[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2585 Introduced in Senate (IS)]
<DOC>
117th CONGRESS
1st Session
S. 2585
To amend the Homeland Security Act of 2002 to authorize a grant program
relating to the cybersecurity of State, local, Tribal, and territorial
governments, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
August 3, 2021
Ms. Hassan (for herself, Mr. Cornyn, Ms. Sinema, and Mr. Tillis)
introduced the following bill; which was read twice and referred to the
Committee on Homeland Security and Governmental Affairs
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to authorize a grant program
relating to the cybersecurity of State, local, Tribal, and territorial
governments, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``State and Local Cybersecurity
Improvement Act''.
SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following:
``SEC. 2218. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.
``(a) Definitions.--In this section:
``(1) Appropriate committees of congress.--The term
`appropriate committees of Congress' means--
``(A) the Committee on Homeland Security and
Governmental Affairs of the Senate; and
``(B) the Committee on Homeland Security of the
House of Representatives.
``(2) Cyber threat indicator.--The term `cyber threat
indicator' has the meaning given the term in section 102 of the
Cybersecurity Act of 2015 (6 U.S.C. 1501).
``(3) Cybersecurity plan.--The term `Cybersecurity Plan'
means a plan submitted by an eligible entity under subsection
(e)(1).
``(4) Eligible entity.--The term `eligible entity' means
a--
``(A) State; or
``(B) Tribal government.
``(5) Incident.--The term `incident' has the meaning given
the term in section 2209.
``(6) Information sharing and analysis organization.--The
term `information sharing and analysis organization' has the
meaning given the term in section 2222.
``(7) Information system.--The term `information system'
has the meaning given the term in section 102 of the
Cybersecurity Act of 2015 (6 U.S.C. 1501).
``(8) Multi-entity group.--The term `multi-entity group'
means a group of 2 or more eligible entities desiring a grant
under this section.
``(9) Online service.--The term `online service' means any
internet-facing service, including a website, email, virtual
private network, or custom application.
``(10) Rural area.--The term `rural area' has the meaning
given the term in section 5302 of title 49, United States Code.
``(11) State and local cybersecurity grant program.--The
term `State and Local Cybersecurity Grant Program' means the
program established under subsection (b).
``(12) Tribal government.--The term `Tribal government'
means the recognized governing body of any Indian or Alaska
Native Tribe, band, nation, pueblo, village, community,
component band, or component reservation, that is individually
identified (including parenthetically) in the most recent list
published pursuant to Section 104 of the Federally Recognized
Indian Tribe List Act of 1994 (25 U.S.C. 5131).
``(b) Establishment.--
``(1) In general.--There is established within the
Department a program to award grants to eligible entities to
address cybersecurity risks and cybersecurity threats to
information systems owned or operated by, or on behalf of,
State, local, or Tribal governments.
``(2) Application.--An eligible entity desiring a grant
under the State and Local Cybersecurity Grant Program shall
submit to the Secretary an application at such time, in such
manner, and containing such information as the Secretary may
require.
``(c) Administration.--The State and Local Cybersecurity Grant
Program shall be administered in the same office of the Department that
administers grants made under sections 2003 and 2004.
``(d) Use of Funds.--An eligible entity that receives a grant under
this section and a local government that receives funds from a grant
under this section, as appropriate, shall use the grant to--
``(1) implement the Cybersecurity Plan of the eligible
entity;
``(2) develop or revise the Cybersecurity Plan of the
eligible entity;
``(3) pay expenses directly relating to the administration
of the grant, which shall not exceed 5 percent of the amount of
the grant;
``(4) assist with activities that address imminent
cybersecurity threats, as confirmed by the Secretary, acting
through the Director, to the information systems owned or
operated by, or on behalf of, the eligible entity or a local
government within the jurisdiction of the eligible entity; or
``(5) fund any other appropriate activity determined by the
Secretary, acting through the Director.
``(e) Cybersecurity Plans.--
``(1) In general.--An eligible entity applying for a grant
under this section shall submit to the Secretary a
Cybersecurity Plan for review in accordance with subsection
(i).
