[Senate Report 117-42]
[From the U.S. Government Publishing Office]
Calendar No. 152
117th Congress } { Report
SENATE
1st Session } { 117-42
_______________________________________________________________________
STATE AND LOCAL GOVERNMENT CYBERSECURITY ACT OF 2021
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 2520
TO AMEND THE HOMELAND SECURITY ACT OF 2002
TO PROVIDE FOR ENGAGEMENTS WITH STATE, LOCAL,
TRIBAL, AND TERRITORIAL GOVERNMENTS, AND FOR
OTHER PURPOSES
October 21, 2021.--Ordered to be printed
__________
U.S. GOVERNMENT PUBLISHING OFFICE
29-007 WASHINGTON : 2021
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona RAND PAUL, Kentucky
JACKY ROSEN, Nevada JAMES LANKFORD, Oklahoma
ALEX PADILLA, California MITT ROMNEY, Utah
JON OSSOFF, Georgia RICK SCOTT, Florida
JOSH HAWLEY, Missouri
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Christopher J. Mulkins, Director of Homeland Security
Michael A. Garcia, Professional Staff Member
Pamela Thiessen, Minority Staff Director
Andrew C. Dockham, Minority Chief Counsel and Deputy Staff Director
Cara G. Mumford, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
======================================================================
STATE AND LOCAL GOVERNMENT CYBERSECURITY
ACT OF 2021
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 2520]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 2520) to amend the
Homeland Security Act of 2002 to provide for engagements with
State, local, Tribal, and territorial governments, and for
other purposes, having considered the same, reports favorably
thereon with an amendment (in the nature of a substitute) and
recommends the bill, as amended, do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis of the Bill, as Reported
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported
I. Purpose and Summary
S. 2520, the State and Local Government Cybersecurity Act
of 2021, amends the Homeland Security Act of 2002 to help
State, local, Tribal, and territorial (SLTT) entities enhance
their cybersecurity. The bill codifies and strengthens the
cybersecurity relationship between the Multi-State Information
Sharing and Analysis Center (MS-ISAC) and the Department of
Homeland Security (DHS). It authorizes DHS to work with MS-ISAC
to assist SLTT entities by conducting cybersecurity exercises,
sharing information to increase situational awareness and
prevent incidents, and coordinating effective implementation of
cybersecurity tools, products, resources, policies, and
guidelines. The bill also directs DHS to report to Congress on
any services that the Cybersecurity and Infrastructure Security
Agency (CISA), directly or indirectly through the MS-ISAC,
provides to SLTT entities.
II. Background and Need for the Legislation
State and local governments oversee critical, daily
services that Americans rely on, such as water utilities,
schools, health care facilities, and other vital services. As
these services increasingly become connected to the internet,
malicious cyber actors have targeted them for criminal or other
malicious purposes.\1\ In 2020, cybercriminals targeted at
least 2,350 government entities with ransomware attacks,
including nearly 1,700 educational institutions and 560
healthcare facilities.\2\ Many of these public entities lack
the resources to prepare for and respond to ransomware and
other cyber attacks. A 2020 survey of state chief information
security officers found that 70% of respondents listed
ransomware as a top concern for potential breaches in part due
to inadequate funding and a lack of confidence in the ability
of localities to protect state information assets.\3\ While DHS
operates disaster preparedness grant programs that SLTT
entities can use for cybersecurity purposes, only 2.35%
(roughly $40 million) of those grants were used for
cybersecurity in fiscal year 2019.\4\
---------------------------------------------------------------------------
\1\Michael Garcia, The Underbelly of Ransomware Attacks: Local
Governments, Council on Foreign Relations: Net Politics (blog) (May 10,
2021) (https://www.cfr.org/blog/underbelly-ransomware-attacks-local-
governments).
\2\Emsisoft Malware Lab, The State of Ransomware in the US: Report
and Statistics 2020, Emsisoft (blog) (Jan. 18, 2021) (https://
blog.emsisoft.com/en/37314/the-state-of-ransomware-in-the-us-report-
and-statistics-2020/).
\3\Deloitte Insights, 2020 Deloitte-NASCIO Cybersecurity Study 10,
28 (2020) (https://www.nascio.org/wp-content/uploads/2020/10/2020-
Deloitte-NASCIO-Cybersecurity-Study-1.pdf).
\4\Department of Homeland Security, 2020 National Preparedness
Report 46 (Dec. 2020) (https://www.fema.gov/sites/default/files/
documents/fema_2020-national-preparedness-report.pdf).
