[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3138 Introduced in House (IH)]
<DOC>
117th CONGRESS
1st Session
H. R. 3138
To amend the Homeland Security Act of 2002 to authorize a grant program
relating to the cybersecurity of State and local governments, and for
other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
May 12, 2021
Ms. Clarke of New York (for herself, Mr. Garbarino, Mr. Kilmer, Mr.
Katko, Mr. Ruppersberger, Mr. McCaul, and Mr. Thompson of Mississippi)
introduced the following bill; which was referred to the Committee on
Homeland Security
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to authorize a grant program
relating to the cybersecurity of State and local governments, and for
other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``State and Local Cybersecurity
Improvement Act''.
SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following new sections:
``SEC. 2220A. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.
``(a) Definitions.--In this section:
``(1) Cyber threat indicator.--The term `cyber threat
indicator' has the meaning given the term in section 102 of the
Cybersecurity Act of 2015 (6 U.S.C. 1501).
``(2) Cybersecurity plan.--The term `Cybersecurity Plan'
means a plan submitted by a State under subsection (e)(1).
``(3) Eligible entity.--The term `eligible entity' means--
``(A) a State; or
``(B) a federally recognized Indian Tribe that, not
later than 120 days after the date of the enactment of
this section or not later than 120 days before the
start of any fiscal year in which a grant under this
section is awarded--
``(i) notifies the Secretary that the
Indian Tribe intends to develop a Cybersecurity
Plan; and
``(ii) agrees to forfeit any distribution
under subsection (n)(2).
``(4) Incident.--The term `incident' has the meaning given
the term in section 2209.
``(5) Information sharing and analysis organization.--The
term `information sharing and analysis organization' has the
meaning given the term in section 2222.
``(6) Information system.--The term `information system'
has the meaning given the term in section 102 of the
Cybersecurity Act of 2015 (6 U.S.C. 1501).
``(8) Online service.--The term `online service' means any
internet-facing service, including a website, email, virtual
private network, or custom application.
``(9) State.--The term `State' means each of the several
States, the District of Columbia, and the territories and
possessions of the United States.
``(10) State and local cybersecurity grant program.--The
term `State and Local Cybersecurity Grant Program' means the
program established under subsection (b).
``(11) State and local cybersecurity resiliency
committee.--The term `State and Local Cybersecurity Resiliency
Committee' means the committee established under subsection
(o)(1).
``(b) Establishment.--
``(1) In general.--The Secretary, acting through the
Director, shall establish a program, to be known as the `State
and Local Cybersecurity Grant Program', to award grants
to eligible entities to address cybersecurity risks and
cybersecurity threats to information systems of State, local,
or Tribal governments.
``(2) Application.--An eligible entity desiring a grant
under the State and Local Cybersecurity Grant Program shall
submit to the Secretary an application at such time, in such
manner, and containing such information as the Secretary may
require.
``(c) Baseline Requirements.--An eligible entity or multistate
group that receives a grant under this section shall use the grant in
compliance with--
``(1) the Cybersecurity Plan of the eligible entity or the
Cybersecurity Plans of the eligible entities that comprise the
multistate group; and
``(2) the Homeland Security Strategy to Improve the
Cybersecurity of State, Local, Tribal, and Territorial
Governments developed under section 2210(e)(1).
``(d) Administration.--The State and Local Cybersecurity Grant
Program shall be administered in the same office of the Department that
administers grants made under sections 2003 and 2004.
``(e) Cybersecurity Plans.--
``(1) In general.--An eligible entity applying for a grant
under this section shall submit to the Secretary a
Cybersecurity Plan for approval.
