[House Report 117-48]
[From the U.S. Government Publishing Office]


117th Congress  }                                              {   Report
                          HOUSE OF REPRESENTATIVES
 1st Session    }                                              {   117-48

======================================================================



 
             STATE AND LOCAL CYBERSECURITY IMPROVEMENT ACT

                                _______
                                

  June 1, 2021.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

 Mr. Thompson of Mississippi, from the Committee on Homeland Security, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 3138]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 3138) to amend the Homeland Security Act of 2002 
to authorize a grant program relating to the cybersecurity of 
State and local governments, and for other purposes, having 
considered the same, reports favorably thereon with an 
amendment and recommends that the bill as amended do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................    11
Background and Need for Legislation..............................    12
Hearings.........................................................    13
Committee Consideration..........................................    14
Committee Votes..................................................    14
Committee Oversight Findings.....................................    14
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and 
  Tax Expenditures...............................................    15
Federal Mandates Statement.......................................    15
Duplicative Federal Programs.....................................    15
Statement of General Performance Goals and Objectives............    15
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits Advisory Committee Statement..........................    15
Applicability to Legislative Branch..............................    15
Section-by-Section Analysis of the Legislation...................    16
Changes in Existing Law Made by the Bill, as Reported............    19

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``State and Local Cybersecurity 
Improvement Act''.

SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

  (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following new sections:

``SEC. 2220A. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

  ``(a) Definitions.--In this section:
          ``(1) Cyber threat indicator.--The term `cyber threat 
        indicator' has the meaning given the term in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501).
          ``(2) Cybersecurity plan.--The term `Cybersecurity Plan' 
        means a plan submitted by an eligible entity under subsection 
        (e)(1).
          ``(3) Eligible entity.--The term `eligible entity' means--
                  ``(A) a State; or
                  ``(B) an Indian tribe that, not later than 120 days 
                after the date of the enactment of this section or not 
                later than 120 days before the start of any fiscal year 
                in which a grant under this section is awarded--
                          ``(i) notifies the Secretary that the Indian 
                        tribe intends to develop a Cybersecurity Plan; 
                        and
                          ``(ii) agrees to forfeit any distribution 
                        under subsection (n)(2).
          ``(4) Incident.--The term `incident' has the meaning given 
        the term in section 2209.
          ``(5) Indian tribe; tribal organization.--The term `Indian 
        tribe' or `Tribal organization' has the meaning given that term 
        in section 4(e) of the of the Indian Self-Determination and 
        Education Assistance Act (25 U.S.C. 5304(e)).
          ``(6) Information sharing and analysis organization.--The 
        term `information sharing and analysis organization' has the 
        meaning given the term in section 2222.
          ``(7) Information system.--The term `information system' has 
        the meaning given the term in section 102 of the Cybersecurity 
        Act of 2015 (6 U.S.C. 1501).
          ``(8) Online service.--The term `online service' means any 
        internet-facing service, including a website, email, virtual 
        private network, or custom application.
          ``(9) Ransomware incident.--The term `ransomware incident' 
        means an incident that actually or imminently jeopardizes, 
        without lawful authority, the integrity, confidentiality, or 
        availability of information on an information system, or 
        actually or imminently jeopardizes, without lawful authority, 
        an information system for the purpose of coercing the 
        information system's owner, operator, or another person.
          ``(9) State and local cybersecurity grant program.--The term 
        `State and Local Cybersecurity Grant Program' means the program 
        established under subsection (b).
          ``(10) State and local cybersecurity resilience committee.--
        The term `State and Local Cybersecurity Resilience Committee' 
        means the committee established under subsection (o)(1).
  ``(b) Establishment.--
          ``(1) In general.--The Secretary, acting through the 
        Director, shall establish a program, to be known as the `the 
        State and Local Cybersecurity Grant Program', to award grants 
        to eligible entities to address cybersecurity risks and 
        cybersecurity threats to information systems of State, local, 
        or Tribal organizations.
          ``(2) Application.--An eligible entity seeking a grant under 
        the State and Local Cybersecurity Grant Program shall submit to 
        the Secretary an application at such time, in such manner, and 
        containing such information as the Secretary may require.
  ``(c) Baseline Requirements.--An eligible entity or multistate group 
that receives a grant under this section shall use the grant in 
compliance with--
          ``(1)(A) the Cybersecurity Plan of the eligible entity or the 
        Cybersecurity Plans of the eligible entities that comprise the 
        multistate group; and
          ``(B) the Homeland Security Strategy to Improve the 
        Cybersecurity of State, Local, Tribal, and Territorial 
        Governments developed under section 2210(e)(1); or
          ``(2) activities carried out under paragraphs (3), (4), and 
        (5) of subsection (h).
  ``(d) Administration.--The State and Local Cybersecurity Grant 
Program shall be administered in the same office of the Department that 
administers grants made under sections 2003 and 2004.
  ``(e) Cybersecurity Plans.--
          ``(1) In general.--An eligible entity applying for a grant 
        under this section shall submit to the Secretary a 
        Cybersecurity Plan for approval.
          ``(2) Required elements.--A Cybersecurity Plan of an eligible 
        entity shall--
                  ``(A) incorporate, to the extent practicable, any 
                existing plans of the eligible entity to protect 
                against cybersecurity risks and cybersecurity threats 
                to information systems of State, local, or Tribal 
                organizations;
                  ``(B) describe, to the extent practicable, how the 
                eligible entity will--
                          ``(i) manage, monitor, and track information 
                        systems, applications, and user accounts owned 
                        or operated by or on behalf of the eligible 
                        entity or by local or Tribal organizations 
                        within the jurisdiction of the eligible entity 
                        and the information technology deployed on 
                        those information systems, including legacy 
                        information systems and information technology 
                        that are no longer supported by the 
                        manufacturer of the systems or technology;
                          ``(ii) monitor, audit, and track activity 
                        between information systems, applications, and 
                        user accounts owned or operated by or on behalf 
                        of the eligible entity or by local or Tribal 
                        organizations within the jurisdiction of the 
                        eligible entity and between those information 
                        systems and information systems not owned or 
                        operated by the eligible entity or by local or 
                        Tribal organizations within the jurisdiction of 
                        the eligible entity;
                          ``(iii) enhance the preparation, response, 
                        and resilience of information systems, 
                        applications, and user accounts owned or 
                        operated by or on behalf of the eligible entity 
                        or local or Tribal organizations against 
                        cybersecurity risks and cybersecurity threats;
                          ``(iv) implement a process of continuous 
                        cybersecurity vulnerability assessments and 
                        threat mitigation practices prioritized by 
                        degree of risk to address cybersecurity risks 
                        and cybersecurity threats on information 
                        systems of the eligible entity or local or 
                        Tribal organizations;
                          ``(v) ensure that State, local, and Tribal 
                        organizations that own or operate information 
                        systems that are located within the 
                        jurisdiction of the eligible entity--
                                  ``(I) adopt best practices and 
                                methodologies to enhance cybersecurity, 
                                such as the practices set forth in the 
                                cybersecurity framework developed by, 
                                and the cyber supply chain risk 
                                management best practices identified 
                                by, the National Institute of Standards 
                                and Technology; and
                                  ``(II) utilize knowledge bases of 
                                adversary tools and tactics to assess 
                                risk;
                          ``(vi) promote the delivery of safe, 
                        recognizable, and trustworthy online services 
                        by State, local, and Tribal organizations, 
                        including through the use of the .gov internet 
                        domain;
                          ``(vii) ensure continuity of operations of 
                        the eligible entity and local, and Tribal 
                        organizations in the event of a cybersecurity 
                        incident (including a ransomware incident), 
                        including by conducting exercises to practice 
                        responding to such an incident;
                          ``(viii) use the National Initiative for 
                        Cybersecurity Education Cybersecurity Workforce 
                        Framework developed by the National Institute 
                        of Standards and Technology to identify and 
                        mitigate any gaps in the cybersecurity 
                        workforces of State, local, or Tribal 
                        organizations, enhance recruitment and 
                        retention efforts for such workforces, and 
                        bolster the knowledge, skills, and abilities of 
                        State, local, and Tribal organization personnel 
                        to address cybersecurity risks and 
                        cybersecurity threats, such as through 
                        cybersecurity hygiene training;
                          ``(ix) ensure continuity of communications 
                        and data networks within the jurisdiction of 
                        the eligible entity between the eligible entity 
                        and local and Tribal organizations that own or 
                        operate information systems within the 
                        jurisdiction of the eligible entity in the 
                        event of an incident involving such 
                        communications or data networks within the 
                        jurisdiction of the eligible entity;
                          ``(x) assess and mitigate, to the greatest 
                        degree possible, cybersecurity risks and 
                        cybersecurity threats related to critical 
                        infrastructure and key resources, the 
                        degradation of which may impact the performance 
                        of information systems within the jurisdiction 
                        of the eligible entity;
                          ``(xi) enhance capabilities to share cyber 
                        threat indicators and related information 
                        between the eligible entity and local and 
                        Tribal organizations that own or operate 
                        information systems within the jurisdiction of 
                        the eligible entity, including by expanding 
                        existing information sharing agreements with 
                        the Department;
                          ``(xii) enhance the capability of the 
                        eligible entity to share cyber threat indictors 
                        and related information with the Department;
                          ``(xiii) leverage cybersecurity services 
                        offered by the Department;
                          ``(xiv) develop and coordinate strategies to 
                        address cybersecurity risks and cybersecurity 
                        threats to information systems of the eligible 
                        entity in consultation with--
                                  ``(I) local and Tribal organizations 
                                within the jurisdiction of the eligible 
                                entity; and
                                  ``(II) as applicable--
                                          ``(aa) States that neighbor 
                                        the jurisdiction of the 
                                        eligible entity or, as 
                                        appropriate, members of an 
                                        information sharing and 
                                        analysis organization; and
                                          ``(bb) countries that 
                                        neighbor the jurisdiction of 
                                        the eligible entity; and
                          ``(xv) implement an information technology 
                        and operational technology modernization 
                        cybersecurity review process that ensures 
                        alignment between information technology and 
                        operational technology cybersecurity 
                        objectives;
                  ``(C) describe, to the extent practicable, the 
                individual responsibilities of the eligible entity and 
                local and Tribal organizations within the jurisdiction 
                of the eligible entity in implementing the plan;
                  ``(D) outline, to the extent practicable, the 
                necessary resources and a timeline for implementing the 
                plan; and
                  ``(E) describe how the eligible entity will measure 
                progress towards implementing the plan.
          ``(3) Discretionary elements.--A Cybersecurity Plan of an 
        eligible entity may include a description of--
                  ``(A) cooperative programs developed by groups of 
                local and Tribal organizations within the jurisdiction 
                of the eligible entity to address cybersecurity risks 
                and cybersecurity threats; and
                  ``(B) programs provided by the eligible entity to 
                support local and Tribal organizations and owners and 
                operators of critical infrastructure to address 
                cybersecurity risks and cybersecurity threats.
          ``(4) Management of funds.--An eligible entity applying for a 
        grant under this section shall agree to designate the Chief 
        Information Officer, the Chief Information Security Officer, or 
        an equivalent official of the eligible entity as the primary 
        official for the management and allocation of funds awarded 
        under this section.
  ``(f) Multistate Grants.--
          ``(1) In general.--The Secretary, acting through the 
        Director, may award grants under this section to a group of two 
        or more eligible entities to support multistate efforts to 
        address cybersecurity risks and cybersecurity threats to 
        information systems within the jurisdictions of the eligible 
        entities.
          ``(2) Satisfaction of other requirements.--In order to be 
        eligible for a multistate grant under this subsection, each 
        eligible entity that comprises a multistate group shall submit 
        to the Secretary--
                  ``(A) a Cybersecurity Plan for approval in accordance 
                with subsection (i); and
                  ``(B) a plan for establishing a cybersecurity 
                planning committee under subsection (g).
          ``(3) Application.--
                  ``(A) In general.--A multistate group applying for a 
                multistate grant under paragraph (1) shall submit to 
                the Secretary an application at such time, in such 
                manner, and containing such information as the 
                Secretary may require.
                  ``(B) Multistate project description.--An application 
                of a multistate group under subparagraph (A) shall 
                include a plan describing--
                          ``(i) the division of responsibilities among 
                        the eligible entities that comprise the 
                        multistate group for administering the grant 
                        for which application is being made;
                          ``(ii) the distribution of funding from such 
                        a grant among the eligible entities that 
                        comprise the multistate group; and
                          ``(iii) how the eligible entities that 
                        comprise the multistate group will work 
                        together to implement the Cybersecurity Plan of 
                        each of those eligible entities.
  ``(g) Planning Committees.--
          ``(1) In general.--An eligible entity that receives a grant 
        under this section shall establish a cybersecurity planning 
        committee to--
                  ``(A) assist in the development, implementation, and 
                revision of the Cybersecurity Plan of the eligible 
                entity;
                  ``(B) approve the Cybersecurity Plan of the eligible 
                entity; and
                  ``(C) assist in the determination of effective 
                funding priorities for a grant under this section in 
                accordance with subsection (h).
          ``(2) Composition.--A committee of an eligible entity 
        established under paragraph (1) shall--
                  ``(A) be comprised of representatives from the 
                eligible entity and counties, cities, towns, Tribes, 
                and public educational and health institutions within 
                the jurisdiction of the eligible entity; and
                  ``(B) include, as appropriate, representatives of 
                rural, suburban, and high-population jurisdictions.
          ``(3) Cybersecurity expertise.--Not less than \1/2\ of the 
        representatives of a committee established under paragraph (1) 
        shall have professional experience relating to cybersecurity or 
        information technology.
          ``(4) Rule of construction regarding existing planning 
        committees.--Nothing in this subsection may be construed to 
        require an eligible entity to establish a cybersecurity 
        planning committee if the eligible entity has established and 
        uses a multijurisdictional planning committee or commission 
        that meets, or may be leveraged to meet, the requirements of 
        this subsection.
  ``(h) Use of Funds.--An eligible entity that receives a grant under 
this section shall use the grant to--
          ``(1) implement the Cybersecurity Plan of the eligible 
        entity;
          ``(2) develop or revise the Cybersecurity Plan of the 
        eligible entity; or
          ``(3) assist with activities that address imminent 
        cybersecurity risks or cybersecurity threats to the information 
        systems of the eligible entity or a local or Tribal 
        organization within the jurisdiction of the eligible entity.
  ``(i) Approval of Plans.--
          ``(1) Approval as condition of grant.--Before an eligible 
        entity may receive a grant under this section, the Secretary, 
        acting through the Director, shall review the Cybersecurity 
        Plan, or any revisions thereto, of the eligible entity and 
        approve such plan, or revised plan, if it satisfies the 
        requirements specified in paragraph (2).
          ``(2) Plan requirements.--In approving a Cybersecurity Plan 
        of an eligible entity under this subsection, the Director shall 
        ensure that the Cybersecurity Plan--
                  ``(A) satisfies the requirements of subsection 
                (e)(2);
                  ``(B) upon the issuance of the Homeland Security 
                Strategy to Improve the Cybersecurity of State, Local, 
                Tribal, and Territorial Governments authorized pursuant 
                to section 2210(e), complies, as appropriate, with the 
                goals and objectives of the strategy; and
                  ``(C) has been approved by the cybersecurity planning 
                committee of the eligible entity established under 
                subsection (g).
          ``(3) Approval of revisions.--The Secretary, acting through 
        the Director, may approve revisions to a Cybersecurity Plan as 
        the Director determines appropriate.
          ``(4) Exception.--Notwithstanding subsection (e) and 
        paragraph (1) of this subsection, the Secretary may award a 
        grant under this section to an eligible entity that does not 
        submit a Cybersecurity Plan to the Secretary if--
                  ``(A) the eligible entity certifies to the Secretary 
                that--
                          ``(i) the activities that will be supported 
                        by the grant are integral to the development of 
                        the Cybersecurity Plan of the eligible entity; 
                        and
                          ``(ii) the eligible entity will submit by 
                        September 30, 2023, to the Secretary a 
                        Cybersecurity Plan for review, and if 
                        appropriate, approval; or
                  ``(B) the eligible entity certifies to the Secretary, 
                and the Director confirms, that the eligible entity 
                will use funds from the grant to assist with the 
                activities described in subsection (h)(3).
  ``(j) Limitations on Uses of Funds.--
          ``(1) In general.--An eligible entity that receives a grant 
        under this section may not use the grant--
                  ``(A) to supplant State, local, or Tribal funds;
                  ``(B) for any recipient cost-sharing contribution;
                  ``(C) to pay a demand for ransom in an attempt to--
                          ``(i) regain access to information or an 
                        information system of the eligible entity or of 
                        a local or Tribal organization within the 
                        jurisdiction of the eligible entity; or
                          ``(ii) prevent the disclosure of information 
                        that has been removed without authorization 
                        from an information system of the eligible 
                        entity or of a local or Tribal organization 
                        within the jurisdiction of the eligible entity;
                  ``(D) for recreational or social purposes; or
                  ``(E) for any purpose that does not address 
                cybersecurity risks or cybersecurity threats on 
                information systems of the eligible entity or of a 
                local or Tribal organization within the jurisdiction of 
                the eligible entity.
          ``(2) Penalties.--In addition to any other remedy available, 
        the Secretary may take such actions as are necessary to ensure 
        that a recipient of a grant under this section uses the grant 
        for the purposes for which the grant is awarded.
          ``(3) Rule of construction.--Nothing in paragraph (1) may be 
        construed to prohibit the use of grant funds provided to a 
        State, local, or Tribal organization for otherwise permissible 
        uses under this section on the basis that a State, local, or 
        Tribal organization has previously used State, local, or Tribal 
        funds to support the same or similar uses.
  ``(k) Opportunity to Amend Applications.--In considering applications 
for grants under this section, the Secretary shall provide applicants 
with a reasonable opportunity to correct defects, if any, in such 
applications before making final awards.
  ``(l) Apportionment.--For fiscal year 2022 and each fiscal year 
thereafter, the Secretary shall apportion amounts appropriated to carry 
out this section among States as follows:
          ``(1) Baseline amount.--The Secretary shall first apportion 
        0.25 percent of such amounts to each of American Samoa, the 
        Commonwealth of the Northern Mariana Islands, Guam, the U.S. 
        Virgin Islands, and 0.75 percent of such amounts to each of the 
        remaining States.
          ``(2) Remainder.--The Secretary shall apportion the remainder 
        of such amounts in the ratio that--
                  ``(A) the population of each eligible entity, bears 
                to
                  ``(B) the population of all eligible entities.
          ``(3) Minimum allocation to indian tribes.--
                  ``(A) In general.--In apportioning amounts under this 
                section, the Secretary shall ensure that, for each 
                fiscal year, directly eligible Tribes collectively 
                receive, from amounts appropriated under the State and 
                Local Cybersecurity Grant Program, not less than an 
                amount equal to three percent of the total amount 
                appropriated for grants under this section.
                  ``(B) Allocation.--Of the amount reserved under 
                subparagraph (A), funds shall be allocated in a manner 
                determined by the Secretary in consultation with Indian 
                tribes.
                  ``(C) Exception.--This paragraph shall not apply in 
                any fiscal year in which the Secretary--
                          ``(i) receives fewer than five applications 
                        from Indian tribes; or
                          ``(ii) does not approve at least two 
                        application from Indian tribes.
  ``(m) Federal Share.--
          ``(1) In general.--The Federal share of the cost of an 
        activity carried out using funds made available with a grant 
        under this section may not exceed--
                  ``(A) in the case of a grant to an eligible entity--
                          ``(i) for fiscal year 2022, 90 percent;
                          ``(ii) for fiscal year 2023, 80 percent;
                          ``(iii) for fiscal year 2024, 70 percent;
                          ``(iv) for fiscal year 2025, 60 percent; and
                          ``(v) for fiscal year 2026 and each 
                        subsequent fiscal year, 50 percent; and
                  ``(B) in the case of a grant to a multistate group--
                          ``(i) for fiscal year 2022, 95 percent;
                          ``(ii) for fiscal year 2023, 85 percent;
                          ``(iii) for fiscal year 2024, 75 percent;
                          ``(iv) for fiscal year 2025, 65 percent; and
                          ``(v) for fiscal year 2026 and each 
                        subsequent fiscal year, 55 percent.
          ``(2) Waiver.--The Secretary may waive or modify the 
        requirements of paragraph (1) for an Indian tribe if the 
        Secretary determines such a waiver is in the public interest.
  ``(n) Responsibilities of Grantees.--
          ``(1) Certification.--Each eligible entity or multistate 
        group that receives a grant under this section shall certify to 
        the Secretary that the grant will be used--
                  ``(A) for the purpose for which the grant is awarded; 
                and
                  ``(B) in compliance with, as the case may be--
                          ``(i) the Cybersecurity Plan of the eligible 
                        entity;
                          ``(ii) the Cybersecurity Plans of the 
                        eligible entities that comprise the multistate 
                        group; or
                          ``(iii) a purpose approved by the Secretary 
                        under subsection (h) or pursuant to an 
                        exception under subsection (i).
          ``(2) Availability of funds to local and tribal 
        organizations.--Not later than 45 days after the date on which 
        an eligible entity or multistate group receives a grant under 
        this section, the eligible entity or multistate group shall, 
        without imposing unreasonable or unduly burdensome requirements 
        as a condition of receipt, obligate or otherwise make available 
        to local and Tribal organizations within the jurisdiction of 
        the eligible entity or the eligible entities that comprise the 
        multistate group, and as applicable, consistent with the 
        Cybersecurity Plan of the eligible entity or the Cybersecurity 
        Plans of the eligible entities that comprise the multistate 
        group--
                  ``(A) not less than 80 percent of funds available 
                under the grant;
                  ``(B) with the consent of the local and Tribal 
                organizations, items, services, capabilities, or 
                activities having a value of not less than 80 percent 
                of the amount of the grant; or
                  ``(C) with the consent of the local and Tribal 
                organizations, grant funds combined with other items, 
                services, capabilities, or activities having the total 
                value of not less than 80 percent of the amount of the 
                grant.
          ``(3) Certifications regarding distribution of grant funds to 
        local and tribal organizations.--An eligible entity or 
        multistate group shall certify to the Secretary that the 
        eligible entity or multistate group has made the distribution 
        to local, Tribal, and territorial governments required under 
        paragraph (2).
          ``(4) Extension of period.--
                  ``(A) In general.--An eligible entity or multistate 
                group may request in writing that the Secretary extend 
                the period of time specified in paragraph (2) for an 
                additional period of time.
                  ``(B) Approval.--The Secretary may approve a request 
                for an extension under subparagraph (A) if the 
                Secretary determines the extension is necessary to 
                ensure that the obligation and expenditure of grant 
                funds align with the purpose of the State and Local 
                Cybersecurity Grant Program.
          ``(5) Exception.--Paragraph (2) shall not apply to the 
        District of Columbia, the Commonwealth of Puerto Rico, American 
        Samoa, the Commonwealth of the Northern Mariana Islands, Guam, 
        the Virgin Islands, or an Indian tribe.
          ``(6) Direct funding.--If an eligible entity does not make a 
        distribution to a local or Tribal organization required in 
        accordance with paragraph (2), the local or Tribal organization 
        may petition the Secretary to request that grant funds be 
        provided directly to the local or Tribal organization.
          ``(7) Penalties.--In addition to other remedies available to 
        the Secretary, the Secretary may terminate or reduce the amount 
        of a grant awarded under this section to an eligible entity or 
        distribute grant funds previously awarded to such eligible 
        entity directly to the appropriate local or Tribal organization 
        as a replacement grant in an amount the Secretary determines 
        appropriate if such eligible entity violates a requirement of 
        this subsection.
  ``(o) Advisory Committee.--
          ``(1) Establishment.--Not later than 120 days after the date 
        of enactment of this section, the Director shall establish a 
        State and Local Cybersecurity Resilience Committee to provide 
        State, local, and Tribal stakeholder expertise, situational 
        awareness, and recommendations to the Director, as appropriate, 
        regarding how to--
                  ``(A) address cybersecurity risks and cybersecurity 
                threats to information systems of State, local, or 
                Tribal organizations; and
                  ``(B) improve the ability of State, local, and Tribal 
                organizations to prevent, protect against, respond to, 
                mitigate, and recover from such cybersecurity risks and 
                cybersecurity threats.
          ``(2) Duties.--The committee established under paragraph (1) 
        shall--
                  ``(A) submit to the Director recommendations that may 
                inform guidance for applicants for grants under this 
                section;
                  ``(B) upon the request of the Director, provide to 
                the Director technical assistance to inform the review 
                of Cybersecurity Plans submitted by applicants for 
                grants under this section, and, as appropriate, submit 
                to the Director recommendations to improve those plans 
                prior to the approval of the plans under subsection 
                (i);
                  ``(C) advise and provide to the Director input 
                regarding the Homeland Security Strategy to Improve 
                Cybersecurity for State, Local, Tribal, and Territorial 
                Governments required under section 2210;
                  ``(D) upon the request of the Director, provide to 
                the Director recommendations, as appropriate, regarding 
                how to--
                          ``(i) address cybersecurity risks and 
                        cybersecurity threats on information systems of 
                        State, local, or Tribal organizations; and
                          ``(ii) improve the cybersecurity resilience 
                        of State, local, or Tribal organizations; and
                  ``(E) regularly coordinate with the State, Local, 
                Tribal and Territorial Government Coordinating Council, 
                within the Critical Infrastructure Partnership Advisory 
                Council, established under section 871.
          ``(3) Membership.--
                  ``(A) Number and appointment.--The State and Local 
                Cybersecurity Resilience Committee established pursuant 
                to paragraph (1) shall be composed of 15 members 
                appointed by the Director, as follows:
                          ``(i) Two individuals recommended to the 
                        Director by the National Governors Association.
                          ``(ii) Two individuals recommended to the 
                        Director by the National Association of State 
                        Chief Information Officers.
                          ``(iii) One individual recommended to the 
                        Director by the National Guard Bureau.
                          ``(iv) Two individuals recommended to the 
                        Director by the National Association of 
                        Counties.
                          ``(v) One individual recommended to the 
                        Director by the National League of Cities.
                          ``(vi) One individual recommended to the 
                        Director by the United States Conference of 
                        Mayors.
                          ``(vii) One individual recommended to the 
                        Director by the Multi-State Information Sharing 
                        and Analysis Center.
                          ``(viii) One individual recommended to the 
                        Director by the National Congress of American 
                        Indians.
                          ``(viii) Four individuals who have 
                        educational and professional experience 
                        relating to cybersecurity work or cybersecurity 
                        policy.
                  ``(B) Terms.--
                          ``(i) In general.--Subject to clause (ii), 
                        each member of the State and Local 
                        Cybersecurity Resilience Committee shall be 
                        appointed for a term of two years.
                          ``(ii) Requirement.--At least two members of 
                        the State and Local Cybersecurity Resilience 
                        Committee shall also be members of the State, 
                        Local, Tribal and Territorial Government 
                        Coordinating Council, within the Critical 
                        Infrastructure Partnership Advisory Council, 
                        established under section 871.
                          ``(iii) Exception.--A term of a member of the 
                        State and Local Cybersecurity Resilience 
                        Committee shall be three years if the member is 
                        appointed initially to the Committee upon the 
                        establishment of the Committee.
                          ``(iv) Term remainders.--Any member of the 
                        State and Local Cybersecurity Resilience 
                        Committee appointed to fill a vacancy occurring 
                        before the expiration of the term for which the 
                        member's predecessor was appointed shall be 
                        appointed only for the remainder of such term. 
                        A member may serve after the expiration of such 
                        member's term until a successor has taken 
                        office.
                          ``(v) Vacancies.--A vacancy in the State and 
                        Local Cybersecurity Resilience Committee shall 
                        be filled in the manner in which the original 
                        appointment was made.
                  ``(C) Pay.--Members of the State and Local 
                Cybersecurity Resilience Committee shall serve without 
                pay.
          ``(4) Chairperson; vice chairperson.--The members of the 
        State and Local Cybersecurity Resilience Committee shall select 
        a chairperson and vice chairperson from among members of the 
        committee.
          ``(5) Permanent authority.--Notwithstanding section 14 of the 
        Federal Advisory Committee Act (5 U.S.C. App.), the State and 
        Local Cybersecurity Resilience Committee shall be a permanent 
        authority.
  ``(p) Reports.--
          ``(1) Annual reports by grant recipients.--
                  ``(A) In general.--Not later than one year after an 
                eligible entity or multistate group receives funds 
                under this section, the eligible entity or multistate 
                group shall submit to the Secretary a report on the 
                progress of the eligible entity or multistate group in 
                implementing the Cybersecurity Plan of the eligible 
                entity or Cybersecurity Plans of the eligible entities 
                that comprise the multistate group, as the case may be.
                  ``(B) Absence of plan.--Not later than 180 days after 
                an eligible entity that does not have a Cybersecurity 
                Plan receives funds under this section for developing 
                its Cybersecurity Plan, the eligible entity shall 
                submit to the Secretary a report describing how the 
                eligible entity obligated and expended grant funds 
                during the fiscal year to--
                          ``(i) so develop such a Cybersecurity Plan; 
                        or
                          ``(ii) assist with the activities described 
                        in subsection (h)(3).
          ``(2) Annual reports to congress.--Not less frequently than 
        once per year, the Secretary, acting through the Director, 
        shall submit to Congress a report on the use of grants awarded 
        under this section and any progress made toward the following:
                  ``(A) Achieving the objectives set forth in the 
                Homeland Security Strategy to Improve the Cybersecurity 
                of State, Local, Tribal, and Territorial Governments, 
                upon the date on which the strategy is issued under 
                section 2210.
                  ``(B) Developing, implementing, or revising 
                Cybersecurity Plans.
                  ``(C) Reducing cybersecurity risks and cybersecurity 
                threats to information systems, applications, and user 
                accounts owned or operated by or on behalf of State, 
                local, and Tribal organizations as a result of the 
                award of such grants.
  ``(q) Authorization of Appropriations.--There are authorized to be 
appropriated for grants under this section--
          ``(1) for each of fiscal years 2022 through 2026, 
        $500,000,000; and
          ``(2) for each subsequent fiscal year, such sums as may be 
        necessary.