``(2) Required elements.--A Cybersecurity Plan of an
eligible entity shall--
``(A) incorporate, to the extent practicable--
``(i) any existing plans of the eligible
entity to protect against cybersecurity risks
and cybersecurity threats to information
systems owned or operated by, or on behalf of,
State, local, or Tribal governments; and
``(ii) if the eligible entity is a State,
consultation and feedback from local
governments and associations of local
governments within the jurisdiction of the
eligible entity;
``(B) describe, to the extent practicable, how the
eligible entity will--
``(i) manage, monitor, and track
information systems, applications, and user
accounts owned or operated by, or on behalf of,
the eligible entity or, if the eligible entity
is a State, local governments within the
jurisdiction of the eligible entity, and the
information technology deployed on those
information systems, including legacy
information systems and information technology
that are no longer supported by the
manufacturer of the systems or technology;
``(ii) monitor, audit, and, track network
traffic and activity transiting or traveling to
or from information systems, applications, and
user accounts owned or operated by, or on
behalf of, the eligible entity or, if the
eligible entity is a State, local governments
within the jurisdiction of the eligible entity;
``(iii) enhance the preparation, response,
and resiliency of information systems,
applications, and user accounts owned or
operated by, or on behalf of, the eligible
entity or, if the eligible entity is a State,
local governments within the jurisdiction of
the eligible entity, against cybersecurity
risks and cybersecurity threats;
``(iv) implement a process of continuous
cybersecurity vulnerability assessments and
threat mitigation practices prioritized by
degree of risk to address cybersecurity risks
and cybersecurity threats on information
systems, applications, and user accounts owned
or operated by, or on behalf of, the eligible
entity or, if the eligible entity is a State,
local governments within the jurisdiction of
the eligible entity;
``(v) ensure that the eligible entity and,
if the eligible entity is a State, local
governments within the jurisdiction of the
eligible entity, adopt and use best practices
and methodologies to enhance cybersecurity,
such as--
``(I) the practices set forth in
the cybersecurity framework developed
by the National Institute of Standards
and Technology;
``(II) cyber chain supply chain
risk management best practices
identified by the National Institute of
Standards and Technology; and
``(III) knowledge bases of
adversary tools and tactics;
``(vi) promote the delivery of safe,
recognizable, and trustworthy online services
by the eligible entity and, if the eligible
entity is a State, local governments within the
jurisdiction of the eligible entity, including
through the use of the .gov internet domain;
``(vii) ensure continuity of operations of
the eligible entity and, if the eligible entity
is a State, local governments within the
jurisdiction of the eligible entity, in the
event of a cybersecurity incident, including by
conducting exercises to practice responding to
a cybersecurity incident;
``(viii) use the National Initiative for
Cybersecurity Education Workforce Framework for
Cybersecurity developed by the National
Institute of Standards and Technology to
identify and mitigate any gaps in the
cybersecurity workforces of the eligible entity
and, if the eligible entity is a State, local
governments within the jurisdiction of the
eligible entity, enhance recruitment and
retention efforts for those workforces, and
bolster the knowledge, skills, and abilities of
personnel of the eligible entity and, if the
eligible entity is a State, local governments
within the jurisdiction of the eligible entity,
to address cybersecurity risks and
cybersecurity threats, such as through
cybersecurity hygiene training;
``(ix) if the eligible entity is a State,
ensure continuity of communications and data
networks within the jurisdiction of the
eligible entity between the eligible entity and
local governments within the jurisdiction of
the eligible entity in the event of an incident
involving those communications or data
networks;
``(x) assess and mitigate, to the greatest
degree possible, cybersecurity risks and
cybersecurity threats relating to critical
infrastructure and key resources, the
degradation of which may impact the performance
of information systems within the jurisdiction
of the eligible entity;
``(xi) enhance capabilities to share cyber
threat indicators and related information
between the eligible entity and--
``(I) if the eligible entity is a
