[117th Congress Public Law 150]
[From the U.S. Government Publishing Office]



[[Page 136 STAT. 1295]]

Public Law 117-150
117th Congress

                                 An Act


 
 To amend the Homeland Security Act of 2002 to provide for engagements 
 with State, local, Tribal, and territorial governments, and for other 
             purposes. <<NOTE: June 21, 2022 -  [S. 2520]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled, <<NOTE: State and 
Local Government Cybersecurity Act of 2021.>> 
SECTION 1. <<NOTE: 6 USC 101 note.>>  SHORT TITLE.

    This Act may be cited as the ``State and Local Government 
Cybersecurity Act of 2021''.
SEC. 2. AMENDMENTS TO THE HOMELAND SECURITY ACT OF 2002.

    Subtitle A of title XXII of the Homeland Security Act of 2002 (6 
U.S.C. 651 et seq.) is amended--
            (1) in section 2201 (6 U.S.C. 651), by adding at the end the 
        following:
            ``(7) SLTT entity.--The term `SLTT entity' means a domestic 
        government entity that is a State government, local government, 
        Tribal government, territorial government, or any subdivision 
        thereof.''; and
            (2) in section 2209 (6 U.S.C. 659)--
                    (A) in subsection (c)(6), by inserting ``operational 
                and'' before ``timely'';
                    (B) in subsection (d)(1)(E), by inserting ``, 
                including an entity that collaborates with election 
                officials,'' after ``governments''; and
                    (C) by adding at the end the following:

    ``(p) Coordination on Cybersecurity for SLTT Entities.--
            ``(1) Coordination.--The Center shall, upon request and to 
        the extent practicable, and in coordination as appropriate with 
        Federal and non-Federal entities, such as the Multi-State 
        Information Sharing and Analysis Center--
                    ``(A) conduct exercises with SLTT entities;
                    ``(B) provide operational and technical 
                cybersecurity training to SLTT entities to address 
                cybersecurity risks or incidents, with or without 
                reimbursement, related to--
                          ``(i) cyber threat indicators;
                          ``(ii) defensive measures;
                          ``(iii) cybersecurity risks;
                          ``(iv) vulnerabilities; and
                          ``(v) incident response and management;
                    ``(C) in order to increase situational awareness and 
                help prevent incidents, assist SLTT entities in sharing, 
                in real time, with the Federal Government as well as 
                among SLTT entities, actionable--

[[Page 136 STAT. 1296]]

                          ``(i) cyber threat indicators;
                          ``(ii) defensive measures;
                          ``(iii) information about cybersecurity risks; 
                      and
                          ``(iv) information about incidents;
                    ``(D) provide SLTT entities notifications containing 
                specific incident and malware information that may 
                affect them or their residents;
                    ``(E) provide to, and periodically update, SLTT 
                entities via an easily accessible platform and other 
                means--
                          ``(i) information about tools;
                          ``(ii) information about products;
                          ``(iii) resources;
                          ``(iv) policies;
                          ``(v) guidelines;
                          ``(vi) controls; and
                          ``(vii) other cybersecurity standards and best 
                      practices and procedures related to information 
                      security, including, as appropriate, information 
                      produced by other Federal agencies;
                    ``(F) work with senior SLTT entity officials, 
                including chief information officers and senior election 
                officials and through national associations, to 
                coordinate the effective implementation by SLTT entities 
                of tools, products, resources, policies, guidelines, 
                controls, and procedures related to information security 
                to secure the information systems, including election 
                systems, of SLTT entities;
                    ``(G) provide operational and technical assistance 
                to SLTT entities to implement tools, products, 
                resources, policies, guidelines, controls, and 
                procedures on information security;
                    ``(H) assist SLTT entities in developing policies 
                and procedures for coordinating vulnerability 
                disclosures consistent with international and national 
                standards in the information technology industry; and
                    ``(I) promote cybersecurity education and awareness 
                through engagements with Federal agencies and non-
                Federal entities.

    ``(q) Report.--Not later than 1 year after the date of enactment of 
this subsection, and every 2 years thereafter, the Secretary shall 
submit to the Committee on Homeland Security and Governmental Affairs of 
the Senate and the Committee on Homeland

[[Page 136 STAT. 1297]]

Security of the House of Representatives a report on the services and 
capabilities that the Agency directly and indirectly provides to SLTT 
entities.''.

    Approved June 21, 2022.

LEGISLATIVE HISTORY--S. 2520:
---------------------------------------------------------------------------

SENATE REPORTS: No. 117-42 (Comm. on Homeland Security and Governmental 
Affairs).
CONGRESSIONAL RECORD, Vol. 168 (2022):
            Jan. 11, considered and passed Senate.
            May 16, 17, considered and passed House.

                                  <all>