``SEC. 2220B. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR STATE, 
                    LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT 
                    OFFICIALS.

  ``The Secretary, acting through the Director, shall develop, 
regularly update, and maintain a resource guide for use by State, 
local, Tribal, and territorial government officials, including law 
enforcement officers, to help such officials identify, prepare for, 
detect, protect against, respond to, and recover from cybersecurity 
risks (as such term is defined in section 2209), cybersecurity threats, 
and incidents (as such term is defined in section 2209).''.
  (b) Clerical Amendment.--The table of contents in section 1(b) of the 
Homeland Security Act of 2002, as amended by section 4, is further 
amended by inserting after the item relating to section 2220 the 
following new items:

``Sec. 2220A. State and Local Cybersecurity Grant Program.
``Sec. 2220B. Cybersecurity resource guide development for State, 
local, Tribal, and territorial government officials.''.

SEC. 3. STRATEGY.

  (a) Homeland Security Strategy to Improve the Cybersecurity of State, 
Local, Tribal, and Territorial Governments.--Section 2210 of the 
Homeland Security Act of 2002 (6 U.S.C. 660) is amended by adding at 
the end the following new subsection:
  ``(e) Homeland Security Strategy to Improve the Cybersecurity of 
State, Local, Tribal, and Territorial Governments.--
          ``(1) In general.--
                  ``(A) Requirement.--Not later than one year after the 
                date of the enactment of this subsection, the 
                Secretary, acting through the Director, shall, in 
                coordination with the heads of appropriate Federal 
                agencies, State, local, Tribal, and territorial 
                governments, the State and Local Cybersecurity 
                Resilience Committee established under section 2220A, 
                and other stakeholders, as appropriate, develop and 
                make publicly available a Homeland Security Strategy to 
                Improve the Cybersecurity of State, Local, Tribal, and 
                Territorial Governments.
                  ``(B) Recommendations and requirements.--The strategy 
                required under subparagraph (A) shall--
                          ``(i) provide recommendations relating to the 
                        ways in which the Federal Government should 
                        support and promote the ability of State, 
                        local, Tribal, and territorial governments to 
                        identify, mitigate against, protect against, 
                        detect, respond to, and recover from 
                        cybersecurity risks (as such term is defined in 
                        section 2209), cybersecurity threats, and 
                        incidents (as such term is defined in section 
                        2209); and
                          ``(ii) establish baseline requirements for 
                        cybersecurity plans under this section and 
                        principles with which such plans shall align.
          ``(2) Contents.--The strategy required under paragraph (1) 
        shall--
                  ``(A) identify capability gaps in the ability of 
                State, local, Tribal, and territorial governments to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, incidents, and ransomware incidents;
                  ``(B) identify Federal resources and capabilities 
                that are available or could be made available to State, 
                local, Tribal, and territorial governments to help 
                those governments identify, protect against, detect, 
                respond to, and recover from cybersecurity risks, 
                cybersecurity threats, incidents, and ransomware 
                incidents;
                  ``(C) identify and assess the limitations of Federal 
                resources and capabilities available to State, local, 
                Tribal, and territorial governments to help those 
                governments identify, protect against, detect, respond 
                to, and recover from cybersecurity risks, cybersecurity 
                threats, incidents, and ransomware incidents and make 
                recommendations to address such limitations;
                  ``(D) identify opportunities to improve the 
                coordination of the Agency with Federal and non-Federal 
                entities, such as the Multi-State Information Sharing 
                and Analysis Center, to improve--
                          ``(i) incident exercises, information sharing 
                        and incident notification procedures;
                          ``(ii) the ability for State, local, Tribal, 
                        and territorial governments to voluntarily 
                        adapt and implement guidance in Federal binding 
                        operational directives; and
                          ``(iii) opportunities to leverage Federal 
                        schedules for cybersecurity investments under 
                        section 502 of title 40, United States Code;
                  ``(E) recommend new initiatives the Federal 
                Government should undertake to improve the ability of 
                State, local, Tribal, and territorial governments to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, incidents, and ransomware incidents;
                  ``(F) set short-term and long-term goals that will 
                improve the ability of State, local, Tribal, and 
                territorial governments to identify, protect against, 
                detect, respond to, and recover from cybersecurity 
                risks, cybersecurity threats, incidents, and ransomware 
                incidents; and
                  ``(G) set dates, including interim benchmarks, as 
                appropriate for State, local, Tribal, and territorial 
                governments to establish baseline capabilities to 
                identify, protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, incidents, and ransomware incidents.
          ``(3) Considerations.--In developing the strategy required 
        under paragraph (1), the Director, in coordination with the 
        heads of appropriate Federal agencies, State, local, Tribal, 
        and territorial governments, the State and Local Cybersecurity 
        Resilience Committee established under section 2220A, and other 
        stakeholders, as appropriate, shall consider--
                  ``(A) lessons learned from incidents that have 
                affected State, local, Tribal, and territorial 
                governments, and exercises with Federal and non-Federal 
                entities;
                  ``(B) the impact of incidents that have affected 
                State, local, Tribal, and territorial governments, 
                including the resulting costs to such governments;
                  ``(C) the information related to the interest and 
                ability of state and non-state threat actors to 
                compromise information systems (as such term is defined 
                in section 102 of the Cybersecurity Act of 2015 (6 
                U.S.C. 1501)) owned or operated by State, local, 
                Tribal, and territorial governments;
                  ``(D) emerging cybersecurity risks and cybersecurity 
                threats to State, local, Tribal, and territorial 
                governments resulting from the deployment of new 
                technologies; and
                  ``(E) recommendations made by the State and Local 
                Cybersecurity Resilience Committee established under 
                section 2220A.
          ``(4) Exemption.--Chapter 35 of title 44, United States Code 
        (commonly known as the `Paperwork Reduction Act'), shall not 
        apply to any action to implement this subsection.''.
  (b) Responsibilities of the Director of the Cybersecurity and 
Infrastructure Security Agency.--Section 2202 of the Homeland Security 
Act of 2002 (6 U.S.C. 652) is amended--
          (1) by redesignating subsections (d) through (i) as 
        subsections (e) through (j), respectively; and
          (2) by inserting after subsection (c) the following new 
        subsection:
  ``(d) Additional Responsibilities.--In addition to the 
responsibilities under subsection (c), the Director shall--
          ``(1) develop program guidance, in consultation with the 
        State and Local Government Cybersecurity Resilience Committee 
        established under section 2220A, for the State and Local 
        Cybersecurity Grant Program under such section or any other 
        homeland security assistance administered by the Department to 
        improve cybersecurity;
          ``(2) review, in consultation with the State and Local 
        Cybersecurity Resilience Committee, all cybersecurity plans of 
        State, local, Tribal, and territorial governments developed 
        pursuant to any homeland security assistance administered by 
        the Department to improve cybersecurity;
          ``(3) provide expertise and technical assistance to State, 
        local, Tribal, and territorial government officials with 
        respect to cybersecurity; and
          ``(4) provide education, training, and capacity development 
        to enhance the security and resilience of cybersecurity and 
        infrastructure security.''.
  (c) Feasibility Study.--Not later than 270 days after the date of the 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security of the Department of Homeland Security shall 
conduct a study to assess the feasibility of implementing a short-term 
rotational program for the detail to the Agency of approved State, 
local, Tribal, and territorial government employees in cyber workforce 
positions.

