[Senate Report 116-90]
[From the U.S. Government Publishing Office]
Calendar No. 194
116th Congress } { Report
SENATE
1st Session } { 116-90
_______________________________________________________________________
STATE AND LOCAL GOVERNMENT
CYBERSECURITY ACT OF 2019
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 1846
TO AMEND THE HOMELAND SECURITY ACT OF 2002 TO PROVIDE
FOR ENGAGEMENTS WITH STATE, LOCAL, TRIBAL, AND
TERRITORIAL GOVERNMENTS, AND FOR OTHER PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
September 10, 2019.--Ordered to be printed
__________
U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2019
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio GARY C. PETERS, Michigan
RAND PAUL, Kentucky THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah KAMALA D. HARRIS, California
RICK SCOTT, Florida KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri
Gabrielle D'Adamo Singer, Staff Director
Joseph C. Folio III, Chief Counsel
Andrew J. Timm, Professional Staff Member
Michael J.R. Flynn, Senior Counsel
David M. Weinberg, Minority Staff Director
Zachary I. Schram, Minority Chief Counsel
Jeffery D. Rothblum, Minority Fellow
Laura W. Kilbride, Chief Clerk
Calendar No. 194
116th Congress } { Report
SENATE
1st Session } { 116-90
======================================================================
STATE AND LOCAL GOVERNMENT CYBERSECURITY ACT OF 2019
_______
September 10, 2019.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 1846]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 1846) to amend the
Homeland Security Act of 2002 to provide for engagements with
State, local, Tribal and territorial governments, and for other
purposes, having considered the same, reports favorably thereon
with an amendment and recommends that the bill, as amended, do
pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................5
IV. Section-by-Section Analysis......................................6
VI. Congressional Budget Office Cost Estimate........................7
VII. Changes in Existing Law Made by the Bill, as Reported............8
I. Purpose and Summary
The purpose of S. 1846, the State and Local Cybersecurity
Act of 2019, is to improve the cybersecurity posture of state,
local, tribal, and territorial governments (SLTTs) through the
coordination of activities with the Department of Homeland
Security's (DHS or the Department) National Cybersecurity and
Communications Integration Center (NCCIC). Specifically, this
bill requires the NCCIC to coordinate with non-Federal
entities, such as the Multi-State Information Sharing and
Analysis Center (MS-ISAC), for the purpose of engaging with
SLTTs to conduct cybersecurity exercises, provide operational
and technical cybersecurity training, and among other things,
provide notifications of specific incidents and malware
information. The bill also requires the NCCIC to work with
senior Federal and non-Federal, state and local officials,
including state and local Chief Information Officers and senior
election officials, to ensure the effective implementation of
information security processes and procedures.
The bill codifies the NCCIC's ability to provide, on a
voluntary basis, operational and technical assistance to SLTT
governments. The Department is also authorized to enter into
cooperative agreements or contracts to carry out the
responsibilities and coordination activities outlined in this
bill. The Department is required to provide a report to
Congress one year after enactment, and every two years
thereafter on the status of cybersecurity measures in each
state and the largest urban areas of the United States.
Finally, S. 1846 authorizes DHS to establish a voluntary
initiative to deploy technical or analytic capabilities or
services that utilize classified cyber threat indicators or
intelligence on unclassified, non-Federal entities' information
systems to detect and prevent malicious traffic. DHS is
required to provide a report to Congress on the status of this
initiative one year after the enactment of this bill.
II. Background and the Need for Legislation
State and local governments are under siege by an
unprecedented number of cyberattacks perpetrated by malicious
actors and nation-state adversaries exploiting vulnerabilities
in government-operated information systems and elections
systems.\1\ However, state and local governments often lack the
resources and technical capabilities to identify malicious
activity, and protect and secure their information systems from
vulnerabilities that leave them susceptible to potentially
crippling cyberattacks. In May 2019, the cybersecurity firm
Recorded Future released a report in which it found that
ransomware attacks--a type of cyberattack in which cyber
criminals block a victim's access to their computer systems or
data until the victim pays a monetary sum usually in some form
of cryptocurrency--against state and local governments
increased by 39 percent in 2018.\2\ Many states and localities
are faced with the difficult choice of paying the ransom or
refusing to pay the hackers to decrypt their information
systems. In May 2019, the city of Baltimore was attacked by a
ransomware virus known as Robinhood, which affected the city's
phone system and other electronically administered services,
including billing services.\3\ Rather than paying the $76,000
requested by the hackers, the city of Baltimore opted to
decline the hackers' offer to decrypt the systems and expects
to spend an estimated $18 million to harden and protect the
city's information technology infrastructure from future
attacks.\4\
---------------------------------------------------------------------------
\1\Benjamin Freed, State and Local Governments Urged to Beef up
Ransomware Defense, State Scoop (July 29, 2019), https://
statescoop.com/state-local-government-urged-ransomware-defense/;
Benjamin Freed, Report: Ransomware Attacks Against State and Local
Government Are on the Rise, State Scoop (May 13, 2019), https://
statescoop.com/report-ransomware-attacks-against-state-and-local-
government-are-on-the-rise/.
