[Congressional Record Volume 168, Number 7 (Tuesday, January 11, 2022)]
[Senate]
[Pages S160-S161]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                           TEXT OF AMENDMENTS

  SA 4898. Mr. SCHUMER (for Mr. Peters) proposed an amendment to the 
bill S. 2520, to amend the Homeland Security Act of 2002 to provide for 
engagements with State, local, Tribal, and territorial governments, and 
for other purposes; as follows:

        Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``State and Local Government 
     Cybersecurity Act of 2021''.

     SEC. 2. AMENDMENTS TO THE HOMELAND SECURITY ACT OF 2002.

       Subtitle A of title XXII of the Homeland Security Act of 
     2002 (6 U.S.C. 651 et seq.) is amended--
       (1) in section 2201 (6 U.S.C. 651), by adding at the end 
     the following:
       ``(7) SLTT entity.--The term `SLTT entity' means a domestic 
     government entity that is a State government, local 
     government, Tribal government, territorial government, or any 
     subdivision thereof.''; and
       (2) in section 2209 (6 U.S.C. 659)--
       (A) in subsection (c)(6), by inserting ``operational and'' 
     before ``timely'';
       (B) in subsection (d)(1)(E), by inserting ``, including an 
     entity that collaborates with election officials,'' after 
     ``governments''; and
       (C) by adding at the end the following:
       ``(p) Coordination on Cybersecurity for SLTT Entities.--
       ``(1) Coordination.--The Center shall, upon request and to 
     the extent practicable, and in coordination as appropriate 
     with Federal and non-Federal entities, such as the Multi-
     State Information Sharing and Analysis Center--
       ``(A) conduct exercises with SLTT entities;
       ``(B) provide operational and technical cybersecurity 
     training to SLTT entities to address cybersecurity risks or 
     incidents, with or without reimbursement, related to--
       ``(i) cyber threat indicators;
       ``(ii) defensive measures;
       ``(iii) cybersecurity risks;
       ``(iv) vulnerabilities; and
       ``(v) incident response and management;
       ``(C) in order to increase situational awareness and help 
     prevent incidents, assist SLTT entities in sharing, in real 
     time, with the Federal Government as well as among SLTT 
     entities, actionable--
       ``(i) cyber threat indicators;
       ``(ii) defensive measures;
       ``(iii) information about cybersecurity risks; and
       ``(iv) information about incidents;
       ``(D) provide SLTT entities notifications containing 
     specific incident and malware information that may affect 
     them or their residents;
       ``(E) provide to, and periodically update, SLTT entities 
     via an easily accessible platform and other means--
       ``(i) information about tools;
       ``(ii) information about products;
       ``(iii) resources;
       ``(iv) policies;
       ``(v) guidelines;
       ``(vi) controls; and
       ``(vii) other cybersecurity standards and best practices 
     and procedures related to information security, including, as 
     appropriate, information produced by other Federal agencies;
       ``(F) work with senior SLTT entity officials, including 
     chief information officers and senior election officials and 
     through national associations, to coordinate the effective 
     implementation by SLTT entities of tools, products, 
     resources, policies, guidelines, controls, and procedures 
     related to information security to secure the information 
     systems, including election systems, of SLTT entities;
       ``(G) provide operational and technical assistance to SLTT 
     entities to implement tools, products, resources, policies, 
     guidelines, controls, and procedures on information security;
       ``(H) assist SLTT entities in developing policies and 
     procedures for coordinating vulnerability disclosures 
     consistent with international and national standards in the 
     information technology industry; and
       ``(I) promote cybersecurity education and awareness through 
     engagements with Federal agencies and non-Federal entities.
       ``(q) Report.--Not later than 1 year after the date of 
     enactment of this subsection, and every 2 years thereafter, 
     the Secretary shall submit to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security of the House of 
     Representatives a report on the services and capabilities 
     that the Agency directly and indirectly provides to SLTT 
     entities.''.
                                 ______
                                 
  SA 4899. Mr. SCHUMER (for Mr. Peters) proposed an amendment to the 
bill S. 2201, to manage supply chain risk through counterintelligence 
training, and for other purposes; as follows:

        Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Supply Chain Security 
     Training Act of 2021''.

     SEC. 2. TRAINING PROGRAM TO MANAGE SUPPLY CHAIN RISK.

       (a) In General.--Not later than 180 days after the date of 
     the enactment of this Act, the Administrator of General 
     Services, through the Federal Acquisition Institute, shall 
     develop a training program for officials with supply chain 
     risk management responsibilities at Federal agencies.
       (b) Content.--The training program shall be designed to 
     prepare such personnel to perform supply chain risk 
     management activities and identify and mitigate supply chain 
     security risks that arise throughout the acquisition 
     lifecycle, including for the acquisition of information and 
     communications technology. The training program shall--
       (1) include, considering the protection of classified and 
     other sensitive information, information on current, specific 
     supply chain security threats and vulnerabilities; and
       (2) be updated as determined to be necessary by the 
     Administrator.
       (c) Coordination and Consultation.--In developing and 
     determining updates to the training program, the 
     Administrator shall--
       (1) coordinate with the Federal Acquisition Security 
     Council, the Secretary of Homeland Security, and the Director 
     of the Office of Personnel Management; and
       (2) consult with the Director of the Department of 
     Defense's Defense Acquisition University, the Director of 
     National Intelligence, and the Director of the National 
     Institute of Standards and Technology.
       (d) Guidance.--
       (1) In general.--Not later than 180 days after the training 
     program is developed under subsection (a), the Director of 
     the Office of Management and Budget shall promulgate guidance 
     to Federal agencies requiring executive agency adoption and 
     use of the training program. Such guidance shall--
       (A) allow executive agencies to incorporate the training 
     program into existing agency training programs; and
       (B) provide guidance on how to identify executive agency 
     officials with supply chain risk management responsibilities.
       (2) Availability.--The Director of the Office of Management 
     and Budget shall make the guidance promulgated under 
     paragraph (1) available to Federal agencies of the 
     legislative and judicial branches.

     SEC. 3. REPORTS ON IMPLEMENTATION OF PROGRAM.

       Not later than 180 days after the completion of the first 
     course, and annually thereafter for the next three years, the 
     Administrator of General Services shall submit to the 
     appropriate congressional committees and leadership a report 
     on implementation of the training program required under 
     section 2.

     SEC. 4. DEFINITIONS.

       In this Act:
       (1) Appropriate congressional committees and leadership.--
     The term ``appropriate congressional committees'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs and the Committee on Armed Services of the Senate; 
     and
       (B) the Committee on Oversight and Reform and the Committee 
     on Armed Services of the House of Representatives.
       (2) Information and communications technology.--The term 
     ``information and communications technology'' has the meaning 
     given the term in section 4713(k) of title 41, United States 
     Code.
       (3) Executive agency.--The term ``executive agency'' has 
     the meaning given the term in section 133 of title 41, United 
     States Code.
       (4) Federal agency.--The term ``Federal agency'' means any 
     agency, committee, commission, office, or other establishment 
     in the executive, legislative, or judicial branch of the 
     Federal Government.
       (5) Training program.--The term ``training program'' means 
     the training program developed pursuant to section 2(a).

                          ____________________