SEC. 4. TITLE XXII TECHNICAL AND CLERICAL AMENDMENTS.

  (a) Technical Amendments.--
          (1) Homeland security act of 2002.--Subtitle A of title XXII 
        of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is 
        amended--
                  (A) in the first section 2215 (6 U.S.C. 665; relating 
                to the duties and authorities relating to .gov internet 
                domain), by amending the section enumerator and heading 
                to read as follows:

``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET 
                    DOMAIN.'';

                  (B) in the second section 2215 (6 U.S.C. 665b; 
                relating to the joint cyber planning office), by 
                amending the section enumerator and heading to read as 
                follows:

``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';

                  (C) in the third section 2215 (6 U.S.C. 665c; 
                relating to the Cybersecurity State Coordinator), by 
                amending the section enumerator and heading to read as 
                follows:

``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';

                  (D) in the fourth section 2215 (6 U.S.C. 665d; 
                relating to Sector Risk Management Agencies), by 
                amending the section enumerator and heading to read as 
                follows:

``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';

                  (E) in section 2216 (6 U.S.C. 665e; relating to the 
                Cybersecurity Advisory Committee), by amending the 
                section enumerator and heading to read as follows:

``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.''; AND

                  (F) in section 2217 (6 U.S.C. 665f; relating to 
                Cybersecurity Education and Training Programs), by 
                amending the section enumerator and heading to read as 
                follows:

``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING PROGRAMS.''.

          (2) Consolidated appropriations act, 2021.--Paragraph (1) of 
        section 904(b) of division U of the Consolidated Appropriations 
        Act, 2021 (Public Law 116-260) is amended, in the matter 
        preceding subparagraph (A), by inserting ``of 2002'' after 
        ``Homeland Security Act''.
  (b) Clerical Amendment.--The table of contents in section 1(b) of the 
Homeland Security Act of 2002 is amended by striking the items relating 
to sections 2214 through 2217 and inserting the following new items:

``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.''.

                          Purpose and Summary

    H.R. 3138, the ``State and Local Cybersecurity Act,'' seeks 
to foster stronger partnerships between the Federal government 
and State and local governments to defend State and local 
networks against cyber attacks from sophisticated foreign 
adversaries or cyber criminals. It does so by authorizing a new 
Department of Homeland Security (DHS) grant program to address 
cybersecurity vulnerabilities on State and local government 
networks. This new $500 million grant program includes a 
graduating cost-share to incentivize States to increase funding 
for cybersecurity in their budgets. Under the bill, State, 
Tribal, and Territorial governments would be required to 
develop comprehensive cybersecurity plans to guide the use of 
grant funds. The bill also requires the Cybersecurity and 
Infrastructure Security Agency (CISA) to develop a strategy to 
improve the cybersecurity of State, local, Tribal, and 
Territorial governments, set baseline objectives for State and 
local cybersecurity efforts, and, among other things, identify 
Federal resources that could be made available to State and 
local governments for cybersecurity purposes. CISA would also 
be required to assess the feasibility of a short-term 
rotational program for certain cybersecurity professionals in 
State, local, Tribal, and Territorial workforces to be detailed 
to the Agency. Lastly, H.R. 3138 establishes a State and Local 
Cybersecurity Resilience Committee comprised of representatives 
from State, local, Tribal, and Territorial governments to 
advise and provide situational awareness to CISA regarding the 
cybersecurity needs of such governments.

                  Background and Need for Legislation

    Like Federal agencies, State and local governments are rich 
targets for cyber adversaries given the volume of sensitive 
personal data they house and the high cost that service 
disruptions and system failures would impose. However, State 
and local agencies often have far fewer resources and 
cybersecurity personnel than their Federal counterparts or 
similarly sized private sector entities.
    At the State level, cybersecurity responsibilities are 
generally carried out by a Chief Information Security Officer 
(CISO). In a survey as part of the National Association of 
State Chief Information Security Officers' (NASCIO) 2020 
Cybersecurity Study, CISOs overwhelmingly report a lack of a 
sufficient, reliable budgets to develop their statewide 
security program. In most States, cybersecurity funding is 
derived from the State's IT budget and is not designated as a 
separate line item. Further, the percentage of State enterprise 
IT budgets allocated to enterprise cybersecurity is only 1-3 
percent--far lower than the Federal government or private 
industries, such as the financial services sector, which spends 
10.9 percent of its IT budget on cybersecurity.
    Cybersecurity challenges are particularly acute at the 
local level, where resources are often scarce. A 2016 survey by 
the International City/County Management Association (ICMA) 
found that nearly 40 percent of local government Chief 
Information Officers (CIOs) reported having experienced an 
attack during the last 12 months, and 26 percent reported an 
attack, incident, or breach attempt occurring hourly. At the 
same time, many local governments are not well prepared to 
recover from a ransomware attack, detect or prevent 
exfiltration, recover from breaches, or detect attacks. 
Moreover, many local officials and staff are not sufficiently 
aware of the need for cybersecurity.
    According to an August 2020 report issued by cybersecurity 
firm BlueVoyant, cyber attacks against State and local 
governments rose 50 percent between 2017 and 2020. Most attacks 
were not complicated, but rather could be prevented by improved 
cyber hygiene and adoption of multifactor authentication. In 
2018, devastating ransomware attacks crippled Atlanta, Georgia. 
The following year, ransomware attacks disrupted State and 
local agencies in Louisiana; the City of Baltimore, Maryland; 
22 towns in Texas; a school district in Syracuse, New York; and 
many other communities across the country. In a growing number 
of ransomware attacks, the perpetrators engage in ``double 
extortion'' where they threaten to release sensitive data 
publicly if a ransom payment is not made. In April 2021, the 
Washington, DC, police department was hit by a ransomware 
attack that included the release of detailed background reports 
on multiple current or former police officers and the threat to 
release files related to police informants. One DHS official 
described the ransomware attack in Atlanta as ``one of those 
red blinking lights that people talk about--it's a warning 
bell,'' and observed that ``the attack surface is expanding 
faster. . .than we are fixing the legacy IT landscape.'' These 
attacks can be extremely disruptive to vital government 
services, and recovery is often far costlier than anticipated--
to the tune of nearly $20 million, in some cases.
    Stretched State and local budgets have not adequately 
funded cybersecurity, and the emergence of the COVID-19 
pandemic in 2020 further highlighted existing cybersecurity 
challenges at the State and local level. According to the 
Brookings Institution, by April 2020, the pandemic led to, ``up 
to half of American workers [. . .] working from home.'' That 
includes State and local government employees, who may be less 
accustomed to teleworking and less prepared to do it securely, 
making State and local networks more vulnerable to ransomware 
and other cyber attacks. At the same time, the cyber risks to 
State and local networks increased dramatically, particularly 
in the wake of unprecedented demand for online services, such 
as unemployment compensation and human services applications.
    To address this urgent national security issue, the Federal 
government needs to redouble its efforts to partner with State 
and local governments to build robust cybersecurity defenses. 
The ``State and Local Cybersecurity Improvement Act'' requires 
both the Federal government and its State partners to develop 
strategies to bolster State and local cybersecurity 
capabilities and authorizes funding to ensure those strategies 
are implemented. Investing in cybersecurity before a cyber 
attack saves money, protects important data housed on State and 
local networks, and ensures State and local governments can 
continue to provide the important services Americans rely on.
    H.R. 3138 has been endorsed by NASCIO. Additionally, on May 
20, 2021, the following groups urged that H.R. 3138 be included 
in any infrastructure package advanced by Congress: Rapid7, 
Alliance for Digital Innovation, Avast, Broadcom, Bugcrowd, 
Citrix, Cybereason, Cybersecurity Coalition, Cyber Threat 
Alliance, Disclose.io, Global Cyber Alliance, GRIMM, ICS 
Village, Institute for Security and Technology, Luta, McAfee, 
SCYTHE, Security Scorecard, and Tenable.
    A similar measure, H.R. 5823, passed the House of 
Representatives in the 116th Congress by voice vote on 
September 30, 2020.

                                Hearings

    For the purposes of clause 3(c)(6) of rule XIII, the 
following hearings were used to develop H.R. 3138:
    The Committee did not hold a legislative hearing on H.R. 
3138 in the 117th Congress. However, the legislation was 
informed by several oversight hearings.
    On February 10, 2021, the Full Committee held a hearing 
entitled, ``Homeland Cybersecurity: Assessing Cyber Threats and 
Building Resilience.'' The following witnesses testified: Susan 
Gordon, former Principal Deputy Director of National 
Intelligence, Office of the Director of National Intelligence; 
Christopher Krebs, former Director, Cybersecurity and 
Infrastructure Security Agency (CISA), Department of Homeland 
Security; Michael Daniel, President & CEO, Cyber Threat 
Alliance, former White House Cybersecurity Coordinator; and 
Dmitri Alperovitch, Executive Chairman, Silverado Policy 
Accelerator.
    On April 28, 2021, the Subcommittee on Emergency 
Preparedness, Response, and Resilience held a hearing entitled, 
``State and Local on DHS Preparedness Grant Programs.'' The 
following witnesses testified: The Honorable David Ige, 
Governor, Hawaii; Jared Maples, Director, New Jersey Office of 
Homeland Security and Preparedness; Orlando Rolon, Police 
Chief, City of Orlando, Florida; Robert Altman, Battalion 
Chief, Ocala Fire Rescue.
    On May 5, 2021, the Subcommittee on Cybersecurity, 
Infrastructure Protection, and Innovation held a hearing 
entitled, ``Responding to Ransomware: Exploring Policy 
Solutions to a Cybersecurity Crisis.'' The following witnesses 
testified: Maj. Gen. John Davis (Ret.), Vice President and 
Federal Chief Security Officer at Palo Alto Networks; Megan 
Stifel, Executive Director, Americas at the Global Cyber 
Alliance; Denis Goulet, Commissioner, Department of Information 
Technology and Chief Information Officer, State of New 
Hampshire (on behalf of the National Association of State Chief 
Information Officers); and Christopher Krebs, former Director, 
Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security.

                        Committee Consideration

    The Committee met on May 18, 2021, with a quorum being 
present, to consider H.R. 3138 and ordered the measure to be 
reported to the House with a favorable recommendation, as 
amended, by unanimous consent.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during consideration of 
H.R. 3138.

                      Committee Oversight Findings

    In compliance with clause 3(c)(1) of rule XIII of the Rules 
of the House of Representatives, the Committee advises that the 
findings and recommendations of the Committee, based on 
oversight activities under clause 2(b)(1) of rule X of the 
Rules of the House of Representatives, are incorporated in the 
descriptive portions of this report.

Congressional Budget Office Estimate, New Budget Authority, Entitlement 
                    Authority, and Tax Expenditures

    With respect to the requirements of clause 3(c)(2) of rule 
XIII of the Rules of the House of Representatives and section 
308(a) of the Congressional Budget Act of 1974, and with 
respect to the requirements of clause 3(c)(3) of rule XIII of 
the Rules of the House of Representatives and section 402 of 
the Congressional Budget Act of 1974, the Committee has 
requested but not received from the Director of the 
Congressional Budget Office a statement as to whether this bill 
contains any new budget authority, spending authority, credit 
authority, or an increase or decrease in revenues or tax 
expenditures.

                       Federal Mandates Statement

    An estimate of Federal mandates prepared by the Director of 
the Congressional Budget Office pursuant to section 423 of the 
Unfunded Mandates Reform Act was not made available to the 
Committee in time for the filing of this report. The Chairman 
of the Committee shall cause such estimate to be printed in the 
Congressional Record upon its receipt by the Committee.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 3138 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

         Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, the objective of H.R. 3138 is to 
direct the Department of Homeland Security to help State and 
local governments improve the cybersecurity posture of State, 
local, Tribal, and Territorial governments. To achieve this 
objective, the Department will be required to engage with 
appropriate stakeholders to develop a comprehensive ``Homeland 
Security Strategy to Improve the Cybersecurity of State, Local, 
Tribal, and Territorial Governments'' to which grantees can 
align their cybersecurity plans.

   Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                 Benefits Advisory Committee Statement

    In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(d), 9(e), or 9(f) of the rule 
XXI.

                  Applicability to Legislative Branch

    The Committee finds that H.R. 3138 does not relate to the 
terms and conditions of employment or access to public services 
or accommodations within the meaning of section 102(b)(3) of 
the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1. Short Title.

    This section provides that this bill may be cited as the 
``State and Local Cybersecurity Improvement Act.''

Sec. 2. State and Local Cybersecurity Grant Program.

