[Congressional Record Volume 167, Number 170 (Wednesday, September 29, 2021)]
[House]
[Pages H5538-H5539]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]





                              {time}  1600
                     K-12 CYBERSECURITY ACT OF 2021

  Mr. THOMPSON of Mississippi. Madam Speaker, I move to suspend the 
rules and pass the bill (S. 1917) to establish a K-12 education 
cybersecurity initiative, and for other purposes.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                                S. 1917

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``K-12 Cybersecurity Act of 
     2021''.

     SEC. 2. FINDINGS.

       Congress finds the following:
       (1) K-12 educational institutions across the United States 
     are facing cyber attacks.
       (2) Cyber attacks place the information systems of K-12 
     educational institutions at risk of possible disclosure of 
     sensitive student and employee information, including--
       (A) grades and information on scholastic development;
       (B) medical records;
       (C) family records; and
       (D) personally identifiable information.
       (3) Providing K-12 educational institutions with resources 
     to aid cybersecurity efforts will help K-12 educational 
     institutions prevent, detect, and respond to cyber events.

     SEC. 3. K-12 EDUCATION CYBERSECURITY INITIATIVE.

       (a) Definitions.--In this section:
       (1) Cybersecurity risk.--The term ``cybersecurity risk'' 
     has the meaning given the term in section 2209 of the 
     Homeland Security Act of 2002 (6 U.S.C. 659).
       (2) Director.--The term ``Director'' means the Director of 
     Cybersecurity and Infrastructure Security.
       (3) Information system.--The term ``information system'' 
     has the meaning given the term in section 3502 of title 44, 
     United States Code.
       (4) K-12 educational institution.--The term ``K-12 
     educational institution'' means an elementary school or a 
     secondary school, as those terms are defined in section 8101 
     of the Elementary and Secondary Education Act of 1965 (20 
     U.S.C. 7801).
       (b) Study.--
       (1) In general.--Not later than 120 days after the date of 
     enactment of this Act, the Director, in accordance with 
     subsection (g)(1), shall conduct a study on the specific 
     cybersecurity risks facing K-12 educational institutions 
     that--
       (A) analyzes how identified cybersecurity risks 
     specifically impact K-12 educational institutions;
       (B) includes an evaluation of the challenges K-12 
     educational institutions face in--
       (i) securing--

       (I) information systems owned, leased, or relied upon by K-
     12 educational institutions; and
       (II) sensitive student and employee records; and

       (ii) implementing cybersecurity protocols;
       (C) identifies cybersecurity challenges relating to remote 
     learning; and
       (D) evaluates the most accessible ways to communicate 
     cybersecurity recommendations and tools.
       (2) Congressional briefing.--Not later than 120 days after 
     the date of enactment of this Act, the Director shall provide 
     a Congressional briefing on the study conducted under 
     paragraph (1).
       (c) Cybersecurity Recommendations.--Not later than 60 days 
     after the completion of the study required under subsection 
     (b)(1), the Director, in accordance with subsection (g)(1), 
     shall develop recommendations that include cybersecurity 
     guidelines designed to assist K-12 educational institutions 
     in facing the cybersecurity risks described in subsection 
     (b)(1), using the findings of the study.
       (d) Online Training Toolkit.--Not later than 120 days after 
     the completion of the development of the recommendations 
     required under subsection (c), the Director shall develop an 
     online training toolkit designed for officials at K-12 
     educational institutions to--
       (1) educate the officials about the cybersecurity 
     recommendations developed under subsection (c); and
       (2) provide strategies for the officials to implement the 
     recommendations developed under subsection (c).
       (e) Public Availability.--The Director shall make available 
     on the website of the Department of Homeland Security with 
     other information relating to school safety the following:
       (1) The findings of the study conducted under subsection 
     (b)(1).
       (2) The cybersecurity recommendations developed under 
     subsection (c).
       (3) The online training toolkit developed under subsection 
     (d).
       (f) Voluntary Use.--The use of the cybersecurity 
     recommendations developed under (c) by K-12 educational 
     institutions shall be voluntary.
       (g) Consultation.--
       (1) In general.--In the course of the conduction of the 
     study required under subsection (b)(1) and the development of 
     the recommendations required under subsection (c), the 
     Director shall consult with individuals and entities focused 
     on cybersecurity and education, as appropriate, including--
       (A) teachers;
       (B) school administrators;
       (C) Federal agencies;
       (D) non-Federal cybersecurity entities with experience in 
     education issues; and
       (E) private sector organizations.
       (2) Inapplicability of faca.--The Federal Advisory 
     Committee Act (5 U.S.C App.) shall not apply to any 
     consultation under paragraph (1).

