[Senate Report 116-90] [From the U.S. Government Publishing Office] Calendar No. 194 116th Congress } { Report SENATE 1st Session } { 116-90 _______________________________________________________________________ STATE AND LOCAL GOVERNMENT CYBERSECURITY ACT OF 2019 __________ R E P O R T of the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE to accompany S. 1846 TO AMEND THE HOMELAND SECURITY ACT OF 2002 TO PROVIDE FOR ENGAGEMENTS WITH STATE, LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENTS, AND FOR OTHER PURPOSES [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] September 10, 2019.--Ordered to be printed __________ U.S. GOVERNMENT PUBLISHING OFFICE 89-010 WASHINGTON : 2019 COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS RON JOHNSON, Wisconsin, Chairman ROB PORTMAN, Ohio GARY C. PETERS, Michigan RAND PAUL, Kentucky THOMAS R. CARPER, Delaware JAMES LANKFORD, Oklahoma MAGGIE HASSAN, New Hampshire MITT ROMNEY, Utah KAMALA D. HARRIS, California RICK SCOTT, Florida KYRSTEN SINEMA, Arizona MICHAEL B. ENZI, Wyoming JACKY ROSEN, Nevada JOSH HAWLEY, Missouri Gabrielle D'Adamo Singer, Staff Director Joseph C. Folio III, Chief Counsel Andrew J. Timm, Professional Staff Member Michael J.R. Flynn, Senior Counsel David M. Weinberg, Minority Staff Director Zachary I. Schram, Minority Chief Counsel Jeffery D. Rothblum, Minority Fellow Laura W. Kilbride, Chief Clerk Calendar No. 194 116th Congress } { Report SENATE 1st Session } { 116-90 ====================================================================== STATE AND LOCAL GOVERNMENT CYBERSECURITY ACT OF 2019 _______ September 10, 2019.--Ordered to be printed _______ Mr. Johnson, from the Committee on Homeland Security and Governmental Affairs, submitted the following R E P O R T [To accompany S. 1846] [Including cost estimate of the Congressional Budget Office] The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (S. 1846) to amend the Homeland Security Act of 2002 to provide for engagements with State, local, Tribal and territorial governments, and for other purposes, having considered the same, reports favorably thereon with an amendment and recommends that the bill, as amended, do pass. CONTENTS Page I. Purpose and Summary..............................................1 II. Background and Need for the Legislation..........................2 III. Legislative History..............................................5 IV. Section-by-Section Analysis......................................6 VI. Congressional Budget Office Cost Estimate........................7 VII. Changes in Existing Law Made by the Bill, as Reported............8 I. Purpose and Summary The purpose of S. 1846, the State and Local Cybersecurity Act of 2019, is to improve the cybersecurity posture of state, local, tribal, and territorial governments (SLTTs) through the coordination of activities with the Department of Homeland Security's (DHS or the Department) National Cybersecurity and Communications Integration Center (NCCIC). Specifically, this bill requires the NCCIC to coordinate with non-Federal entities, such as the Multi-State Information Sharing and Analysis Center (MS-ISAC), for the purpose of engaging with SLTTs to conduct cybersecurity exercises, provide operational and technical cybersecurity training, and among other things, provide notifications of specific incidents and malware information. The bill also requires the NCCIC to work with senior Federal and non-Federal, state and local officials, including state and local Chief Information Officers and senior election officials, to ensure the effective implementation of information security processes and procedures. The bill codifies the NCCIC's ability to provide, on a voluntary basis, operational and technical assistance to SLTT governments. The Department is also authorized to enter into cooperative agreements or contracts to carry out the responsibilities and coordination activities outlined in this bill. The Department is required to provide a report to Congress one year after enactment, and every two years thereafter on the status of cybersecurity measures in each state and the largest urban areas of the United States. Finally, S. 1846 authorizes DHS to establish a voluntary initiative to deploy technical or analytic capabilities or services that utilize classified cyber threat indicators or intelligence on unclassified, non-Federal entities' information systems to detect and prevent malicious traffic. DHS is required to provide a report to Congress on the status of this initiative one year after the enactment of this bill. II. Background and the Need for Legislation State and local governments are under siege by an unprecedented number of cyberattacks perpetrated by malicious actors and nation-state adversaries exploiting vulnerabilities in government-operated information systems and elections systems.\1\ However, state and local governments often lack the resources and technical capabilities to identify malicious activity, and protect and secure their information systems from vulnerabilities that leave them susceptible to potentially crippling cyberattacks. In May 2019, the cybersecurity firm Recorded Future released a report in which it found that ransomware attacks--a type of cyberattack in which cyber criminals block a victim's access to their computer systems or data until the victim pays a monetary sum usually in some form of cryptocurrency--against state and local governments increased by 39 percent in 2018.