\2\Allan Liska, Early Findings: Review of State and Local
Government Ransomware Attacks, Recorded Future 2 (Apr. 2019), https://
www.recordedfuture.com/state-local-government-ransomware-attacks/.
\3\Benjamin Freed, Baltimore Approves $10 Million for Ransomware
Recovery, State Scoop (July 26, 2019), https://statescoop.com/
baltimore-city-council-approves-10-million-ransomware-recovery/.
\4\Id.
---------------------------------------------------------------------------
To help SLTTs protect their systems from ransomware and
other cyberattacks, DHS's Cybersecurity and Infrastructure
Security Agency and the MS-ISAC, along with a number of other
organizations, released a joint statement urging state and
local governments to make cyber preparedness a priority by
taking pre-emptive measures to secure their networks.\5\
Moreover, in July 2019, the National Governors Association
requested that its members develop robust cyber disruption
response plans that account for, among other things, continuity
of government in a disaster situation.\6\ This follows
Louisiana Governor John Bel Edwards' recent decision to declare
a state of emergency following a series of ransomware attacks
that disabled the computer systems of districts throughout the
state.\7\
---------------------------------------------------------------------------
\5\CISA, MS-ISAC, NGA & NASCIO Recommend Immediate Action To
Safeguard Against Ransomware Attacks, https://www.nascio.org/Portals/0/
Ransomware%20Statement.pdf (last visited July 30, 2019).
\6\State Cyber Disruption Response Plans, Nat'l Governors' Assc.
(July 2019), https://www.nga.org/wp-content/uploads/2019/04/
IssueBrief_MG.pdf.
\7\La. Proc. No. 115 JBE 2019 (July 24, 2019), http://
gov.louisiana.gov/assets/EmergencyProclamations/115-JBE-2019-State-of-
Emergency-Cybersecurity-Incident.pdf.
---------------------------------------------------------------------------
In the 115th Congress, to better understand the challenges
Federal and SLTT governments face when protecting and securing
information systems and networks from malicious cyberattacks,
the Committee held a hearing on mitigating cybersecurity
risks.\8\ During the hearing, then-Assistant Secretary for the
Office of Cybersecurity and Communications for the DHS's
National Protection and Programs Directorate Jeanette Manfra
noted that DHS ``recognize[s] that there is a significant
technology deficit across state and local governments, and
State and local election systems, in particular.''\9\ She also
testified that in response to Russian information operations
during the 2016 election, DHS is ``leading the interagency
effort to provide voluntary assistance to State and local
officials'' to defend election infrastructure.\10\ At the same
hearing, Eric Rosenbach, Co-Director of the Belfer Center for
Science and International Affairs at the John F. Kennedy School
of Government Affairs at Harvard University, testified that
``States simply are not equipped to face . . . cyber attacks
from nation-state adversaries who are spending billions of
dollars and dedicating thousands of cyber operators to advance
their national interests.''\11\
---------------------------------------------------------------------------
\8\Mitigating America's Cybersecurity Risk: Hearing Before the S.
Comm. on Homeland Sec. and Governmental Affairs, 115th Cong. 62 (2018)
(testimony of Gregory C. Wilshusen, Director, Information Security
Issues, Government Accountability Office), https://www.govinfo.gov/
content/pkg/CHRG-115shrg32454/pdf/CHRG-115shrg32454.pdf.
\9\Id.
\10\Id.
\11\Id.