    Adds Sections 2220A and 2220B to Title XXII of the Homeland 
Security Act of 2002.
    Section 2220A. State and Local Cybersecurity Grant Program.
             (a) Definitions.--Provides definitions for ``cyber 
        threat indicator,'' ``cybersecurity plan,'' ``eligible 
        entity,'' ``incident,'' ``Indian Tribe,'' ``information 
        sharing and analysis organization,'' ``information 
        system,'' ``online service,'' ``ransomware incident,'' 
        ``State and Local Cybersecurity Grant Program,'' and 
        ``State and Local Cybersecurity Resilience Committee.''
             (b) Establishment.--Directs the Secretary of 
        Homeland Security, acting through the Director of the 
        Cybersecurity and Infrastructure Security Agency, to 
        establish a program to make grants to eligible entities 
        (States, the District of Columbia, and U.S. 
        Territories, as well as Federally recognized Tribes 
        that elect to participate) to address cybersecurity 
        risks and cybersecurity threats to information systems 
        of State, local, Tribal, or Territorial governments. 
        The program will be referred to as the State and Local 
        Cybersecurity Grant Program.
             (c) Baseline Requirements.--Requires each eligible 
        entity or multistate group receiving a grant under the 
        State and Local Cybersecurity Grant Program to meet 
        baseline requirements of complying with their 
        Cybersecurity Plan and the ``Homeland Security Strategy 
        to Improve the Cybersecurity of State, Local, Tribal, 
        and Territorial Governments.''
             (d) Administration.--Directs that the State and 
        Local Cybersecurity Grant Program shall be administered 
        by the same office that administers grants for the 
        Urban Area Security Initiative and the State Homeland 
        Security Grant Program.
             (e) Cybersecurity Plans.--Requires each eligible 
        entity applying for a grant to submit a Cybersecurity 
        Plan and describes the required and discretionary 
        elements of Cybersecurity Plans.
             (f) Multistate Grants.--Allows grants to a group 
        of two or more eligible entities to support multistate 
        efforts to address cybersecurity risks and 
        cybersecurity threats to information systems within the 
        jurisdictions of the eligible entities. Each eligible 
        entity must submit a Cybersecurity Plan and establish a 
        cybersecurity planning committee, as otherwise required 
        by the Act. A multistate group must further apply to 
        the Secretary for a multistate grant and include a 
        multistate project description that includes the 
        division of responsibilities for administering the 
        grant, the distribution of funding among the eligible 
        entities, and how the eligible entities that comprise 
        the multistate group with work together to implement 
        the Cybersecurity Plan of each of those eligible 
        entities.
             (g) Planning Committees.--Requires each eligible 
        entity receiving funds under the State and Local 
        Cybersecurity Grant Program to establish a 
        cybersecurity planning committee to assist in the 
        development and implementation of Cybersecurity Plans 
        and in prioritizing State and Local Cybersecurity Grant 
        Program investments. The cybersecurity planning 
        committees shall be comprised of representatives from 
        counties, cities, towns, Tribes, and public educational 
        and health institutions within the eligible entity 
        receiving a grant, including, as appropriate, 
        representatives of rural, suburban, and high-population 
        jurisdictions.
             (h) Use of Funds.--Describes the permissible use 
        of funds awarded under the State and Local 
        Cybersecurity Grant Program to include implementing an 
        eligible entity's Cybersecurity Plan, developing or 
        revising a Cybersecurity Plan, or to assist with 
        activities that address imminent cybersecurity risks 
        and cybersecurity threats to information systems of 
        State, local, Tribal, or Territorial governments, as 
        the case may be.
             (i) Approval of Plans.--Requires the Secretary of 
        Homeland Security, acting through the Director of the 
        Cybersecurity and Infrastructure Agency, to review 
        Cybersecurity Plans to ensure they comport with the 
        baseline requirements set forth in the section and the 
        ``Homeland Security Strategy to Improve the 
        Cybersecurity of State, Local, Tribal, and Territorial 
        Governments.'' Cybersecurity Plans must be approved by 
        the Secretary before an eligible entity may receive 
        grant funds, unless the eligible entity certifies that 
        it will submit a Cybersecurity Plan by September 30, 
        2023, and grant funds will be used to develop the 
        Cybersecurity Plan or the grant will address imminent 
        cybersecurity risks or cybersecurity threats.
             (j) Limitation on Uses of Funds.--Bars the use of 
        funds to supplant State, local, Tribal, or Territorial 
        funds; for any recipient cost-sharing contribution; to 
        pay a demand for ransom in an attempt to regain access 
        to information or an information system of such 
        eligible entity or of a local or Tribal government in 
        such eligible entity or to prevent disclosure of 
        information removed without authorization; for 
        recreational or social purposes; or for any purpose 
        that does not directly address cybersecurity risks or 
        cybersecurity threats on an information systems of such 
        eligible entity or of a local or Tribal government in 
        such eligible entity. Eligible entities must certify 
        that they will use grant dollars for an appropriate 
        purpose. The Secretary is authorized to take such 
        enforcement actions necessary.
             (k) Opportunity to Amend Applications.--Authorizes 
        eligible entities to amend grant applications to 
        correct defects.
             (l) Apportionment.--Sets forth the formula the 
        Secretary shall use to apportion grant awards to 
        eligible grantees. Three percent of the grant funds are 
        reserved for Indian tribes.
             (m) Federal Share.--Establishes a cost-share for 
        eligible entities that increases over time to 
        incentivize eligible entities to invest in 
        cybersecurity. There is a lower cost share for 
        multistate groups. The Secretary may waive cost share 
        requirements for Indian tribes.
             (n) Responsibilities of Grantees.--Requires States 
        (but not Territories or Tribes) to make 80 percent of 
        grant funds available to local and Tribal governments 
        within 45 days of receiving the grant award, with 
        certain exceptions. States must certify to the 
        Secretary that it has made such distributions of grant 
        awards. If a State fails to make funds available to 
        local and Tribal governments, local and Tribal 
        governments may seek direct funding from the Secretary. 
        The Secretary may impose appropriate penalties to 
        enforce this provision.
             (o) Advisory Committee.--Directs the Director of 
        the Cybersecurity and Infrastructure Security Agency to 
        establish a State and Local Cybersecurity Resilience 
        Committee to advise the Director on matters relating to 
        cybersecurity matters particular to State and local 
        governments, help review State Cybersecurity Plans, 
        provide feedback on the Homeland Security Strategy to 
        Improve Cybersecurity for State, Local, Tribal, an 
        Territorial Governments, and to assist in the develop 
        State and Local Cybersecurity Grant guidance. This 
        section also describes the membership and terms of the 
        State and Local Cybersecurity Resilience Committee and 
        provides that the members shall not receive 
        compensation.
             (p) Reports.--Requires eligible entities receiving 
        a grant to annually submit to the Secretary of Homeland 
        Security a report on the progress of the State in 
        implementing the approved Cybersecurity Plan. If the 
        eligible entity does not have an approved Cybersecurity 
        Plan, the eligible entity shall submit to the Secretary 
        a report describing how grant funds were obligated and 
        expended to develop a Cybersecurity Plan or improve the 
        cybersecurity of information systems owned or operated 
        by State, local, Tribal, or Territorial governments in 
        such State. The Committee expects the Secretary to 
        establish a consistent framework for the annual report, 
        including consistent metrics and categories of 
        analysis, so Congress is able assess how grant funds 
        are supporting the improvement in the cybersecurity 
        posture of State, local, Tribal, and Territorial 
        governments. This section requires the Secretary of 
        Homeland Security to submit a report to Congress 
        annually on the use of grant funds and progress 
        achieving the objectives set forth in the Homeland 
        Security Strategy to Improve the Cybersecurity of 
        State, Local, Tribal, and Territorial Governments, 
        among other things.
             (q) Authorization of Appropriations.--Authorizes 
        $500,000,000 in annual appropriations for this grant 
        program from FY 2022 through FY 2026, and such sums 
        necessary thereafter.
    Sec. 2220B. Cybersecurity Resources Guide Development for 
State, Local, Tribal, and Territorial Government Officials.
          Requires the Secretary of Homeland Security, acting 
        through the Director of the Cybersecurity and 
        Infrastructure Security Agency, to develop a resource 
        guide for use by State, local, Tribal, and Territorial 
        government officials, including law enforcement 
        officers, to help such officials identify, prepare for, 
        detect, protect against, respond to, and recover from 
        cybersecurity risks, cybersecurity threats, and 
        incidents.

Sec. 3. Strategy.

         (a) Homeland Security Strategy to Improve the 
Cybersecurity of State, Local Tribal, and Territorial 
Governments.--Requires that, not later than one year after the 
date of the enactment, the Secretary, acting through the 
Director, shall, in coordination with appropriate Federal 
departments and agencies, State, local, Tribal, and Territorial 
governments, the State and Local Cybersecurity Resilience 
Committee, and other stakeholders, as appropriate, develop and 
make publicly available a Homeland Security Strategy to Improve 
the Cybersecurity of State, Local, Tribal, and Territorial 
Governments that provides recommendations regarding how the 
Federal Government should support and promote the ability 
State, local, Tribal, and Territorial governments to identify, 
mitigate against, protect against, detect respond to, and 
recover from cybersecurity risks, cybersecurity threats, and 
incidents and establishes baseline requirements and principles 
to which State Cybersecurity Plans under such section shall be 
aligned. The Committee expects the Department of Homeland 
Security to submit budget or legislative proposals, as 
necessary, to address any resource or authority gaps 
identified. This section further describes the contents of the 
``Homeland Security Strategy to Improve the Cybersecurity of 
State, Local Tribal, and Territorial Governments,'' as well as 
considerations that should inform the Strategy. The strategy is 
exempt from the requirements of the Paperwork Reduction Act.
         (b) Responsibilities of the Director of the 
Cybersecurity and Infrastructure Security Agency.--Amends the 
responsibilities of the Director of the Cybersecurity and 
Infrastructure Security Agency related to the Director's 
responsibilities related to improving the cybersecurity of 
State and local governments.
         (c) Feasibility Study.--Requires the Director of the 
Cybersecurity and Infrastructure Security Agency to, not later 
than 260 days after the date of the enactment of this Act, 
conduct a study to assess the feasibility of implementing a 
short-term rotational program for the detail of approved State, 
local, Tribal, and Territorial government employees in cyber 
workforce positions to the Agency.

Sec. 4. Title XXII Technical and Clerical Amendments.

    This section makes technical corrections to the section 
enumerators of title XXII of the Homeland Security Act of 2002.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italics, and existing law in which no 
change is proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002


SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Homeland 
Security Act of 2002''.
  (b) Table of Contents.--The table of contents for this Act is 
as follows:

Sec. 1. Short title; table of contents.
     * * * * * * *

      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

          Subtitle A--Cybersecurity and Infrastructure Security

     * * * * * * *
[Sec. 2214. National Asset Database.
[Sec. 2215. Sector Risk Management Agencies.
[Sec. 2215. Cybersecurity State Coordinator.
[Sec. 2215. Joint cyber planning office.
[Sec. 2215. Duties and authorities relating to.gov internet domain.
[Sec. 2216. Cybersecurity Advisory Committee.
[Sec. 2217. Cybersecurity Education and Training Programs.]
Sec. 2214. National Asset Database.
Sec. 2215. Duties and authorities relating to.gov internet domain.
Sec. 2216. Joint cyber planning office.
Sec. 2217. Cybersecurity State Coordinator.
Sec. 2218. Sector Risk Management Agencies.
Sec. 2219. Cybersecurity Advisory Committee.
Sec. 2220. Cybersecurity Education and Training Programs.
Sec. 2220A. State and Local Cybersecurity Grant Program.
Sec. 2220B. Cybersecurity resource guide development for State, local, 
          Tribal, and territorial government officials.

           *       *       *       *       *       *       *


      TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

Subtitle A--Cybersecurity and Infrastructure Security

           *       *       *       *       *       *       *


SEC. 2202. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.

  (a) Redesignation.--
          (1) In general.--The National Protection and Programs 
        Directorate of the Department shall, on and after the 
        date of the enactment of this subtitle, be known as the 
        ``Cybersecurity and Infrastructure Security Agency'' 
        (in this subtitle referred to as the ``Agency'').
          (2) References.--Any reference to the National 
        Protection and Programs Directorate of the Department 
        in any law, regulation, map, document, record, or other 
        paper of the United States shall be deemed to be a 
        reference to the Cybersecurity and Infrastructure 
        Security Agency of the Department.
  (b) Director.--
          (1) In general.--The Agency shall be headed by a 
        Director of Cybersecurity and Infrastructure Security 
        (in this subtitle referred to as the ``Director''), who 
        shall report to the Secretary.
          (2) Qualifications.--
                  (A) In general.--The Director shall be 
                appointed from among individuals who have--
                          (i) extensive knowledge in at least 
                        two of the areas specified in 
                        subparagraph (B); and
                          (ii) not fewer than five years of 
                        demonstrated experience in efforts to 
                        foster coordination and collaboration 
                        between the Federal Government, the 
                        private sector, and other entities on 
                        issues related to cybersecurity, 
                        infrastructure security, or security 
                        risk management.
                  (B) Specified areas.--The areas specified in 
                this subparagraph are the following:
                          (i) Cybersecurity.
                          (ii) Infrastructure security.
                          (iii) Security risk management.
          (3) Reference.--Any reference to an Under Secretary 
        responsible for overseeing critical infrastructure 
        protection, cybersecurity, and any other related 
        program of the Department as described in section 
        103(a)(1)(H) as in effect on the day before the date of 
        enactment of this subtitle in any law, regulation, map, 
        document, record, or other paper of the United States 
        shall be deemed to be a reference to the Director of 
        Cybersecurity and Infrastructure Security of the 
        Department.
  (c) Responsibilities.--The Director shall--
          (1) lead cybersecurity and critical infrastructure 
        security programs, operations, and associated policy 
        for the Agency, including national cybersecurity asset 
        response activities;
          (2) coordinate with Federal entities, including 
        Sector-Specific Agencies, and non-Federal entities, 
        including international entities, to carry out the 
        cybersecurity and critical infrastructure activities of 
        the Agency, as appropriate;
          (3) carry out the responsibilities of the Secretary 
        to secure Federal information and information systems 
        consistent with law, including subchapter II of chapter 
        35 of title 44, United States Code, and the 
        Cybersecurity Act of 2015 (contained in division N of 
        the Consolidated Appropriations Act, 2016 (Public Law 
        114-113));
          (4) coordinate a national effort to secure and 
        protect against critical infrastructure risks, 
        consistent with subsection (e)(1)(E);
          (5) upon request, provide analyses, expertise, and 
        other technical assistance to critical infrastructure 
        owners and operators and, where appropriate, provide 
        those analyses, expertise, and other technical 
        assistance in coordination with Sector-Specific 
        Agencies and other Federal departments and agencies;
          (6) develop and utilize mechanisms for active and 
        frequent collaboration between the Agency and Sector-
        Specific Agencies to ensure appropriate coordination, 
        situational awareness, and communications with Sector-
        Specific Agencies;
          (7) maintain and utilize mechanisms for the regular 
        and ongoing consultation and collaboration among the 
        Divisions of the Agency to further operational 
        coordination, integrated situational awareness, and 
        improved integration across the Agency in accordance 
        with this Act;
          (8) develop, coordinate, and implement--
                  (A) comprehensive strategic plans for the 
                activities of the Agency; and
                  (B) risk assessments by and for the Agency;
          (9) carry out emergency communications 
        responsibilities, in accordance with title XVIII;
          (10) carry out cybersecurity, infrastructure 
        security, and emergency communications stakeholder 
        outreach and engagement and coordinate that outreach 
        and engagement with critical infrastructure Sector-
        Specific Agencies, as appropriate;
          (11) provide education, training, and capacity 
        development to Federal and non-Federal entities to 
        enhance the security and resiliency of domestic and 
        global cybersecurity and infrastructure security; and
          (12) appoint a Cybersecurity State Coordinator in 
        each State, as described in section 2215; and
          (12) carry out the duties and authorities relating to 
        the.gov internet domain, as described in section 2215; 
        and
          (12) carry out such other duties and powers 
        prescribed by law or delegated by the Secretary.
  (d) Additional Responsibilities.--In addition to the 
responsibilities under subsection (c), the Director shall--
          (1) develop program guidance, in consultation with 
        the State and Local Government Cybersecurity Resilience 
        Committee established under section 2220A, for the 
        State and Local Cybersecurity Grant Program under such 
        section or any other homeland security assistance 
        administered by the Department to improve 
        cybersecurity;
          (2) review, in consultation with the State and Local 
        Cybersecurity Resilience Committee, all cybersecurity 
        plans of State, local, Tribal, and territorial 
        governments developed pursuant to any homeland security 
        assistance administered by the Department to improve 
        cybersecurity;
          (3) provide expertise and technical assistance to 
        State, local, Tribal, and territorial government 
        officials with respect to cybersecurity; and
          (4) provide education, training, and capacity 
        development to enhance the security and resilience of 
        cybersecurity and infrastructure security.
  [(d)] (e) Deputy Director.--There shall be in the Agency a 
Deputy Director of Cybersecurity and Infrastructure Security 
who shall--
          (1) assist the Director in the management of the 
        Agency; and
          (2) report to the Director.
  [(e)] (f) Cybersecurity and Infrastructure Security 
Authorities of the Secretary.--
          (1) In general.--The responsibilities of the 
        Secretary relating to cybersecurity and infrastructure 
        security shall include the following:
                  (A) To access, receive, and analyze law 
                enforcement information, intelligence 
                information, and other information from Federal 
                Government agencies, State, local, tribal, and 
                territorial government agencies, including law 
                enforcement agencies, and private sector 
                entities, and to integrate that information, in 
                support of the mission responsibilities of the 
                Department, in order to--
                          (i) identify and assess the nature 
                        and scope of terrorist threats to the 
                        homeland;
                          (ii) detect and identify threats of 
                        terrorism against the United States; 
                        and
                          (iii) understand those threats in 
                        light of actual and potential 
                        vulnerabilities of the homeland.
                  (B) To carry out comprehensive assessments of 
                the vulnerabilities of the key resources and 
                critical infrastructure of the United States, 
                including the performance of risk assessments 
                to determine the risks posed by particular 
                types of terrorist attacks within the United 
                States, including an assessment of the 
                probability of success of those attacks and the 
                feasibility and potential efficacy of various 
                countermeasures to those attacks. At the 
                discretion of the Secretary, such assessments 
                may be carried out in coordination with Sector-
                Specific Agencies.
                  (C) To integrate relevant information, 
                analysis, and vulnerability assessments, 
                regardless of whether the information, 
                analysis, or assessments are provided or 
                produced by the Department, in order to make 
                recommendations, including prioritization, for 
                protective and support measures by the 
                Department, other Federal Government agencies, 
                State, local, tribal, and territorial 
                government agencies and authorities, the 
                private sector, and other entities regarding 
                terrorist and other threats to homeland 
                security.
                  (D) To ensure, pursuant to section 202, the 
                timely and efficient access by the Department 
                to all information necessary to discharge the 
                responsibilities under this title, including 
                obtaining that information from other Federal 
                Government agencies.
                  (E) To develop, in coordination with the 
                Sector-Specific Agencies with available 
                expertise, a comprehensive national plan for 
                securing the key resources and critical 
                infrastructure of the United States, including 
                power production, generation, and distribution 
                systems, information technology and 
                telecommunications systems (including 
                satellites), electronic financial and property 
                record storage and transmission systems, 
                emergency communications systems, and the 
                physical and technological assets that support 
                those systems.
                  (F) To recommend measures necessary to 
                protect the key resources and critical 
                infrastructure of the United States in 
                coordination with other Federal Government 
                agencies, including Sector-Specific Agencies, 
                and in cooperation with State, local, tribal, 
                and territorial government agencies and 
                authorities, the private sector, and other 
                entities.
                  (G) To review, analyze, and make 
                recommendations for improvements to the 
                policies and procedures governing the sharing 
                of information relating to homeland security 
                within the Federal Government and between 
                Federal Government agencies and State, local, 
                tribal, and territorial government agencies and 
                authorities.
                  (H) To disseminate, as appropriate, 
                information analyzed by the Department within 
                the Department to other Federal Government 
                agencies with responsibilities relating to 
                homeland security and to State, local, tribal, 
                and territorial government agencies and private 
                sector entities with those responsibilities in 
                order to assist in the deterrence, prevention, 
                or preemption of, or response to, terrorist 
                attacks against the United States.
                  (I) To consult with State, local, tribal, and 
                territorial government agencies and private 
                sector entities to ensure appropriate exchanges 
                of information, including law enforcement-
                related information, relating to threats of 
                terrorism against the United States.
                  (J) To ensure that any material received 
                pursuant to this Act is protected from 
                unauthorized disclosure and handled and used 
                only for the performance of official duties.
                  (K) To request additional information from 
                other Federal Government agencies, State, 
                local, tribal, and territorial government 
                agencies, and the private sector relating to 
                threats of terrorism in the United States, or 
                relating to other areas of responsibility 
                assigned by the Secretary, including the entry 
                into cooperative agreements through the 
                Secretary to obtain such information.
                  (L) To establish and utilize, in conjunction 
                with the Chief Information Officer of the 
                Department, a secure communications and 
                information technology infrastructure, 
                including data-mining and other advanced 
                analytical tools, in order to access, receive, 
                and analyze data and information in furtherance 
                of the responsibilities under this section, and 
                to disseminate information acquired and 
                analyzed by the Department, as appropriate.
                  (M) To coordinate training and other support 
                to the elements and personnel of the 
                Department, other Federal Government agencies, 
                and State, local, tribal, and territorial 
                government agencies that provide information to 
                the Department, or are consumers of information 
                provided by the Department, in order to 
                facilitate the identification and sharing of 
                information revealed in their ordinary duties 
                and the optimal utilization of information 
                received from the Department.
                  (N) To coordinate with Federal, State, local, 
                tribal, and territorial law enforcement 
                agencies, and the private sector, as 
                appropriate.
                  (O) To exercise the authorities and oversight 
                of the functions, personnel, assets, and 
                liabilities of those components transferred to 
                the Department pursuant to section 201(g).
                  (P) To carry out the functions of the 
                national cybersecurity and communications 
                integration center under section 2209.
                  (Q) To carry out the requirements of the 
                Chemical Facility Anti-Terrorism Standards 
                Program established under title XXI and the 
                secure handling of ammonium nitrate program 
                established under subtitle J of title VIII, or 
                any successor programs.
                  (R) To encourage and build cybersecurity 
                awareness and competency across the United 
                States and to develop, attract, and retain the 
                cybersecurity workforce necessary for the 
                cybersecurity related missions of the 
                Department, including by--
                          (i) overseeing elementary and 
                        secondary cybersecurity education and 
                        awareness related programs at the 
                        Agency;
                          (ii) leading efforts to develop, 
                        attract, and retain the cybersecurity 
                        workforce necessary for the 
                        cybersecurity related missions of the 
                        Department;
                          (iii) encouraging and building 
                        cybersecurity awareness and competency 
                        across the United States; and
                          (iv) carrying out cybersecurity 
                        related workforce development 
                        activities, including through--
                                  (I) increasing the pipeline 
                                of future cybersecurity 
                                professionals through programs 
                                focused on elementary and 
                                secondary education, 
                                postsecondary education, and 
                                workforce development; and
                                  (II) building awareness of 
                                and competency in cybersecurity 
                                across the civilian Federal 
                                Government workforce.
          (2) Reallocation.--The Secretary may reallocate 
        within the Agency the functions specified in sections 
        2203(b) and 2204(b), consistent with the 
        responsibilities provided in paragraph (1), upon 
        certifying to and briefing the appropriate 
        congressional committees, and making available to the 
        public, at least 60 days prior to the reallocation that 
        the reallocation is necessary for carrying out the 
        activities of the Agency.
          (3) Staff.--
                  (A) In general.--The Secretary shall provide 
                the Agency with a staff of analysts having 
                appropriate expertise and experience to assist 
                the Agency in discharging the responsibilities 
                of the Agency under this section.
                  (B) Private sector analysts.--Analysts under 
                this subsection may include analysts from the 
                private sector.
                  (C) Security clearances.--Analysts under this 
                subsection shall possess security clearances 
                appropriate for their work under this section.
          (4) Detail of personnel.--
                  (A) In general.--In order to assist the 
                Agency in discharging the responsibilities of 
                the Agency under this section, personnel of the 
                Federal agencies described in subparagraph (B) 
                may be detailed to the Agency for the 
                performance of analytic functions and related 
                duties.
                  (B) Agencies.--The Federal agencies described 
                in this subparagraph are--
                          (i) the Department of State;
                          (ii) the Central Intelligence Agency;
                          (iii) the Federal Bureau of 
                        Investigation;
                          (iv) the National Security Agency;
                          (v) the National Geospatial-
                        Intelligence Agency;
                          (vi) the Defense Intelligence Agency;
                          (vii) Sector-Specific Agencies; and
                          (viii) any other agency of the 
                        Federal Government that the President 
                        considers appropriate.
                  (C) Interagency agreements.--The Secretary 
                and the head of a Federal agency described in 
                subparagraph (B) may enter into agreements for 
                the purpose of detailing personnel under this 
                paragraph.
                  (D) Basis.--The detail of personnel under 
                this paragraph may be on a reimbursable or non-
                reimbursable basis.
  [(f)] (g) Composition.--The Agency shall be composed of the 
following divisions:
          (1) The Cybersecurity Division, headed by an 
        Assistant Director.
          (2) The Infrastructure Security Division, headed by 
        an Assistant Director.
          (3) The Emergency Communications Division under title 
        XVIII, headed by an Assistant Director.
  [(g)] (h) Co-location.--
          (1) In general.--To the maximum extent practicable, 
        the Director shall examine the establishment of central 
        locations in geographical regions with a significant 
        Agency presence.
          (2) Coordination.--When establishing the central 
        locations described in paragraph (1), the Director 
        shall coordinate with component heads and the Under 
        Secretary for Management to co-locate or partner on any 
        new real property leases, renewing any occupancy 
        agreements for existing leases, or agreeing to extend 
        or newly occupy any Federal space or new construction.
  [(h)] (i) Privacy.--
          (1) In general.--There shall be a Privacy Officer of 
        the Agency with primary responsibility for privacy 
        policy and compliance for the Agency.
          (2) Responsibilities.--The responsibilities of the 
        Privacy Officer of the Agency shall include--
                  (A) assuring that the use of technologies by 
                the Agency sustain, and do not erode, privacy 
                protections relating to the use, collection, 
                and disclosure of personal information;
                  (B) assuring that personal information 
                contained in systems of records of the Agency 
                is handled in full compliance as specified in 
                section 552a of title 5, United States Code 
                (commonly known as the ``Privacy Act of 
                1974'');
                  (C) evaluating legislative and regulatory 
                proposals involving collection, use, and 
                disclosure of personal information by the 
                Agency; and
                  (D) conducting a privacy impact assessment of 
                proposed rules of the Agency on the privacy of 
                personal information, including the type of 
                personal information collected and the number 
                of people affected.
  [(i)] (j) Savings.--Nothing in this title may be construed as 
affecting in any manner the authority, existing on the day 
before the date of enactment of this title, of any other 
component of the Department or any other Federal department or 
agency, including the authority provided to the Sector Risk 
Management Agency specified in section 61003(c) of division F 
of the Fixing America's Surface Transportation Act (6 U.S.C. 
121 note; Public Law 114-94).