``(2) Required elements.--A Cybersecurity Plan of an
eligible entity shall--
``(A) incorporate, to the extent practicable, any
existing plans of the eligible entity to protect
against cybersecurity risks and cybersecurity threats
to information systems of State, local, or Tribal
governments;
``(B) describe, to the extent practicable, how the
eligible entity will--
``(i) manage, monitor, and track
information systems owned or operated by the
eligible entity or by local or Tribal
governments within the jurisdiction of the
eligible entity and the information technology
deployed on those information systems,
including legacy information systems and
information technology that are no longer
supported by the manufacturer of the systems or
technology;
``(ii) monitor activity between information
systems owned or operated by the eligible
entity or by local or Tribal governments within
the jurisdiction of the eligible entity and
between those information systems and
information systems not owned or operated by
the eligible entity or by local or Tribal
governments within the jurisdiction of the
eligible entity;
``(iii) enhance the preparation, response,
and resiliency of information systems owned or
operated by the eligible entity or local or
Tribal governments against cybersecurity risks
and cybersecurity threats;
``(iv) implement a process of continuous
cybersecurity vulnerability assessments and
threat mitigation practices prioritized by
degree of risk to address cybersecurity risks
and cybersecurity threats on information
systems of the eligible entity or local or
Tribal governments;
``(v) ensure that State, local, and Tribal
governments that own or operate information
systems that are located within the
jurisdiction of the eligible entity adopt best
practices and methodologies to enhance
cybersecurity, such as the practices set forth
in the cybersecurity framework developed by,
and the cyber supply chain risk management best
practices identified by, the National Institute
of Standards and Technology;
``(vi) promote the delivery of safe,
recognizable, and trustworthy online services
by State, local, and Tribal governments,
including through the use of the .gov internet
domain;
``(vii) ensure continuity of operations of
the eligible entity and local and Tribal
governments in the event of a cybersecurity
incident, including by conducting exercises to
practice responding to an incident;
``(viii) use the National Initiative for
Cybersecurity Education Cybersecurity Workforce
Framework developed by the National Institute
of Standards and Technology to identify and
mitigate any gaps in the cybersecurity
workforces of State, local, or Tribal
governments, enhance recruitment and retention
efforts for such workforces, and bolster the
knowledge, skills, and abilities of State,
local, and Tribal government personnel to
address cybersecurity risks and cybersecurity
threats, such as through cybersecurity hygiene
training;
``(ix) ensure continuity of communications
and data networks within the jurisdiction of
the eligible entity between the eligible entity
and local and Tribal governments that own or
operate information systems within the
jurisdiction of the eligible entity in the
event of an incident involving such
communications or data networks within the
jurisdiction of the eligible entity;
``(x) assess and mitigate, to the greatest
degree possible, cybersecurity risks and
cybersecurity threats related to critical
infrastructure and key resources, the
degradation of which may impact the performance
of information systems within the jurisdiction
of the eligible entity;
``(xi) enhance capabilities to share cyber
threat indicators and related information
between the eligible entity and local and
Tribal governments that own or operate
information systems within the jurisdiction of
the eligible entity;
``(xii) enhance the capability of the
eligible entity to share cyber threat indicators
and related information with the Department;
``(xiii) leverage cybersecurity services
offered by the Department; and
``(xiv) develop and coordinate strategies
to address cybersecurity risks and
cybersecurity threats to information systems of
the eligible entity in consultation with--
``(I) local and Tribal governments
within the jurisdiction of the eligible
entity; and
``(II) as applicable--
``(aa) States that neighbor
the jurisdiction of the
eligible entity or, as
appropriate, members of an
information sharing and
analysis organization; and
``(bb) countries that
neighbor the jurisdiction of
the eligible entity;
``(C) describe, to the extent practicable, the
individual responsibilities of the eligible entity and
local and Tribal governments within the jurisdiction of
the eligible entity in implementing the plan;
``(D) outline, to the extent practicable, the
necessary resources and a timeline for implementing the
plan; and
``(E) describe how the eligible entity will measure
progress towards implementing the plan.
``(3) Discretionary elements.--A Cybersecurity Plan of an
eligible entity may include a description of--
``(A) cooperative programs developed by groups of
local and Tribal governments within the jurisdiction of
the eligible entity to address cybersecurity risks and
cybersecurity threats; and
``(B) programs provided by the eligible entity to
support local and Tribal governments and owners and
operators of critical infrastructure to address
cybersecurity risks and cybersecurity threats.
``(4) Management of funds.--An eligible entity applying for
a grant under this section shall agree to designate the Chief
Information Officer, the Chief Information Security Officer, or
an equivalent official of the eligible entity as the primary
official for the management and allocation of funds awarded
under this section.