\2\ Many states and localities are faced with the difficult choice of paying the ransom or refusing to pay the hackers to decrypt their information systems. In May 2019, the city of Baltimore was attacked by a ransomware virus known as Robinhood, which affected the city's phone system and other electronically administered services, including billing services.\3\ Rather than paying the $76,000 requested by the hackers, the city of Baltimore opted to decline the hackers' offer to decrypt the systems and expects to spend an estimated $18 million to harden and protect the city's information technology infrastructure from future attacks.\4\ --------------------------------------------------------------------------- \1\Benjamin Freed, State and Local Governments Urged to Beef up Ransomware Defense, State Scoop (July 29, 2019), https:// statescoop.com/state-local-government-urged-ransomware-defense/; Benjamin Freed, Report: Ransomware Attacks Against State and Local Government Are on the Rise, State Scoop (May 13, 2019), https:// statescoop.com/report-ransomware-attacks-against-state-and-local- government-are-on-the-rise/. \2\Allan Liska, Early Findings: Review of State and Local Government Ransomware Attacks, Recorded Future 2 (Apr. 2019), https:// www.recordedfuture.com/state-local-government-ransomware-attacks/. \3\Benjamin Freed, Baltimore Approves $10 Million for Ransomware Recovery, State Scoop (July 26, 2019), https://statescoop.com/ baltimore-city-council-approves-10-million-ransomware-recovery/. \4\Id. --------------------------------------------------------------------------- To help SLTTs protect their systems from ransomware and other cyberattacks, DHS's Cybersecurity and Infrastructure Security Agency and the MS-ISAC, along with a number of other organizations, released a joint statement urging state and local governments to make cyber preparedness a priority by taking pre-emptive measures to secure their networks.\5\ Moreover, in July 2019, the National Governors Association requested that its members develop robust cyber disruption response plans that account for, among other things, continuity of government in a disaster situation.\6\ This follows Louisiana Governor John Bel Edwards' recent decision to declare a state of emergency following a series of ransomware attacks that disabled the computer systems of districts throughout the state.\7\ --------------------------------------------------------------------------- \5\CISA, MS-ISAC, NGA & NASCIO Recommend Immediate Action To Safeguard Against Ransomware Attacks, https://www.nascio.org/Portals/0/ Ransomware%20Statement.pdf (last visited July 30, 2019). \6\State Cyber Disruption Response Plans, Nat'l Governors' Assc. (July 2019), https://www.nga.org/wp-content/uploads/2019/04/ IssueBrief_MG.pdf. \7\La. Proc. No. 115 JBE 2019 (July 24, 2019), http:// gov.louisiana.gov/assets/EmergencyProclamations/115-JBE-2019-State-of- Emergency-Cybersecurity-Incident.pdf. --------------------------------------------------------------------------- In the 115th Congress, to better understand the challenges Federal and SLTT governments face when protecting and securing information systems and networks from malicious cyberattacks, the Committee held a hearing on mitigating cybersecurity risks.\8\ During the hearing, then-Assistant Secretary for the Office of Cybersecurity and Communications for the DHS's National Protection and Programs Directorate Jeanette Manfra noted that DHS ``recognize[s] that there is a significant technology deficit across state and local governments, and State and local election systems, in particular.''\9\ She also testified that in response to Russian information operations during the 2016 election, DHS is ``leading the interagency effort to provide voluntary assistance to State and local officials'' to defend election infrastructure.\10\ At the same hearing, Eric Rosenbach, Co-Director of the Belfer Center for Science and International Affairs at the John F. Kennedy School of Government Affairs at Harvard University, testified that ``States simply are not equipped to face . . . cyber attacks from nation-state adversaries who are spending billions of dollars and dedicating thousands of cyber operators to advance their national interests.''\11\ --------------------------------------------------------------------------- \8\Mitigating America's Cybersecurity Risk: Hearing Before the S. Comm. on Homeland Sec. and Governmental Affairs, 115th Cong. 62 (2018) (testimony of Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office), https://www.govinfo.gov/ content/pkg/CHRG-115shrg32454/pdf/CHRG-115shrg32454.pdf. \9\Id. \10\Id. \11\Id. --------------------------------------------------------------------------- S. 1846 strengthens the SLTT governments' ability to mitigate cybersecurity threats by leveraging established information sharing and coordination mechanisms within the Federal government, such as the NCCIC. In 2013, to clarify public and private sector responsibilities in cybersecurity, the President issued Presidential Policy Directive 21, which established cybersecurity as a ``shared responsibility among the [SLTT] entities.''\12\ In 2014, Congress formally authorized the NCCIC in the National Cybersecurity Protection Act of 2014.