[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 1917 Enrolled Bill (ENR)]

        S.1917

                    One Hundred Seventeenth Congress

                                 of the

                        United States of America


                          AT THE FIRST SESSION

           Begun and held at the City of Washington on Sunday,
          the third day of January, two thousand and twenty one


                                 An Act


 
 To establish a K-12 education cybersecurity initiative, and for other 
                                purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
    This Act may be cited as the ``K-12 Cybersecurity Act of 2021''.
SEC. 2. FINDINGS.
    Congress finds the following:
        (1) K-12 educational institutions across the United States are 
    facing cyber attacks.
        (2) Cyber attacks place the information systems of K-12 
    educational institutions at risk of possible disclosure of 
    sensitive student and employee information, including--
            (A) grades and information on scholastic development;
            (B) medical records;
            (C) family records; and
            (D) personally identifiable information.
        (3) Providing K-12 educational institutions with resources to 
    aid cybersecurity efforts will help K-12 educational institutions 
    prevent, detect, and respond to cyber events.
SEC. 3. K-12 EDUCATION CYBERSECURITY INITIATIVE.
    (a) Definitions.--In this section:
        (1) Cybersecurity risk.--The term ``cybersecurity risk'' has 
    the meaning given the term in section 2209 of the Homeland Security 
    Act of 2002 (6 U.S.C. 659).
        (2) Director.--The term ``Director'' means the Director of 
    Cybersecurity and Infrastructure Security.
        (3) Information system.--The term ``information system'' has 
    the meaning given the term in section 3502 of title 44, United 
    States Code.
        (4) K-12 educational institution.--The term ``K-12 educational 
    institution'' means an elementary school or a secondary school, as 
    those terms are defined in section 8101 of the Elementary and 
    Secondary Education Act of 1965 (20 U.S.C. 7801).
    (b) Study.--
        (1) In general.--Not later than 120 days after the date of 
    enactment of this Act, the Director, in accordance with subsection 
    (g)(1), shall conduct a study on the specific cybersecurity risks 
    facing K-12 educational institutions that--
            (A) analyzes how identified cybersecurity risks 
        specifically impact K-12 educational institutions;
            (B) includes an evaluation of the challenges K-12 
        educational institutions face in--
                (i) securing--

                    (I) information systems owned, leased, or relied 
                upon by K-12 educational institutions; and
                    (II) sensitive student and employee records; and

                (ii) implementing cybersecurity protocols;
            (C) identifies cybersecurity challenges relating to remote 
        learning; and
            (D) evaluates the most accessible ways to communicate 
        cybersecurity recommendations and tools.
        (2) Congressional briefing.--Not later than 120 days after the 
    date of enactment of this Act, the Director shall provide a 
    Congressional briefing on the study conducted under paragraph (1).
    (c) Cybersecurity Recommendations.--Not later than 60 days after 
the completion of the study required under subsection (b)(1), the 
Director, in accordance with subsection (g)(1), shall develop 
recommendations that include cybersecurity guidelines designed to 
assist K-12 educational institutions in facing the cybersecurity risks 
described in subsection (b)(1), using the findings of the study.
    (d) Online Training Toolkit.--Not later than 120 days after the 
completion of the development of the recommendations required under 
subsection (c), the Director shall develop an online training toolkit 
designed for officials at K-12 educational institutions to--
        (1) educate the officials about the cybersecurity 
    recommendations developed under subsection (c); and
        (2) provide strategies for the officials to implement the 
    recommendations developed under subsection (c).
    (e) Public Availability.--The Director shall make available on the 
website of the Department of Homeland Security with other information 
relating to school safety the following:
        (1) The findings of the study conducted under subsection 
    (b)(1).
        (2) The cybersecurity recommendations developed under 
    subsection (c).
        (3) The online training toolkit developed under subsection (d).
    (f) Voluntary Use.--The use of the cybersecurity recommendations 
developed under (c) by K-12 educational institutions shall be 
voluntary.
    (g) Consultation.--
        (1) In general.--In the course of the conduction of the study 
    required under subsection (b)(1) and the development of the 
    recommendations required under subsection (c), the Director shall 
    consult with individuals and entities focused on cybersecurity and 
    education, as appropriate, including--
            (A) teachers;
            (B) school administrators;
            (C) Federal agencies;
            (D) non-Federal cybersecurity entities with experience in 
        education issues; and
            (E) private sector organizations.
        (2) Inapplicability of faca.--The Federal Advisory Committee 
    Act (5 U.S.C App.) shall not apply to any consultation under 
    paragraph (1).

                               Speaker of the House of Representatives.

                            Vice President of the United States and    
                                               President of the Senate.