``(f) Multistate Grants.--
``(1) In general.--The Secretary, acting through the
Director, may award grants under this section to a group of two
or more eligible entities to support multistate efforts to
address cybersecurity risks and cybersecurity threats to
information systems within the jurisdictions of the eligible
entities.
``(2) Satisfaction of other requirements.--In order to be
eligible for a multistate grant under this subsection, each
eligible entity that comprises a multistate group shall--
``(A) submit to the Secretary a Cybersecurity Plan
for approval in accordance with subsection (i); and
``(B) establish a cybersecurity planning committee
under subsection (g).
``(3) Application.--
``(A) In general.--A multistate group applying for
a multistate grant under paragraph (1) shall submit to
the Secretary an application at such time, in such
manner, and containing such information as the
Secretary may require.
``(B) Joint cybersecurity plan.--An application of
a multistate group under subparagraph (A) shall include
a plan describing--
``(i) the division of responsibilities
among the eligible entities that comprise the
multistate group for administering the grant
for which application is being made;
``(ii) the distribution of funding from
such a grant among the eligible entities that
comprise the multistate group; and
``(iii) how the eligible entities that
comprise the multistate group will work
together to implement the Cybersecurity Plan of
each of those eligible entities.
``(g) Planning Committees.--
``(1) In general.--An eligible entity applying for a grant
under this section shall establish a cybersecurity planning
committee to--
``(A) assist in the development, implementation,
and revision of the Cybersecurity Plan of the eligible
entity;
``(B) approve the Cybersecurity Plan of the
eligible entity; and
``(C) assist in the determination of effective
funding priorities for a grant under this section in
accordance with subsection (h).
``(2) Composition.--A committee of an eligible entity
established under paragraph (1) shall--
``(A) be comprised of representatives from the
eligible entity and counties, cities, towns, and Tribes
within the jurisdiction of the eligible entity; and
``(B) include, as appropriate, representatives of
rural, suburban, and high-population jurisdictions.
``(3) Cybersecurity expertise.--Not less than 1/2 of the
representatives of a committee established under paragraph (1)
shall have professional experience relating to cybersecurity or
information technology.
``(4) Rule of construction regarding existing planning
committees.--Nothing in this subsection may be construed to
require an eligible entity to establish a cybersecurity
planning committee if the eligible entity has established and
uses a multijurisdictional planning committee or commission
that meets the requirements of this subsection.
``(h) Use of Funds.--An eligible entity that receives a grant under
this section shall use the grant to--
``(1) implement the Cybersecurity Plan of the eligible
entity;
``(2) develop or revise the Cybersecurity Plan of the
eligible entity; or
``(3) assist with activities that address imminent
cybersecurity risks or cybersecurity threats to the information
systems of the eligible entity or a local or Tribal government
within the jurisdiction of the eligible entity.
``(i) Approval of Plans.--
``(1) Approval as condition of grant.--Before an eligible
entity may receive a grant under this section, the Secretary,
acting through the Director, shall review the Cybersecurity
Plan, or any revisions thereto, of the eligible entity and
approve such plan, or revised plan, if it satisfies the
requirements specified in paragraph (2).
``(2) Plan requirements.--In approving a Cybersecurity Plan
of an eligible entity under this subsection, the Director shall
ensure that the Cybersecurity Plan--
``(A) satisfies the requirements of subsection
(e)(2);
``(B) upon the issuance of the Homeland Security
Strategy to Improve the Cybersecurity of State, Local,
Tribal, and Territorial Governments authorized pursuant
to section 2210(e), complies, as appropriate, with the
goals and objectives of the strategy; and
``(C) has been approved by the cybersecurity
planning committee of the eligible entity established
under subsection (g).
``(3) Approval of revisions.--The Secretary, acting through
the Director, may approve revisions to a Cybersecurity Plan as
the Director determines appropriate.