           *       *       *       *       *       *       *


SEC. 2210. CYBERSECURITY PLANS.

  (a) Definitions.--In this section--
          (1) the term ``agency information system'' means an 
        information system used or operated by an agency or by 
        another entity on behalf of an agency;
          (2) the terms ``cybersecurity risk'' and 
        ``information system'' have the meanings given those 
        terms in section 2209;
          (3) the term ``intelligence community'' has the 
        meaning given the term in section 3(4) of the National 
        Security Act of 1947 (50 U.S.C. 3003(4)); and
          (4) the term ``national security system'' has the 
        meaning given the term in section 11103 of title 40, 
        United States Code.
  (b) Intrusion Assessment Plan.--
          (1) Requirement.--The Secretary, in coordination with 
        the Director of the Office of Management and Budget, 
        shall--
                  (A) develop and implement an intrusion 
                assessment plan to proactively detect, 
                identify, and remove intruders in agency 
                information systems on a routine basis; and
                  (B) update such plan as necessary.
          (2) Exception.--The intrusion assessment plan 
        required under paragraph (1) shall not apply to the 
        Department of Defense, a national security system, or 
        an element of the intelligence community.
  (c) Cyber Incident Response Plan.--The Director of 
Cybersecurity and InfrastructureSecurity shall, in coordination 
with appropriate Federal departments and agencies, State and 
local governments, sector coordinating councils, information 
sharing and analysis organizations (as defined in section 
2222(5)), owners and operators of critical infrastructure, and 
other appropriate entities and individuals, develop, regularly 
update, maintain, and exercise adaptable cyber incident 
response plans to address cybersecurity risks (as defined in 
section 2209) to critical infrastructure.
  (d) National Response Framework.--The Secretary, in 
coordination with the heads of other appropriate Federal 
departments and agencies, and in accordance with the National 
Cybersecurity Incident Response Plan required under subsection 
(c), shall regularly update, maintain, and exercise the Cyber 
Incident Annex to the National Response Framework of the 
Department.
  (e) Homeland Security Strategy to Improve the Cybersecurity 
of State, Local, Tribal, and Territorial Governments.--
          (1) In general.--
                  (A) Requirement.--Not later than one year 
                after the date of the enactment of this 
                subsection, the Secretary, acting through the 
                Director, shall, in coordination with the heads 
                of appropriate Federal agencies, State, local, 
                Tribal, and territorial governments, the State 
                and Local Cybersecurity Resilience Committee 
                established under section 2220A, and other 
                stakeholders, as appropriate, develop and make 
                publicly available a Homeland Security Strategy 
                to Improve the Cybersecurity of State, Local, 
                Tribal, and Territorial Governments.
                  (B) Recommendations and requirements.--The 
                strategy required under subparagraph (A) 
                shall--
                          (i) provide recommendations relating 
                        to the ways in which the Federal 
                        Government should support and promote 
                        the ability of State, local, Tribal, 
                        and territorial governments to 
                        identify, mitigate against, protect 
                        against, detect, respond to, and 
                        recover from cybersecurity risks (as 
                        such term is defined in section 2209), 
                        cybersecurity threats, and incidents 
                        (as such term is defined in section 
                        2209); and
                          (ii) establish baseline requirements 
                        for cybersecurity plans under this 
                        section and principles with which such 
                        plans shall align.
          (2) Contents.--The strategy required under paragraph 
        (1) shall--
                  (A) identify capability gaps in the ability 
                of State, local, Tribal, and territorial 
                governments to identify, protect against, 
                detect, respond to, and recover from 
                cybersecurity risks, cybersecurity threats, 
                incidents, and ransomware incidents;
                  (B) identify Federal resources and 
                capabilities that are available or could be 
                made available to State, local, Tribal, and 
                territorial governments to help those 
                governments identify, protect against, detect, 
                respond to, and recover from cybersecurity 
                risks, cybersecurity threats, incidents, and 
                ransomware incidents;
                  (C) identify and assess the limitations of 
                Federal resources and capabilities available to 
                State, local, Tribal, and territorial 
                governments to help those governments identify, 
                protect against, detect, respond to, and 
                recover from cybersecurity risks, cybersecurity 
                threats, incidents, and ransomware incidents 
                and make recommendations to address such 
                limitations;
                  (D) identify opportunities to improve the 
                coordination of the Agency with Federal and 
                non-Federal entities, such as the Multi-State 
                Information Sharing and Analysis Center, to 
                improve--
                          (i) incident exercises, information 
                        sharing and incident notification 
                        procedures;
                          (ii) the ability for State, local, 
                        Tribal, and territorial governments to 
                        voluntarily adapt and implement 
                        guidance in Federal binding operational 
                        directives; and
                          (iii) opportunities to leverage 
                        Federal schedules for cybersecurity 
                        investments under section 502 of title 
                        40, United States Code;
                  (E) recommend new initiatives the Federal 
                Government should undertake to improve the 
                ability of State, local, Tribal, and 
                territorial governments to identify, protect 
                against, detect, respond to, and recover from 
                cybersecurity risks, cybersecurity threats, 
                incidents, and ransomware incidents;
                  (F) set short-term and long-term goals that 
                will improve the ability of State, local, 
                Tribal, and territorial governments to 
                identify, protect against, detect, respond to, 
                and recover from cybersecurity risks, 
                cybersecurity threats, incidents, and 
                ransomware incidents; and
                  (G) set dates, including interim benchmarks, 
                as appropriate for State, local, Tribal, and 
                territorial governments to establish baseline 
                capabilities to identify, protect against, 
                detect, respond to, and recover from 
                cybersecurity risks, cybersecurity threats, 
                incidents, and ransomware incidents.
          (3) Considerations.--In developing the strategy 
        required under paragraph (1), the Director, in 
        coordination with the heads of appropriate Federal 
        agencies, State, local, Tribal, and territorial 
        governments, the State and Local Cybersecurity 
        Resilience Committee established under section 2220A, 
        and other stakeholders, as appropriate, shall 
        consider--
                  (A) lessons learned from incidents that have 
                affected State, local, Tribal, and territorial 
                governments, and exercises with Federal and 
                non-Federal entities;
                  (B) the impact of incidents that have 
                affected State, local, Tribal, and territorial 
                governments, including the resulting costs to 
                such governments;
                  (C) the information related to the interest 
                and ability of state and non-state threat 
                actors to compromise information systems (as 
                such term is defined in section 102 of the 
                Cybersecurity Act of 2015 (6 U.S.C. 1501)) 
                owned or operated by State, local, Tribal, and 
                territorial governments;
                  (D) emerging cybersecurity risks and 
                cybersecurity threats to State, local, Tribal, 
                and territorial governments resulting from the 
                deployment of new technologies; and
                  (E) recommendations made by the State and 
                Local Cybersecurity Resilience Committee 
                established under section 2220A.
          (4) Exemption.--Chapter 35 of title 44, United States 
        Code (commonly known as the ``Paperwork Reduction 
        Act''), shall not apply to any action to implement this 
        subsection.

           *       *       *       *       *       *       *


SEC. 2215. DUTIES AND AUTHORITIES RELATING TO.GOV INTERNET DOMAIN.

  (a) Definition.--In this section, the term ``agency'' has the 
meaning given the term in section 3502 of title 44, United 
States Code.
  (b) Availability of.gov Internet Domain.--The Director shall 
make.gov internet domain name registration services, as well as 
any supporting services described in subsection (e), generally 
available--
          (1) to any Federal, State, local, or territorial 
        government entity, or other publicly controlled entity, 
        including any Tribal government recognized by the 
        Federal Government or a State government, that complies 
        with the requirements for registration developed by the 
        Director as described in subsection (c);
          (2) without conditioning registration on the sharing 
        of any information with the Director or any other 
        Federal entity, other than the information required to 
        meet the requirements described in subsection (c); and
          (3) without conditioning registration on 
        participation in any separate service offered by the 
        Director or any other Federal entity.
  (c) Requirements.--The Director, with the approval of the 
Director of the Office of Management and Budget for agency.gov 
internet domain requirements and in consultation with the 
Director of the Office of Management and Budget for.gov 
internet domain requirements for entities that are not 
agencies, shall establish and publish on a publicly available 
website requirements for the registration and operation of.gov 
internet domains sufficient to--
          (1) minimize the risk of.gov internet domains whose 
        names could mislead or confuse users;
          (2) establish that.gov internet domains may not be 
        used for commercial or political campaign purposes;
          (3) ensure that domains are registered and maintained 
        only by authorized individuals; and
          (4) limit the sharing or use of any information 
        obtained through the administration of the.gov internet 
        domain with any other Department component or any other 
        agency for any purpose other than the administration of 
        the.gov internet domain, the services described in 
        subsection (e), and the requirements for establishing 
        a.gov inventory described in subsection (h).
  (d) Executive Branch.--
          (1) In general.--The Director of the Office of 
        Management and Budget shall establish applicable 
        processes and guidelines for the registration and 
        acceptable use of.gov internet domains by agencies.
          (2) Approval required.--The Director shall obtain the 
        approval of the Director of the Office of Management 
        and Budget before registering a.gov internet domain 
        name for an agency.
          (3) Compliance.--Each agency shall ensure that any 
        website or digital service of the agency that uses 
        a.gov internet domain is in compliance with the 21st 
        Century IDEA Act (44 U.S.C. 3501 note) and 
        implementation guidance issued pursuant to that Act.
  (e) Supporting Services.--
          (1) In general.--The Director may provide services to 
        the entities described in subsection (b)(1) 
        specifically intended to support the security, privacy, 
        reliability, accessibility, and speed of registered.gov 
        internet domains.
          (2) Rule of construction.--Nothing in paragraph (1) 
        shall be construed to--
                  (A) limit other authorities of the Director 
                to provide services or technical assistance to 
                an entity described in subsection (b)(1); or
                  (B) establish new authority for services 
                other than those the purpose of which expressly 
                supports the operation of.gov internet domains 
                and the needs of.gov internet domain 
                registrants.
  (f) Fees.--
          (1) In general.--The Director may provide any service 
        relating to the availability of the.gov internet domain 
        program, including.gov internet domain name 
        registration services described in subsection (b) and 
        supporting services described in subsection (e), to 
        entities described in subsection (b)(1) with or without 
        reimbursement, including variable pricing.
          (2) Limitation.--The total fees collected for new.gov 
        internet domain registrants or annual renewals of.gov 
        internet domains shall not exceed the direct 
        operational expenses of improving, maintaining, and 
        operating the.gov internet domain,.gov internet domain 
        services, and.gov internet domain supporting services.
  (g) Consultation.--The Director shall consult with the 
Director of the Office of Management and Budget, the 
Administrator of General Services, other civilian Federal 
agencies as appropriate, and entities representing State, 
local, Tribal, or territorial governments in developing the 
strategic direction of the.gov internet domain and in 
establishing requirements under subsection (c), in particular 
on matters of privacy, accessibility, transparency, and 
technology modernization.
  (h) .gov Inventory.--
          (1) In general.--The Director shall, on a continuous 
        basis--
                  (A) inventory all hostnames and services in 
                active use within the.gov internet domain; and
                  (B) provide the data described in 
                subparagraph (A) to domain registrants at no 
                cost.
          (2) Requirements.--In carrying out paragraph (1)--
                  (A) data may be collected through analysis of 
                public and non-public sources, including 
                commercial data sets;
                  (B) the Director shall share with Federal and 
                non-Federal domain registrants all unique 
                hostnames and services discovered within the 
                zone of their registered domain;
                  (C) the Director shall share any data or 
                information collected or used in the management 
                of the.gov internet domain name registration 
                services relating to Federal executive branch 
                registrants with the Director of the Office of 
                Management and Budget for the purpose of 
                fulfilling the duties of the Director of the 
                Office of Management and Budget under section 
                3553 of title 44, United States Code;
                  (D) the Director shall publish on a publicly 
                available website discovered hostnames that 
                describe publicly accessible agency websites, 
                to the extent consistent with the security of 
                Federal information systems but with the 
                presumption of disclosure;
                  (E) the Director may publish on a publicly 
                available website any analysis conducted and 
                data collected relating to compliance with 
                Federal mandates and industry best practices, 
                to the extent consistent with the security of 
                Federal information systems but with the 
                presumption of disclosure; and
                  (F) the Director shall--
                          (i) collect information on the use of 
                        non-.gov internet domain suffixes by 
                        agencies for their official online 
                        services;
                          (ii) collect information on the use 
                        of non-.gov internet domain suffixes by 
                        State, local, Tribal, and territorial 
                        governments; and
                          (iii) publish the information 
                        collected under clause (i) on a 
                        publicly available website to the 
                        extent consistent with the security of 
                        the Federal information systems, but 
                        with the presumption of disclosure.
          (3) National security coordination.--
                  (A) In general.--In carrying out this 
                subsection, the Director shall inventory, 
                collect, and publish hostnames and services in 
                a manner consistent with the protection of 
                national security information.
                  (B) Limitation.--The Director may not 
                inventory, collect, or publish hostnames or 
                services under this subsection if the Director, 
                in coordination with other heads of agencies, 
                as appropriate, determines that the collection 
                or publication would--
                          (i) disrupt a law enforcement 
                        investigation;
                          (ii) endanger national security or 
                        intelligence activities;
                          (iii) impede national defense 
                        activities or military operations; or
                          (iv) hamper security remediation 
                        actions.
          (4) Strategy.--Not later than 180 days after the date 
        of enactment of this section, the Director shall 
        develop and submit to the Committee on Homeland 
        Security and Governmental Affairs and the Committee on 
        Rules and Administration of the Senate and the 
        Committee on Homeland Security, the Committee on 
        Oversight and Reform, and the Committee on House 
        Administration of the House of Representatives a 
        strategy to utilize the information collected under 
        this subsection for countering malicious cyber 
        activity.

