[House Report 116-478]
[From the U.S. Government Publishing Office]


116th Congress }                                             { Report
                        HOUSE OF REPRESENTATIVES
 2d Session    }                                             { 116-478

======================================================================

 
             STATE AND LOCAL CYBERSECURITY IMPROVEMENT ACT

                                _______
                                

August 18, 2020.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

 Mr. Thompson of Mississippi, from the Committee on Homeland Security, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 5823]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 5823) to establish a program to make grants to 
States to address cybersecurity risks and cybersecurity threats 
to information systems of State, local, Tribal, or territorial 
governments, and for other purposes, having considered the 
same, reports favorably thereon with an amendment and 
recommends that the bill as amended do pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and 
  Tax Expenditures
Federal Mandates Statement
Duplicative Federal Programs
Statement of General Performance Goals and Objectives
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``State and Local Cybersecurity 
Improvement Act''.

SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

  (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following new sections:

``SEC. 2215. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

  ``(a) Establishment.--The Secretary, acting through the Director, 
shall establish a program to make grants to States to address 
cybersecurity risks and cybersecurity threats to information systems of 
State, local, Tribal, or territorial governments (referred to as the 
`State and Local Cybersecurity Grant Program' in this section).
  ``(b) Baseline Requirements.--A grant awarded under this section 
shall be used in compliance with the following:
          ``(1) The Cybersecurity Plan required under subsection (d) 
        and approved pursuant to subsection (g).
          ``(2) The Homeland Security Strategy to Improve the 
        Cybersecurity of State, Local, Tribal, and Territorial 
        Governments required in accordance with section 2210, when 
        issued.
  ``(c) Administration.--The State and Local Cybersecurity Grant 
Program shall be administered in the same program office that 
administers grants made under sections 2003 and 2004.
  ``(d) Eligibility.--
          ``(1) In general.--A State applying for a grant under the 
        State and Local Cybersecurity Grant Program shall submit to the 
        Secretary a Cybersecurity Plan for approval. Such plan shall--
                  ``(A) incorporate, to the extent practicable, any 
                existing plans of such State to protect against 
                cybersecurity risks and cybersecurity threats to 
                information systems of State, local, Tribal, or 
                territorial governments;
                  ``(B) describe, to the extent practicable, how such 
                State shall--
                          ``(i) enhance the preparation, response, and 
                        resiliency of information systems owned or 
                        operated by such State or, if appropriate, by 
                        local, Tribal, or territorial governments, 
                        against cybersecurity risks and cybersecurity 
                        threats;
                          ``(ii) implement a process of continuous 
                        cybersecurity vulnerability assessments and 
                        threat mitigation practices prioritized by 
                        degree of risk to address cybersecurity risks 
                        and cybersecurity threats in information 
                        systems of such State, local, Tribal, or 
                        territorial governments;
                          ``(iii) ensure that State, local, Tribal, and 
                        territorial governments that own or operate 
                        information systems within the State adopt best 
                        practices and methodologies to enhance 
                        cybersecurity, such as the practices set forth 
                        in the cybersecurity framework developed by the 
                        National Institute of Standards and Technology;
                          ``(iv) promote the delivery of safe, 
                        recognizable, and trustworthy online services 
                        by State, local, Tribal, and territorial 
                        governments, including through the use of the 
                        .gov internet domain;
                          ``(v) mitigate any identified gaps in the 
                        State, local, Tribal, or territorial government 
                        cybersecurity workforces, enhance recruitment 
                        and retention efforts for such workforces, and 
                        bolster the knowledge, skills, and abilities of 
                        State, local, Tribal, and territorial 
                        government personnel to address cybersecurity 
                        risks and cybersecurity threats;
                          ``(vi) ensure continuity of communications 
                        and data networks within such State between 
                        such State and local, Tribal, and territorial 
                        governments that own or operate information 
                        systems within such State in the event of an 
                        incident involving such communications or data 
                        networks within such State;
                          ``(vii) assess and mitigate, to the greatest 
                        degree possible, cybersecurity risks and 
                        cybersecurity threats related to critical 
                        infrastructure and key resources, the 
                        degradation of which may impact the performance 
                        of information systems within such State;
                          ``(viii) enhance capability to share cyber 
                        threat indicators and related information 
                        between such State and local, Tribal, and 
                        territorial governments that own or operate 
                        information systems within such State; and
                          ``(ix) develop and coordinate strategies to 
                        address cybersecurity risks and cybersecurity 
                        threats in consultation with--
                                  ``(I) local, Tribal, and territorial 
                                governments within the State; and
                                  ``(II) as applicable--
                                          ``(aa) neighboring States or, 
                                        as appropriate, members of an 
                                        information sharing and 
                                        analysis organization; and
                                          ``(bb) neighboring countries; 
                                        and
                  ``(C) include, to the extent practicable, an 
                inventory of the information technology deployed on the 
                information systems owned or operated by such State or 
                by local, Tribal, or territorial governments within 
                such State, including legacy information technology 
                that is no longer supported by the manufacturer.
  ``(e) Planning Committees.--
          ``(1) In general.--A State applying for a grant under this 
        section shall establish a cybersecurity planning committee to 
        assist in the following:
                  ``(A) The development, implementation, and revision 
                of such State's Cybersecurity Plan required under 
                subsection (d).
                  ``(B) The determination of effective funding 
                priorities for such grant in accordance with subsection 
                (f).
          ``(2) Composition.--Cybersecurity planning committees 
        described in paragraph (1) shall be comprised of 
        representatives from counties, cities, towns, and Tribes within 
        the State receiving a grant under this section, including, as 
        appropriate, representatives of rural, suburban, and high-
        population jurisdictions.
          ``(3) Rule of construction regarding existing planning 
        committees.--Nothing in this subsection may be construed to 
        require that any State establish a cybersecurity planning 
        committee if such State has established and uses a 
        multijurisdictional planning committee or commission that meets 
        the requirements of this paragraph.
  ``(f) Use of Funds.--A State that receives a grant under this section 
shall use the grant to implement such State's Cybersecurity Plan, or to 
assist with activities determined by the Secretary, in consultation 
with the Director, to be integral to address cybersecurity risks and 
cybersecurity threats to information systems of State, local, Tribal, 
or territorial governments, as the case may be.
  ``(g) Approval of Plans.--
          ``(1) Approval as condition of grant.--Before a State may 
        receive a grant under this section, the Secretary, acting 
        through the Director, shall review and approve such State's 
        Cybersecurity Plan required under subsection (d).
          ``(2) Plan requirements.--In approving a Cybersecurity Plan 
        under this subsection, the Director shall ensure such Plan--
                  ``(A) meets the requirements specified in subsection 
                (d); and
                  ``(B) upon issuance of the Homeland Security Strategy 
                to Improve the Cybersecurity of State, Local, Tribal, 
                and Territorial Governments authorized pursuant to 
                section 2210, complies, as appropriate, with the goals 
                and objectives of such Strategy.
          ``(3) Approval of revisions.--The Secretary, acting through 
        the Director, may approve revisions to a Cybersecurity Plan as 
        the Director determines appropriate.
          ``(4) Exception.--Notwithstanding the requirement under 
        subsection (d) to submit a Cybersecurity Plan as a condition of 
        applying for a grant under this section, such a grant may be 
        awarded to a State that has not so submitted a Cybersecurity 
        Plan to the Secretary if--
                  ``(A) such State certifies to the Secretary that it 
                will submit to the Secretary a Cybersecurity Plan for 
                approval by September 30, 2022;
                  ``(B) such State certifies to the Secretary that the 
                activities that will be supported by such grant are 
                integral to the development of such Cybersecurity Plan; 
                or
                  ``(C) such State certifies to the Secretary, and the 
                Director confirms, that the activities that will be 
                supported by the grant will address imminent 
                cybersecurity risks or cybersecurity threats to the 
                information systems of such State or of a local, 
                Tribal, or territorial government in such State.
  ``(h) Limitations on Uses of Funds.--
          ``(1) In general.--A State that receives a grant under this 
        section may not use such grant--
                  ``(A) to supplant State, local, Tribal, or 
                territorial funds;
                  ``(B) for any recipient cost-sharing contribution;
                  ``(C) to pay a demand for ransom in an attempt to 
                regain access to information or an information system 
                of such State or of a local, Tribal, or territorial 
                government in such State;
                  ``(D) for recreational or social purposes; or
                  ``(E) for any purpose that does not directly address 
                cybersecurity risks or cybersecurity threats on an 
                information systems of such State or of a local, 
                Tribal, or territorial government in such State.
          ``(2) Penalties.--In addition to other remedies available, 
        the Secretary may take such actions as are necessary to ensure 
        that a recipient of a grant under this section is using such 
        grant for the purposes for which such grant was awarded.
  ``(i) Opportunity To Amend Applications.--In considering applications 
for grants under this section, the Secretary shall provide applicants 
with a reasonable opportunity to correct defects, if any, in such 
applications before making final awards.
  ``(j) Apportionment.--For fiscal year 2020 and each fiscal year 
thereafter, the Secretary shall apportion amounts appropriated to carry 
out this section among States as follows:
          ``(1) Baseline amount.--The Secretary shall first apportion 
        0.25 percent of such amounts to each of American Samoa, the 
        Commonwealth of the Northern Mariana Islands, Guam, and the 