``(4) Exception.--Notwithstanding subsection (e) and
paragraph (1) of this subsection, the Secretary may award a
grant under this section to an eligible entity that does not
submit a Cybersecurity Plan to the Secretary if--
``(A) the eligible entity certifies to the
Secretary that--
``(i) the activities that will be supported
by the grant are integral to the development of
the Cybersecurity Plan of the eligible entity;
and
``(ii) the eligible entity will submit by
September 30, 2023, to the Secretary a
Cybersecurity Plan for review, and if
appropriate, approval; or
``(B) the eligible entity certifies to the
Secretary, and the Director confirms, that the eligible
entity will use funds from the grant to assist with the
activities described in subsection (h)(3).
``(j) Limitations on Uses of Funds.--
``(1) In general.--An eligible entity that receives a grant
under this section may not use the grant--
``(A) to supplant State, local, or Tribal funds;
``(B) for any recipient cost-sharing contribution;
``(C) to pay a demand for ransom in an attempt to
regain access to information or an information system
of the eligible entity or of a local or Tribal
government within the jurisdiction of the eligible
entity;
``(D) for recreational or social purposes; or
``(E) for any purpose that does not address
cybersecurity risks or cybersecurity threats on
information systems of the eligible entity or of a
local or Tribal government within the jurisdiction of
the eligible entity.
``(2) Penalties.--In addition to any other remedy
available, the Secretary may take such actions as are necessary
to ensure that a recipient of a grant under this section uses
the grant for the purposes for which the grant is awarded.
``(k) Opportunity To Amend Applications.--In considering
applications for grants under this section, the Secretary shall provide
applicants with a reasonable opportunity to correct defects, if any, in
such applications before making final awards.
``(l) Apportionment.--For fiscal year 2022 and each fiscal year
thereafter, the Secretary shall apportion amounts appropriated to carry
out this section among States as follows:
``(1) Baseline amount.--The Secretary shall first apportion
0.25 percent of such amounts to each of American Samoa, the
Commonwealth of the Northern Mariana Islands, Guam, the Virgin
Islands, and 0.75 percent of such amounts to each of the
remaining States.
``(2) Remainder.--The Secretary shall apportion the
remainder of such amounts in the ratio that--
``(A) the population of each eligible entity, bears
to
``(B) the population of all eligible entities.
``(m) Federal Share.--
``(1) In general.--The Federal share of the cost of an
activity carried out using funds made available with a grant
under this section may not exceed--
``(A) in the case of a grant to an eligible
entity--
``(i) for fiscal year 2022, 90 percent;
``(ii) for fiscal year 2023, 80 percent;
``(iii) for fiscal year 2024, 70 percent;
``(iv) for fiscal year 2025, 60 percent;
and
``(v) for fiscal year 2026 and each
subsequent fiscal year, 50 percent; and
``(B) in the case of a grant to a multistate
group--
``(i) for fiscal year 2022, 95 percent;
``(ii) for fiscal year 2023, 85 percent;
``(iii) for fiscal year 2024, 75 percent;
``(iv) for fiscal year 2025, 65 percent;
and
``(v) for fiscal year 2026 and each
subsequent fiscal year, 55 percent.
``(n) Responsibilities of Grantees.--
``(1) Certification.--Each eligible entity or multistate
group that receives a grant under this section shall certify to
the Secretary that the grant will be used--
``(A) for the purpose for which the grant is
awarded; and
``(B) in compliance with, as the case may be--
``(i) the Cybersecurity Plan of the
eligible entity;
``(ii) the Cybersecurity Plans of the
eligible entities that comprise the multistate
group; or
``(iii) a purpose approved by the Secretary
under subsection (h).
``(2) Availability of funds to local and tribal
governments.--Not later than 45 days after the date on which an
eligible entity or multistate group receives a grant under this
section, the eligible entity or multistate group shall, without
imposing unreasonable or unduly burdensome requirements as a
condition of receipt, obligate or otherwise make available to
local and Tribal governments within the jurisdiction of the
eligible entity or the eligible entities that comprise the
multistate group, consistent with the Cybersecurity Plan of the
eligible entity or the Cybersecurity Plans of the eligible
entities that comprise the multistate group--
``(A) not less than 80 percent of funds available
under the grant;
``(B) with the consent of the local and Tribal
governments, items, services, capabilities, or
activities having a value of not less than 80 percent
of the amount of the grant; or
``(C) with the consent of the local and Tribal
governments, grant funds combined with other items,
services, capabilities, or activities having the total
value of not less than 80 percent of the amount of the
grant.