---------------------------------------------------------------------------
S. 1846 strengthens the SLTT governments' ability to
mitigate cybersecurity threats by leveraging established
information sharing and coordination mechanisms within the
Federal government, such as the NCCIC. In 2013, to clarify
public and private sector responsibilities in cybersecurity,
the President issued Presidential Policy Directive 21, which
established cybersecurity as a ``shared responsibility among
the [SLTT] entities.''\12\ In 2014, Congress formally
authorized the NCCIC in the National Cybersecurity Protection
Act of 2014.\13\ In 2015, Congress further defined the NCCIC's
role in the Cybersecurity Act of 2015, by tasking the NCCIC
with sharing cyber threat indicators, coordinating information
exchange across the Federal Government, and providing
information and recommendations on security and resilience to
Federal and non-Federal entities.\14\ Currently, the NCCIC
functions as the principle civilian cybersecurity and
communications entity for information-sharing across the SLTT
governments, the Intelligence Community, law enforcement, and
international entities.\15\
---------------------------------------------------------------------------
\12\Press Release, The White House, Presidential Policy Directive--
Critical Infrastructure Security and Resilience (Feb. 12, 2013),
https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/
presidential-policy-directive-critical-infrastructure-security-and-
resil.
\13\National Cybersecurity Protection Act of 2014, Pub. L. No. 113-
282, 128 Stat. 3066.
\14\National Cybersecurity Protection Act of 2014, Consolidated
Appropriations Act, Pub. L. No. 114-113, 129 Stat. 2242 (2015), and
Pub. L. No. 113-282, Sec. 226, 128 Stat. 3067.
\15\Cybersecurity and Infrastructure Sec. Agency, Dep't of Homeland
Sec., Department of Homeland Security Cybersecurity Support to
Nonfederal Levels of Government: State, Local, Tribal, and Territorial
Government Entities (2019), https://www.dhs.gov/sites/default/files/
publications/cisa_-
_dhs_cybersecurity_support_to_nonfederal_levels_of_government.pdf.
---------------------------------------------------------------------------
The NCCIC shares information and coordinates activities
through a variety of means, including via information sharing
and analysis centers (ISACs). In 2010, DHS designated the MS-
ISAC as the cybersecurity ISAC for SLTT governments; the MS-
ISAC is the primary resource for disseminating threat
information, education materials, and cyber support programs
for those entities.\16\ Since the 2010 designation, DHS has
provided funding to the MS-ISAC.\17\ Moreover, to better
leverage and share threat information with SLTT governments,
the MS-ISAC has assigned dedicated staff to the NCCIC's watch
floor.\18\ This enables the MS-ISAC to serve as the focal point
for threat prevention, protection, response, and recovery for
state-level cyber incidents.\19\ As of September 2018, MS-ISAC
membership exceeds 4,200 organizations and includes all 50
states.\20\
---------------------------------------------------------------------------
\16\Information Sharing and Awareness, Dep't of Homeland Sec.,
https://www.dhs.gov/cisa/information-sharing-and-awareness (last
visited July 19, 2019).
\17\Id.
\18\Id.
\19\Id.
\20\Cybersecurity and Infrastructure Sec. Agency, supra note 15, at
13.
---------------------------------------------------------------------------
Since 2012, DHS has funded the MS-ISAC to conduct an annual
self-assessment, which is delivered in the form of a report, to
measure gaps and capabilities of SLTT governments'
cybersecurity programs.\21\ The self-assessment measures SLTT
government respondents' maturity levels based on the functions
defined in the National Institute of Standards and Technology's
Cybersecurity Framework for Critical Infrastructure and divides
respondents into three major categories: state, local, and
tribal governments. The MS-ISAC's FY 2017 report determined
that states are projected to achieve ``the recommended minimum
maturity across all functions in 2023'' and local governments
are expected to achieve minimum maturity 2024.\22\ The report
did not provide an estimate for the tribal government category
attaining the minimum recommended maturity level, but noted
that as a group, tribal governments declined across all
functions by an average of 12 percent in comparison to the
previous year.\23\
---------------------------------------------------------------------------
\21\Id.
\22\Multi-State Info. Sharing & Analysis Ctr., Dep't of Homeland
Sec., Nationwide Cybersecurity Review (2017), https://
www.cisecurity.org/wp-content/uploads/2018/10/NCSR-2017-Final.pdf.
\23\Id. at 7.
---------------------------------------------------------------------------
In June 2016, DHS's Homeland Security Advisory Council,
Cybersecurity Subcommittee also published a report examining
DHS's coordination efforts with SLTT entities, and provided
findings and recommendations focused on evolving these
relationships.\24\ The report recommended DHS enhance its
communication with SLTT governments on the availability of
cybersecurity training focusing on political leadership.