        Virgin Islands, and 0.75 percent of such amounts to each of the 
        remaining States.
          ``(2) Remainder.--The Secretary shall apportion the remainder 
        of such amounts in the ratio that--
                  ``(A) the population of each State; bears to
                  ``(B) the population of all States.
  ``(k) Federal Share.--The Federal share of the cost of an activity 
carried out using funds made available under the program may not exceed 
the following percentages:
          ``(1) For fiscal year 2021, 90 percent.
          ``(2) For fiscal year 2022, 80 percent.
          ``(3) For fiscal year 2023, 70 percent.
          ``(4) For fiscal year 2024, 60 percent.
          ``(5) For fiscal year 2025 and each subsequent fiscal year, 
        50 percent.
  ``(l) State Responsibilities.--
          ``(1) Certification.--Each State that receives a grant under 
        this section shall certify to the Secretary that the grant will 
        be used for the purpose for which the grant is awarded and in 
        compliance with the Cybersecurity Plan or other purpose 
        approved by the Secretary under subsection (g).
          ``(2) Availability of funds to local, tribal, and territorial 
        governments.--Not later than 45 days after a State receives a 
        grant under this section, such State shall, without imposing 
        unreasonable or unduly burdensome requirements as a condition 
        of receipt, obligate or otherwise make available to local, 
        Tribal, and territorial governments in such State, consistent 
        with the applicable Cybersecurity Plan--
                  ``(A) not less than 80 percent of funds available 
                under such grant;
                  ``(B) with the consent of such local, Tribal, and 
                territorial governments, items, services, capabilities, 
                or activities having a value of not less than 80 
                percent of the amount of the grant; or
                  ``(C) with the consent of the local, Tribal, and 
                territorial governments, grant funds combined with 
                other items, services, capabilities, or activities 
                having the total value of not less than 80 percent of 
                the amount of the grant.
          ``(3) Certifications regarding distribution of grant funds to 
        local, tribal, territorial governments.--A State shall certify 
        to the Secretary that the State has made the distribution to 
        local, Tribal, and territorial governments required under 
        paragraph (2).
          ``(4) Extension of period.--A State may request in writing 
        that the Secretary extend the period of time specified in 
        paragraph (2) for an additional period of time. The Secretary 
        may approve such a request if the Secretary determines such 
        extension is necessary to ensure the obligation and expenditure 
        of grant funds align with the purpose of the grant program.
          ``(5) Exception.--Paragraph (2) shall not apply to the 
        District of Columbia, the Commonwealth of Puerto Rico, American 
        Samoa, the Commonwealth of the Northern Mariana Islands, Guam, 
        or the Virgin Islands.
          ``(6) Direct funding.--If a State does not make the 
        distribution to local, Tribal, or territorial governments in 
        such State required under paragraph (2), such a local, Tribal, 
        or territorial government may petition the Secretary.
          ``(7) Penalties.--In addition to other remedies available to 
        the Secretary, the Secretary may terminate or reduce the amount 
        of a grant awarded under this section to a State or transfer 
        grant funds previously awarded to such State directly to the 
        appropriate local, Tribal, or territorial government if such 
        State violates a requirement of this subsection.
  ``(m) Advisory Committee.--
          ``(1) Establishment.--The Director shall establish a State 
        and Local Cybersecurity Resiliency Committee to provide State, 
        local, Tribal, and territorial stakeholder expertise, 
        situational awareness, and recommendations to the Director, as 
        appropriate, regarding how to--
                  ``(A) address cybersecurity risks and cybersecurity 
                threats to information systems of State, local, Tribal, 
                or territorial governments; and
                  ``(B) improve the ability of such governments to 
                prevent, protect against, respond, mitigate, and 
                recover from cybersecurity risks and cybersecurity 
                threats.
          ``(2) Duties.--The State and Local Cybersecurity Resiliency 
        Committee shall--
                  ``(A) submit to the Director recommendations that may 
                inform guidance for applicants for grants under this 
                section;
                  ``(B) upon the request of the Director, provide to 
                the Director technical assistance to inform the review 
                of Cybersecurity Plans submitted by applicants for 
                grants under this section, and, as appropriate, submit 
                to the Director recommendations to improve such Plans 
                prior to the Director's determination regarding whether 
                to approve such Plans;
                  ``(C) advise and provide to the Director input 
                regarding the Homeland Security Strategy to Improve 
                Cybersecurity for State, Local, Tribal, and Territorial 
                Governments required under section 2210; and
                  ``(D) upon the request of the Director, provide to 
                the Director recommendations, as appropriate, regarding 
                how to--
                          ``(i) address cybersecurity risks and 
                        cybersecurity threats on information systems of 
                        State, local, Tribal, or territorial 
                        governments; and
                          ``(ii) improve the cybersecurity resilience 
                        of such governments.
          ``(3) Membership.--
                  ``(A) Number and appointment.--The State and Local 
                Cybersecurity Resiliency Committee shall be composed of 
                15 members appointed by the Director, as follows:
                          ``(i) Two individuals recommended to the 
                        Director by the National Governors Association.
                          ``(ii) Two individuals recommended to the 
                        Director by the National Association of State 
                        Chief Information Officers.
                          ``(iii) One individual recommended to the 
                        Director by the National Guard Bureau.
                          ``(iv) Two individuals recommended to the 
                        Director by the National Association of 
                        Counties.
                          ``(v) Two individuals recommended to the 
                        Director by the National League of Cities.
                          ``(vi) One individual recommended to the 
                        Director by the United States Conference of 
                        Mayors.
                          ``(vii) One individual recommended to the 
                        Director by the Multi-State Information Sharing 
                        and Analysis Center.
                          ``(viii) Four individuals who have 
                        educational and professional experience related 
                        to cybersecurity analysis or policy.
                  ``(B) Terms.--Each member of the State and Local 
                Cybersecurity Resiliency Committee shall be appointed 
                for a term of two years, except that such term shall be 
                three years only in the case of members who are 
                appointed initially to the Committee upon the 
                establishment of the Committee. Any member appointed to 
                fill a vacancy occurring before the expiration of the 
                term for which the member's predecessor was appointed 
                shall be appointed only for the remainder of such term. 
                A member may serve after the expiration of such 
                member's term until a successor has taken office. A 
                vacancy in the Commission shall be filled in the manner 
                in which the original appointment was made.
                  ``(C) Pay.--Members of the State and Local 
                Cybersecurity Resiliency Committee shall serve without 
                pay.
          ``(4) Chairperson; vice chairperson.--The members of the 
        State and Local Cybersecurity Resiliency Committee shall select 
        a chairperson and vice chairperson from among Committee 
        members.
          ``(5) Federal advisory committee act.--The Federal Advisory 
        Committee Act (5 U.S.C. App.) shall not apply to the State and 
        Local Cybersecurity Resilience Committee.
  ``(n) Reports.--
          ``(1) Annual reports by state grant recipients.--A State that 
        receives a grant under this section shall annually submit to 
        the Secretary a report on the progress of the State in 
        implementing the Cybersecurity Plan approved pursuant to 
        subsection (g). If the State does not have a Cybersecurity Plan 
        approved pursuant to subsection (g), the State shall submit to 
        the Secretary a report describing how grant funds were 
        obligated and expended to develop a Cybersecurity Plan or 
        improve the cybersecurity of information systems owned or 
        operated by State, local, Tribal, or territorial governments in 
        such State. The Secretary, acting through the Director, shall 
        make each such report publicly available, including by making 
        each such report available on the internet website of the 
        Agency, subject to any redactions the Director determines 
        necessary to protect classified or other sensitive information.
          ``(2) Annual reports to congress.--At least once each year, 
        the Secretary, acting through the Director, shall submit to 
        Congress a report on the use of grants awarded under this 
        section and any progress made toward the following:
                  ``(A) Achieving the objectives set forth in the 
                Homeland Security Strategy to Improve the Cybersecurity 
                of State, Local, Tribal, and Territorial Governments, 
                upon the strategy's issuance under section 2210.
                  ``(B) Developing, implementing, or revising 
                Cybersecurity Plans.
                  ``(C) Reducing cybersecurity risks and cybersecurity 
                threats to information systems owned or operated by 
                State, local, Tribal, and territorial governments as a 
                result of the award of such grants.
  ``(o) Authorization of Appropriations.--There are authorized to be 
appropriated for grants under this section--
          ``(1) for each of fiscal years 2021 through 2025, 
        $400,000,000; and
          ``(2) for each subsequent fiscal year, such sums as may be 
        necessary.
  ``(p) Definitions.--In this section:
          ``(1) Critical infrastructure.--The term `critical 
        infrastructure' has the meaning given that term in section 2.
          ``(2) Cyber threat indicator.--The term `cyber threat 
        indicator' has the meaning given such term in section 102 of 
        the Cybersecurity Act of 2015.
          ``(3) Director.--The term `Director' means the Director of 
        the Cybersecurity and Infrastructure Security Agency.
          ``(4) Incident.--The term `incident' has the meaning given 
        such term in section 2209.
          ``(5) Information sharing and analysis organization.--The 
        term `information sharing and analysis organization' has the 
        meaning given such term in section 2222.
          ``(6) Information system.--The term `information system' has 
        the meaning given such term in section 102(9) of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501(9)).
          ``(7) Key resources.--The term `key resources' has the 
        meaning given that term in section 2.
          ``(8) Online service.--The term `online service' means any 
        internet-facing service, including a website, email, virtual 
        private network, or custom application.
          ``(9) State.--The term `State'--
                  ``(A) means each of the several States, the District 
                of Columbia, and the territories and possessions of the 
                United States; and
                  ``(B) includes any federally recognized Indian tribe 
                that notifies the Secretary, not later than 120 days 
                after the date of the enactment of this section or not 
                later than 120 days before the start of any fiscal year 
                in which a grant under this section is awarded, that 
                the tribe intends to develop a Cybersecurity Plan and 
                agrees to forfeit any distribution under subsection 
                (l)(2).