``(3) Certifications regarding distribution of grant funds
to local and tribal governments.--An eligible entity or
multistate group shall certify to the Secretary that the
eligible entity or multistate group has made the distribution
to local, Tribal, and territorial governments required under
paragraph (2).
``(4) Extension of period.--
``(A) In general.--An eligible entity or multistate
group may request in writing that the Secretary extend
the period of time specified in paragraph (2) for an
additional period of time.
``(B) Approval.--The Secretary may approve a
request for an extension under subparagraph (A) if the
Secretary determines the extension is necessary to
ensure that the obligation and expenditure of grant
funds align with the purpose of the State and Local
Cybersecurity Grant Program.
``(5) Exception.--Paragraph (2) shall not apply to the
District of Columbia, the Commonwealth of Puerto Rico, American
Samoa, the Commonwealth of the Northern Mariana Islands, Guam,
the Virgin Islands, or a Federally recognized Indian Tribe.
``(6) Direct funding.--If an eligible entity does not make
a distribution to a local or Tribal government required in
accordance with paragraph (2), the local or Tribal government
may petition the Secretary.
``(7) Penalties.--In addition to other remedies available
to the Secretary, the Secretary may terminate or reduce the
amount of a grant awarded under this section to an eligible
entity or transfer grant funds previously awarded to such
eligible entity directly to the appropriate local or Tribal
government if such eligible entity violates a requirement of
this subsection.
``(o) Advisory Committee.--
``(1) Establishment.--Not later than 120 days after the
date of enactment of this section, the Director shall establish
a State and Local Cybersecurity Resiliency Committee to provide
State, local, and Tribal stakeholder expertise, situational
awareness, and recommendations to the Director, as appropriate,
regarding how to--
``(A) address cybersecurity risks and cybersecurity
threats to information systems of State, local, or
Tribal governments; and
``(B) improve the ability of State, local, and
Tribal governments to prevent, protect against, respond
to, mitigate, and recover from such cybersecurity risks
and cybersecurity threats.
``(2) Duties.--The committee established under paragraph
(1) shall--
``(A) submit to the Director recommendations that
may inform guidance for applicants for grants under
this section;
``(B) upon the request of the Director, provide to
the Director technical assistance to inform the review
of Cybersecurity Plans submitted by applicants for
grants under this section, and, as appropriate, submit
to the Director recommendations to improve those plans
prior to the approval of the plans under subsection
(i);
``(C) advise and provide to the Director input
regarding the Homeland Security Strategy to Improve
Cybersecurity for State, Local, Tribal, and Territorial
Governments required under section 2210; and
``(D) upon the request of the Director, provide to
the Director recommendations, as appropriate, regarding
how to--
``(i) address cybersecurity risks and
cybersecurity threats on information systems of
State, local, or Tribal governments; and
``(ii) improve the cybersecurity resilience
of State, local, or Tribal governments.
``(3) Membership.--
``(A) Number and appointment.--The State and Local
Cybersecurity Resiliency Committee established pursuant
to paragraph (1) shall be composed of 15 members
appointed by the Director, as follows:
``(i) Two individuals recommended to the
Director by the National Governors Association.
``(ii) Two individuals recommended to the
Director by the National Association of State
Chief Information Officers.
``(iii) One individual recommended to the
Director by the National Guard Bureau.
``(iv) Two individuals recommended to the
Director by the National Association of
Counties.
``(v) One individual recommended to the
Director by the National League of Cities.
``(vi) One individual recommended to the
Director by the United States Conference of
Mayors.
``(vii) One individual recommended to the
Director by the Multi-State Information Sharing
and Analysis Center.
``(viii) One individual recommended to the
Director by the National Congress of American
Indians.
``(viii) Four individuals who have
educational and professional experience
relating to cybersecurity work or cybersecurity
policy.