Additionally, the report recommended establishing stronger
directives to ensure that all homeland security grant programs
integrate cyber protections and cyber personnel recognizing
that ``by requiring that a percentage of grant funding be spent
on cybersecurity, DHS could make meaningful steps in increasing
cybersecurity protections in all new technology
purchases.''\25\
---------------------------------------------------------------------------
\24\Homeland Sec. Advisory Council, Dep't of Homeland Sec., Final
Report to the Cybersecurity Subcommittee: Part II--State, Local, Tribal
& Territorial 1 (2016), https://www.dhs.gov/sites/default/files/
publications/HSAC_Cybersecurity_SLTT_FINAL_Report.pdf.
\25\Id. at 11.
---------------------------------------------------------------------------
S. 1846, the State and Local Government Cybersecurity Act
of 2019, allows the Secretary to award grants to and enter into
cooperative agreements and contracts with states, local
governments, and non-Federal entities. Additionally, the bill
requires that the NCCIC, in coordination with Federal and non-
Federal entities, such as the MS-ISAC, conduct exercises,
provide operational and technical cybersecurity training to
address cybersecurity risks or incidents, and provide, upon
request, operational, technical, or material support to secure
and ensure the resilience of Federal and non-Federal
information and election systems.
Finally, the bill would allow the Secretary, at the
voluntary request of the non-Federal entity, to deploy
technical or analytic capabilities or services utilizing
classified cyber threat indicators or intelligence to detect or
prevent malicious network traffic on unclassified non-Federal
information systems. This provision augments DHS's Enhanced
Cybersecurity Services (ECS) program, which is an intrusion
prevention capability offered by the Department.\26\
---------------------------------------------------------------------------
\26\Cybersecurity and Infrastructure Sec. Agency, Enhanced
Cybersecurity Services (ECS), https://www.dhs.gov/cisa/enhanced-
cybersecurity-services-ecs (last visited Aug. 6, 2019).
---------------------------------------------------------------------------
III. Legislative History
Ranking Member Peters (D-MI) introduced S. 1846 on June 13,
2019, with Senator Rob Portman (R-OH). The bill was referred to
the Committee on Homeland Security and Governmental Affairs.
The Committee considered S. 1846 at a business meeting on
June 19, 2019. During the business meeting, an amendment was
offered by Senators Peters and Portman making technical
changes. The Committee ordered the bill, as amended, reported
favorably by voice vote en bloc. Senators present for both the
vote on the amendment and the bill as amended were: Johnson,
Portman, Paul, Lankford, Romney, Scott, Enzi, Hawley, Peters,
Carper, Hassan, Sinema, and Rosen.
IV. Section-by-Section Anaylsis of the Bill, as Reported
Section 1. Short title
This section would establish the bill may be cited as the
``State and Local Government Cybersecurity Act of 2019.''
Section 2. Amendments to the Homeland Security Act of 2002
Paragraph (1) amends Subtitle A of title XXII of the
Homeland Security Act of 2002 to broaden the definition of the
term ``entity'' to include domestic or foreign-owned
associations, corporations, including for-profit and nonprofits
corporations, partnerships, proprietorships, organizations,
institutions, establishments, or individuals who are legally
able to enter into agreements or contracts with the United
States.
Paragraph (2) allows the Secretary of the Department of
Homeland Security (DHS) authority to make grants and enter into
cooperative agreements or contracts with States, local
governments, and other non-Federal entities to carry out the
Secretary's responsibilities related to cybersecurity and
infrastructure protection including providing assistance and
education related to cyber threat indicators, defensive
measures and cybersecurity technologies, cybersecurity risks,
incidents, analysis, and warnings.
Paragraph (3) directs the National Cybersecurity and
Communications Integration Center (NCCIC) to coordinate with
Federal and non-Federal agencies, through such organizations as
the Multi-State Information Sharing and Analysis Center, to
conduct exercises, provide operational and technical training,
and share cyber threat indicators, if requested. Paragraph (3)
also directs the NCCIC to provide notifications on incident and
malware information specific to their customers and residents;
provide and periodically update cybersecurity resources,
standards, and best practices and procedures related to
information security; work with Federal and non-Federal
officials, including State and local Chief Information
Officers, senior election officials, and national associations
to secure and ensure the resilience of Federal and non-Federal
information systems, including election systems; provide
operational and technical assistance to detect cybersecurity
risks and incidents, including through the deployment and
sustainment of cybersecurity technologies, if requested; assist
in the development of policies and procedures for the
coordinated vulnerability disclosures; ensure awareness at the
State and local level of DHS resources on information security
for civilian information systems; promote cybersecurity
education and awareness through engagement.