``SEC. 2216. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR STATE, LOCAL, 
                    TRIBAL, AND TERRITORIAL GOVERNMENT OFFICIALS.

  ``The Secretary, acting through the Director, shall develop a 
resource guide for use by State, local, Tribal, and territorial 
government officials, including law enforcement officers, to help such 
officials identify, prepare for, detect, protect against, respond to, 
and recover from cybersecurity risks, cybersecurity threats, and 
incidents (as such term is defined in section 2209).''.
  (b) Clerical Amendment.--The table of contents in section 1(b) of the 
Homeland Security Act of 2002 is amended by inserting after the item 
relating to section 2214 the following new items:

``Sec. 2215. State and Local Cybersecurity Grant Program.
``Sec. 2216. Cybersecurity resource guide development for State, local, 
Tribal, and territorial government officials.''.

SEC. 3. STRATEGY.

  (a) Homeland Security Strategy To Improve the Cybersecurity of State, 
Local, Tribal, and Territorial Governments.--Section 2210 of the 
Homeland Security Act of 2002 (6 U.S.C. 660) is amended by adding at 
the end the following new subsection:
  ``(e) Homeland Security Strategy To Improve the Cybersecurity of 
State, Local, Tribal, and Territorial Governments.--
          ``(1) In general.--Not later than 270 days after the date of 
        the enactment of this subsection, the Secretary, acting through 
        the Director, shall, in coordination with appropriate Federal 
        departments and agencies, State, local, Tribal, and territorial 
        governments, the State and Local Cybersecurity Resilience 
        Committee (established under section 2215), and other 
        stakeholders, as appropriate, develop and make publicly 
        available a Homeland Security Strategy to Improve the 
        Cybersecurity of State, Local, Tribal, and Territorial 
        Governments that provides recommendations regarding how the 
        Federal Government should support and promote the ability of 
        State, local, Tribal, and territorial governments to identify, 
        protect against, detect, respond to, and recover from 
        cybersecurity risks, cybersecurity threats, and incidents (as 
        such term is defined in section 2209) and establishes baseline 
        requirements and principles to which Cybersecurity Plans under 
        such section shall be aligned.
          ``(2) Contents.--The Homeland Security Strategy to Improve 
        the Cybersecurity of State, Local, Tribal, and Territorial 
        Governments required under paragraph (1) shall--
                  ``(A) identify capability gaps in the ability of 
                State, local, Tribal, and territorial governments to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, and incidents;
                  ``(B) identify Federal resources and capabilities 
                that are available or could be made available to State, 
                local, Tribal, and territorial governments to help such 
                governments identify, protect against, detect, respond 
                to, and recover from cybersecurity risks, cybersecurity 
                threats, and incidents;
                  ``(C) identify and assess the limitations of Federal 
                resources and capabilities available to State, local, 
                Tribal, and territorial governments to help such 
                governments identify, protect against, detect, respond 
                to, and recover from cybersecurity risks, cybersecurity 
                threats, and incidents, and make recommendations to 
                address such limitations;
                  ``(D) identify opportunities to improve the Agency's 
                coordination with Federal and non-Federal entities, 
                such as the Multi-State Information Sharing and 
                Analysis Center, to improve incident exercises, 
                information sharing and incident notification 
                procedures, the ability for State, local, Tribal, and 
                territorial governments to voluntarily adapt and 
                implement guidance in Federal binding operational 
                directives, and opportunities to leverage Federal 
                schedules for cybersecurity investments under section 
                502 of title 40, United States Code;
                  ``(E) recommend new initiatives the Federal 
                Government should undertake to improve the ability of 
                State, local, Tribal, and territorial governments to 
                help such governments identify, protect against, 
                detect, respond to, and recover from cybersecurity 
                risks, cybersecurity threats, and incidents;
                  ``(F) set short-term and long-term goals that will 
                improve the ability of State, local, Tribal, and 
                territorial governments to help such governments 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, and incidents; and
                  ``(G) set dates, including interim benchmarks, as 
                appropriate for State, local, Tribal, and territorial 
                governments to establish baseline capabilities to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, and incidents.
          ``(3) Considerations.--In developing the Homeland Security 
        Strategy to Improve the Cybersecurity of State, Local, Tribal, 
        and Territorial Governments required under paragraph (1), the 
        Director, in coordination with appropriate Federal departments 
        and agencies, State, local, Tribal, and territorial 
        governments, the State and Local Cybersecurity Resilience 
        Committee, and other stakeholders, as appropriate, shall 
        consider--
                  ``(A) lessons learned from incidents that have 
                affected State, local, Tribal, and territorial 
                governments, and exercises with Federal and non-Federal 
                entities;
                  ``(B) the impact of incidents that have affected 
                State, local, Tribal, and territorial governments, 
                including the resulting costs to such governments;
                  ``(C) the information related to the interest and 
                ability of state and non-state threat actors to 
                compromise information systems owned or operated by 
                State, local, Tribal, and territorial governments;
                  ``(D) emerging cybersecurity risks and cybersecurity 
                threats to State, local, Tribal, and territorial 
                governments resulting from the deployment of new 
                technologies; and
                  ``(E) recommendations made by the State and Local 
                Cybersecurity Resilience Committee.''.
  (b) Responsibilities of the Director of the Cybersecurity and 
Infrastructure Security Agency.--Subsection (c) of section 2202 of the 
Homeland Security Act of 2002 (6 U.S.C. 652) is amended--
          (1) by redesignating paragraphs (6) through (11) as 
        paragraphs (11) through (16), respectively; and
          (2) by inserting after paragraph (5) the following new 
        paragraphs:
          ``(6) develop program guidance, in consultation with the 
        State and Local Government Cybersecurity Resiliency Committee 
        established under section 2215, for the State and Local 
        Cybersecurity Grant Program under such section or any other 
        homeland security assistance administered by the Department to 
        improve cybersecurity;
          ``(7) review, in consultation with the State and Local 
        Cybersecurity Resiliency Committee, all cybersecurity plans of 
        State, local, Tribal, and territorial governments developed 
        pursuant to any homeland security assistance administered by 
        the Department to improve cybersecurity;
          ``(8) provide expertise and technical assistance to State, 
        local, Tribal, and territorial government officials with 
        respect to cybersecurity;
          ``(9) provide education, training, and capacity development 
        to enhance the security and resilience of cybersecurity and 
        infrastructure security;
          ``(10) provide information to State, local, Tribal, and 
        territorial governments on the security benefits of .gov domain 
        name registration services;''.
  (c) Feasibility Study.--Not later than 180 days after the date of the 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency of the Department of Homeland Security 
shall conduct a study to assess the feasibility of implementing a 
short-term rotational program for the detail of approved State, local, 
Tribal, and territorial government employees in cyber workforce 
positions to the Agency.

                          Purpose and Summary

    H.R. 5823, the ``State and Local Cybersecurity Improvement 
Act,'' seeks to foster a stronger partnership between the 
Federal government and State and local governments to defend 
their State and local networks against cyberattacks from 
sophisticated foreign adversaries or cyber criminals. One 
critical provision would authorize a new Department of Homeland 
Security (DHS) grant program to address cybersecurity 
vulnerabilities on State and local government networks. The new 
grant program would be authorized at $400 million with a 
graduating cost-share that incentivizes States to increase 
funding for cybersecurity in their budgets. Under the bill, 
State, tribal, and territorial governments would be required to 
develop comprehensive cybersecurity plans to guide the use of 
grant funds. The bill also requires the Cybersecurity and 
Infrastructure Security Agency (CISA) to develop a strategy to 
improve the cybersecurity of State, local, Tribal, and 
territorial governments, set baseline objectives for State and 
local cybersecurity efforts, and, among other things, identify 
Federal resources that could be made available to State and 
local governments for cybersecurity purposes. CISA would also 
be required to assess the feasibility of implementing a short-
term rotational program for the detail of approved State, 
local, Tribal, and territorial government employees in cyber 
workforce positions at CISA. Lastly, the bill establishes a 
State and Local Cybersecurity Resiliency Committee comprised of 
representatives from State, local, Tribal, and territorial 
governments to advise and provide situational awareness to CISA 
regarding the cybersecurity needs of such governments.

                  Background and Need for Legislation

    Like Federal agencies, State and local governments are rich 
targets for cyber adversaries given the volume of sensitive 
personal data they house and the high cost that a service 
disruption and system failures would impose. However, State and 
local agencies tend to have far fewer resources and 
cybersecurity personnel than their counterparts at the Federal 
level, or compared to similarly-sized private sector 
entities.\1\
---------------------------------------------------------------------------
    \1\National Association of State Chief Information Security 
Officers (NASCIO), 2018 Deloitte-NASCIO Cybersecurity Study: States at 
Risk (Oct. 2018), https://www.nascio.org/Publications/ArtMID/485/
ArticleID/730/2018-Deloitte-NASCIO Cybersecurity-Study-States-at-risk-
Bold-plays-for-change.
---------------------------------------------------------------------------
    At the State level, cybersecurity responsibilities are 
generally carried out by a Chief Information Security Officer 
(CISO). Until recently, CISO positions did not exist in many 
states or remained vacant.\2\ Today, every state has an 
enterprise-level CISO recognized in State law or other 
administrative procedures.\3\ Although the role of the state 
CISO has matured dramatically, turnover among state CISOs 
remains high. 
Moreover, CISOs consistently report budgetary and personnel 
shortages as among their top concerns.\4\
---------------------------------------------------------------------------
    \2\Id.
    \3\Id.
    \4\Id.
---------------------------------------------------------------------------
    Cybersecurity challenges are particularly acute at the 
local level, where resources are often scarce. A 2016 survey by 
the International City/County Management Association (ICMA) 
found that nearly 40% of local government Chief Information 
Officers (CIOs) reported having experienced an attack during 
the last 12 months, and 26% reported an attack, incident, or 
breach attempt occurring hourly.\5\ At the same time, many 
local governments are not well prepared to recover from a 
ransomware attack, detect or prevent exfiltration, prevent and 
recover from breaches, or detect attacks.\6\ Moreover, many 
local officials and staff are not sufficiently aware of the 
need for cybersecurity.\7\
---------------------------------------------------------------------------
    \5\International City/County Management Association and University 
of Maryland Baltimore County, Cybersecurity 2016 Survey, https://
icma.org/sites/default/files/
309075_2016%20cybersecurity%20survey_summary%20report_final.pdf.
    \6\Donald Norris, et al., ``Local Governments' Cybersecurity 
Crisis in 8 Charts,'' Government Technology (April 30, 2018), https://
www.govtech.com/security/Local-Governments-Cybersecurity-Crisis-in-8-
Charts.html.
    \7\Id.
---------------------------------------------------------------------------
    In 2018, devastating ransomware attacks crippled Atlanta, 
Georgia. The following year, State and local agencies in 
Louisiana, the City of Baltimore, MD, 22 towns in Texas, a 
school district in Syracuse, NY and many other communities 
scattered across the country were impacted by disruptive 
ransomware attacks. One DHS official described the ransomware 
attack in Atlanta as ``one of those red blinking lights that 
people talk about--it's a warning bell,'' and observed that 
``the attack surface is expanding faster . . . than we are 
fixing the legacy IT landscape.''\8\ These attacks can be 
extremely disruptive to vital government services and recovery 
is often far costlier than anticipated--to the tune of nearly 
$20 million, in some cases.\9\
---------------------------------------------------------------------------
    \8\``Atlanta Ransomware Attack a `Warning Bell,' DHS Official 
Says,'' Meritalk (April 28, 2018), https://www.meritalk.com/articles/
atlanta-ransomware-attack-a-warning-bell-dhs-official-says/.
    \9\See Ian Duncan, ``Baltimore Estimates Cost of Ransomware Attack 
at $18.2 Million As Government Begins To Restore Email Accounts,'' The 
Baltimore Sun (May 29, 2019), https://www.baltimoresun.com/maryland/
baltimore-city/bs-md-ci-ransomware-email-20190529-story.html.
---------------------------------------------------------------------------
    Stretched State and local budgets have not adequately 
funded cybersecurity and, with the emergence of the COVID-19 
pandemic in 2020, existing cybersecurity challenges at the 
State and local level have been exacerbated. The global COVID-
19 pandemic changed every aspect of American life. According 
to the Brookings Institution, by April 2020, ``up to half of 
American workers are currently working from home.''\10\ That 
includes State and local government employees who may be less 
accustomed to teleworking and less prepared to do it securely, 
making State and local networks more vulnerable to ransomware 
and other cyber attacks. At the same time, the cyber risks to 
State and local networks increased dramatically, particularly 
in the wake of unprecedented demand for online services, such 
as unemployment compensation and human services 
applications.\11\
---------------------------------------------------------------------------
    \10\Katherine Guyot & Isabel V. Sawhill, ``Telecommuting Will 
Likely Continue Long After the Pandemic,'' blog, Brookings Institution 
(Apr. 6, 2020), https://www.brookings.edu/blog/up-front/2020/04/06/
telecommuting-will-likely-continue-long-after-the-pandemic/.
    \11\Letter to Majority Leader Mitch McConnell, Speaker Nancy 
Pelosi, Senate Democratic Leader Chuck Schumer, and House Republican 
Leader Kevin McCarthy from National Governors Association; Government 
Finance Officers Association; Governors Homeland Security Advisors 
Council; International City/County Management Association; National 
Association of Counties; National Association of State Auditors, 
Comptrollers and Treasurers; National Association of State Chief 
Information Officers; National Association of State Treasurers; 
National Conference of State Legislatures; National Emergency 
Management Association; National League of Cities; and The Council of 
State Governments (Apr. 28, 2020).
---------------------------------------------------------------------------
    To address this urgent national security issue, the Federal 
government needs to redouble its efforts at partnering with 
State and local governments to build robust cybersecurity 
defenses. The ``State and Local Cybersecurity Improvement Act'' 
requires both the Federal government and its State partners to 
develop strategies to bolster State and local cybersecurity 
capabilities and provides funding to ensure those strategies 
are implemented. Investing in cybersecurity before a 
cyberattack saves money, protects important data housed on 
State and local networks, and ensures State and local 
governments can continue to provide the important services 
Americans rely on.
    H.R. 5823 has been endorsed by the National Governors 
Association and National Association of State Chief Information 
Security Officers.