``(B) Terms.--
``(i) In general.--Subject to clause (ii),
each member of the State and Local
Cybersecurity Resiliency Committee shall be
appointed for a term of two years.
``(ii) Exception.--A term of a member of
the State and Local Cybersecurity Resiliency
Committee shall be three years if the member is
appointed initially to the Committee upon the
establishment of the Committee.
``(iii) Term remainders.--Any member of the
State and Local Cybersecurity Resiliency
Committee appointed to fill a vacancy occurring
before the expiration of the term for which the
member's predecessor was appointed shall be
appointed only for the remainder of such term.
A member may serve after the expiration of such
member's term until a successor has taken
office.
``(iv) Vacancies.--A vacancy in the State and
Local Cybersecurity Resiliency Committee shall
be filled in the manner in which the original
appointment was made.
``(C) Pay.--Members of the State and Local
Cybersecurity Resiliency Committee shall serve without
pay.
``(4) Chairperson; vice chairperson.--The members of the
State and Local Cybersecurity Resiliency Committee shall select
a chairperson and vice chairperson from among members of the
committee.
``(5) Permanent authority.--Notwithstanding section 14 of
the Federal Advisory Committee Act (5 U.S.C. App.), the State
and Local Cybersecurity Resiliency Committee shall be a
permanent authority.
``(p) Reports.--
``(1) Annual reports by grant recipients.--
``(A) In general.--Not later than 30 days after the
end of a fiscal year during which an eligible entity or
multistate group receives funds under this section, the
eligible entity or multistate group shall submit to the
Secretary a report on the progress of the eligible
entity or multistate group in implementing the
Cybersecurity Plan of the eligible entity or
Cybersecurity Plans of the eligible entities that
comprise the multistate group, as the case may be.
``(B) Absence of plan.--Not later than 30 days
after the end of a fiscal year during which an eligible
entity that does not have a Cybersecurity Plan receives
funds under this section, the eligible entity shall
submit to the Secretary a report describing how the
eligible entity obligated and expended grant funds
during the fiscal year to--
``(i) develop a Cybersecurity Plan; or
``(ii) assist with the activities described
in subsection (h)(3).
``(C) Public availability.--The Secretary, acting
through the Director, shall make each report submitted
under subparagraphs (A) and (B) publicly available,
including by making each such report available on the
internet website of the Agency, subject to any
redactions the Director determines necessary to protect
classified or other sensitive information.
``(2) Annual reports to congress.--Not less frequently
than once per year, the Secretary, acting through the Director,
shall submit to Congress a report on the use of grants awarded
under this section and any progress made toward the following:
``(A) Achieving the objectives set forth in the
Homeland Security Strategy to Improve the Cybersecurity
of State, Local, Tribal, and Territorial Governments,
upon the date on which the strategy is issued under
section 2210.
``(B) Developing, implementing, or revising
Cybersecurity Plans.
``(C) Reducing cybersecurity risks and
cybersecurity threats to information systems owned or
operated by State, local, and Tribal governments as a
result of the award of such grants.
``(q) Authorization of Appropriations.--There are authorized to be
appropriated for grants under this section--
``(1) for each of fiscal years 2022 through 2026,
$500,000,000; and
``(2) for each subsequent fiscal year, such sums as may be
necessary.
``SEC. 2220B. CYBERSECURITY RESOURCE GUIDE DEVELOPMENT FOR STATE,
LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT OFFICIALS.
``The Secretary, acting through the Director, shall develop,
regularly update, and maintain a resource guide for use by State,
local, Tribal, and territorial government officials, including law
enforcement officers, to help such officials identify, prepare for,
detect, protect against, respond to, and recover from cybersecurity
risks (as such term is defined in section 2209), cybersecurity threats,
and incidents (as such term is defined in section 2209).''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002, as amended by section 4, is further
amended by inserting after the item relating to section 2220 the
following new items:
``Sec. 2220A. State and Local Cybersecurity Grant Program.
``Sec. 2220B. Cybersecurity resource guide development for State,
local, Tribal, and territorial government
officials.''.
SEC. 3. STRATEGY.