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Mississippi (Mr. Thompson) and the gentleman from Mississippi (Mr. 
Guest) each will control 20 minutes.
  The Chair recognizes the gentleman from Mississippi (Mr. Thompson).


                             General Leave

  Mr. THOMPSON of Mississippi. Madam Speaker, I ask unanimous consent 
that all Members have 5 legislative days to revise and extend their 
remarks and to include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Mississippi?
  There was no objection.
  Mr. THOMPSON of Mississippi. Madam Speaker, I yield myself such time 
as I may consume.
  Madam Speaker, in the past few weeks, millions of students have 
returned to school across the country. The range of public health, 
safety, and security risks that schools face today is truly astounding.
  In recent years, schools have increasingly been subjected to 
ransomware attacks where cybercriminals lock networks and demand ransom 
payments, sometimes while threatening to release sensitive information, 
including students' personal data.
  According to the K-12 Cybersecurity Resource Center, in 2020 alone, 
there were over 480 publicly disclosed cyber incidents at schools in 
the United States, an 18 percent increase over the previous year.
  Notably, the rate of such incidents increased in the second half of 
last year as COVID-19 forced schools to shift to virtual learning, 
creating new risks, such as the disruption of online classes and online 
school meetings.
  The impacts of ransomware attacks on schools have included the 
cancellation of classes, the release of sensitive information, like the 
name of a 9-year-old student being evaluated for a disability, and 
costs as high as $7.7 million for Baltimore County schools to respond 
to and recover from a November 2020 attack.
  With many schools still operating under virtual or hybrid conditions 
because of the ongoing COVID-19 pandemic, the vulnerabilities to such 
cyberattacks are even greater.
  In December, the FBI Cybersecurity and Infrastructure Security 
Agency, or CISA, and the Multi-State Information Sharing and Analysis 
Center released a joint cybersecurity advisory to alert schools to the 
increase in cyber threats and provide best practices on how to reduce 
the risk of such incidents.
  To further assist K-12 schools, we must do more to help schools guard 
against cyber threats.
  S. 1917, the K-12 Cybersecurity Act, introduced by Senator Gary 
Peters from Michigan, requires CISA to conduct a study of the 
cybersecurity risks facing K-12 educational institutions and develop 
recommendations based on that study.
  By developing an online training tool kit for schools, and making the 
study and recommendations publicly available, CISA will be able to 
provide schools with targeted information to better protect their 
networks and reduce their cybersecurity risk.
  An identical version of this legislation was introduced in the House 
by the gentleman from Rhode Island (Mr. Langevin) and cosponsored by 
Representatives Matsui, Slotkin, Garbarino, and Clyde. The House 
measure was reported favorably by the Homeland Security Committee by 
voice vote in July.
  Passing S. 1917 today would send this bill to the President for 
signature, allowing CISA to begin this important work to better secure 
our schools.
  Mr. Speaker, I urge my colleagues to support this legislation, and I 
reserve the balance of my time.
  Mr. GUEST. Mr. Speaker, I yield myself such time as I may consume.
  I rise today in support of S. 1917, the K-12 Cybersecurity Act of 
2021.
  Schools around our country are increasingly the target of malicious 
cyber actors and have recently been targeted with a deluge of 
ransomware attacks.

[[Page H5539]]