                                Hearings

    For the purposes of section 103(i) of H. Res. 6 of the 
116th Congress, the following hearing was used to develop H.R. 
5823:
           On Tuesday, June 25, 2019, the Subcommittee 
        on Cybersecurity, Infrastructure Protection, and 
        Innovation held a hearing entitled: ``Cybersecurity 
        Challenges for State and Local Governments: Assessing 
        How the Federal Government Can Help.'' The following 
        witnesses testified: Hon. Keisha Lance Bottoms, Mayor 
        of Atlanta, Georgia; Mr. Thomas Duffy, Senior Vice 
        President of Operations, Center for Internet Security, 
        and Chair of the Multi-State Information Sharing and 
        Analysis Center (MS-ISAC); Mr. Ahmad Sultan, Associate 
        Director, Anti-Defamation League Center for Technology 
        and Society, and former Fellow at the Center for Long 
        Term Cybersecurity, University of California Berkeley; 
        Mr. Frank J. Cilluffo, Director, McCrary Institute for 
        Cyber and Critical Infrastructure, Auburn University.

                        Committee Consideration

    The Committee met on February 12, 2020, with a quorum being 
present, to consider H.R. 5823 and ordered the measure to be 
reported to the House with a favorable recommendation, with 
amendments, by unanimous consent.
    The following amendments were offered:
    An amendment offered by Mr. Katko.
    Page 2, line 5, strike ``section'' and insert ``sections''.
    Page 21, line 4, strike the closing quotes and the second 
period.
    Page 21, after line 4, insert the following:

``SEC. 2216. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR STATE, LOCAL, 
                    TRIBAL, AND TERRITORIAL GOVERNMENT OFFICIALS.

    ``The Secretary, acting through the Director, shall develop 
a resource guide for use by State, local, Tribal, and 
territorial government officials, including law enforcement 
officers, to help such officials identify, prepare for, detect, 
protect against, respond to, and recover from cybersecurity 
risks, cybersecurity threats, and incidents (as such term is 
defined in section 2209).''.

    Page 21, beginning line 5, strike subsection (b) and insert 
the following:

    (b) Clerical Amendment.--The table of contents in section 
1(b) of the Homeland Security Act of 2002 is amended by 
inserting after the item relating to section 2214 the following 
new items:
    ``Sec. 2215. State and Local Cybersecurity Grant Program.
    ``Sec. 2216. Cybersecurity resource guide development for 
State, local, Tribal, and territorial government officials.''.

    An amendment offered by Mr. Langevin.
    Page 4, beginning line 11, insert the following:

                          ``(iv) promote the delivery of safe, 
                        recognizable, and trustworthy online 
                        services by State, local, Tribal, and 
                        territorial governments, including 
                        through the use of the .gov internet 
                        domain;''.

    Page 20, beginning line 17, insert the following:

          ``(9) Online service.--The term `online service' 
        means any internet-facing service, including a website, 
        email, virtual private network, or custom 
        application.''.

    Page 26, beginning line 5, strike ``paragraphs (6) through 
(11) as paragraphs (10) through (15)'' and insert ``paragraphs 
(6) through (11) as paragraphs (11) through (16)''.
    Page 27, line 3, strike the closing quotes and the second 
period.
    Page 27, beginning line 4, insert the following:

          ``(10) provide information to State, local, tribal, 
        and territorial governments on the security benefits of 
        .gov domain name registration services;''.

    An amendment offered by Mr. Richmond.
    Page 5, line 17, insert ``and cybersecurity threats'' after 
``cybersecurity risks''.
    Page 19, strike lines 21 through 23.
    Page 22, line 7, strike ``prepare for, detect, protect 
against'' and insert ``protect against, detect''.
    Page 22, line 19, strike ``prepare for, detect, protect 
against'' and insert ``protect against, detect''.
    Page 23, line 2, strike ``prepare for, detect, protect 
against'' and insert ``protect against, detect''.
    Page 23, beginning line 8, strike ``prepare for, detect, 
protect against'' and insert ``protect against, detect''.
    Page 24, line 5, strike ``prepare for, detect, protect 
against'' and insert ``protect against, detect''.
    Page 24, beginning line 11, strike ``prepare for, detect, 
protect against'' and insert ``protect against, detect''.
    Page 24, beginning line 18, strike ``prepare for, detect, 
protect against'' and insert ``protect against, detect''.
    Page 25, line 19, insert ``and cybersecurity threats'' 
after ``cybersecurity risks''.
    An amendment offered by Ms. Slotkin.
    Page 6, beginning line 10, insert the following:

          (2) Discretionary elements.--The Cybersecurity Plan 
        of a State described in paragraph (1) may include--
                  (A) cooperative programs developed by groups 
                of local, Tribal, and territorial governments 
                within such State to address cybersecurity 
                risks and cybersecurity threats; and
                  (B) programs provided by such State to 
                support local, Tribal, and territorial 
                governments and critical infrastructure owners 
                and operators to address cybersecurity risks 
                and cybersecurity threats.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during consideration of 
H.R. 5823.

                      Committee Oversight Findings

    In compliance with clause 3(c)(1) of rule XIII of the Rules 
of the House of Representatives, the Committee advises that the 
findings and recommendations of the Committee, based on 
oversight activities under clause 2(b)(1) of rule X of the 
Rules of the House of Representatives, are incorporated in the 
descriptive portions of this report.

Congressional Budget Office Estimate, New Budget Authority, Entitlement 
                    Authority, and Tax Expenditures

    With respect to the requirements of clause 3(c)(2) of rule 
XIII of the Rules of the House of Representatives and section 
308(a) of the Congressional Budget Act of 1974 and with respect 
to requirements of clause 3(c)(3) of rule XIII of the Rules 
of the House of Representatives and section 402 of the 
Congressional Budget Act of 1974, the Committee adopts as its 
own the estimate of new budget authority, entitlement 
authority, or tax expenditures or revenues 
contained in the cost estimate prepared by the Director of the 
Congressional Budget Office.

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, March 10, 2020.
Hon. Bennie G. Thompson,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 5823, the State 
and Local Cybersecurity Improvement Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.


    H.R. 5823 would authorize the appropriation of $400 million 
annually over the 2021-2025 period for the Department of 
Homeland Security (DHS) to award grants to state and local 
governments. Grant recipients would use those funds to address 
cybersecurity threats and risks to their information systems. 
The bill also would establish the process through which DHS 
would assess grant applications, review cybersecurity plans, 
and monitor the performance of grant recipients.
    Based on historical spending patterns for similar grant 
programs, CBO estimates that implementing H.R. 5823 would cost 
$872 million over the 2020-2025 period (detailed in Table 1). 
Such spending would be subject to the appropriation of the 
specified and estimated amounts. That estimate includes $15 
million in salaries and expenses over the 2020-2025 period for 
administrative costs of reviewing grant applications and 
cybersecurity plans, and communicating with state and local 
governments. It also includes $5 million for the costs of 
establishing an external advisory committee.
    For this estimate, CBO assumes that the bill will be 
enacted in fiscal year 2020. Under that assumption, the agency 
could incur some costs in 2020, but CBO expects that most of 
the costs would be incurred in 2021 and later.

               TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER H.R. 5823
----------------------------------------------------------------------------------------------------------------
                                                                 By fiscal year, millions of dollars--
                                                      ----------------------------------------------------------
                                                        2020    2021    2022    2023    2024    2025   2020-2025
----------------------------------------------------------------------------------------------------------------
Cybersecurity Grants:
    Authorization....................................       0     400     400     400     400     400     2,000
    Estimated Outlays................................       0      12      84     164     256     336       852
Administrative Costs:
    Estimated Authorization..........................       *       2       2       3       4       4        15
    Estimated Outlays................................       *       2       2       3       4       4        15
Advisory Committee:
    Estimated Authorization..........................       *       1       1       1       1       1         5
    Estimated Outlays................................       *       1       1       1       1       1         5
    Total Changes:
        Estimated Authorization......................       *     403     403     404     405     405     2,020
        Estimated Outlays............................       *      15      87     168     261     341       872
----------------------------------------------------------------------------------------------------------------
* = between zero and $500,000.

    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Leo Lex, Deputy Director of Budget 
Analysis.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 5823 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

                    Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, the objective of H.R. 5823 is to 
direct the Department of Homeland Security to help State and 
local governments improve the cybersecurity posture of State, 
local, Tribal, and territorial governments. To achieve this 
objective, the Department will be required to engage with 
appropriate stakeholders to develop a comprehensive Homeland 
Security Strategy to Improve the Cybersecurity of State, Local, 
Tribal, and Territorial Governments to which grantees can align 
their cybersecurity plans.

                          Advisory on Earmarks

    In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(d), 9(e), or 9(f) of the rule 
XXI.

             Section-By-Section Analysis of the Legislation


Section 1. Short title

    This section provides that this bill may be cited as the 
``State and Local Cybersecurity Grant Program.''