\13\ In 2015, Congress further defined the NCCIC's role in the Cybersecurity Act of 2015, by tasking the NCCIC with sharing cyber threat indicators, coordinating information exchange across the Federal Government, and providing information and recommendations on security and resilience to Federal and non-Federal entities.\14\ Currently, the NCCIC functions as the principle civilian cybersecurity and communications entity for information-sharing across the SLTT governments, the Intelligence Community, law enforcement, and international entities.\15\ --------------------------------------------------------------------------- \12\Press Release, The White House, Presidential Policy Directive-- Critical Infrastructure Security and Resilience (Feb. 12, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/ presidential-policy-directive-critical-infrastructure-security-and- resil. \13\National Cybersecurity Protection Act of 2014, Pub. L. No. 113- 282, 128 Stat. 3066. \14\National Cybersecurity Protection Act of 2014, Consolidated Appropriations Act, Pub. L. No. 114-113, 129 Stat. 2242 (2015), and Pub. L. No. 113-282, Sec. 226, 128 Stat. 3067. \15\Cybersecurity and Infrastructure Sec. Agency, Dep't of Homeland Sec., Department of Homeland Security Cybersecurity Support to Nonfederal Levels of Government: State, Local, Tribal, and Territorial Government Entities (2019), https://www.dhs.gov/sites/default/files/ publications/cisa_- _dhs_cybersecurity_support_to_nonfederal_levels_of_government.pdf. --------------------------------------------------------------------------- The NCCIC shares information and coordinates activities through a variety of means, including via information sharing and analysis centers (ISACs). In 2010, DHS designated the MS- ISAC as the cybersecurity ISAC for SLTT governments; the MS- ISAC is the primary resource for disseminating threat information, education materials, and cyber support programs for those entities.\16\ Since the 2010 designation, DHS has provided funding to the MS-ISAC.\17\ Moreover, to better leverage and share threat information with SLTT governments, the MS-ISAC has assigned dedicated staff to the NCCIC's watch floor.\18\ This enables the MS-ISAC to serve as the focal point for threat prevention, protection, response, and recovery for state-level cyber incidents.\19\ As of September 2018, MS-ISAC membership exceeds 4,200 organizations and includes all 50 states.\20\ --------------------------------------------------------------------------- \16\Information Sharing and Awareness, Dep't of Homeland Sec., https://www.dhs.gov/cisa/information-sharing-and-awareness (last visited July 19, 2019). \17\Id. \18\Id. \19\Id. \20\Cybersecurity and Infrastructure Sec. Agency, supra note 15, at 13. --------------------------------------------------------------------------- Since 2012, DHS has funded the MS-ISAC to conduct an annual self-assessment, which is delivered in the form of a report, to measure gaps and capabilities of SLTT governments' cybersecurity programs.\21\ The self-assessment measures SLTT government respondents' maturity levels based on the functions defined in the National Institute of Standards and Technology's Cybersecurity Framework for Critical Infrastructure and divides respondents into three major categories: state, local, and tribal governments. The MS-ISAC's FY 2017 report determined that states are projected to achieve ``the recommended minimum maturity across all functions in 2023'' and local governments are expected to achieve minimum maturity 2024.\22\ The report did not provide an estimate for the tribal government category attaining the minimum recommended maturity level, but noted that as a group, tribal governments declined across all functions by an average of 12 percent in comparison to the previous year.\23\ --------------------------------------------------------------------------- \21\Id. \22\Multi-State Info. Sharing & Analysis Ctr., Dep't of Homeland Sec., Nationwide Cybersecurity Review (2017), https:// www.cisecurity.org/wp-content/uploads/2018/10/NCSR-2017-Final.pdf. \23\Id. at 7. --------------------------------------------------------------------------- In June 2016, DHS's Homeland Security Advisory Council, Cybersecurity Subcommittee also published a report examining DHS's coordination efforts with SLTT entities, and provided findings and recommendations focused on evolving these relationships.\24\ The report recommended DHS enhance its communication with SLTT governments on the availability of cybersecurity training focusing on political leadership. Additionally, the report recommended establishing stronger directives to ensure that all homeland security grant programs integrate cyber protections and cyber personnel recognizing that ``by requiring that a percentage of grant funding be spent on cybersecurity, DHS could make meaningful steps in increasing cybersecurity protections in all new technology purchases.''