SEC. [2215]  2216. JOINT CYBER PLANNING OFFICE.

  (a) Establishment of office.--There is established in the 
Agency an office for joint cyber planning (in this section 
referred to as the ``Office'') to develop, for public and 
private sector entities, plans for cyber defense operations, 
including the development of a set of coordinated actions to 
protect, detect, respond to, and recover from cybersecurity 
risks or incidents or limit, mitigate, or defend against 
coordinated, malicious cyber operations that pose a potential 
risk to critical infrastructure or national interests. The 
Office shall be headed by a senior official of the Agency 
selected by the Director.
  (b) Planning and execution.--In leading the development of 
plans for cyber defense operations pursuant to subsection (a), 
the head of the Office shall--
          (1) coordinate with relevant Federal departments and 
        agencies to establish processes and procedures 
        necessary to develop and maintain ongoing coordinated 
        plans for cyber defense operations;
          (2) leverage cyber capabilities and authorities of 
        participating Federal departments and agencies, as 
        appropriate, in furtherance of plans for cyber defense 
        operations;
          (3) ensure that plans for cyber defense operations 
        are, to the greatest extent practicable, developed in 
        collaboration with relevant private sector entities, 
        particularly in areas in which such entities have 
        comparative advantages in limiting, mitigating, or 
        defending against a cybersecurity risk or incident or 
        coordinated, malicious cyber operation;
          (4) ensure that plans for cyber defense operations, 
        as appropriate, are responsive to potential adversary 
        activity conducted in response to United States 
        offensive cyber operations;
          (5) facilitate the exercise of plans for cyber 
        defense operations, including by developing and 
        modeling scenarios based on an understanding of 
        adversary threats to, vulnerability of, and potential 
        consequences of disruption or compromise of critical 
        infrastructure;
          (6) coordinate with and, as necessary, support 
        relevant Federal departments and agencies in the 
        establishment of procedures, development of additional 
        plans, including for offensive and intelligence 
        activities in support of cyber defense operations, and 
        creation of agreements necessary for the rapid 
        execution of plans for cyber defense operations when a 
        cybersecurity risk or incident or malicious cyber 
        operation has been identified; and
          (7) support public and private sector entities, as 
        appropriate, in the execution of plans developed 
        pursuant to this section.
  (c) Composition.--The Office shall be composed of--
          (1) a central planning staff; and
          (2) appropriate representatives of Federal 
        departments and agencies, including--
                  (A) the Department;
                  (B) United States Cyber Command;
                  (C) the National Security Agency;
                  (D) the Federal Bureau of Investigation;
                  (E) the Department of Justice; and
                  (F) the Office of the Director of National 
                Intelligence.
  (d) Consultation.--In carrying out its responsibilities 
described in subsection (b), the Office shall regularly consult 
with appropriate representatives of non-Federal entities, such 
as--
          (1) State, local, federally-recognized Tribal, and 
        territorial governments;
          (2) information sharing and analysis organizations, 
        including information sharing and analysis centers;
          (3) owners and operators of critical information 
        systems;
          (4) private entities; and
          (5) other appropriate representatives or entities, as 
        determined by the Secretary.
  (e) Interagency agreements.--The Secretary and the head of a 
Federal department or agency referred to in subsection (c) may 
enter into agreements for the purpose of detailing personnel on 
a reimbursable or non-reimbursable basis.
  (f) Definitions.--In this section:
          (1) Cyber defense operation.--The term ``cyber 
        defense operation'' means defensive activities 
        performed for a cybersecurity purpose.
          (2) Cybersecurity purpose.--The term ``cybersecurity 
        purpose'' has the meaning given such term in section 
        102 of the Cybersecurity Act of 2015 (contained in 
        division N of the Consolidated Appropriations Act, 2016 
        (Public Law 114-113; 6 U.S.C. 1501)).
          (3) Cybersecurity risk; incident.--The terms 
        ``cybersecurity risk'' and ``incident'' have the 
        meanings given such terms in section 2209.
          (4) Information sharing and analysis organization.--
        The term ``information sharing and analysis 
        organization'' has the meaning given such term in 
        section 2222(5).

SEC. [2215]  2217. CYBERSECURITY STATE COORDINATOR.

  (a) Appointment.--The Director shall appoint an employee of 
the Agency in each State, with the appropriate cybersecurity 
qualifications and expertise, who shall serve as the 
Cybersecurity State Coordinator.
  (b) Duties.--The duties of a Cybersecurity State Coordinator 
appointed under subsection (a) shall include--
          (1) building strategic public and, on a voluntary 
        basis, private sector relationships, including by 
        advising on establishing governance structures to 
        facilitate the development and maintenance of secure 
        and resilient infrastructure;
          (2) serving as the Federal cybersecurity risk advisor 
        and supporting preparation, response, and remediation 
        efforts relating to cybersecurity risks and incidents;
          (3) facilitating the sharing of cyber threat 
        information to improve understanding of cybersecurity 
        risks and situational awareness of cybersecurity 
        incidents;
          (4) raising awareness of the financial, technical, 
        and operational resources available from the Federal 
        Government to non-Federal entities to increase 
        resilience against cyber threats;
          (5) supporting training, exercises, and planning for 
        continuity of operations to expedite recovery from 
        cybersecurity incidents, including ransomware;
          (6) serving as a principal point of contact for non-
        Federal entities to engage, on a voluntary basis, with 
        the Federal Government on preparing, managing, and 
        responding to cybersecurity incidents;
          (7) assisting non-Federal entities in developing and 
        coordinating vulnerability disclosure programs 
        consistent with Federal and information security 
        industry standards;
          (8) assisting State, local, Tribal, and territorial 
        governments, on a voluntary basis, in the development 
        of State cybersecurity plans;
          (9) coordinating with appropriate officials within 
        the Agency; and
          (10) performing such other duties as determined 
        necessary by the Director to achieve the goal of 
        managing cybersecurity risks in the United States and 
        reducing the impact of cyber threats to non-Federal 
        entities.
  (c) Feedback.--The Director shall consult with relevant 
State, local, Tribal, and territorial officials regarding the 
appointment, and State, local, Tribal, and territorial 
officials and other non-Federal entities regarding the 
performance, of the Cybersecurity State Coordinator of a State.

SEC. [2215]  2218. SECTOR RISK MANAGEMENT AGENCIES.

  (a) In General.--Consistent with applicable law, Presidential 
directives, Federal regulations, and strategic guidance from 
the Secretary, each Sector Risk Management Agency, in 
coordination with the Director, shall--
          (1) provide specialized sector-specific expertise to 
        critical infrastructure owners and operators within its 
        designated critical infrastructure sector or subsector 
        of such sector; and
          (2) support programs and associated activities of 
        such sector or subsector of such sector.
  (b) Implementation.--In carrying out this section, Sector 
Risk Management Agencies shall--
          (1) coordinate with the Department and, as 
        appropriate, other relevant Federal departments and 
        agencies;
          (2) collaborate with critical infrastructure owners 
        and operators within the designated critical 
        infrastructure sector or subsector of such sector; and
          (3) coordinate with independent regulatory agencies, 
        and State, local, Tribal, and territorial entities, as 
        appropriate.
  (c) Responsibilities.--Consistent with applicable law, 
Presidential directives, Federal regulations, and strategic 
guidance from the Secretary, each Sector Risk Management Agency 
shall utilize its specialized expertise regarding its 
designated critical infrastructure sector or subsector of such 
sector and authorities under applicable law to--
          (1) support sector risk management, in coordination 
        with the Director, including--
                  (A) establishing and carrying out programs to 
                assist critical infrastructure owners and 
                operators within the designated sector or 
                subsector of such sector in identifying, 
                understanding, and mitigating threats, 
                vulnerabilities, and risks to their systems or 
                assets, or within a region, sector, or 
                subsector of such sector; and
                  (B) recommending security measures to 
                mitigate the consequences of destruction, 
                compromise, and disruption of systems and 
                assets;
          (2) assess sector risk, in coordination with the 
        Director, including--
                  (A) identifying, assessing, and prioritizing 
                risks within the designated sector or subsector 
                of such sector, considering physical security 
                and cybersecurity threats, vulnerabilities, and 
                consequences; and
                  (B) supporting national risk assessment 
                efforts led by the Department;
          (3) sector coordination, including--
                  (A) serving as a day-to-day Federal interface 
                for the prioritization and coordination of 
                sector-specific activities and responsibilities 
                under this title;
                  (B) serving as the Federal Government 
                coordinating council chair for the designated 
                sector or subsector of such sector; and
                  (C) participating in cross-sector 
                coordinating councils, as appropriate;
          (4) facilitating, in coordination with the Director, 
        the sharing with the Department and other appropriate 
        Federal department of information regarding physical 
        security and cybersecurity threats within the 
        designated sector or subsector of such sector, 
        including--
                  (A) facilitating, in coordination with the 
                Director, access to, and exchange of, 
                information and intelligence necessary to 
                strengthen the security of critical 
                infrastructure, including through information 
                sharing and analysis organizations and the 
                national cybersecurity and communications 
                integration center established pursuant to 
                section 2209;
                  (B) facilitating the identification of 
                intelligence needs and priorities of critical 
                infrastructure owners and operators in the 
                designated sector or subsector of such sector, 
                in coordination with the Director of National 
                Intelligence and the heads of other Federal 
                departments and agencies, as appropriate;
                  (C) providing the Director, and facilitating 
                awareness within the designated sector or 
                subsector of such sector, of ongoing, and where 
                possible, real-time awareness of identified 
                threats, vulnerabilities, mitigations, and 
                other actions related to the security of such 
                sector or subsector of such sector; and
                  (D) supporting the reporting requirements of 
                the Department under applicable law by 
                providing, on an annual basis, sector-specific 
                critical infrastructure information;
          (5) supporting incident management, including--
                  (A) supporting, in coordination with the 
                Director, incident management and restoration 
                efforts during or following a security 
                incident; and
                  (B) supporting the Director, upon request, in 
                national cybersecurity asset response 
                activities for critical infrastructure; and
          (6) contributing to emergency preparedness efforts, 
        including--
                  (A) coordinating with critical infrastructure 
                owners and operators within the designated 
                sector or subsector of such sector and the 
                Director in the development of planning 
                documents for coordinated action in the event 
                of a natural disaster, act of terrorism, or 
                other man-made disaster or emergency;
                  (B) participating in and, in coordination 
                with the Director, conducting or facilitating, 
                exercises and simulations of potential natural 
                disasters, acts of terrorism, or other man-made 
                disasters or emergencies within the designated 
                sector or subsector of such sector; and
                  (C) supporting the Department and other 
                Federal departments or agencies in developing 
                planning documents or conducting exercises or 
                simulations when relevant to the designated 
                sector or subsector or such sector.

SEC. [2216]  2219. CYBERSECURITY ADVISORY COMMITTEE.

  (a) Establishment.--The Secretary shall establish within the 
Agency a Cybersecurity Advisory Committee (referred to in this 
section as the ``Advisory Committee'').
  (b) Duties.--
          (1) In general.--The Advisory Committee shall advise, 
        consult with, report to, and make recommendations to 
        the Director, as appropriate, on the development, 
        refinement, and implementation of policies, programs, 
        planning, and training pertaining to the cybersecurity 
        mission of the Agency.
          (2) Recommendations.--
                  (A) In general.--The Advisory Committee shall 
                develop, at the request of the Director, 
                recommendations for improvements to advance the 
                cybersecurity mission of the Agency and 
                strengthen the cybersecurity of the United 
                States.
                  (B) Recommendations of subcommittees.--
                Recommendations agreed upon by subcommittees 
                established under subsection (d) for any year 
                shall be approved by the Advisory Committee 
                before the Advisory Committee submits to the 
                Director the annual report under paragraph (4) 
                for that year.
          (3) Periodic reports.--The Advisory Committee shall 
        periodically submit to the Director--
                  (A) reports on matters identified by the 
                Director; and
                  (B) reports on other matters identified by a 
                majority of the members of the Advisory 
                Committee.
          (4) Annual report.--
                  (A) In general.--The Advisory Committee shall 
                submit to the Director an annual report 
                providing information on the activities, 
                findings, and recommendations of the Advisory 
                Committee, including its subcommittees, for the 
                preceding year.
                  (B) Publication.--Not later than 180 days 
                after the date on which the Director receives 
                an annual report for a year under subparagraph 
                (A), the Director shall publish a public 
                version of the report describing the activities 
                of the Advisory Committee and such related 
                matters as would be informative to the public 
                during that year, consistent with section 
                552(b) of title 5, United States Code.
          (5) Feedback.--Not later than 90 days after receiving 
        any recommendation submitted by the Advisory Committee 
        under paragraph (2), (3), or (4), the Director shall 
        respond in writing to the Advisory Committee with 
        feedback on the recommendation. Such a response shall 
        include--
                  (A) with respect to any recommendation with 
                which the Director concurs, an action plan to 
                implement the recommendation; and
                  (B) with respect to any recommendation with 
                which the Director does not concur, a 
                justification for why the Director does not 
                plan to implement the recommendation.
          (6) Congressional notification.--Not less frequently 
        than once per year after the date of enactment of this 
        section, the Director shall provide to the Committee on 
        Homeland Security and Governmental Affairs and the 
        Committee on Appropriations of the Senate and the 
        Committee on Homeland Security, the Committee on Energy 
        and Commerce, and the Committee on Appropriations of 
        the House of Representatives a briefing on feedback 
        from the Advisory Committee.
          (7) Governance rules.--The Director shall establish 
        rules for the structure and governance of the Advisory 
        Committee and all subcommittees established under 
        subsection (d).
  (c) Membership.--
          (1) Appointment.--
                  (A) In general.--Not later than 180 days 
                after the date of enactment of the 
                Cybersecurity Advisory Committee Authorization 
                Act of 2020, the Director shall appoint the 
                members of the Advisory Committee.
                  (B) Composition.--The membership of the 
                Advisory Committee shall consist of not more 
                than 35 individuals.
                  (C) Representation.--
                          (i) In general.--The membership of 
                        the Advisory Committee shall satisfy 
                        the following criteria:
                                  (I) Consist of subject matter 
                                experts.
                                  (II) Be geographically 
                                balanced.
                                  (III) Include representatives 
                                of State, local, and Tribal 
                                governments and of a broad 
                                range of industries, which may 
                                include the following:
                                          (aa) Defense.
                                          (bb) Education.
                                          (cc) Financial 
                                        services and insurance.
                                          (dd) Healthcare.
                                          (ee) Manufacturing.
                                          (ff) Media and 
                                        entertainment.
                                          (gg) Chemicals.
                                          (hh) Retail.
                                          (ii) Transportation.
                                          (jj) Energy.
                                          (kk) Information 
                                        Technology.
                                          (ll) Communications.
                                          (mm) Other relevant 
                                        fields identified by 
                                        the Director.
                          (ii) Prohibition.--Not fewer than one 
                        member nor more than three members may 
                        represent any one category under clause 
                        (i)(III).
                          (iii) Publication of membership 
                        list.--The Advisory Committee shall 
                        publish its membership list on a 
                        publicly available website not less 
                        than once per fiscal year and shall 
                        update the membership list as changes 
                        occur.
          (2) Term of office.--
                  (A) Terms.--The term of each member of the 
                Advisory Committee shall be two years, except 
                that a member may continue to serve until a 
                successor is appointed.
                  (B) Removal.--The Director may review the 
                participation of a member of the Advisory 
                Committee and remove such member any time at 
                the discretion of the Director.
                  (C) Reappointment.--A member of the Advisory 
                Committee may be reappointed for an unlimited 
                number of terms.
          (3) Prohibition on compensation.--The members of the 
        Advisory Committee may not receive pay or benefits from 
        the United States Government by reason of their service 
        on the Advisory Committee.
          (4) Meetings.--
                  (A) In general.--The Director shall require 
                the Advisory Committee to meet not less 
                frequently than semiannually, and may convene 
                additional meetings as necessary.
                  (B) Public meetings.--At least one of the 
                meetings referred to in subparagraph (A) shall 
                be open to the public.
                  (C) Attendance.--The Advisory Committee shall 
                maintain a record of the persons present at 
                each meeting.
          (5) Member access to classified information.--
                  (A) In general.--Not later than 60 days after 
                the date on which a member is first appointed 
                to the Advisory Committee and before the member 
                is granted access to any classified 
                information, the Director shall determine, for 
                the purposes of the Advisory Committee, if the 
                member should be restricted from reviewing, 
                discussing, or possessing classified 
                information.
                  (B) Access.--Access to classified materials 
                shall be managed in accordance with Executive 
                Order No. 13526 of December 29, 2009 (75 Fed. 
                Reg. 707), or any subsequent corresponding 
                Executive Order.
                  (C) Protections.--A member of the Advisory 
                Committee shall protect all classified 
                information in accordance with the applicable 
                requirements for the particular level of 
                classification of such information.
                  (D) Rule of construction.--Nothing in this 
                paragraph shall be construed to affect the 
                security clearance of a member of the Advisory 
                Committee or the authority of a Federal agency 
                to provide a member of the Advisory Committee 
                access to classified information.
          (6) Chairperson.--The Advisory Committee shall 
        select, from among the members of the Advisory 
        Committee--
                  (A) a member to serve as chairperson of the 
                Advisory Committee; and
                  (B) a member to serve as chairperson of each 
                subcommittee of the Advisory Committee 
                established under subsection (d).
  (d) Subcommittees.--
          (1) In general.--The Director shall establish 
        subcommittees within the Advisory Committee to address 
        cybersecurity issues, which may include the following:
                  (A) Information exchange.
                  (B) Critical infrastructure.
                  (C) Risk management.
                  (D) Public and private partnerships.
          (2) Meetings and reporting.--Each subcommittee shall 
        meet not less frequently than semiannually, and submit 
        to the Advisory Committee for inclusion in the annual 
        report required under subsection (b)(4) information, 
        including activities, findings, and recommendations, 
        regarding subject matter considered by the 
        subcommittee.
          (3) Subject matter experts.--The chair of the 
        Advisory Committee shall appoint members to 
        subcommittees and shall ensure that each member 
        appointed to a subcommittee has subject matter 
        expertise relevant to the subject matter of the 
        subcommittee.