Sec. 2. State and Local Cybersecurity Grant Program

    This section directs the Secretary of Homeland Security, 
acting through the Director of the Cybersecurity and 
Infrastructure Security Agency, to establish a program to make 
grants to States to address cybersecurity risks and 
cybersecurity threats to information systems of State, local, 
Tribal, or territorial governments that is administered by the 
Federal Emergency Management Agency. The program will be 
referred to as the State and Local Cybersecurity Grant Program.
    This section further requires each State seeking funds 
under the State and Local Cybersecurity Grant Program to 
develop and submit to the Secretary for approval a 
cybersecurity plan and establishes the baseline requirements 
for cybersecurity plans.
    This section further requires each State seeking funds 
under the State and Local Cybersecurity Grant Program to 
establish a cybersecurity planning committee to assist in the 
development and implementation of cybersecurity plans and in 
prioritizing State and Local Cybersecurity Grant Program 
investments. The cybersecurity planning committees shall be 
comprised of representatives from counties, cities, towns, and 
Tribes within the State receiving a grant, including, as 
appropriate, representatives of rural, suburban, and high-
population jurisdictions.
    This section further describes permissible uses of grants 
awarded under the State and Local Cybersecurity Grant Program 
to include implementing a State's cybersecurity plan, or 
assisting with activities determined by the Secretary, in 
consultation with the Director of the Cybersecurity and 
Infrastructure Security Agency, to be integral to address 
cybersecurity risks and cybersecurity threats to information 
systems of State, local, Tribal, or territorial governments, as 
the case may be.
    This section requires the Secretary, acting through the 
Director of the Cybersecurity and Infrastructure Security Agency, to 
review State cybersecurity plans to ensure they comport with 
the baseline requirements set forth in the section and the 
Homeland Security Strategy to Improve the Cybersecurity of 
State, Local, Tribal, and Territorial Governments. State 
cybersecurity plans must be approved by the Secretary before a 
State may receive grant funds, unless the State certifies that 
it will submit a cybersecurity plan by September 30, 2020, and 
grant funds will be used to develop the cybersecurity plan or 
the grant will address imminent cybersecurity risks or 
cybersecurity threats.
    This section bars the use of State and Local Cybersecurity 
Grant Program funds to supplant State, local, Tribal, or 
territorial funds; for any recipient cost-sharing contribution; 
to pay a demand for ransom in an attempt to regain access to 
information or an information system of such State or of a 
local, Tribal, or territorial government in such State; for 
recreational or social purposes; or for any purpose that does 
not directly address cybersecurity risks or cybersecurity 
threats on an information system of such State or of a local, 
Tribal, or territorial government in such State. Each State must 
certify that it will use grant funds for an appropriate 
purpose. The Secretary is authorized to take such enforcement 
actions as necessary.
    This section also authorizes States to amend grant 
applications to correct defects, sets forth the formula the 
Secretary shall use to apportion grant awards to eligible 
grantees, and establishes a State cost-share that increases 
over time to incentivize States to invest in cybersecurity.
    This section requires States (but not territories) to make 
80 percent of grant funds available to local and Tribal 
governments within 45 days of receiving the grant award, with 
certain exceptions. States are required to certify compliance 
with distribution requirements to the Secretary. If a State 
fails to make funds available to local and Tribal governments 
in compliance with this Act, local and Tribal governments may 
seek direct funding from the Secretary. The Secretary may 
impose appropriate penalties to enforce this provision.
    This section directs the Director of the Cybersecurity and 
Infrastructure Security Agency to establish a State and Local 
Cybersecurity Resilience Committee to advise the Director on 
cybersecurity matters particular to State and local 
governments, help review State cybersecurity plans, provide 
feedback on the Homeland Security Strategy to Improve 
Cybersecurity for State, Local, Tribal, and Territorial 
Governments, and assist in the development of State and 
Local Cybersecurity Grant guidance. This section also describes 
the membership and terms of the State and Local Cybersecurity 
Resilience Committee, and provides that the members shall not 
receive compensation.
    This section requires States receiving a grant to annually 
submit a report on the progress of the State in implementing 
the approved cybersecurity plan to the Secretary. If the State 
does not have an approved cybersecurity plan, the State shall 
submit to the Secretary a report describing how grant funds 
were obligated and expended to develop a cybersecurity plan or 
improve the cybersecurity of information systems owned or 
operated by State, local, Tribal, or territorial governments in 
such State. The Secretary, acting through the Director, shall 
make each such report publicly available, including by making 
each such report available on the internet website of the 
Agency, subject to any redactions the Director determines 
necessary to protect classified or other sensitive information. 
The Committee expects the Secretary to establish a consistent 
framework for the annual report, including consistent metrics 
and categories of analysis, so Congress is able to assess how 
grant funds are supporting the improvement in the cybersecurity 
posture of State, local, Tribal, and territorial governments. 
The Committee further expects the report to include information 
on the use, or barriers to use, of .gov domain services by 
State, local, Tribal, and territorial governments.
    This section requires the Secretary to submit a report to 
Congress annually on the use of grant funds and progress 
achieving the objectives set forth in the Homeland Security 
Strategy to Improve the Cybersecurity of State, Local, Tribal, 
and Territorial Governments, among other things.
    This section authorizes $400,000,000 in appropriations for 
this grant program from FY 2021 through FY 2025, and such sums 
as necessary thereafter.

Sec. 3. Strategy

    This section requires the Secretary, acting through the 
Director of the Cybersecurity and Infrastructure Security 
Agency, to develop a resource guide for use by State, local, 
Tribal, and territorial government officials, including law 
enforcement officers, to help such officials identify, prepare 
for, detect, protect against, respond to, and recover from 
cybersecurity risks, cybersecurity threats, and incidents.
    This section requires the Secretary, acting through the 
Director, not later than 270 days after the date of 
enactment, to develop and make publicly available, in 
coordination with appropriate Federal departments and agencies, 
State, local, Tribal, and territorial governments, the State 
and Local Cybersecurity Resilience Committee, and other 
stakeholders, as appropriate, a Homeland Security Strategy to 
Improve the Cybersecurity of State, Local, Tribal, and 
Territorial Governments that provides recommendations regarding 
how the Federal Government should support and promote the 
ability of State, local, Tribal, and territorial governments to 
identify, protect against, detect, respond to, and recover from 
cybersecurity risks, cybersecurity threats, and incidents and 
establishes baseline requirements and principles to which State 
cybersecurity plans under such section shall be aligned. The 
Committee expects the Department of Homeland Security to submit 
budget or legislative proposals, as necessary, to address any 
resource or authority gaps identified.
    This section further describes the contents of the Homeland 
Security Strategy to Improve the Cybersecurity of State, Local, 
Tribal, and Territorial Governments, as well as considerations 
that should inform the strategy. The Committee expects the 
Cybersecurity and Infrastructure Security Agency to emphasize 
to State, local, Tribal, and territorial governments the 
benefits of .gov domain services.
    This section amends the responsibilities of the Director of 
the Cybersecurity and Infrastructure Security Agency related to 
improving the cybersecurity of State and local governments.
    This section requires the Director of the Cybersecurity and 
Infrastructure Security Agency to, not later than 180 days 
after the date of the enactment of this Act, conduct a study to 
assess the feasibility of implementing a short-term rotational 
program for the detail of approved State, local, Tribal, and 
territorial government employees in cyber workforce positions 
to the Agency.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italics, and existing law in which no 
change is proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Homeland 
Security Act of 2002''.
  (b) Table of Contents.--The table of contents for this Act is 
as follows:

Sec. 1. Short title; table of contents.
     * * * * * * *

      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

          Subtitle A--Cybersecurity and Infrastructure Security

     * * * * * * *
Sec. 2215. State and Local Cybersecurity Grant Program.
Sec. 2216. Cybersecurity resource guide development for State, local, 
          Tribal, and territorial government officials.

           *       *       *       *       *       *       *


      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.

