaker, I thank the gentlewoman from New York 
for her leadership on the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Innovation.
  Madam Speaker, I rise to support the State and Local Cybersecurity 
Improvement Act.
  I particularly emphasize the fact that we are the United States of 
America, but the cyberattacks occur in our neighborhoods, our hamlets, 
our cities, our counties, and our States. They occur right under our 
noses, and they impact our constituents by taking their personal 
records from the Texas Medical Center, for example, impacting the 
medical care of people, interfering with various diagnostic machines, 
and dealing with the energy infrastructure, such as the Colonial 
Pipeline incident. These are happening in our neighborhoods.
  The State and Local Cybersecurity Improvement Act will make $500 
million available in grants from the Department of Homeland Security to 
State, local, and Tribal entities over the next 4 years as they address 
critical cybersecurity risks facing information systems.
  I will soon rise to the floor on legislation that I have authored, 
and I will make this point, Madam Speaker: It is crucial that the other 
body begins to address the legislation that this House is able to pass 
because we are passing innovative, corrective, and needed legislation.
  Cyber is not a joke, if I can say that. Neither are the attacks on 
our cyber infrastructure.
  However, the Department of Homeland Security was created in 2002 to 
bring together the expertise of several different government entities 
to protect against foreign threats. At that time, the Nation's main 
concern was protecting our citizens and residents from another large-
scale terrorist attack, one that we had never seen before: attacking 
tall buildings with airplanes. We had never seen it.
  But, today, 2021, is not 2001. It is not 20 years ago, and the 
landscape of terrorism has changed enormously. With rapid advancement 
in technology and malign foreign cyber aggression in nation-states that 
are not engaged, this bill is important.
  Madam Speaker, I ask my colleagues to support this bipartisan 
legislation, H.R. 3138, that will provide us a way to address this 
issue.
  Mr. GUEST. Madam Speaker, I urge Members to support this bill, and I 
yield back the balance of my time.
  Ms. CLARKE of New York. Madam Speaker, I yield myself the balance of 
my time.
  Madam Speaker, while cybersecurity threats are not new, this year has 
highlighted the serious impact cyber incidents can have on our national 
security.
  The United States has as much cybersecurity expertise as any country. 
But without adequate resources, State and local governments cannot 
implement the policies and practices we know will make their digital 
infrastructure more secure.
  Enactment of the State and Local Cybersecurity Improvement Act will 
ensure that they have the funding, planning, and support to adequately 
invest in securing government networks and reducing risk.
  Madam Speaker, I urge my colleagues to support H.R. 3138, and I yield 
back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by

[[Page H3695]]

the gentlewoman from New York (Ms. Clarke) that the House suspend the 
rules and pass the bill, H.R. 3138, as amended.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. BISHOP of North Carolina. Madam Speaker, on that I demand the 
yeas and nays.
  The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 
8, the yeas and nays are ordered.
  Pursuant to clause 8 of rule XX, further proceedings on this motion 
are postponed.

                          ____________________