(a) Homeland Security Strategy To Improve the Cybersecurity of
State, Local, Tribal, and Territorial Governments.--Section 2210 of the
Homeland Security Act of 2002 (6 U.S.C. 660) is amended by adding at
the end the following new subsection:
``(e) Homeland Security Strategy To Improve the Cybersecurity of
State, Local, Tribal, and Territorial Governments.--
``(1) In general.--
``(A) Requirement.--Not later than 270 days after
the date of the enactment of this subsection, the
Secretary, acting through the Director, shall, in
coordination with the heads of appropriate Federal
agencies, State, local, Tribal, and territorial
governments, the State and Local Cybersecurity
Resilience Committee established under section 2220A,
and other stakeholders, as appropriate, develop and
make publicly available a Homeland Security Strategy to
Improve the Cybersecurity of State, Local, Tribal, and
Territorial Governments.
``(B) Recommendations and requirements.--The
strategy required under subparagraph (A) shall--
``(i) provide recommendations relating to
the ways in which the Federal Government should
support and promote the ability of State,
local, Tribal, and territorial governments to
identify, protect against, detect, respond to,
and recover from cybersecurity risks (as such
term is defined in section 2209), cybersecurity
threats, and incidents (as such term is defined
in section 2209); and
``(ii) establish baseline requirements for
cybersecurity plans under this section and
principles with which such plans shall align.
``(2) Contents.--The strategy required under paragraph (1)
shall--
``(A) identify capability gaps in the ability of
State, local, Tribal, and territorial governments to
identify, protect against, detect, respond to, and
recover from cybersecurity risks, cybersecurity
threats, and incidents;
``(B) identify Federal resources and capabilities
that are available or could be made available to State,
local, Tribal, and territorial governments to help
those governments identify, protect against, detect,
respond to, and recover from cybersecurity risks,
cybersecurity threats, and incidents;
``(C) identify and assess the limitations of
Federal resources and capabilities available to State,
local, Tribal, and territorial governments to help
those governments identify, protect against, detect,
respond to, and recover from cybersecurity risks,
cybersecurity threats, and incidents, and make
recommendations to address such limitations;
``(D) identify opportunities to improve the
coordination of the Agency with Federal and non-Federal
entities, such as the Multi-State Information Sharing
and Analysis Center, to improve--
``(i) incident exercises, information
sharing and incident notification procedures;
``(ii) the ability for State, local,
Tribal, and territorial governments to
voluntarily adapt and implement guidance in
Federal binding operational directives; and
``(iii) opportunities to leverage Federal
schedules for cybersecurity investments under
section 502 of title 40, United States Code;
``(E) recommend new initiatives the Federal
Government should undertake to improve the ability of
State, local, Tribal, and territorial governments to
identify, protect against, detect, respond to, and
recover from cybersecurity risks, cybersecurity
threats, and incidents;
``(F) set short-term and long-term goals that will
improve the ability of State, local, Tribal, and
territorial governments to identify, protect against,
detect, respond to, and recover from cybersecurity
risks, cybersecurity threats, and incidents; and
``(G) set dates, including interim benchmarks, as
appropriate for State, local, Tribal, and territorial
governments to establish baseline capabilities to
identify, protect against, detect, respond to, and
recover from cybersecurity risks, cybersecurity
threats, and incidents.
``(3) Considerations.--In developing the strategy required
under paragraph (1), the Director, in coordination with the
heads of appropriate Federal agencies, State, local, Tribal,
and territorial governments, the State and Local Cybersecurity
Resilience Committee established under section 2220A, and other
stakeholders, as appropriate, shall consider--
``(A) lessons learned from incidents that have
affected State, local, Tribal, and territorial
governments, and exercises with Federal and non-Federal
entities;
``(B) the impact of incidents that have affected
State, local, Tribal, and territorial governments,
including the resulting costs to such governments;
``(C) the information related to the interest and
ability of state and non-state threat actors to
compromise information systems (as such term is defined
in section 102 of the Cybersecurity Act of 2015 (6
U.S.C. 1501)) owned or operated by State, local,
Tribal, and territorial governments;
``(D) emerging cybersecurity risks and
cybersecurity threats to State, local, Tribal, and
territorial governments resulting from the deployment
of new technologies; and
``(E) recommendations made by the State and Local
Cybersecurity Resilience Committee established under
section 2220A.''.