SEC. [2217]  2220. CYBERSECURITY EDUCATION AND TRAINING PROGRAMS.

  (a) Establishment.--
          (1) In general.--The Cybersecurity Education and 
        Training Assistance Program (referred to in this 
        section as ``CETAP'') is established within the Agency.
          (2) Purpose.--The purpose of CETAP shall be to 
        support the effort of the Agency in building and 
        strengthening a national cybersecurity workforce 
        pipeline capacity through enabling elementary and 
        secondary cybersecurity education, including by--
                  (A) providing foundational cybersecurity 
                awareness and literacy;
                  (B) encouraging cybersecurity career 
                exploration; and
                  (C) supporting the teaching of cybersecurity 
                skills at the elementary and secondary 
                education levels.
  (b) Requirements.--In carrying out CETAP, the Director 
shall--
          (1) ensure that the program--
                  (A) creates and disseminates cybersecurity-
                focused curricula and career awareness 
                materials appropriate for use at the elementary 
                and secondary education levels;
                  (B) conducts professional development 
                sessions for teachers;
                  (C) develops resources for the teaching of 
                cybersecurity-focused curricula described in 
                subparagraph (A);
                  (D) provides direct student engagement 
                opportunities through camps and other 
                programming;
                  (E) engages with State educational agencies 
                and local educational agencies to promote 
                awareness of the program and ensure that 
                offerings align with State and local curricula;
                  (F) integrates with existing post-secondary 
                education and workforce development programs at 
                the Department;
                  (G) promotes and supports national standards 
                for elementary and secondary cyber education;
                  (H) partners with cybersecurity and education 
                stakeholder groups to expand outreach; and
                  (I) any other activity the Director 
                determines necessary to meet the purpose 
                described in subsection (a)(2); and
          (2) enable the deployment of CETAP nationwide, with 
        special consideration for underserved populations or 
        communities.
  (c) Briefings.--
          (1) In general.--Not later than 1 year after the 
        establishment of CETAP, and annually thereafter, the 
        Secretary shall brief the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Homeland Security of the House of 
        Representatives on the program.
          (2) Contents.--Each briefing conducted under 
        paragraph (1) shall include--
                  (A) estimated figures on the number of 
                students reached and teachers engaged;
                  (B) information on outreach and engagement 
                efforts, including the activities described in 
                subsection (b)(1)(E);
                  (C) information on new curricula offerings 
                and teacher training platforms; and
                  (D) information on coordination with post-
                secondary education and workforce development 
                programs at the Department.
  (d) Mission Promotion.--The Director may use appropriated 
amounts to purchase promotional and recognition items and 
marketing and advertising services to publicize and promote the 
mission and services of the Agency, support the activities of 
the Agency, and to recruit and retain Agency personnel.

SEC. 2220A. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.