---------------------------------------------------------------------------
The MS-ISAC helps SLTT entities bolster their cybersecurity
through focused cyber threat prevention, protection, response,
and recovery offerings and assistance.\5\ The MS-ISAC is a
division within the nonprofit Center for Internet Security
(CIS), which also manages the Elections Infrastructure
Information Sharing and Analysis Center (EI-ISAC).\6\ CIS is a
20-year-old organization that develops and helps businesses and
governments implement cybersecurity best practices and created
the MS-ISAC in 2004 to help SLTT entities with cyber
prevention, protection, response, and recovery.\7\ The MS-ISAC
maintains its own 24/7 watch and warning center and a computer
emergency response team that can provide members with cyber
incident response; malware, log, and forensics analysis;
reverse engineering; and vulnerability assessments.\8\ DHS's
24-hour watch floor, the National Cybersecurity and
Communications Integration Center (NCCIC), coordinates with the
MS-ISAC to share information and help states and localities
stay on top of emerging and evolving cyber threats.\9\ MS-ISAC
analysts are co-located on the NCCIC watch floor and work in
tandem with NCCIC analysts to improve and support the nation's
cybersecurity posture.\10\ Today, the MS-ISAC has over 2,500
members including government, education, utility, and
transportation entities.\11\
---------------------------------------------------------------------------
\5\Center for Internet Security, MS-ISAC (https://
www.cisecurity.org/ms-isac/) (accessed Sept. 27, 2021).
\6\Center for Internet Security, Elections Infrastructure ISAC
(https://www.cisecurity.org/ei-isac/) (accessed Sept. 27, 2021).
\7\Center for Internet Security, About Us (https://
www.cisecurity.org/about-us/) (accessed Sept. 30, 2021).
\8\Center for Internet Security, Services (https://
www.cisecurity.org/ms-isac/services/) (accessed Sept. 27, 2021).
\9\Department of Homeland Security, NCCIC Services for State, Local,
Tribal, and Territorial Governments (https://us-cert.cisa.gov/sites/
default/files/publications/NCCIC%20Service%20Menu%20-%20SLTT.pdf)
(accessed Sept. 27, 2021).
\10\Multi-State Information Sharing & Analysis Center, Services
Guide 7 (Jan. 5, 2018) (https://www.cisecurity.org/wp-content/uploads/
2018/02/MS-ISAC-Services-Guide-eBook-2018-5-Jan.pdf).
\11\Center for Internet Security, MS ISAC Membership FAQ (https://
www.cisecurity.org/ms-isac/ms-isac-membership-faq/) (accessed Sept. 27,
2021).
---------------------------------------------------------------------------
S. 2520 codifies and strengthens the cybersecurity
relationship between the MS-ISAC and DHS, which will provide
additional cybersecurity services to SLTT entities. The bill
authorizes DHS to work with the MS-ISAC to assist SLTT entities
by conducting cybersecurity exercises with them; sharing cyber
threat indicators, defensive measures, cybersecurity risks, and
ongoing cyber incidents to increase situational awareness and
help prevent incidents; and providing notifications with
specific incident and malware information. This bill will also
ensure MS-ISAC can continue enhancing and expanding its work
with chief information officers, senior election officials, and
others to coordinate effective implementation of tools,
products, resources, policies, procedures, and guidelines to
ensure the resiliency of systems, including election systems.
In addition to these and other activities, S. 2520 directs DHS
to submit a report to Congress on the cybersecurity services
and capabilities that CISA, directly or indirectly through the
MS-ISAC, provides to SLTT entities.
III. Legislative History
Chairman Gary Peters (D-MI) introduced S. 2520, the State
and Local Government Cybersecurity Act of 2021, on July 28,
2021. Ranking Member Rob Portman (R-OH) joined as a cosponsor
on August 4, 2021. The bill was referred to the Senate
Committee on Homeland Security and Governmental Affairs. The
Committee considered S. 2520 at a business meeting on August 4,
2021. During the business meeting, a substitute amendment was
offered by Chairman Peters and Ranking Member Portman. The
Peters-Portman Substitute Amendment was adopted by voice vote
en bloc with Senators Peters, Carper, Hassan, Sinema, Rosen,
Padilla, Ossoff, Portman, Johnson, Lankford, Romney, Scott, and
Hawley present. The Committee ordered the bill, as amended,
reported favorably by voice vote en bloc with Senators Peters,
Carper, Hassan, Sinema, Rosen, Padilla, Ossoff, Portman,
Johnson, Lankford, Romney, Scott, and Hawley present.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section designates the name of the bill as the ``State
and Local Government Cybersecurity Act of 2021.''
Section 2. Amendments to the Homeland Security Act of 2002
This section amends Subtitle A of title XXII of the
Homeland Security Act of 2002.
Paragraph (1) adds a definition of SLTT entity.
Paragraph (2), subparagraph (A) specifies that NCCIC will
provide ``operational'' information on cyber threats, risks,
and incidents to Federal and non-Federal entities.
Paragraph (2), subparagraph (B) adds a requirement that
NCCIC will include an entity that collaborates with state and
local election officials.
Paragraph (2), subparagraph (C) requires NCCIC to
coordinate with Federal and non-Federal entities like the MS-
ISAC to: conduct cybersecurity exercises with SLTT entities;
offer operational and technical cybersecurity training for SLTT
entities; assist SLTT entities with real-time information
sharing; provide SLTT entities with notifications about
specific incidents or malware information; provide to and
periodically update SLTT entities on information about tools
and products, resources, policies, guidelines, controls, and
cybersecurity standards and best practices; work with senior
SLTT officials to coordinate implementation of cybersecurity
best practices and products; provide operational and technical
assistance to help SLTT entities implement cybersecurity best
practices and products; assist SLTT entities in developing
their policies and procedures for coordinating vulnerability
disclosures; and promote cybersecurity education and awareness.