Paragraph (3) also directs the Secretary to submit a report
to the Senate Homeland Security and Governmental Affairs
Committee and the House Homeland Security Committee on the
status of cybersecurity measures in place and any gaps that
exist in each State and the largest urban areas of the United
States.
Paragraph (3) also authorizes the Secretary to establish an
initiative to deploy capabilities or services using classified
cyber threat indicators or intelligence to detect and prevent
malicious traffic on unclassified non-Federal information
systems. Participation in the initiative is voluntary and at
the request of the non-Federal entity. This section also
requires the Secretary to submit a report not later than one
year after the establishment of the initiative containing an
assessment of the status, the rate of participation,
effectiveness, and recommendations for improvement of this
program.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, July 19, 2019.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 1846, the State and
Local Cybersecurity Act of 2019.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
No S. 1846 would authorize the Department of Homeland
Security (DHS) to continue to coordinate with state and local
governments to enhance the cybersecurity of their information
systems. Under the bill, the DHS National Cybersecurity and
Communications Integration Center (NCCIC) would continue to
provide assistance to state and local governments including
conducting cybersecurity exercises, providing training, and
notifying them of cybersecurity threats. The bill also would
authorize DHS to implement an initiative to help state and
local governments detect and prevent malicious network traffic
on nonfederal information systems. Those governments could
choose not to participate in that initiative.
The NCCIC is already performing most of the coordination
activities authorized in S. 1846. Implementing the voluntary
initiative would require hiring additional cybersecurity
advisors, deploying sensors to nonfederal networks, and sharing
classified information on cybersecurity threats with state and
local partners. Using information from DHS, CBO expects that
implementing the provision would require, on average, 15 full-
time equivalent employees in each year beginning in 2020, at an
average annual rate of about $150,000 per employee. On the
basis of similar programs, CBO also expects that deploying
sensors to state and local governments and sharing classified
cybersecurity threats at an unclassified level would cost $20
million. In total, CBO estimates that enacting S. 1846 would
cost $31 million over the 2019-2024 period (see Table 1). Such
spending would be subject to availability of appropriated
funds.
TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 1846
----------------------------------------------------------------------------------------------------------------
By fiscal year, millions of dollars--
----------------------------------------------------
2019 2020 2021 2022 2023 2024 2019-2024
----------------------------------------------------------------------------------------------------------------
Estimated Authorization.................................... 0 21 1 3 3 4 32
Estimated Outlays.......................................... 0 20 1 3 3 4 31
----------------------------------------------------------------------------------------------------------------
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Assistant Director
for Budget Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, the following changes in existing
law made by the bill, as reported, are shown as follows:
(existing law proposed to be omitted is enclosed in black
brackets, new matter is printed in italic, existing law in
which no change is proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
* * * * * * *
Subtitle A--Cybersecurity and Infrastructure Security
* * * * * * *
SEC. 2201. DEFINITIONS.
(1) * * *
* * * * * * *
(4) Entity.--The term ``entity'' shall include--
(A) an association, corporation, whether for-
profit or nonprofit, partnership,
proprietorship, organization, institution,
establishment, or individual, whether
domestically or foreign owned, that has the
legal capacity to enter into agreements or
contracts, assume obligations, incur and pay
debts, sue and be sued in its own right in a
court of competent jurisdiction in the United
States, and to be held responsible for its
actions;
(B) a governmental agency or other
governmental entity, including State, local,
Tribal, and territorial government entities;
and
(C) the general public.
[(4)] (5) * * *
[(5)] (6) * * *
[(6)] (7) * * *
SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.
(a) * * *
(b) * * *
(c) Responsibilities.--The Director shall--
(1) * * *
* * * * * * *
(10) carry out cybersecurity, infrastructure
security, and emergency communications stakeholder
outreach and engagement and coordinate that outreach
and engagement with critical infrastructure Sector-
Specific Agencies, as appropriate; [and]
(11) carry out the authority of the Secretary under
subsection (e)(1)(R); and
[(11)] (12) carry out such other duties and powers
prescribed by law or delegated by the Secretary.
* * * * * * *
(e) Cybersecurity and Infrastructure Security Authorities
of the Secretary.--
(1) In general.--The responsibilities of the
Secretary relating to cybersecurity and infrastructure
security shall include the following:
(A) * * *
* * * * * * *
(R) To make grants to and enter into
cooperative agreements or contracts with
States, local governments, and other non-
Federal entities as the Secretary determines
necessary to carry out the responsibilities of
the Secretary related to cybersecurity and
infrastructure security under this Act and any
other provision of law, including grants,
cooperative agreements, and contracts that
provide assistance and education related to
cyber threat indicators, defensive measures and
cybersecurity technologies, cybersecurity
risks, incidents, analysis, and warnings.