  (a) Redesignation.--
          (1) In general.--The National Protection and Programs 
        Directorate of the Department shall, on and after the 
        date of the enactment of this subtitle, be known as the 
        ``Cybersecurity and Infrastructure Security Agency'' 
        (in this subtitle referred to as the ``Agency'').
          (2) References.--Any reference to the National 
        Protection and Programs Directorate of the Department 
        in any law, regulation, map, document, record, or other 
        paper of the United States shall be deemed to be a 
        reference to the Cybersecurity and Infrastructure 
        Security Agency of the Department.
  (b) Director.--
          (1) In general.--The Agency shall be headed by a 
        Director of Cybersecurity and Infrastructure Security 
        (in this subtitle referred to as the ``Director''), who 
        shall report to the Secretary.
          (2) Reference.--Any reference to an Under Secretary 
        responsible for overseeing critical infrastructure 
        protection, cybersecurity, and any other related 
        program of the Department as described in section 
        103(a)(1)(H) as in effect on the day before the date of 
        enactment of this subtitle in any law, regulation, map, 
        document, record, or other paper of the United States 
        shall be deemed to be a reference to the Director of 
        Cybersecurity and Infrastructure Security of the 
        Department.
  (c) Responsibilities.--The Director shall--
          (1) lead cybersecurity and critical infrastructure 
        security programs, operations, and associated policy 
        for the Agency, including national cybersecurity asset 
        response activities;
          (2) coordinate with Federal entities, including 
        Sector-Specific Agencies, and non-Federal entities, 
        including international entities, to carry out the 
        cybersecurity and critical infrastructure activities of 
        the Agency, as appropriate;
          (3) carry out the responsibilities of the Secretary 
        to secure Federal information and information systems 
        consistent with law, including subchapter II of chapter 
        35 of title 44, United States Code, and the 
        Cybersecurity Act of 2015 (contained in division N of 
        the Consolidated Appropriations Act, 2016 (Public Law 
        114-113));
          (4) coordinate a national effort to secure and 
        protect against critical infrastructure risks, 
        consistent with subsection (e)(1)(E);
          (5) upon request, provide analyses, expertise, and 
        other technical assistance to critical infrastructure 
        owners and operators and, where appropriate, provide 
        those analyses, expertise, and other technical 
        assistance in coordination with Sector-Specific 
        Agencies and other Federal departments and agencies;
          (6) develop program guidance, in consultation with 
        the State and Local Government Cybersecurity Resiliency 
        Committee established under section 2215, for the State 
        and Local Cybersecurity Grant Program under such 
        section or any other homeland security assistance 
        administered by the Department to improve 
        cybersecurity;
          (7) review, in consultation with the State and Local 
        Cybersecurity Resiliency Committee, all cybersecurity 
        plans of State, local, Tribal, and territorial 
        governments developed pursuant to any homeland security 
        assistance administered by the Department to improve 
        cybersecurity;
          (8) provide expertise and technical assistance to 
        State, local, Tribal, and territorial government 
        officials with respect to cybersecurity;
          (9) provide education, training, and capacity 
        development to enhance the security and resilience of 
        cybersecurity and infrastructure security;
          (10) provide information to State, local, Tribal, and 
        territorial governments on the security benefits of 
        .gov domain name registration services;
          [(6)] (11) develop and utilize mechanisms for active 
        and frequent collaboration between the Agency and 
        Sector-Specific Agencies to ensure appropriate 
        coordination, situational awareness, and communications 
        with Sector-Specific Agencies;
          [(7)] (12) maintain and utilize mechanisms for the 
        regular and ongoing consultation and collaboration 
        among the Divisions of the Agency to further 
        operational coordination, integrated situational 
        awareness, and improved integration across the Agency 
        in accordance with this Act;
          [(8)] (13) develop, coordinate, and implement--
                  (A) comprehensive strategic plans for the 
                activities of the Agency; and
                  (B) risk assessments by and for the Agency;
          [(9)] (14) carry out emergency communications 
        responsibilities, in accordance with title XVIII;
          [(10)] (15) carry out cybersecurity, infrastructure 
        security, and emergency communications stakeholder 
        outreach and engagement and coordinate that outreach 
        and engagement with critical infrastructure Sector-
        Specific Agencies, as appropriate; and
          [(11)] (16) carry out such other duties and powers 
        prescribed by law or delegated by the Secretary.
  (d) Deputy Director.--There shall be in the Agency a Deputy 
Director of Cybersecurity and Infrastructure Security who 
shall--
          (1) assist the Director in the management of the 
        Agency; and
          (2) report to the Director.
  (e) Cybersecurity and Infrastructure Security Authorities of 
the Secretary.--
          (1) In general.--The responsibilities of the 
        Secretary relating to cybersecurity and infrastructure 
        security shall include the following:
                  (A) To access, receive, and analyze law 
                enforcement information, intelligence 
                information, and other information from Federal 
                Government agencies, State, local, tribal, and 
                territorial government agencies, including law 
                enforcement agencies, and private sector 
                entities, and to integrate that information, in 
                support of the mission responsibilities of the 
                Department, in order to--
                          (i) identify and assess the nature 
                        and scope of terrorist threats to the 
                        homeland;
                          (ii) detect and identify threats of 
                        terrorism against the United States; 
                        and
                          (iii) understand those threats in 
                        light of actual and potential 
                        vulnerabilities of the homeland.
                  (B) To carry out comprehensive assessments of 
                the vulnerabilities of the key resources and 
                critical infrastructure of the United States, 
                including the performance of risk assessments 
                to determine the risks posed by particular 
                types of terrorist attacks within the United 
                States, including an assessment of the 
                probability of success of those attacks and the 
                feasibility and potential efficacy of various 
                countermeasures to those attacks. At the 
                discretion of the Secretary, such assessments 
                may be carried out in coordination with Sector-
                Specific Agencies.
                  (C) To integrate relevant information, 
                analysis, and vulnerability assessments, 
                regardless of whether the information, 
                analysis, or assessments are provided or 
                produced by the Department, in order to make 
                recommendations, including prioritization, for 
                protective and support measures by the 
                Department, other Federal Government agencies, 
                State, local, tribal, and territorial 
                government agencies and authorities, the 
                private sector, and other entities regarding 
                terrorist and other threats to homeland 
                security.
                  (D) To ensure, pursuant to section 202, the 
                timely and efficient access by the Department 
                to all information necessary to discharge the 
                responsibilities under this title, including 
                obtaining that information from other Federal 
                Government agencies.
                  (E) To develop, in coordination with the 
                Sector-Specific Agencies with available 
                expertise, a comprehensive national plan for 
                securing the key resources and critical 
                infrastructure of the United States, including 
                power production, generation, and distribution 
                systems, information technology and 
                telecommunications systems (including 
                satellites), electronic financial and property 
                record storage and transmission systems, 
                emergency communications systems, and the 
                physical and technological assets that support 
                those systems.
                  (F) To recommend measures necessary to 
                protect the key resources and critical 
                infrastructure of the United States in 
                coordination with other Federal Government 
                agencies, including Sector-Specific Agencies, 
                and in cooperation with State, local, tribal, 
                and territorial government agencies and 
                authorities, the private sector, and other 
                entities.
                  (G) To review, analyze, and make 
                recommendations for improvements to the 
                policies and procedures governing the sharing 
                of information relating to homeland security 
                within the Federal Government and between 
                Federal Government agencies and State, local, 
                tribal, and territorial government agencies and 
                authorities.
                  (H) To disseminate, as appropriate, 
                information analyzed by the Department within 
                the Department to other Federal Government 
                agencies with responsibilities relating to 
                homeland security and to State, local, tribal, 
                and territorial government agencies and private 
                sector entities with those responsibilities in 
                order to assist in the deterrence, prevention, 
                or preemption of, or response to, terrorist 
                attacks against the United States.
                  (I) To consult with State, local, tribal, and 
                territorial government agencies and private 
                sector entities to ensure appropriate exchanges 
                of information, including law enforcement-
                related information, relating to threats of 
                terrorism against the United States.
                  (J) To ensure that any material received 
                pursuant to this Act is protected from 
                unauthorized disclosure and handled and used 
                only for the performance of official duties.
                  (K) To request additional information from 
                other Federal Government agencies, State, 
                local, tribal, and territorial government 
                agencies, and the private sector relating to 
                threats of terrorism in the United States, or 
                relating to other areas of responsibility 
                assigned by the Secretary, including the entry 
                into cooperative agreements through the 
                Secretary to obtain such information.
                  (L) To establish and utilize, in conjunction 
                with the Chief Information Officer of the 
                Department, a secure communications and 
                information technology infrastructure, 
                including data-mining and other advanced 
                analytical tools, in order to access, receive, 
                and analyze data and information in furtherance 
                of the responsibilities under this section, and 
                to disseminate information acquired and 
                analyzed by the Department, as appropriate.
                  (M) To coordinate training and other support 
                to the elements and personnel of the 
                Department, other Federal Government agencies, 
                and State, local, tribal, and territorial 
                government agencies that provide information to 
                the Department, or are consumers of information 
                provided by the Department, in order to 
                facilitate the identification and sharing of 
                information revealed in their ordinary duties 
                and the optimal utilization of information 
                received from the Department.
                  (N) To coordinate with Federal, State, local, 
                tribal, and territorial law enforcement 
                agencies, and the private sector, as 
                appropriate.
                  (O) To exercise the authorities and oversight 
                of the functions, personnel, assets, and 
                liabilities of those components transferred to 
                the Department pursuant to section 201(g).
                  (P) To carry out the functions of the 
                national cybersecurity and communications 
                integration center under section 2209.
                  (Q) To carry out the requirements of the 
                Chemical Facility Anti-Terrorism Standards 
                Program established under title XXI and the 
                secure handling of ammonium nitrate program 
                established under subtitle J of title VIII, or 
                any successor programs.
          (2) Reallocation.--The Secretary may reallocate 
        within the Agency the functions specified in sections 
        2203(b) and 2204(b), consistent with the 
        responsibilities provided in paragraph (1), upon 
        certifying to and briefing the appropriate 
        congressional committees, and making available to the 
        public, at least 60 days prior to the reallocation that 
        the reallocation is necessary for carrying out the 
        activities of the Agency.
          (3) Staff.--
                  (A) In general.--The Secretary shall provide 
                the Agency with a staff of analysts having 
                appropriate expertise and experience to assist 
                the Agency in discharging the responsibilities 
                of the Agency under this section.
                  (B) Private sector analysts.--Analysts under 
                this subsection may include analysts from the 
                private sector.
                  (C) Security clearances.--Analysts under this 
                subsection shall possess security clearances 
                appropriate for their work under this section.
          (4) Detail of personnel.--
                  (A) In general.--In order to assist the 
                Agency in discharging the responsibilities of 
                the Agency under this section, personnel of the 
                Federal agencies described in subparagraph (B) 
                may be detailed to the Agency for the 
                performance of analytic functions and related 
                duties.
                  (B) Agencies.--The Federal agencies described 
                in this subparagraph are--
                          (i) the Department of State;
                          (ii) the Central Intelligence Agency;
                          (iii) the Federal Bureau of 
                        Investigation;
                          (iv) the National Security Agency;
                          (v) the National Geospatial-
                        Intelligence Agency;
                          (vi) the Defense Intelligence Agency;
                          (vii) Sector-Specific Agencies; and
                          (viii) any other agency of the 
                        Federal Government that the President 
                        considers appropriate.
                  (C) Interagency agreements.--The Secretary 
                and the head of a Federal agency described in 
                subparagraph (B) may enter into agreements for 
                the purpose of detailing personnel under this 
                paragraph.
                  (D) Basis.--The detail of personnel under 
                this paragraph may be on a reimbursable or non-
                reimbursable basis.
  (f) Composition.--The Agency shall be composed of the 
following divisions:
          (1) The Cybersecurity Division, headed by an 
        Assistant Director.
          (2) The Infrastructure Security Division, headed by 
        an Assistant Director.
          (3) The Emergency Communications Division under title 
        XVIII, headed by an Assistant Director.
  (g) Co-location.--
          (1) In general.--To the maximum extent practicable, 
        the Director shall examine the establishment of central 
        locations in geographical regions with a significant 
        Agency presence.
          (2) Coordination.--When establishing the central 
        locations described in paragraph (1), the Director 
        shall coordinate with component heads and the Under 
        Secretary for Management to co-locate or partner on any 
        new real property leases, renewing any occupancy 
        agreements for existing leases, or agreeing to extend 
        or newly occupy any Federal space or new construction.
  (h) Privacy.--
          (1) In general.--There shall be a Privacy Officer of 
        the Agency with primary responsibility for privacy 
        policy and compliance for the Agency.
          (2) Responsibilities.--The responsibilities of the 
        Privacy Officer of the Agency shall include--
                  (A) assuring that the use of technologies by 
                the Agency sustain, and do not erode, privacy 
                protections relating to the use, collection, 
                and disclosure of personal information;
                  (B) assuring that personal information 
                contained in systems of records of the Agency 
                is handled in full compliance as specified in 
                section 552a of title 5, United States Code 
                (commonly known as the ``Privacy Act of 
                1974'');
                  (C) evaluating legislative and regulatory 
                proposals involving collection, use, and 
                disclosure of personal information by the 
                Agency; and
                  (D) conducting a privacy impact assessment of 
                proposed rules of the Agency on the privacy of 
                personal information, including the type of 
                personal information collected and the number 
                of people affected.
  (i) Savings.--Nothing in this title may be construed as 
affecting in any manner the authority, existing on the day 
before the date of enactment of this title, of any other 
component of the Department or any other Federal department or 
agency, including the authority provided to the Sector-Specific 
Agency specified in section 61003(c) of division F of the 
Fixing America's Surface Transportation Act (6 U.S.C. 121 note; 
Public Law 114-94).

           *       *       *       *       *       *       *


SEC. 2210. CYBERSECURITY PLANS.