  This legislation introduced by Chairman Peters and passed by the 
Senate mirrors the House version spearheaded by Representatives 
Langevin, Garbarino, and Matsui.
  This bill requires CISA to conduct a study to develop recommendations 
and provide resources regarding specific cybersecurity risks facing K-
12 educational institutions. Importantly, it requires CISA to do so in 
consultation with teachers, schools, administrators, Federal agencies, 
nine Federal cybersecurity entities, and other private-sector 
organizations.
  In doing so, the study required by this bill would help the Federal 
Government better support schools in defending against cyber threats.
  I urge Members to join me in supporting S. 1917, and I reserve the 
balance of my time.
  Mr. THOMPSON of Mississippi. Mr. Speaker, while we are in the process 
of getting the sponsor of this legislation prepared to give his 
comments, let me say that we all have been involved in making sure that 
our schools are as safe as possible. Clearly, this legislation, as 
offered by Senator Peters and Representative Langevin and others, is 
integral to making sure that our schools are kept as safe as possible 
from cyberattacks.
  Mr. Speaker, I yield 3 minutes to the gentleman from Rhode Island 
(Mr. Langevin), the sponsor of the House version of this bill.
  Mr. LANGEVIN. Mr. Speaker, I thank the gentleman for yielding, and I 
commend the chairman for his strong leadership on cybersecurity issues 
and in support of this act before us today.
  This bill, the House companion of which I sponsored with 
Representatives Matsui, Katko, and Garbarino, would help address a 
serious issue that has not received the attention it deserves: the 
cyber threats targeting our Nation's schools.
  The education of our children is clearly a critical function, yet the 
increasing frequency and severity of cyber threats targeting K-12 
schools have jeopardized the education of students across America.

  In the past 4 years, more than 1,000 educational organizations across 
the country have fallen victim to cybercriminals. More than 400 
incidents have occurred in the past year alone. What is more, an 
increasing proportion of these incidents are ransomware attacks that 
are particularly debilitating to the operation of our schools.
  Our students and educators have experienced more than enough 
disruption in the past year and a half. We cannot afford to let this 
issue continue to go unaddressed.
  Many of our schools do not have the resources to counter the cyber 
threats that we face. Without assistance, this problem will continue to 
get worse, jeopardizing our students' privacy and ability to learn.
  Fortunately, this Congress has already demonstrated a recognition of 
the government's need to provide cybersecurity assistance to entities 
that perform essential functions yet live below the cybersecurity 
poverty line, unable to defend themselves against the myriad threats 
they face.
  It is why we took steps to invest $50 million in support for State 
and local government entities as part of the forthcoming reconciliation 
bill.
  It is also why I fought to increase the budget of the Cybersecurity 
and Infrastructure Security Agency by more than $400 million earlier 
this year. I thank Chairwoman Roybal-Allard for her leadership, and I 
thank her team and the members of the Appropriations Committee, along 
with Chairman Thompson and his team and the members of the Homeland 
Security Committee.
  It should also be the reason that we pass the K-12 Cybersecurity Act 
into law without delay.
  This bill would direct the Cybersecurity and Infrastructure Security 
Agency to study the cybersecurity risks facing our elementary schools 
and secondary schools.
  With a detailed understanding of the specific cybersecurity 
challenges facing our schools, including challenges raised by remote 
learning, CISA would then be required to develop cybersecurity 
recommendations and online training tools for educational officials at 
K-12 institutions. Our educators and administrators would be equipped 
with the knowledge they need to better defend themselves against cyber 
threats and keep our schools safe for our students.
  Mr. Speaker, I thank Representative Matsui for her tireless attention 
to this issue and Representatives Garbarino, Slotkin, and Clyde for 
joining us in advancing this legislation. I recognize the efforts of my 
colleagues in the Senate, Senator Peters and Senator Scott, who deftly 
shepherded this bill through their Chamber. Finally, I recognize my 
good friend, Chairman Bennie Thompson, for ensuring this bill received 
the consideration it deserves.
  Mr. Speaker, I urge my colleagues to support this important 
legislation.
  Mr. GUEST. Mr. Speaker, I urge all Members to support this bill, and 
I yield back the balance of my time.
  Mr. THOMPSON of Mississippi. Mr. Speaker, I yield myself the balance 
of my time.
  With sophisticated cybercriminals operating overseas launching 
ransomware attacks on our schools, it is essential that the Federal 
Government step up efforts to support the cybersecurity of our schools.
  Without more assistance, many of our Nation's school districts will 
continue to be vulnerable, as many lack the cyber expertise to defend 
against these incidents.
  Enactment of the K-12 Cybersecurity Act would enhance the technical 
support provided by CISA to schools to help better protect school IT 
networks.
  Mr. Speaker, I urge my colleagues to support S. 1917, and I yield 
back the balance of my time.
  The SPEAKER pro tempore (Mr. Cuellar). The question is on the motion 
offered by the gentleman from Mississippi (Mr. Thompson) that the House 
suspend the rules and pass the bill, S. 1917.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill was passed.
  A motion to reconsider was laid on the table.

                          ____________________