* * * * * * *
SEC. 2209. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION
CENTER.
(a) * * *
(b) * * *
(c) Functions.--The cybersecurity functions of the Center
shall include--
(1) ** * *
* * * * * * *
(6) upon request, providing timely operational and
technical assistance, risk management support, and
incident response capabilities to Federal and non-
Federal entities with respect to cyber threat
indicators, defensive measures, cybersecurity risks,
and incidents, which may include attribution,
mitigation, and remediation;
* * * * * * *
(d) Composition.--
(1) In general.--The Center shall be composed of--
(A) appropriate representatives of Federal
entities, such as--
* * * * * * *
(E) an entity that collaborates with State
and local government, including an entity that
collaborates with election officials, on
cybersecurity risks and incidents, and has
entered into a voluntary information sharing
relationship with the Center; and
* * * * * * *
(n) Coordination on Cybersecurity for Federal and Non-
Federal Entities.--
(1) Coordination.--The Center shall, to the extent
practicable, and in coordination as appropriate with
Federal and non-Federal entities, such as the Multi-
State Information Sharing and Analysis Center--
(A) conduct exercises with Federal and non-
Federal entities;
(B) provide operational and technical
cybersecurity training related to cyber threat
indicators, defensive measures, cybersecurity
risks, and incidents to Federal and non-Federal
entities to address cybersecurity risks or
incidents, with or without reimbursement;
(C) assist Federal and non-Federal entities,
upon request, in sharing cyber threat
indicators, defensive measures, cybersecurity
risks, and incidents from and to the Federal
Government as well as among Federal and non-
Federal entities, in order to increase
situational awareness and help prevent
incidents;
(D) provide notifications containing specific
incident and malware information that may
affect them or their customers and residents;
(E) provide and periodically update via a web
portal and other means tools, products,
resources, policies, guidelines, controls, and
other cybersecurity standards and best
practices and procedures related to information
security;
(F) work with senior Federal and non-Federal
officials, including State and local Chief
Information Officers, senior election
officials, and through national associations,
to coordinate a nationwide effort to ensure
effective implementation of tools, products,
resources, policies, guidelines, controls, and
procedures related to information security to
secure and ensure the resiliency of Federal and
non-Federal information systems and including
election systems;
(G) provide, upon request, operational and
technical assistance to Federal and non-Federal
entities to implement tools, products,
resources, policies, guidelines, controls, and
procedures on information security, including
by, as appropriate, deploying and sustaining
cybersecurity technologies, such as an
intrusion detection capability, to assist those
Federal and non-Federal entities in detecting
cybersecurity risks and incidents;
(H) assist Federal and non-Federal entities
in developing policies and procedures for
coordinating vulnerability disclosures, to the
extent practicable, consistent with
international and national standards in the
information technology industry;
(I) ensure that Federal and non-Federal
entities, as appropriate, are made aware of the
tools, products, resources, policies,
guidelines, controls, and procedures on
information security developed by the
Department and other appropriate Federal
departments and agencies for ensuring the
security and resiliency of civilian information
systems; and
(J) promote cybersecurity education and
awareness through engagements with Federal and
non-Federal entities.
(o) Report.--Not later than 1 year after the date of
enactment of this subsection, and every 2 years thereafter, the
Secretary shall submit to the Committee on Homeland Security
and Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives a report on
the status of cybersecurity measures that are in place, and any
gaps that exist, in each State and in the largest urban areas
of the United States.
(p) Deployment of Enhanced Capabilities.--
(1) Establishment.--Not later than 180 days after the
date of enactment of this subsection, the Secretary may
establish an initiative to enhance efforts to deploy
technical or analytic capabilities or services that
utilize classified threat indicators or intelligence
for the purpose of detecting or preventing malicious
network traffic on unclassified non-Federal information
systems.
(2) Voluntary participation.--Activities conducted
under this subsection may only be carried out on a
voluntary basis upon request of the non-Federal entity.
(3) Report.--Not later than 1 year after the date on
which the Secretary establishes the initiative under
this subsection, the Secretary shall submit to the
Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Homeland Security of
the House of Representatives a report on the
initiative, which shall include--
(A) the status of the initiative;
(B) the rate of voluntary participation in
the initiative;
(C) the effectiveness of the initiative; and
(D) recommendations for expanding the use of
classified cyber threat indicators to protect
non-Federal entities.