  (a) Definitions.--In this section--
          (1) the term ``agency information system'' means an 
        information system used or operated by an agency or by 
        another entity on behalf of an agency;
          (2) the terms ``cybersecurity risk'' and 
        ``information system'' have the meanings given those 
        terms in section 2209;
          (3) the term ``intelligence community'' has the 
        meaning given the term in section 3(4) of the National 
        Security Act of 1947 (50 U.S.C. 3003(4)); and
          (4) the term ``national security system'' has the 
        meaning given the term in section 11103 of title 40, 
        United States Code.
  (b) Intrusion Assessment Plan.--
          (1) Requirement.--The Secretary, in coordination with 
        the Director of the Office of Management and Budget, 
        shall--
                  (A) develop and implement an intrusion 
                assessment plan to proactively detect, 
                identify, and remove intruders in agency 
                information systems on a routine basis; and
                  (B) update such plan as necessary.
          (2) Exception.--The intrusion assessment plan 
        required under paragraph (1) shall not apply to the 
        Department of Defense, a national security system, or 
        an element of the intelligence community.
  (c) Cyber Incident Response Plan.--The Director of 
Cybersecurity and Infrastructure Security shall, in coordination 
with appropriate Federal departments and agencies, State and 
local governments, sector coordinating councils, information 
sharing and analysis organizations (as defined in section 
2222(5)), owners and operators of critical infrastructure, and 
other appropriate entities and individuals, develop, regularly 
update, maintain, and exercise adaptable cyber incident 
response plans to address cybersecurity risks (as defined in 
section 2209) to critical infrastructure.
  (d) National Response Framework.--The Secretary, in 
coordination with the heads of other appropriate Federal 
departments and agencies, and in accordance with the National 
Cybersecurity Incident Response Plan required under subsection 
(c), shall regularly update, maintain, and exercise the Cyber 
Incident Annex to the National Response Framework of the 
Department.
  (e) Homeland Security Strategy To Improve the Cybersecurity 
of State, Local, Tribal, and Territorial Governments.--
          (1) In general.--Not later than 270 days after the 
        date of the enactment of this subsection, the 
        Secretary, acting through the Director, shall, in 
        coordination with appropriate Federal departments and 
        agencies, State, local, Tribal, and territorial 
        governments, the State and Local Cybersecurity 
        Resilience Committee (established under section 2215), 
        and other stakeholders, as appropriate, develop and 
        make publicly available a Homeland Security Strategy to 
        Improve the Cybersecurity of State, Local, Tribal, and 
        Territorial Governments that provides recommendations 
        regarding how the Federal Government should support and 
        promote the ability State, local, Tribal, and 
        territorial governments to identify, protect against, 
        detect respond to, and recover from cybersecurity 
        risks, cybersecurity threats, and incidents (as such 
        term is defined in section 2209) and establishes 
        baseline requirements and principles to which 
        Cybersecurity Plans under such section shall be 
        aligned.
          (2) Contents.--The Homeland Security Strategy to 
        Improve the Cybersecurity of State, Local, Tribal, and 
        Territorial Governments required under paragraph (1) 
        shall--
                  (A) identify capability gaps in the ability 
                of State, local, Tribal, and territorial 
                governments to identify, protect against, 
                detect, respond to, and recover from 
                cybersecurity risks, cybersecurity threats, and 
                incidents;
                  (B) identify Federal resources and 
                capabilities that are available or could be 
                made available to State, local, Tribal, and 
                territorial governments to help such 
                governments identify, protect against, detect, 
                respond to, and recover from cybersecurity 
                risks, cybersecurity threats, and incidents;
                  (C) identify and assess the limitations of 
                Federal resources and capabilities available to 
                State, local, Tribal, and territorial 
                governments to help such governments identify, 
                protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, and incidents, and make 
                recommendations to address such limitations;
                  (D) identify opportunities to improve the 
                Agency's coordination with Federal and non-
                Federal entities, such as the Multi-State 
                Information Sharing and Analysis Center, to 
                improve incident exercises, information sharing 
                and incident notification procedures, the 
                ability for State, local, Tribal, and 
                territorial governments to voluntarily adapt 
                and implement guidance in Federal binding 
                operational directives, and opportunities to 
                leverage Federal schedules for cybersecurity 
                investments under section 502 of title 40, 
                United States Code;
                  (E) recommend new initiatives the Federal 
                Government should undertake to improve the 
                ability of State, local, Tribal, and 
                territorial governments to help such 
                governments identify, protect against, detect, 
                respond to, and recover from cybersecurity 
                risks, cybersecurity threats, and incidents;
                  (F) set short-term and long-term goals that 
                will improve the ability of State, local, 
                Tribal, and territorial governments to help 
                such governments identify, protect against, 
                detect, respond to, and recover from 
                cybersecurity risks, cybersecurity threats, and 
                incidents; and
                  (G) set dates, including interim benchmarks, 
                as appropriate for State, local, Tribal, and 
                territorial governments to establish baseline 
                capabilities to identify, protect against, 
                detect, respond to, and recover from 
                cybersecurity risks, cybersecurity threats, and 
                incidents.
          (3) Considerations.--In developing the Homeland 
        Security Strategy to Improve the Cybersecurity of 
        State, Local, Tribal, and Territorial Governments 
        required under paragraph (1), the Director, in 
        coordination with appropriate Federal departments and 
        agencies, State, local, Tribal, and territorial 
        governments, the State and Local Cybersecurity 
        Resilience Committee, and other stakeholders, as 
        appropriate, shall consider--
                  (A) lessons learned from incidents that have 
                affected State, local, Tribal, and territorial 
                governments, and exercises with Federal and 
                non-Federal entities;
                  (B) the impact of incidents that have 
                affected State, local, Tribal, and territorial 
                governments, including the resulting costs to 
                such governments;
                  (C) the information related to the interest 
                and ability of state and non-state threat 
                actors to compromise information systems owned 
                or operated by State, local, Tribal, and 
                territorial governments;
                  (D) emerging cybersecurity risks and 
                cybersecurity threats to State, local, Tribal, 
                and territorial governments resulting from the 
                deployment of new technologies; and
                  (E) recommendations made by the State and 
                Local Cybersecurity Resilience Committee.