\25\ --------------------------------------------------------------------------- \24\Homeland Sec. Advisory Council, Dep't of Homeland Sec., Final Report to the Cybersecurity Subcommittee: Part II--State, Local, Tribal & Territorial 1 (2016), https://www.dhs.gov/sites/default/files/ publications/HSAC_Cybersecurity_SLTT_FINAL_Report.pdf. \25\Id. at 11. --------------------------------------------------------------------------- S. 1846, the State and Local Government Cybersecurity Act of 2019, allows the Secretary to award grants to and enter into cooperative agreements and contracts with states, local governments, and non-Federal entities. Additionally, the bill requires that the NCCIC, in coordination with Federal and non- Federal entities, such as the MS-ISAC, conduct exercises, provide operational and technical cybersecurity training to address cybersecurity risks or incidents, and provide, upon request, operational, technical, or material support to secure and ensure the resilience of Federal and non-Federal information and election systems. Finally, the bill would allow the Secretary, at the voluntary request of the non-Federal entity, to deploy technical or analytic capabilities or services utilizing classified cyber threat indicators or intelligence to detect or prevent malicious network traffic on unclassified non-Federal information systems. This provision augments DHS's Enhanced Cybersecurity Services (ECS) program, which is an intrusion prevention capability offered by the Department.\26\ --------------------------------------------------------------------------- \26\Cybersecurity and Infrastructure Sec. Agency, Enhanced Cybersecurity Services (ECS), https://www.dhs.gov/cisa/enhanced- cybersecurity-services-ecs (last visited Aug. 6, 2019). --------------------------------------------------------------------------- III. Legislative History Ranking Member Peters (D-MI) introduced S. 1846 on June 13, 2019, with Senator Rob Portman (R-OH). The bill was referred to the Committee on Homeland Security and Governmental Affairs. The Committee considered S. 1846 at a business meeting on June 19, 2019. During the business meeting, an amendment was offered by Senators Peters and Portman making technical changes. The Committee ordered the bill, as amended, reported favorably by voice vote en bloc. Senators present for both the vote on the amendment and the bill as amended were: Johnson, Portman, Paul, Lankford, Romney, Scott, Enzi, Hawley, Peters, Carper, Hassan, Sinema, and Rosen. IV. Section-by-Section Anaylsis of the Bill, as Reported Section 1. Short title This section would establish the bill may be cited as the ``State and Local Government Cybersecurity Act of 2019.'' Section 2. Amendments to the Homeland Security Act of 2002 Paragraph (1) amends Subtitle A of title XXII of the Homeland Security Act of 2002 to broaden the definition of the term ``entity'' to include domestic or foreign-owned associations, corporations, including for-profit and nonprofits corporations, partnerships, proprietorships, organizations, institutions, establishments, or individuals who are legally able to enter into agreements or contracts with the United States. Paragraph (2) allows the Secretary of the Department of Homeland Security (DHS) authority to make grants and enter into cooperative agreements or contracts with States, local governments, and other non-Federal entities to carry out the Secretary's responsibilities related to cybersecurity and infrastructure protection including providing assistance and education related to cyber threat indicators, defensive measures and cybersecurity technologies, cybersecurity risks, incidents, analysis, and warnings. Paragraph (3) directs the National Cybersecurity and Communications Integration Center (NCCIC) to coordinate with Federal and non-Federal agencies, through such organizations as the Multi-State Information Sharing and Analysis Center, to conduct exercises, provide operational and technical training, and share cyber threat indicators, if requested. Paragraph (3) also directs the NCCIC to provide notifications on incident and malware information specific to their customers and residents; provide and periodically update cybersecurity resources, standards, and best practices and procedures related to information security; work with Federal and non-Federal officials, including State and local Chief Information Officers, senior election officials, and national associations to secure and ensure the resilience of Federal and non-Federal information systems, including election systems; provide operational and technical assistance to detect cybersecurity risks and incidents, including through the deployment and sustainment of cybersecurity technologies, if requested; assist in the development of policies and procedures for the coordinated vulnerability disclosures; ensure awareness at the State and local level of DHS resources on information security for civilian information systems; promote cybersecurity education and awareness through engagement. Paragraph (3) also directs the Secretary to submit a report to the Senate Homeland Security and Governmental Affairs Committee and the House Homeland Security Committee on the status of cybersecurity measures in place and any gaps that exist in each State and the largest urban areas of the United States. Paragraph (3) also authorizes the Secretary to establish an initiative to deploy capabilities or services using classified cyber threat indicators or intelligence to detect and prevent malicious traffic on unclassified non-Federal information systems. Participation in the initiative is voluntary and at the request of the non-Federal entity. This section also requires the Secretary to submit a report not later than one year after the establishment of the initiative containing an assessment of the status, the rate of participation, effectiveness, and recommendations for improvement of this program. V. Evaluation of Regulatory Impact Pursuant to the requirements of paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee has considered the regulatory impact of this bill and determined that the bill will have no regulatory impact within the meaning of the rules. The Committee agrees with the Congressional Budget Office's statement that the bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments. VI. Congressional Budget Office Cost Estimate U.S. Congress, Congressional Budget Office, Washington, DC, July 19, 2019. Hon. Ron Johnson, Chairman, Committee on Homeland Security and Governmental Affairs, U.S. Senate, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 1846, the State and Local Cybersecurity Act of 2019. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Aldo Prosperi. Sincerely, Phillip L. Swagel, Director. Enclosure.No S. 1846 would authorize the Department of Homeland Security (DHS) to continue to coordinate with state and local governments to enhance the cybersecurity of their information systems. Under the bill, the DHS National Cybersecurity and Communications Integration Center (NCCIC) would continue to provide assistance to state and local governments including conducting cybersecurity exercises, providing training, and notifying them of cybersecurity threats. The bill also would authorize DHS to implement an initiative to help state and local governments detect and prevent malicious network traffic on nonfederal information systems. Those governments could choose not to participate in that initiative. The NCCIC is already performing most of the coordination activities authorized in S. 1846. Implementing the voluntary initiative would require hiring additional cybersecurity advisors, deploying sensors to nonfederal networks, and sharing classified information on cybersecurity threats with state and local partners. Using information from DHS, CBO expects that implementing the provision would require, on average, 15 full- time equivalent employees in each year beginning in 2020, at an average annual rate of about $150,000 per employee. On the basis of similar programs, CBO also expects that deploying sensors to state and local governments and sharing classified cybersecurity threats at an unclassified level would cost $20 million. In total, CBO estimates that enacting S. 1846 would cost $31 million over the 2019-2024 period (see Table 1). Such spending would be subject to availability of appropriated funds. TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 1846 ---------------------------------------------------------------------------------------------------------------- By fiscal year, millions of dollars-- ---------------------------------------------------- 2019 2020 2021 2022 2023 2024 2019-2024 ---------------------------------------------------------------------------------------------------------------- Estimated Authorization.................................... 0 21 1 3 3 4 32 Estimated Outlays.......................................... 0 20 1 3 3 4 31 ---------------------------------------------------------------------------------------------------------------- The CBO staff contact for this estimate is Aldo Prosperi. The estimate was reviewed by Leo Lex, Deputy Assistant Director for Budget Analysis. VII. Changes in Existing Law Made by the Bill, as Reported In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, the following changes in existing law made by the bill, as reported, are shown as follows: (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in roman): HOMELAND SECURITY ACT OF 2002 * * * * * * * TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY * * * * * * * Subtitle A--Cybersecurity and Infrastructure Security * * * * * * * SEC. 2201. DEFINITIONS. (1) * * * * * * * * * * (4) Entity.--The term ``entity'' shall include-- (A) an association, corporation, whether for- profit or nonprofit, partnership, proprietorship, organization, institution, establishment, or individual, whether domestically or foreign owned, that has the legal capacity to enter into agreements or contracts, assume obligations, incur and pay debts, sue and be sued in its own right in a court of competent jurisdiction in the United States, and to be held responsible for its actions; (B) a governmental agency or other governmental entity, including State, local, Tribal, and territorial government entities; and (C) the general public. [(4)] (5) * * * [(5)] (6) * * * [(6)] (7) * * * SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY. (a) * * * (b) * * * (c) Responsibilities.--The Director shall-- (1) * * * * * * * * * * (10) carry out cybersecurity, infrastructure security, and emergency communications stakeholder outreach and engagement and coordinate that outreach and engagement with critical infrastructure Sector- Specific Agencies, as appropriate; [and] (11) carry out the authority of the Secretary under subsection (e)(1)(R); and [(11)] (12) carry out such other duties and powers prescribed by law or delegated by the Secretary. * * * * * * * (e) Cybersecurity and Infrastructure Security Authorities of the Secretary.-- (1) In general.