Subparagraph (C) also requires biannual reports by DHS to
appropriate congressional committees on the services and
capabilities that CISA directly and indirectly provides to SLTT
entities.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, September 24, 2021.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 2520, the State and
Local Government Cybersecurity Act of 2021.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
S. 2520 would authorize the Department of Homeland Security
(DHS) to coordinate with state, local, tribal, and territorial
governments to enhance the cybersecurity of their information
systems. Under the bill, DHS would continue to assist those
governments by conducting cybersecurity exercises, providing
training, and notifying them of cybersecurity threats. The bill
also would require the department to report to the Congress on
the effectiveness of its efforts.
DHS is already performing the coordination activities
required by S. 2520; thus, the bill would codify those
responsibilities but would not impose any new operating
requirements on the department. CBO estimates that implementing
S. 2520 would cost less than $500,000 over the 2021-2026 period
to prepare and deliver the required reports; such spending
would be subject to the availability of appropriations.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Director of Budget
Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows: (existing law
proposed to be omitted is enclosed in brackets, new matter is
printed in italic, and existing law in which no change is
proposed is shown in roman):
UNITED STATES CODE
* * * * * * *
TITLE 6--DOMESTIC SECURITY
* * * * * * *
CHAPTER 1--HOMELAND SECURITY ORGANIZATION
* * * * * * *
Subchapter XVIII--Cybersecurity and Infrastructure Security Agency
* * * * * * *
Part A--Cybersecurity and Infrastructure Security
* * * * * * *
SEC. 651. DEFINITIONS
In this part:
(1) * * *
* * * * * * *
(7) SLTT Entity.--The term `SLTT entity' means a domestic
government entity that is a State government, local government,
Tribal government, territorial government, or any subdivision
thereof.
* * * * * * *
SEC. 659. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER
(a) * * *
(b) * * *
(c) Functions.--The cybersecurity functions of the Center
shall include--
(1) * * *
* * * * * * *
(6) upon request, providing operational and timely
technical assistance, risk management support, and
incident response capabilities to Federal and non-
Federal entities with respect to cyber threat
indicators, defensive measures, cybersecurity risks,
and incidents, which may include attribution,
mitigation, and remediation;
* * * * * * *
(d) Composition.--
(1) In general.--The Center shall be composed of--
(A) * * *
* * * * * * *
(E) an entity that collaborates with State
and local governments, including an entity that
collaborates with election officials, on
cybersecurity risks and incidents, and has
entered into a voluntary information sharing
relationship with the Center; and
* * * * * * *
(p) Coordination on Cybersecurity for SLTT Entities.--
(1) Coordination.--The Center shall, upon request and
to the extent practicable, and in coordination as
appropriate with Federal and non-Federal entities, such
as the Multi-State Information Sharing and Analysis
Center--
(A) conduct exercises with SLTT entities;
(B) provide operational and technical
cybersecurity training to SLTT entities to
address cybersecurity risks or incidents, with
or without reimbursement, related to--
(i) cyber threat indicators;
(ii) defensive measures;
(iii) cybersecurity risks;
(iv) vulnerabilities; and
(v) incident response and management;
(C) in order to increase situational
awareness and help prevent incidents, assist
SLTT entities in sharing, in real time, with
the Federal Government as well as among SLTT
entities, actionable--
(i) cyber threat indicators;
(ii) defensive measures;
(iii) information about cybersecurity
risks; and
(iv) information about incidents;
(D) provide SLTT entities notifications
containing specific incident and malware
information that may affect them or their
residents;
(E) provide to, and periodically update, SLTT
entities via an easily accessible platform and
other means--
(i) information about tools;
(ii) information about products;
(iii) resources;
(iv) policies;
(v) guidelines;
(vi) controls; and
(vii) other cybersecurity standards
and best practices and procedures
related to information security;
(F) work with senior SLTT entity officials,
including chief information officers and senior
election officials and through national
associations, to coordinate the effective
implementation by SLTT entities of tools,
products, resources, policies, guidelines,
controls, and procedures related to information
security to secure the information systems,
including election systems, of SLTT entities;
(G) provide operational and technical
assistance to SLTT entities to implement tools,
products, resources, policies, guidelines,
controls, and procedures on information
security;
(H) assist SLTT entities in developing
policies and procedures for coordinating
vulnerability disclosures consistent with
international and national standards in the
information technology industry; and
(I) promote cybersecurity education and
awareness through engagements with Federal
agencies and non-Federal entities.
(p) Report.--Not later than 1 year after the date of
enactment of this subsection, and every 2 years thereafter, the
Secretary shall submit to the Committee on Homeland Security
and Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives a report on
the services and capabilities that the Agency directly and
indirectly provides to SLTT entities.
* * * * * * *