[Congressional Record Volume 167, Number 144 (Monday, August 9, 2021)]
[Senate]
[Pages S6189-S6190]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                     K-12 CYBERSECURITY ACT OF 2021

  Mr. WHITEHOUSE. Madam President, I ask unanimous consent that the 
Senate proceed to the immediate consideration of Calendar No. 107, S. 
1917.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The clerk will report the bill by title.
  The senior assistant legislative clerk read as follows:

       A bill (S. 1917) bill to establish a K-12 education 
     cybersecurity initiative, and for other purposes.

  There being no objection, the Senate proceeded to consider the bill, 
which was reported from the Committee on Homeland Security and 
Governmental Affairs.
  Mr. WHITEHOUSE. Madam President, I ask unanimous consent that the 
bill be considered read a third time and passed and the motion to 
reconsider be considered made and laid upon the table.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The bill (S. 1917) was ordered to be engrossed for a third reading, 
was read the third time, and passed as follows

                                S. 1917

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``K-12 Cybersecurity Act of 
     2021''.

     SEC. 2. FINDINGS.

       Congress finds the following:
       (1) K-12 educational institutions across the United States 
     are facing cyber attacks.
       (2) Cyber attacks place the information systems of K-12 
     educational institutions at risk of possible disclosure of 
     sensitive student and employee information, including--

[[Page S6190]]

       (A) grades and information on scholastic development;
       (B) medical records;
       (C) family records; and
       (D) personally identifiable information.
       (3) Providing K-12 educational institutions with resources 
     to aid cybersecurity efforts will help K-12 educational 
     institutions prevent, detect, and respond to cyber events.

     SEC. 3. K-12 EDUCATION CYBERSECURITY INITIATIVE.

       (a) Definitions.--In this section:
       (1) Cybersecurity risk.--The term ``cybersecurity risk'' 
     has the meaning given the term in section 2209 of the 
     Homeland Security Act of 2002 (6 U.S.C. 659).
       (2) Director.--The term ``Director'' means the Director of 
     Cybersecurity and Infrastructure Security.
       (3) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (4) K-12 educational institution.--The term ``K-12 
     educational institution'' means an elementary school or a 
     secondary school, as those terms are defined in section 8101 
     of the Elementary and Secondary Education Act of 1965 (20 
     U.S.C. 7801).
       (b) Study.--
       (1) In general.--Not later than 120 days after the date of 
     enactment of this Act, the Director, in accordance with 
     subsection (g)(1), shall conduct a study on the specific 
     cybersecurity risks facing K-12 educational institutions 
     that--
       (A) analyzes how identified cybersecurity risks 
     specifically impact K-12 educational institutions;
       (B) includes an evaluation of the challenges K-12 
     educational institutions face in--
       (i) securing--

       (I) information systems owned, leased, or relied upon by K-
     12 educational institutions; and
       (II) sensitive student and employee records; and

       (ii) implementing cybersecurity protocols;
       (C) identifies cybersecurity challenges relating to remote 
     learning; and
       (D) evaluates the most accessible ways to communicate 
     cybersecurity recommendations and tools.
       (2) Congressional briefing.--Not later than 120 days after 
     the date of enactment of this Act, the Director shall provide 
     a Congressional briefing on the study conducted under 
     paragraph (1).
       (c) Cybersecurity Recommendations.--Not later than 60 days 
     after the completion of the study required under subsection 
     (b)(1), the Director, in accordance with subsection (g)(1), 
     shall develop recommendations that include cybersecurity 
     guidelines designed to assist K-12 educational institutions 
     in facing the cybersecurity risks described in subsection 
     (b)(1), using the findings of the study.
       (d) Online Training Toolkit.--Not later than 120 days after 
     the completion of the development of the recommendations 
     required under subsection (c), the Director shall develop an 
     online training toolkit designed for officials at K-12 
     educational institutions to--
       (1) educate the officials about the cybersecurity 
     recommendations developed under subsection (c); and
       (2) provide strategies for the officials to implement the 
     recommendations developed under subsection (c).
       (e) Public Availability.--The Director shall make available 
     on the website of the Department of Homeland Security with 
     other information relating to school safety the following:
       (1) The findings of the study conducted under subsection 
     (b)(1).
       (2) The cybersecurity recommendations developed under 
     subsection (c).
       (3) The online training toolkit developed under subsection 
     (d).
       (f) Voluntary Use.--The use of the cybersecurity 
     recommendations developed under (c) by K-12 educational 
     institutions shall be voluntary.
       (g) Consultation.--
       (1) In general.--In the course of the conduction of the 
     study required under subsection (b)(1) and the development of 
     the recommendations required under subsection (c), the 
     Director shall consult with individuals and entities focused 
     on cybersecurity and education, as appropriate, including--
       (A) teachers;
       (B) school administrators;
       (C) Federal agencies;
       (D) non-Federal cybersecurity entities with experience in 
     education issues; and
       (E) private sector organizations.
       (2) Inapplicability of faca.--The Federal Advisory 
     Committee Act (5 U.S.C App.) shall not apply to any 
     consultation under paragraph (1).

                          ____________________