           *       *       *       *       *       *       *


SEC. 2215. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

  (a) Establishment.--The Secretary, acting through the 
Director, shall establish a program to make grants to States to 
address cybersecurity risks and cybersecurity threats to 
information systems of State, local, Tribal, or territorial 
governments (referred to as the ``State and Local Cybersecurity 
Grant Program'' in this section).
  (b) Baseline Requirements.--A grant awarded under this 
section shall be used in compliance with the following:
          (1) The Cybersecurity Plan required under subsection 
        (d) and approved pursuant to subsection (g).
          (2) The Homeland Security Strategy to Improve the 
        Cybersecurity of State, Local, Tribal, and Territorial 
        Governments required in accordance with section 2210, 
        when issued.
  (c) Administration.--The State and Local Cybersecurity Grant 
Program shall be administered in the same program office that 
administers grants made under sections 2003 and 2004.
  (d) Eligibility.--
          (1) In general.--A State applying for a grant under 
        the State and Local Cybersecurity Grant Program shall 
        submit to the Secretary a Cybersecurity Plan for 
        approval. Such plan shall--
                  (A) incorporate, to the extent practicable, 
                any existing plans of such State to protect 
                against cybersecurity risks and cybersecurity 
                threats to information systems of State, local, 
                Tribal, or territorial governments;
                  (B) describe, to the extent practicable, how 
                such State shall--
                          (i) enhance the preparation, 
                        response, and resiliency of information 
                        systems owned or operated by such State 
                        or, if appropriate, by local, Tribal, 
                        or territorial governments, against 
                        cybersecurity risks and cybersecurity 
                        threats;
                          (ii) implement a process of 
                        continuous cybersecurity vulnerability 
                        assessments and threat mitigation 
                        practices prioritized by degree of risk 
                        to address cybersecurity risks and 
                        cybersecurity threats in information 
                        systems of such State, local, Tribal, 
                        or territorial governments;
                          (iii) ensure that State, local, 
                        Tribal, and territorial governments 
                        that own or operate information systems 
                        within the State adopt best practices 
                        and methodologies to enhance 
                        cybersecurity, such as the practices 
                        set forth in the cybersecurity 
                        framework developed by the National 
                        Institute of Standards and Technology;
                          (iv) promote the delivery of safe, 
                        recognizable, and trustworthy online 
                        services by State, local, Tribal, and 
                        territorial governments, including 
                        through the use of the .gov internet 
                        domain;
                          (v) mitigate any identified gaps in 
                        the State, local, Tribal, or 
                        territorial government cybersecurity 
                        workforces, enhance recruitment and 
                        retention efforts for such workforces, 
                        and bolster the knowledge, skills, and 
                        abilities of State, local, Tribal, and 
                        territorial government personnel to 
                        address cybersecurity risks and 
                        cybersecurity threats;
                          (vi) ensure continuity of 
                        communications and data networks within 
                        such State between such State and 
                        local, Tribal, and territorial 
                        governments that own or operate 
                        information systems within such State 
                        in the event of an incident involving 
                        such communications or data networks 
                        within such State;
                          (vii) assess and mitigate, to the 
                        greatest degree possible, cybersecurity 
                        risks and cybersecurity threats related 
                        to critical infrastructure and key 
                        resources, the degradation of which may 
                        impact the performance of information 
                        systems within such State;
                          (viii) enhance capability to share 
                        cyber threat indicators and related 
                        information between such State and 
                        local, Tribal, and territorial 
                        governments that own or operate 
                        information systems within such State; 
                        and
                          (ix) develop and coordinate 
                        strategies to address cybersecurity 
                        risks and cybersecurity threats in 
                        consultation with--
                                  (I) local, Tribal, and 
                                territorial governments within 
                                the State; and
                                  (II) as applicable--
                                          (aa) neighboring 
                                        States or, as 
                                        appropriate, members of 
                                        an information sharing 
                                        and analysis 
                                        organization; and
                                          (bb) neighboring 
                                        countries; and
                  (C) include, to the extent practicable, an 
                inventory of the information technology 
                deployed on the information systems owned or 
                operated by such State or by local, Tribal, or 
                territorial governments within such State, 
                including legacy information technology that is 
                no longer supported by the manufacturer.
  (e) Planning Committees.--
          (1) In general.--A State applying for a grant under 
        this section shall establish a cybersecurity planning 
        committee to assist in the following:
                  (A) The development, implementation, and 
                revision of such State's Cybersecurity Plan 
                required under subsection (d).
                  (B) The determination of effective funding 
                priorities for such grant in accordance with 
                subsection (f).
          (2) Composition.--Cybersecurity planning committees 
        described in paragraph (1) shall be comprised of 
        representatives from counties, cities, towns, and 
        Tribes within the State receiving a grant under this 
        section, including, as appropriate, representatives of 
        rural, suburban, and high-population jurisdictions.
          (3) Rule of construction regarding existing planning 
        committees.--Nothing in this subsection may be 
        construed to require that any State establish a 
        cybersecurity planning committee if such State has 
        established and uses a multijurisdictional planning 
        committee or commission that meets the requirements of 
        this paragraph.
  (f) Use of Funds.--A State that receives a grant under this 
section shall use the grant to implement such State's 
Cybersecurity Plan, or to assist with activities determined by 
the Secretary, in consultation with the Director, to be 
integral to address cybersecurity risks and cybersecurity 
threats to information systems of State, local, Tribal, or 
territorial governments, as the case may be.
  (g) Approval of Plans.--
          (1) Approval as condition of grant.--Before a State 
        may receive a grant under this section, the Secretary, 
        acting through the Director, shall review and approve 
        such State's Cybersecurity Plan required under 
        subsection (d).
          (2) Plan requirements.--In approving a Cybersecurity 
        Plan under this subsection, the Director shall ensure 
        such Plan--
                  (A) meets the requirements specified in 
                subsection (d); and
                  (B) upon issuance of the Homeland Security 
                Strategy to Improve the Cybersecurity of State, 
                Local, Tribal, and Territorial Governments 
                authorized pursuant to section 2210, complies, 
                as appropriate, with the goals and objectives 
                of such Strategy.
          (3) Approval of revisions.--The Secretary, acting 
        through the Director, may approve revisions to a 
        Cybersecurity Plan as the Director determines 
        appropriate.
          (4) Exception.--Notwithstanding the requirement under 
        subsection (d) to submit a Cybersecurity Plan as a 
        condition of applying for a grant under this section, such 
        a grant may be awarded to a State that has not so 
        submitted a Cybersecurity Plan to the Secretary if--
                  (A) such State certifies to the Secretary 
                that it will submit to the Secretary a 
                Cybersecurity Plan for approval by September 
                30, 2022;
                  (B) such State certifies to the Secretary 
                that the activities that will be supported by 
                such grant are integral to the development of 
                such Cybersecurity Plan; or
                  (C) such State certifies to the Secretary, 
                and the Director confirms, that the activities 
                that will be supported by the grant will 
                address imminent cybersecurity risks or 
                cybersecurity threats to the information 
                systems of such State or of a local, Tribal, or 
                territorial government in such State.
  (h) Limitations on Uses of Funds.--
          (1) In general.--A State that receives a grant under 
        this section may not use such grant--
                  (A) to supplant State, local, Tribal, or 
                territorial funds;
                  (B) for any recipient cost-sharing 
                contribution;
                  (C) to pay a demand for ransom in an attempt 
                to regain access to information or an 
                information system of such State or of a local, 
                Tribal, or territorial government in such 
                State;
                  (D) for recreational or social purposes; or
                  (E) for any purpose that does not directly 
                address cybersecurity risks or cybersecurity 
                threats on an information system of such State 
                or of a local, Tribal, or territorial 
                government in such State.
          (2) Penalties.--In addition to other remedies 
        available, the Secretary may take such actions as are 
        necessary to ensure that a recipient of a grant under 
        this section is using such grant for the purposes for 
        which such grant was awarded.
  (i) Opportunity To Amend Applications.--In considering 
applications for grants under this section, the Secretary shall 
provide applicants with a reasonable opportunity to correct 
defects, if any, in such applications before making final 
awards.
  (j) Apportionment.--For fiscal year 2020 and each fiscal year 
thereafter, the Secretary shall apportion amounts appropriated 
to carry out this section among States as follows:
          (1) Baseline amount.--The Secretary shall first 
        apportion 0.25 percent of such amounts to each of 
        American Samoa, the Commonwealth of the Northern 
        Mariana Islands, Guam, and the Virgin Islands, and 0.75 
        percent of such amounts to each of the remaining 
        States.
          (2) Remainder.--The Secretary shall apportion the 
        remainder of such amounts in the ratio that--
                  (A) the population of each State; bears to
                  (B) the population of all States.
  (k) Federal Share.--The Federal share of the cost of an 
activity carried out using funds made available under the 
program may not exceed the following percentages:
          (1) For fiscal year 2021, 90 percent.
          (2) For fiscal year 2022, 80 percent.
          (3) For fiscal year 2023, 70 percent.
          (4) For fiscal year 2024, 60 percent.
          (5) For fiscal year 2025 and each subsequent fiscal 
        year, 50 percent.
  (l) State Responsibilities.--
          (1) Certification.--Each State that receives a grant 
        under this section shall certify to the Secretary that 
        the grant will be used for the purpose for which the 
        grant is awarded and in compliance with the 
        Cybersecurity Plan or other purpose approved by the 
        Secretary under subsection (g).
          (2) Availability of funds to local, tribal, and 
        territorial governments.--Not later than 45 days after 
        a State receives a grant under this section, such State 
        shall, without imposing unreasonable or unduly 
        burdensome requirements as a condition of receipt, 
        obligate or otherwise make available to local, Tribal, 
        and territorial governments in such State, consistent 
        with the applicable Cybersecurity Plan--
                  (A) not less than 80 percent of funds 
                available under such grant;
                  (B) with the consent of such local, Tribal, 
                and territorial governments, items, services, 
                capabilities, or activities having a value of 
                not less than 80 percent of the amount of the 
                grant; or
                  (C) with the consent of the local, Tribal, 
                and territorial governments, grant funds 
                combined with other items, services, 
                capabilities, or activities having the total 
                value of not less than 80 percent of the amount 
                of the grant.
          (3) Certifications regarding distribution of grant 
        funds to local, tribal, territorial governments.--A 
        State shall certify to the Secretary that the State has 
        made the distribution to local, Tribal, and territorial 
        governments required under paragraph (2).
          (4) Extension of period.--A State may request in 
        writing that the Secretary extend the period of time 
        specified in paragraph (2) for an additional period of 
        time. The Secretary may approve such a request if the 
        Secretary determines such extension is necessary to 
        ensure the obligation and expenditure of grant funds 
        align with the purpose of the grant program.
          (5) Exception.--Paragraph (2) shall not apply to the 
        District of Columbia, the Commonwealth of Puerto Rico, 
        American Samoa, the Commonwealth of the Northern 
        Mariana Islands, Guam, or the Virgin Islands.
          (6) Direct funding.--If a State does not make the 
        distribution to local, Tribal, or territorial 
        governments in such State required under paragraph (2), 
        such a local, Tribal, or territorial government may 
        petition the Secretary.
          (7) Penalties.--In addition to other remedies 
        available to the Secretary, the Secretary may terminate 
        or reduce the amount of a grant awarded under this 
        section to a State or transfer grant funds previously 
        awarded to such State directly to the appropriate 
        local, Tribal, or territorial government if such State 
        violates a requirement of this subsection.
  (m) Advisory Committee.--
          (1) Establishment.--The Director shall establish a 
        State and Local Cybersecurity Resiliency Committee to 
        provide State, local, Tribal, and territorial 
        stakeholder expertise, situational awareness, and 
        recommendations to the Director, as appropriate, 
        regarding how to--
                  (A) address cybersecurity risks and 
                cybersecurity threats to information systems of 
                State, local, Tribal, or territorial 
                governments; and
                  (B) improve the ability of such governments 
                to prevent, protect against, respond, mitigate, 
                and recover from cybersecurity risks and 
                cybersecurity threats.
          (2) Duties.--The State and Local Cybersecurity 
        Resiliency Committee shall--
                  (A) submit to the Director recommendations 
                that may inform guidance for applicants for 
                grants under this section;
                  (B) upon the request of the Director, provide 
                to the Director technical assistance to inform 
                the review of Cybersecurity Plans submitted by 
                applicants for grants under this section, and, 
                as appropriate, submit to the Director 
                recommendations to improve such Plans prior to 
                the Director's determination regarding whether 
                to approve such Plans;
                  (C) advise and provide to the Director input 
                regarding the Homeland Security Strategy to 
                Improve Cybersecurity for State, Local, Tribal, 
                and Territorial Governments required under 
                section 2210; and
                  (D) upon the request of the Director, provide 
                to the Director recommendations, as 
                appropriate, regarding how to--
                          (i) address cybersecurity risks and 
                        cybersecurity threats on information 
                        systems of State, local, Tribal, or 
                        territorial governments; and
                          (ii) improve the cybersecurity 
                        resilience of such governments.
          (3) Membership.--
                  (A) Number and appointment.--The State and 
                Local Cybersecurity Resiliency Committee shall 
                be composed of 15 members appointed by the 
                Director, as follows:
                          (i) Two individuals recommended to 
                        the Director by the National Governors 
                        Association.
                          (ii) Two individuals recommended to 
                        the Director by the National 
                        Association of State Chief Information 
                        Officers.
                          (iii) One individual recommended to 
                        the Director by the National Guard 
                        Bureau.
                          (iv) Two individuals recommended to 
                        the Director by the National 
                        Association of Counties.
                          (v) Two individuals recommended to 
                        the Director by the National League of 
                        Cities.
                          (vi) One individual recommended to 
                        the Director by the United States 
                        Conference of Mayors.
                          (vii) One individual recommended to 
                        the Director by the Multi-State 
                        Information Sharing and Analysis 
                        Center.
                          (viii) Four individuals who have 
                        educational and professional experience 
                        related to cybersecurity analysis or 
                        policy.
                  (B) Terms.--Each member of the State and 
                Local Cybersecurity Resiliency Committee shall 
                be appointed for a term of two years, except 
                that such term shall be three years only in the 
                case of members who are appointed initially to 
                the Committee upon the establishment of the 
                Committee. Any member appointed to fill a 
                vacancy occurring before the expiration of the 
                term for which the member's predecessor was 
                appointed shall be appointed only for the 
                remainder of such term. A member may serve 
                after the expiration of such member's term 
                until a successor has taken office. A vacancy 
                in the Commission shall be filled in the manner 
                in which the original appointment was made.
                  (C) Pay.--Members of the State and Local 
                Cybersecurity Resiliency Committee shall serve 
                without pay.
          (4) Chairperson; vice chairperson.--The members of 
        the State and Local Cybersecurity Resiliency Committee 
        shall select a chairperson and vice chairperson from 
        among Committee members.
          (5) Federal advisory committee act.--The Federal 
        Advisory Committee Act (5 U.S.C. App.) shall not apply 
        to the State and Local Cybersecurity Resilience 
        Committee.
  (n) Reports.--
          (1) Annual reports by state grant recipients.--A 
        State that receives a grant under this section shall 
        annually submit to the Secretary a report on the 
        progress of the State in implementing the Cybersecurity 
        Plan approved pursuant to subsection (g). If the State 
        does not have a Cybersecurity Plan approved pursuant to 
        subsection (g), the State shall submit to the Secretary 
        a report describing how grant funds were obligated and 
        expended to develop a Cybersecurity Plan or improve the 
        cybersecurity of information systems owned or operated 
        by State, local, Tribal, or territorial governments in 
        such State. The Secretary, acting through the Director, 
        shall make each such report publicly available, 
        including by making each such report available on the 
        internet website of the Agency, subject to any 
        redactions the Director determines necessary to protect 
        classified or other sensitive information.
          (2) Annual reports to congress.--At least once each 
        year, the Secretary, acting through the Director, shall 
        submit to Congress a report on the use of grants 
        awarded under this section and any progress made toward 
        the following:
                  (A) Achieving the objectives set forth in the 
                Homeland Security Strategy to Improve the 
                Cybersecurity of State, Local, Tribal, and 
                Territorial Governments, upon the strategy's 
                issuance under section 2210.
                  (B) Developing, implementing, or revising 
                Cybersecurity Plans.
                  (C) Reducing cybersecurity risks and 
                cybersecurity threats to information systems 
                owned or operated by State, local, Tribal, and 
                territorial governments as a result of the 
                award of such grants.
  (o) Authorization of Appropriations.--There are authorized to 
be appropriated for grants under this section--
          (1) for each of fiscal years 2021 through 2025, 
        $400,000,000; and
          (2) for each subsequent fiscal year, such sums as may 
        be necessary.
  (p) Definitions.--In this section:
          (1) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given that term in 
        section 2.
          (2) Cyber threat indicator.--The term ``cyber threat 
        indicator'' has the meaning given such term in section 
        102 of the Cybersecurity Act of 2015.
          (3) Director.--The term ``Director'' means the 
        Director of the Cybersecurity and Infrastructure 
        Security Agency.
          (4) Incident.--The term ``incident'' has the meaning 
        given such term in section 2209.
          (5) Information sharing and analysis organization.--
        The term ``information sharing and analysis 
        organization'' has the meaning given such term in 
        section 2222.
          (6) Information system.--The term ``information 
        system'' has the meaning given such term in section 
        102(9) of the Cybersecurity Act of 2015 (6 U.S.C. 
        1501(9)).
          (7) Key resources.--The term ``key resources'' has 
        the meaning given that term in section 2.
          (8) Online service.--The term ``online service'' 
        means any internet-facing service, including a website, 
        email, virtual private network, or custom application.
          (9) State.--The term ``State''--
                  (A) means each of the several States, the 
                District of Columbia, and the territories and 
                possessions of the United States; and
                  (B) includes any federally recognized Indian 
                tribe that notifies the Secretary, not later 
                than 120 days after the date of the enactment 
                of this section or not later than 120 days 
                before the start of any fiscal year in which a 
                grant under this section is awarded, that the 
                tribe intends to develop a Cybersecurity Plan 
                and agrees to forfeit any distribution under 
                subsection (l)(2).

SEC. 2216. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR STATE, LOCAL, 
                    TRIBAL, AND TERRITORIAL GOVERNMENT OFFICIALS.

  The Secretary, acting through the Director, shall develop a 
resource guide for use by State, local, Tribal, and territorial 
government officials, including law enforcement officers, to 
help such officials identify, prepare for, detect, protect 
against, respond to, and recover from cybersecurity risks, 
cybersecurity threats, and incidents (as such term is defined 
in section 2209).

           *       *       *       *       *       *       *