  (a) Definitions.--In this section:
          (1) Cyber threat indicator.--The term ``cyber threat 
        indicator'' has the meaning given the term in section 
        102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501).
          (2) Cybersecurity plan.--The term ``Cybersecurity 
        Plan'' means a plan submitted by an eligible entity 
        under subsection (e)(1).
          (3) Eligible entity.--The term ``eligible entity'' 
        means--
                  (A) a State; or
                  (B) an Indian tribe that, not later than 120 
                days after the date of the enactment of this 
                section or not later than 120 days before the 
                start of any fiscal year in which a grant under 
                this section is awarded--
                          (i) notifies the Secretary that the 
                        Indian tribe intends to develop a 
                        Cybersecurity Plan; and
                          (ii) agrees to forfeit any 
                        distribution under subsection (n)(2).
          (4) Incident.--The term ``incident'' has the meaning 
        given the term in section 2209.
          (5) Indian tribe; tribal organization.--The term 
        ``Indian tribe'' or ``Tribal organization'' has the 
        meaning given that term in section 4(e) of the of the 
        Indian Self-Determination and Education Assistance Act 
        (25 U.S.C. 5304(e)).
          (6) Information sharing and analysis organization.--
        The term ``information sharing and analysis 
        organization'' has the meaning given the term in 
        section 2222.
          (7) Information system.--The term ``information 
        system'' has the meaning given the term in section 102 
        of the Cybersecurity Act of 2015 (6 U.S.C. 1501).
          (8) Online service.--The term ``online service'' 
        means any internet-facing service, including a website, 
        email, virtual private network, or custom application.
          (9) Ransomware incident.--The term ``ransomware 
        incident'' means an incident that actually or 
        imminently jeopardizes, without lawful authority, the 
        integrity, confidentiality, or availability of 
        information on an information system, or actually or 
        imminently jeopardizes, without lawful authority, an 
        information system for the purpose of coercing the 
        information system's owner, operator, or another 
        person.
          (10) State and local cybersecurity grant program.--
        The term ``State and Local Cybersecurity Grant 
        Program'' means the program established under 
        subsection (b).
          (11) State and local cybersecurity resilience 
        committee.--The term ``State and Local Cybersecurity 
        Resilience Committee'' means the committee established 
        under subsection (o)(1).
  (b) Establishment.--
          (1) In general.--The Secretary, acting through the 
        Director, shall establish a program, to be known as the 
        ``the State and Local Cybersecurity Grant Program'', to 
        award grants to eligible entities to address 
        cybersecurity risks and cybersecurity threats to 
        information systems of State, local, or Tribal 
        organizations.
          (2) Application.--An eligible entity seeking a grant 
        under the State and Local Cybersecurity Grant Program 
        shall submit to the Secretary an application at such 
        time, in such manner, and containing such information 
        as the Secretary may require.
  (c) Baseline Requirements.--An eligible entity or multistate 
group that receives a grant under this section shall use the 
grant in compliance with--
          (1)(A) the Cybersecurity Plan of the eligible entity 
        or the Cybersecurity Plans of the eligible entities 
        that comprise the multistate group; and
          (B) the Homeland Security Strategy to Improve the 
        Cybersecurity of State, Local, Tribal, and Territorial 
        Governments developed under section 2210(e)(1); or
          (2) activities carried out under paragraphs (3), (4), 
        and (5) of subsection (h).
  (d) Administration.--The State and Local Cybersecurity Grant 
Program shall be administered in the same office of the 
Department that administers grants made under sections 2003 and 
2004.
  (e) Cybersecurity Plans.--
          (1) In general.--An eligible entity applying for a 
        grant under this section shall submit to the Secretary 
        a Cybersecurity Plan for approval.
          (2) Required elements.--A Cybersecurity Plan of an 
        eligible entity shall--
                  (A) incorporate, to the extent practicable, 
                any existing plans of the eligible entity to 
                protect against cybersecurity risks and 
                cybersecurity threats to information systems of 
                State, local, or Tribal organizations;
                  (B) describe, to the extent practicable, how 
                the eligible entity will--
                          (i) manage, monitor, and track 
                        information systems, applications, and 
                        user accounts owned or operated by or 
                        on behalf of the eligible entity or by 
                        local or Tribal organizations within 
                        the jurisdiction of the eligible entity 
                        and the information technology deployed 
                        on those information systems, including 
                        legacy information systems and 
                        information technology that are no 
                        longer supported by the manufacturer of 
                        the systems or technology;
                          (ii) monitor, audit, and track 
                        activity between information systems, 
                        applications, and user accounts owned 
                        or operated by or on behalf of the 
                        eligible entity or by local or Tribal 
                        organizations within the jurisdiction 
                        of the eligible entity and between 
                        those information systems and 
                        information systems not owned or 
                        operated by the eligible entity or by 
                        local or Tribal organizations within 
                        the jurisdiction of the eligible 
                        entity;
                          (iii) enhance the preparation, 
                        response, and resilience of information 
                        systems, applications, and user 
                        accounts owned or operated by or on 
                        behalf of the eligible entity or local 
                        or Tribal organizations against 
                        cybersecurity risks and cybersecurity 
                        threats;
                          (iv) implement a process of 
                        continuous cybersecurity vulnerability 
                        assessments and threat mitigation 
                        practices prioritized by degree of risk 
                        to address cybersecurity risks and 
                        cybersecurity threats on information 
                        systems of the eligible entity or local 
                        or Tribal organizations;
                          (v) ensure that State, local, and 
                        Tribal organizations that own or 
                        operate information systems that are 
                        located within the jurisdiction of the 
                        eligible entity--
                                  (I) adopt best practices and 
                                methodologies to enhance 
                                cybersecurity, such as the 
                                practices set forth in the 
                                cybersecurity framework 
                                developed by, and the cyber 
                                supply chain risk management 
                                best practices identified by, 
                                the National Institute of 
                                Standards and Technology; and
                                  (II) utilize knowledge bases 
                                of adversary tools and tactics 
                                to assess risk;
                          (vi) promote the delivery of safe, 
                        recognizable, and trustworthy online 
                        services by State, local, and Tribal 
                        organizations, including through the 
                        use of the.gov internet domain;
                          (vii) ensure continuity of operations 
                        of the eligible entity and local, and 
                        Tribal organizations in the event of a 
                        cybersecurity incident (including a 
                        ransomware incident), including by 
                        conducting exercises to practice 
                        responding to such an incident;
                          (viii) use the National Initiative 
                        for Cybersecurity Education 
                        Cybersecurity Workforce Framework 
                        developed by the National Institute of 
                        Standards and Technology to identify 
                        and mitigate any gaps in the 
                        cybersecurity workforces of State, 
                        local, or Tribal organizations, enhance 
                        recruitment and retention efforts for 
                        such workforces, and bolster the 
                        knowledge, skills, and abilities of 
                        State, local, and Tribal organization 
                        personnel to address cybersecurity 
                        risks and cybersecurity threats, such 
                        as through cybersecurity hygiene 
                        training;
                          (ix) ensure continuity of 
                        communications and data networks within 
                        the jurisdiction of the eligible entity 
                        between the eligible entity and local 
                        and Tribal organizations that own or 
                        operate information systems within the 
                        jurisdiction of the eligible entity in 
                        the event of an incident involving such 
                        communications or data networks within 
                        the jurisdiction of the eligible 
                        entity;
                          (x) assess and mitigate, to the 
                        greatest degree possible, cybersecurity 
                        risks and cybersecurity threats related 
                        to critical infrastructure and key 
                        resources, the degradation of which may 
                        impact the performance of information 
                        systems within the jurisdiction of the 
                        eligible entity;
                          (xi) enhance capabilities to share 
                        cyber threat indicators and related 
                        information between the eligible entity 
                        and local and Tribal organizations that 
                        own or operate information systems 
                        within the jurisdiction of the eligible 
                        entity, including by expanding existing 
                        information sharing agreements with the 
                        Department;
                          (xii) enhance the capability of the 
                        eligible entity to share cyber threat 
                        indictors and related information with 
                        the Department;
                          (xiii) leverage cybersecurity 
                        services offered by the Department;
                          (xiv) develop and coordinate 
                        strategies to address cybersecurity 
                        risks and cybersecurity threats to 
                        information systems of the eligible 
                        entity in consultation with--
                                  (I) local and Tribal 
                                organizations within the 
                                jurisdiction of the eligible 
                                entity; and
                                  (II) as applicable--
                                          (aa) States that 
                                        neighbor the 
                                        jurisdiction of the 
                                        eligible entity or, as 
                                        appropriate, members of 
                                        an information sharing 
                                        and analysis 
                                        organization; and
                                          (bb) countries that 
                                        neighbor the 
                                        jurisdiction of the 
                                        eligible entity; and
                          (xv) implement an information 
                        technology and operational technology 
                        modernization cybersecurity review 
                        process that ensures alignment between 
                        information technology and operational 
                        technology cybersecurity objectives;
                  (C) describe, to the extent practicable, the 
                individual responsibilities of the eligible 
                entity and local and Tribal organizations 
                within the jurisdiction of the eligible entity 
                in implementing the plan;
                  (D) outline, to the extent practicable, the 
                necessary resources and a timeline for 
                implementing the plan; and
                  (E) describe how the eligible entity will 
                measure progress towards implementing the plan.
          (3) Discretionary elements.--A Cybersecurity Plan of 
        an eligible entity may include a description of--
                  (A) cooperative programs developed by groups 
                of local and Tribal organizations within the 
                jurisdiction of the eligible entity to address 
                cybersecurity risks and cybersecurity threats; 
                and
                  (B) programs provided by the eligible entity 
                to support local and Tribal organizations and 
                owners and operators of critical infrastructure 
                to address cybersecurity risks and 
                cybersecurity threats.
          (4) Management of funds.--An eligible entity applying 
        for a grant under this section shall agree to designate 
        the Chief Information Officer, the Chief Information 
        Security Officer, or an equivalent official of the 
        eligible entity as the primary official for the 
        management and allocation of funds awarded under this 
        section.
  (f) Multistate Grants.--
          (1) In general.--The Secretary, acting through the 
        Director, may award grants under this section to a 
        group of two or more eligible entities to support 
        multistate efforts to address cybersecurity risks and 
        cybersecurity threats to information systems within the 
        jurisdictions of the eligible entities.
          (2) Satisfaction of other requirements.--In order to 
        be eligible for a multistate grant under this 
        subsection, each eligible entity that comprises a 
        multistate group shall submit to the Secretary--
                  (A) a Cybersecurity Plan for approval in 
                accordance with subsection (i); and
                  (B) a plan for establishing a cybersecurity 
                planning committee under subsection (g).
          (3) Application.--
                  (A) In general.--A multistate group applying 
                for a multistate grant under paragraph (1) 
                shall submit to the Secretary an application at 
                such time, in such manner, and containing such 
                information as the Secretary may require.
                  (B) Multistate project description.--An 
                application of a multistate group under 
                subparagraph (A) shall include a plan 
                describing--
                          (i) the division of responsibilities 
                        among the eligible entities that 
                        comprise the multistate group for 
                        administering the grant for which 
                        application is being made;
                          (ii) the distribution of funding from 
                        such a grant among the eligible 
                        entities that comprise the multistate 
                        group; and
                          (iii) how the eligible entities that 
                        comprise the multistate group will work 
                        together to implement the Cybersecurity 
                        Plan of each of those eligible 
                        entities.
  (g) Planning Committees.--
          (1) In general.--An eligible entity that receives a 
        grant under this section shall establish a 
        cybersecurity planning committee to--
                  (A) assist in the development, 
                implementation, and revision of the 
                Cybersecurity Plan of the eligible entity;
                  (B) approve the Cybersecurity Plan of the 
                eligible entity; and
                  (C) assist in the determination of effective 
                funding priorities for a grant under this 
                section in accordance with subsection (h).
          (2) Composition.--A committee of an eligible entity 
        established under paragraph (1) shall--
                  (A) be comprised of representatives from the 
                eligible entity and counties, cities, towns, 
                Tribes, and public educational and health 
                institutions within the jurisdiction of the 
                eligible entity; and
                  (B) include, as appropriate, representatives 
                of rural, suburban, and high-population 
                jurisdictions.
          (3) Cybersecurity expertise.--Not less than \1/2\ of 
        the representatives of a committee established under 
        paragraph (1) shall have professional experience 
        relating to cybersecurity or information technology.
          (4) Rule of construction regarding existing planning 
        committees.--Nothing in this subsection may be 
        construed to require an eligible entity to establish a 
        cybersecurity planning committee if the eligible entity 
        has established and uses a multijurisdictional planning 
        committee or commission that meets, or may be leveraged 
        to meet, the requirements of this subsection.
  (h) Use of Funds.--An eligible entity that receives a grant 
under this section shall use the grant to--
          (1) implement the Cybersecurity Plan of the eligible 
        entity;
          (2) develop or revise the Cybersecurity Plan of the 
        eligible entity; or
          (3) assist with activities that address imminent 
        cybersecurity risks or cybersecurity threats to the 
        information systems of the eligible entity or a local 
        or Tribal organization within the jurisdiction of the 
        eligible entity.
  (i) Approval of Plans.--
          (1) Approval as condition of grant.--Before an 
        eligible entity may receive a grant under this section, 
        the Secretary, acting through the Director, shall 
        review the Cybersecurity Plan, or any revisions 
        thereto, of the eligible entity and approve such plan, 
        or revised plan, if it satisfies the requirements 
        specified in paragraph (2).
          (2) Plan requirements.--In approving a Cybersecurity 
        Plan of an eligible entity under this subsection, the 
        Director shall ensure that the Cybersecurity Plan--
                  (A) satisfies the requirements of subsection 
                (e)(2);
                  (B) upon the issuance of the Homeland 
                Security Strategy to Improve the Cybersecurity 
                of State, Local, Tribal, and Territorial 
                Governments authorized pursuant to section 
                2210(e), complies, as appropriate, with the 
                goals and objectives of the strategy; and
                  (C) has been approved by the cybersecurity 
                planning committee of the eligible entity 
                established under subsection (g).
          (3) Approval of revisions.--The Secretary, acting 
        through the Director, may approve revisions to a 
        Cybersecurity Plan as the Director determines 
        appropriate.
          (4) Exception.--Notwithstanding subsection (e) and 
        paragraph (1) of this subsection, the Secretary may 
        award a grant under this section to an eligible entity 
        that does not submit a Cybersecurity Plan to the 
        Secretary if--
                  (A) the eligible entity certifies to the 
                Secretary that--
                          (i) the activities that will be 
                        supported by the grant are integral to 
                        the development of the Cybersecurity 
                        Plan of the eligible entity; and
                          (ii) the eligible entity will submit 
                        by September 30, 2023, to the Secretary 
                        a Cybersecurity Plan for review, and if 
                        appropriate, approval; or
                  (B) the eligible entity certifies to the 
                Secretary, and the Director confirms, that the 
                eligible entity will use funds from the grant 
                to assist with the activities described in 
                subsection (h)(3).
  (j) Limitations on Uses of Funds.--
          (1) In general.--An eligible entity that receives a 
        grant under this section may not use the grant--
                  (A) to supplant State, local, or Tribal 
                funds;
                  (B) for any recipient cost-sharing 
                contribution;
                  (C) to pay a demand for ransom in an attempt 
                to--
                          (i) regain access to information or 
                        an information system of the eligible 
                        entity or of a local or Tribal 
                        organization within the jurisdiction of 
                        the eligible entity; or
                          (ii) prevent the disclosure of 
                        information that has been removed 
                        without authorization from an 
                        information system of the eligible 
                        entity or of a local or Tribal 
                        organization within the jurisdiction of 
                        the eligible entity;
                  (D) for recreational or social purposes; or
                  (E) for any purpose that does not address 
                cybersecurity risks or cybersecurity threats on 
                information systems of the eligible entity or 
                of a local or Tribal organization within the 
                jurisdiction of the eligible entity.
          (2) Penalties.--In addition to any other remedy 
        available, the Secretary may take such actions as are 
        necessary to ensure that a recipient of a grant under 
        this section uses the grant for the purposes for which 
        the grant is awarded.
          (3) Rule of construction.--Nothing in paragraph (1) 
        may be construed to prohibit the use of grant funds 
        provided to a State, local, or Tribal organization for 
        otherwise permissible uses under this section on the 
        basis that a State, local, or Tribal organization has 
        previously used State, local, or Tribal funds to 
        support the same or similar uses.
  (k) Opportunity to Amend Applications.--In considering 
applications for grants under this section, the Secretary shall 
provide applicants with a reasonable opportunity to correct 
defects, if any, in such applications before making final 
awards.
  (l) Apportionment.--For fiscal year 2022 and each fiscal year 
thereafter, the Secretary shall apportion amounts appropriated 
to carry out this section among States as follows:
          (1) Baseline amount.--The Secretary shall first 
        apportion 0.25 percent of such amounts to each of 
        American Samoa, the Commonwealth of the Northern 
        Mariana Islands, Guam, the U.S. Virgin Islands, and 
        0.75 percent of such amounts to each of the remaining 
        States.
          (2) Remainder.--The Secretary shall apportion the 
        remainder of such amounts in the ratio that--
                  (A) the population of each eligible entity, 
                bears to
                  (B) the population of all eligible entities.
          (3) Minimum allocation to indian tribes.--
                  (A) In general.--In apportioning amounts 
                under this section, the Secretary shall ensure 
                that, for each fiscal year, directly eligible 
                Tribes collectively receive, from amounts 
                appropriated under the State and Local 
                Cybersecurity Grant Program, not less than an 
                amount equal to three percent of the total 
                amount appropriated for grants under this 
                section.
                  (B) Allocation.--Of the amount reserved under 
                subparagraph (A), funds shall be allocated in a 
                manner determined by the Secretary in 
                consultation with Indian tribes.
                  (C) Exception.--This paragraph shall not 
                apply in any fiscal year in which the 
                Secretary--
                          (i) receives fewer than five 
                        applications from Indian tribes; or
                          (ii) does not approve at least two 
                        application from Indian tribes.
  (m) Federal Share.--
          (1) In general.--The Federal share of the cost of an 
        activity carried out using funds made available with a 
        grant under this section may not exceed--
                  (A) in the case of a grant to an eligible 
                entity--
                          (i) for fiscal year 2022, 90 percent;
                          (ii) for fiscal year 2023, 80 
                        percent;
                          (iii) for fiscal year 2024, 70 
                        percent;
                          (iv) for fiscal year 2025, 60 
                        percent; and
                          (v) for fiscal year 2026 and each 
                        subsequent fiscal year, 50 percent; and
                  (B) in the case of a grant to a multistate 
                group--
                          (i) for fiscal year 2022, 95 percent;
                          (ii) for fiscal year 2023, 85 
                        percent;
                          (iii) for fiscal year 2024, 75 
                        percent;
                          (iv) for fiscal year 2025, 65 
                        percent; and
                          (v) for fiscal year 2026 and each 
                        subsequent fiscal year, 55 percent.
          (2) Waiver.--The Secretary may waive or modify the 
        requirements of paragraph (1) for an Indian tribe if 
        the Secretary determines such a waiver is in the public 
        interest.
  (n) Responsibilities of Grantees.--
          (1) Certification.--Each eligible entity or 
        multistate group that receives a grant under this 
        section shall certify to the Secretary that the grant 
        will be used--
                  (A) for the purpose for which the grant is 
                awarded; and
                  (B) in compliance with, as the case may be--
                          (i) the Cybersecurity Plan of the 
                        eligible entity;
                          (ii) the Cybersecurity Plans of the 
                        eligible entities that comprise the 
                        multistate group; or
                          (iii) a purpose approved by the 
                        Secretary under subsection (h) or 
                        pursuant to an exception under 
                        subsection (i).
          (2) Availability of funds to local and tribal 
        organizations.--Not later than 45 days after the date 
        on which an eligible entity or multistate group 
        receives a grant under this section, the eligible 
        entity or multistate group shall, without imposing 
        unreasonable or unduly burdensome requirements as a 
        condition of receipt, obligate or otherwise make 
        available to local and Tribal organizations within the 
        jurisdiction of the eligible entity or the eligible 
        entities that comprise the multistate group, and as 
        applicable, consistent with the Cybersecurity Plan of 
        the eligible entity or the Cybersecurity Plans of the 
        eligible entities that comprise the multistate group--
                  (A) not less than 80 percent of funds 
                available under the grant;
                  (B) with the consent of the local and Tribal 
                organizations, items, services, capabilities, 
                or activities having a value of not less than 
                80 percent of the amount of the grant; or
                  (C) with the consent of the local and Tribal 
                organizations, grant funds combined with other 
                items, services, capabilities, or activities 
                having the total value of not less than 80 
                percent of the amount of the grant.
          (3) Certifications regarding distribution of grant 
        funds to local and tribal organizations.--An eligible 
        entity or multistate group shall certify to the 
        Secretary that the eligible entity or multistate group 
        has made the distribution to local, Tribal, and 
        territorial governments required under paragraph (2).
          (4) Extension of period.--
                  (A) In general.--An eligible entity or 
                multistate group may request in writing that 
                the Secretary extend the period of time 
                specified in paragraph (2) for an additional 
                period of time.
                  (B) Approval.--The Secretary may approve a 
                request for an extension under subparagraph (A) 
                if the Secretary determines the extension is 
                necessary to ensure that the obligation and 
                expenditure of grant funds align with the 
                purpose of the State and Local Cybersecurity 
                Grant Program.
          (5) Exception.--Paragraph (2) shall not apply to the 
        District of Columbia, the Commonwealth of Puerto Rico, 
        American Samoa, the Commonwealth of the Northern 
        Mariana Islands, Guam, the Virgin Islands, or an Indian 
        tribe.
          (6) Direct funding.--If an eligible entity does not 
        make a distribution to a local or Tribal organization 
        required in accordance with paragraph (2), the local or 
        Tribal organization may petition the Secretary to 
        request that grant funds be provided directly to the 
        local or Tribal organization.
          (7) Penalties.--In addition to other remedies 
        available to the Secretary, the Secretary may terminate 
        or reduce the amount of a grant awarded under this 
        section to an eligible entity or distribute grant funds 
        previously awarded to such eligible entity directly to 
        the appropriate local or Tribal organization as a 
        replacement grant in an amount the Secretary determines 
        appropriate if such eligible entity violates a 
        requirement of this subsection.
  (o) Advisory Committee.--
          (1) Establishment.--Not later than 120 days after the 
        date of enactment of this section, the Director shall 
        establish a State and Local Cybersecurity Resilience 
        Committee to provide State, local, and Tribal 
        stakeholder expertise, situational awareness, and 
        recommendations to the Director, as appropriate, 
        regarding how to--
                  (A) address cybersecurity risks and 
                cybersecurity threats to information systems of 
                State, local, or Tribal organizations; and
                  (B) improve the ability of State, local, and 
                Tribal organizations to prevent, protect 
                against, respond to, mitigate, and recover from 
                such cybersecurity risks and cybersecurity 
                threats.
          (2) Duties.--The committee established under 
        paragraph (1) shall--
                  (A) submit to the Director recommendations 
                that may inform guidance for applicants for 
                grants under this section;
                  (B) upon the request of the Director, provide 
                to the Director technical assistance to inform 
                the review of Cybersecurity Plans submitted by 
                applicants for grants under this section, and, 
                as appropriate, submit to the Director 
                recommendations to improve those plans prior to 
                the approval of the plans under subsection (i);
                  (C) advise and provide to the Director input 
                regarding the Homeland Security Strategy to 
                Improve Cybersecurity for State, Local, Tribal, 
                and Territorial Governments required under 
                section 2210;
                  (D) upon the request of the Director, provide 
                to the Director recommendations, as 
                appropriate, regarding how to--
                          (i) address cybersecurity risks and 
                        cybersecurity threats on information 
                        systems of State, local, or Tribal 
                        organizations; and
                          (ii) improve the cybersecurity 
                        resilience of State, local, or Tribal 
                        organizations; and
                  (E) regularly coordinate with the State, 
                Local, Tribal and Territorial Government 
                Coordinating Council, within the Critical 
                Infrastructure Partnership Advisory Council, 
                established under section 871.
          (3) Membership.--
                  (A) Number and appointment.--The State and 
                Local Cybersecurity Resilience Committee 
                established pursuant to paragraph (1) shall be 
                composed of 15 members appointed by the 
                Director, as follows:
                          (i) Two individuals recommended to 
                        the Director by the National Governors 
                        Association.
                          (ii) Two individuals recommended to 
                        the Director by the National 
                        Association of State Chief Information 
                        Officers.
                          (iii) One individual recommended to 
                        the Director by the National Guard 
                        Bureau.
                          (iv) Two individuals recommended to 
                        the Director by the National 
                        Association of Counties.
                          (v) One individual recommended to the 
                        Director by the National League of 
                        Cities.
                          (vi) One individual recommended to 
                        the Director by the United States 
                        Conference of Mayors.
                          (vii) One individual recommended to 
                        the Director by the Multi-State 
                        Information Sharing and Analysis 
                        Center.
                          (viii) One individual recommended to 
                        the Director by the National Congress 
                        of American Indians.
                          (viii) Four individuals who have 
                        educational and professional experience 
                        relating to cybersecurity work or 
                        cybersecurity policy.
                  (B) Terms.--
                          (i) In general.--Subject to clause 
                        (ii), each member of the State and 
                        Local Cybersecurity Resilience 
                        Committee shall be appointed for a term 
                        of two years.
                          (ii) Requirement.--At least two 
                        members of the State and Local 
                        Cybersecurity Resilience Committee 
                        shall also be members of the State, 
                        Local, Tribal and Territorial 
                        Government Coordinating Council, within 
                        the Critical Infrastructure Partnership 
                        Advisory Council, established under 
                        section 871.
                          (iii) Exception.--A term of a member 
                        of the State and Local Cybersecurity 
                        Resilience Committee shall be three 
                        years if the member is appointed 
                        initially to the Committee upon the 
                        establishment of the Committee.
                          (iv) Term remainders.--Any member of 
                        the State and Local Cybersecurity 
                        Resilience Committee appointed to fill 
                        a vacancy occurring before the 
                        expiration of the term for which the 
                        member's predecessor was appointed 
                        shall be appointed only for the 
                        remainder of such term. A member may 
                        serve after the expiration of such 
                        member's term until a successor has 
                        taken office.
                          (v) Vacancies.--A vacancy in the 
                        State and Local Cybersecurity 
                        Resilience Committee shall be filled in 
                        the manner in which the original 
                        appointment was made.
                  (C) Pay.--Members of the State and Local 
                Cybersecurity Resilience Committee shall serve 
                without pay.
          (4) Chairperson; vice chairperson.--The members of 
        the State and Local Cybersecurity Resilience Committee 
        shall select a chairperson and vice chairperson from 
        among members of the committee.
          (5) Permanent authority.--Notwithstanding section 14 
        of the Federal Advisory Committee Act (5 U.S.C. App.), 
        the State and Local Cybersecurity Resilience Committee 
        shall be a permanent authority.
  (p) Reports.--
          (1) Annual reports by grant recipients.--
                  (A) In general.--Not later than one year 
                after an eligible entity or multistate group 
                receives funds under this section, the eligible 
                entity or multistate group shall submit to the 
                Secretary a report on the progress of the 
                eligible entity or multistate group in 
                implementing the Cybersecurity Plan of the 
                eligible entity or Cybersecurity Plans of the 
                eligible entities that comprise the multistate 
                group, as the case may be.
                  (B) Absence of plan.--Not later than 180 days 
                after an eligible entity that does not have a 
                Cybersecurity Plan receives funds under this 
                section for developing its Cybersecurity Plan, 
                the eligible entity shall submit to the 
                Secretary a report describing how the eligible 
                entity obligated and expended grant funds 
                during the fiscal year to--
                          (i) so develop such a Cybersecurity 
                        Plan; or
                          (ii) assist with the activities 
                        described in subsection (h)(3).
          (2) Annual reports to congress.--Not less frequently 
        than once per year, the Secretary, acting through the 
        Director, shall submit to Congress a report on the use 
        of grants awarded under this section and any progress 
        made toward the following:
                  (A) Achieving the objectives set forth in the 
                Homeland Security Strategy to Improve the 
                Cybersecurity of State, Local, Tribal, and 
                Territorial Governments, upon the date on which 
                the strategy is issued under section 2210.
                  (B) Developing, implementing, or revising 
                Cybersecurity Plans.
                  (C) Reducing cybersecurity risks and 
                cybersecurity threats to information systems, 
                applications, and user accounts owned or 
                operated by or on behalf of State, local, and 
                Tribal organizations as a result of the award 
                of such grants.
  (q) Authorization of Appropriations.--There are authorized to 
be appropriated for grants under this section--
          (1) for each of fiscal years 2022 through 2026, 
        $500,000,000; and
          (2) for each subsequent fiscal year, such sums as may 
        be necessary.

SEC. 2220B. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR STATE, LOCAL, 
                    TRIBAL, AND TERRITORIAL GOVERNMENT OFFICIALS.

  The Secretary, acting through the Director, shall develop, 
regularly update, and maintain a resource guide for use by 
State, local, Tribal, and territorial government officials, 
including law enforcement officers, to help such officials 
identify, prepare for, detect, protect against, respond to, and 
recover from cybersecurity risks (as such term is defined in 
section 2209), cybersecurity threats, and incidents (as such 
term is defined in section 2209).

           *       *       *       *       *       *       *

                              ----------                              


 SECTION 904 OF DIVISION U OF THE CONSOLIDATED APPROPRIATIONS ACT, 2021

SEC. 904. DUTIES OF DEPARTMENT OF HOMELAND SECURITY.

  (a) Purpose.--The purpose of the.gov internet domain program 
is to--
          (1) legitimize and enhance public trust in government 
        entities and their online services;
          (2) facilitate trusted electronic communication and 
        connections to and from government entities;
          (3) provide simple and secure registration of.gov 
        internet domains;
          (4) improve the security of the services hosted 
        within these.gov internet domains, and of the.gov 
        namespace in general; and
          (5) enable the discoverability of government services 
        to the public and to domain registrants.
  (b) Duties and Authorities Relating to the.gov Internet 
Domain.--
          (1) In general.--Subtitle A of title XXII of the 
        Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is 
        amended--
                  (A) (Omitted amendatory)
                  (B) (Omitted amendatory)
          (2) Additional duties.--
                  (A) Outreach strategy.--Not later than 1 year 
                after the date of enactment of this Act, the 
                Director, in consultation with the 
                Administrator and entities representing State, 
                local, Tribal, or territorial governments, 
                shall develop and submit to the Committee on 
                Homeland Security and Governmental Affairs and 
                the Committee on Rules and Administration of 
                the Senate and the Committee on Homeland 
                Security, the Committee on Oversight and 
                Reform, and the Committee on House 
                Administration of the House of Representatives 
                an outreach strategy to local, Tribal, and 
                territorial governments and other publicly 
                controlled entities as determined by the 
                Director to inform and support migration to 
                the.gov internet domain, which shall include--
                          (i) stakeholder engagement plans; and
                          (ii) information on how migrating 
                        information technology systems to 
                        the.gov internet domain is beneficial 
                        to that entity, including benefits 
                        relating to cybersecurity and the 
                        supporting services offered by the 
                        Federal Government.
                  (B) Reference guide.--Not later than 1 year 
                after the date of enactment of this Act, the 
                Director, in consultation with the 
                Administrator and entities representing State, 
                local, Tribal, or territorial governments, 
                shall develop and publish on a publicly 
                available website a reference guide for 
                migrating online services to the.gov internet 
                domain, which shall include--
                          (i) process and technical information 
                        on how to carry out a migration of 
                        common categories of online services, 
                        such as web and email services;
                          (ii) best practices for cybersecurity 
                        pertaining to registration and 
                        operation of a.gov internet domain; and
                          (iii) an outline of specific security 
                        enhancements the.gov program intends to 
                        provide to users during that 5-year 
                        period.
          (3) (Omitted amendatory)
  (c) (Omitted amendatory)

           *       *       *       *       *       *       *