(b) Responsibilities of the Director of the Cybersecurity and
Infrastructure Security Agency.--Section 2202(c) of the Homeland
Security Act of 2002 (6 U.S.C. 652(c)) is amended--
(1) by redesignating paragraphs (6), (7), (8), (9), (10),
and (11) as paragraphs (10), (11), (12), (13), (14), and (15),
respectively; and
(2) by inserting after paragraph (5) the following new
paragraphs:
``(6) develop program guidance, in consultation with the
State and Local Government Cybersecurity Resiliency Committee
established under section 2220A, for the State and Local
Cybersecurity Grant Program under such section or any other
homeland security assistance administered by the Department to
improve cybersecurity;
``(7) review, in consultation with the State and Local
Cybersecurity Resiliency Committee, all cybersecurity plans of
State, local, Tribal, and territorial governments developed
pursuant to any homeland security assistance administered by
the Department to improve cybersecurity;
``(8) provide expertise and technical assistance to State,
local, Tribal, and territorial government officials with
respect to cybersecurity;
``(9) provide education, training, and capacity development
to enhance the security and resilience of cybersecurity and
infrastructure security;''.
(c) Feasibility Study.--Not later than 180 days after the date of
the enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security of the Department of Homeland Security shall
conduct a study to assess the feasibility of implementing a short-term
rotational program for the detail to the Agency of approved State,
local, Tribal, and territorial government employees in cyber workforce
positions.
SEC. 4. TITLE XXII TECHNICAL AND CLERICAL AMENDMENTS.
(a) Technical Amendments.--
(1) Homeland security act of 2002.--Subtitle A of title
XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et
seq.) is amended--
(A) in the first section 2215 (6 U.S.C. 665;
relating to the duties and authorities relating to .gov
internet domain), by amending the section enumerator
and heading to read as follows:
``SEC. 2215. DUTIES AND AUTHORITIES RELATING TO .GOV INTERNET
DOMAIN.'';
(B) in the second section 2215 (6 U.S.C. 665b;
relating to the joint cyber planning office), by
amending the section enumerator and heading to read as
follows:
``SEC. 2216. JOINT CYBER PLANNING OFFICE.'';
(C) in the third section 2215 (6 U.S.C. 665c;
relating to the Cybersecurity State Coordinator), by
amending the section enumerator and heading to read as
follows:
``SEC. 2217. CYBERSECURITY STATE COORDINATOR.'';
(D) in the fourth section 2215 (6 U.S.C. 665d;
relating to Sector Risk Management Agencies), by
amending the section enumerator and heading to read as
follows:
``SEC. 2218. SECTOR RISK MANAGEMENT AGENCIES.'';
(E) in section 2216 (6 U.S.C. 665e; relating to the
Cybersecurity Advisory Committee), by amending the
section enumerator and heading to read as follows:
``SEC. 2219. CYBERSECURITY ADVISORY COMMITTEE.''; and
(F) in section 2217 (6 U.S.C. 665f; relating to
Cybersecurity Education and Training Programs), by
amending the section enumerator and heading to read as
follows:
``SEC. 2220. CYBERSECURITY EDUCATION AND TRAINING PROGRAMS.''.
(2) Consolidated appropriations act, 2021.--Paragraph (1)
of section 904(b) of division U of the Consolidated
Appropriations Act, 2021 (Public Law 116-260) is amended, in
the matter preceding subparagraph (A), by inserting ``of 2002''
after ``Homeland Security Act''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 is amended by striking the items
relating to sections 2214 through 2217 and inserting the following new
items:
``Sec. 2214. National Asset Database.
``Sec. 2215. Duties and authorities relating to .gov internet domain.
``Sec. 2216. Joint cyber planning office.
``Sec. 2217. Cybersecurity State Coordinator.
``Sec. 2218. Sector Risk Management Agencies.
``Sec. 2219. Cybersecurity Advisory Committee.
``Sec. 2220. Cybersecurity Education and Training Programs.''.