--The responsibilities of the Secretary relating to cybersecurity and infrastructure security shall include the following: (A) * * * * * * * * * * (R) To make grants to and enter into cooperative agreements or contracts with States, local governments, and other non- Federal entities as the Secretary determines necessary to carry out the responsibilities of the Secretary related to cybersecurity and infrastructure security under this Act and any other provision of law, including grants, cooperative agreements, and contracts that provide assistance and education related to cyber threat indicators, defensive measures and cybersecurity technologies, cybersecurity risks, incidents, analysis, and warnings. * * * * * * * SEC. 2209. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER. (a) * * * (b) * * * (c) Functions.--The cybersecurity functions of the Center shall include-- (1) ** * * * * * * * * * (6) upon request, providing timely operational and technical assistance, risk management support, and incident response capabilities to Federal and non- Federal entities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents, which may include attribution, mitigation, and remediation; * * * * * * * (d) Composition.-- (1) In general.--The Center shall be composed of-- (A) appropriate representatives of Federal entities, such as-- * * * * * * * (E) an entity that collaborates with State and local government, including an entity that collaborates with election officials, on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the Center; and * * * * * * * (n) Coordination on Cybersecurity for Federal and Non- Federal Entities.-- (1) Coordination.--The Center shall, to the extent practicable, and in coordination as appropriate with Federal and non-Federal entities, such as the Multi- State Information Sharing and Analysis Center-- (A) conduct exercises with Federal and non- Federal entities; (B) provide operational and technical cybersecurity training related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents to Federal and non-Federal entities to address cybersecurity risks or incidents, with or without reimbursement; (C) assist Federal and non-Federal entities, upon request, in sharing cyber threat indicators, defensive measures, cybersecurity risks, and incidents from and to the Federal Government as well as among Federal and non- Federal entities, in order to increase situational awareness and help prevent incidents; (D) provide notifications containing specific incident and malware information that may affect them or their customers and residents; (E) provide and periodically update via a web portal and other means tools, products, resources, policies, guidelines, controls, and other cybersecurity standards and best practices and procedures related to information security; (F) work with senior Federal and non-Federal officials, including State and local Chief Information Officers, senior election officials, and through national associations, to coordinate a nationwide effort to ensure effective implementation of tools, products, resources, policies, guidelines, controls, and procedures related to information security to secure and ensure the resiliency of Federal and non-Federal information systems and including election systems; (G) provide, upon request, operational and technical assistance to Federal and non-Federal entities to implement tools, products, resources, policies, guidelines, controls, and procedures on information security, including by, as appropriate, deploying and sustaining cybersecurity technologies, such as an intrusion detection capability, to assist those Federal and non-Federal entities in detecting cybersecurity risks and incidents; (H) assist Federal and non-Federal entities in developing policies and procedures for coordinating vulnerability disclosures, to the extent practicable, consistent with international and national standards in the information technology industry; (I) ensure that Federal and non-Federal entities, as appropriate, are made aware of the tools, products, resources, policies, guidelines, controls, and procedures on information security developed by the Department and other appropriate Federal departments and agencies for ensuring the security and resiliency of civilian information systems; and (J) promote cybersecurity education and awareness through engagements with Federal and non-Federal entities. (o) Report.--Not later than 1 year after the date of enactment of this subsection, and every 2 years thereafter, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the status of cybersecurity measures that are in place, and any gaps that exist, in each State and in the largest urban areas of the United States. (p) Deployment of Enhanced Capabilities.-- (1) Establishment.--Not later than 180 days after the date of enactment of this subsection, the Secretary may establish an initiative to enhance efforts to deploy technical or analytic capabilities or services that utilize classified threat indicators or intelligence for the purpose of detecting or preventing malicious network traffic on unclassified non-Federal information systems. (2) Voluntary participation.--Activities conducted under this subsection may only be carried out on a voluntary basis upon request of the non-Federal entity. (3) Report.--Not later than 1 year after the date on which the Secretary establishes the initiative under this subsection, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the initiative, which shall include-- (A) the status of the initiative; (B) the rate of voluntary participation in the initiative; (C) the effectiveness of the initiative; and (D) recommendations for expanding the use of classified cyber threat indicators to protect non-Federal entities.