State, local governments within the
jurisdiction of the eligible entity,
including by expanding information
sharing agreements with the Department;
and
``(II) the Department;
``(xii) leverage cybersecurity services
offered by the Department;
``(xiii) implement an information
technology and operational technology
modernization cybersecurity review process that
ensures alignment between information
technology and operational technology
cybersecurity objectives;
``(xiv) develop and coordinate strategies
to address cybersecurity risks and
cybersecurity threats in consultation with--
``(I) if the eligible entity is a
State, local governments and
associations of local governments
within the jurisdiction of the eligible
entity; and
``(II) as applicable--
``(aa) eligible entities
that neighbor the jurisdiction
of the eligible entity or, as
appropriate, members of an
information sharing and
analysis organization; and
``(bb) countries that
neighbor the jurisdiction of
the eligible entity;
``(xv) ensure adequate access to, and
participation in, the services and programs
described in this subparagraph by rural areas
within the jurisdiction of the eligible entity;
and
``(xvi) distribute funds, items, services,
capabilities, or activities to local
governments under subsection (n)(2)(A),
including the fraction of that distribution the
eligible entity plans to distribute to rural
areas under subsection (n)(2)(B);
``(C) assess the capabilities of the eligible
entity relating to the actions described in
subparagraph (B);
``(D) describe, as appropriate and to the extent
practicable, the individual responsibilities of the
eligible entity and local governments within the
jurisdiction of the eligible entity in implementing the
plan;
``(E) outline, to the extent practicable, the
necessary resources and a timeline for implementing the
plan; and
``(F) describe the metrics the eligible entity will
use to measure progress towards--
``(i) implementing the plan; and
``(ii) reducing cybersecurity risks to, and
identifying, responding to, and recovering from
cybersecurity threats to, information systems
owned or operated by, or on behalf of, the
eligible entity or, if the eligible entity is a
State, local governments within the
jurisdiction of the eligible entity.
``(3) Discretionary elements.--In drafting a Cybersecurity
Plan, an eligible entity may--
``(A) consult with the Multi-State Information
Sharing and Analysis Center;
``(B) include a description of cooperative programs
developed by groups of local governments within the
jurisdiction of the eligible entity to address
cybersecurity risks and cybersecurity threats; and
``(C) include a description of programs provided by
the eligible entity to support local governments and
owners and operators of critical infrastructure to
address cybersecurity risks and cybersecurity threats.
``(f) Multi-Entity Grants.--
``(1) In general.--The Secretary may award grants under
this section to a multi-entity group to support multi-entity
efforts to address cybersecurity risks and cybersecurity
threats to information systems within the jurisdictions of the
eligible entities that comprise the multi-entity group.
``(2) Satisfaction of other requirements.--In order to be
eligible for a multi-entity grant under this subsection, each
eligible entity that comprises a multi-entity group shall
have--
``(A) a Cybersecurity Plan that has been reviewed
by the Secretary in accordance with subsection (i); and
``(B) a cybersecurity planning committee
established in accordance with subsection (g).
``(3) Application.--
``(A) In general.--A multi-entity group applying
for a multi-entity grant under paragraph (1) shall
submit to the Secretary an application at such time, in
such manner, and containing such information as the
Secretary may require.
``(B) Multi-entity project plan.--An application
for a grant under this section of a multi-entity group
under subparagraph (A) shall include a plan
describing--
``(i) the division of responsibilities
among the eligible entities that comprise the
multi-entity group;
``(ii) the distribution of funding from the
grant among the eligible entities that comprise
the multi-entity group; and
``(iii) how the eligible entities that
comprise the multi-entity group will work
together to implement the Cybersecurity Plan of
each of those eligible entities.
``(g) Planning Committees.--
``(1) In general.--An eligible entity that receives a grant
under this section shall establish a cybersecurity planning
committee to--
``(A) assist with the development, implementation,
and revision of the Cybersecurity Plan of the eligible
entity;
``(B) approve the Cybersecurity Plan of the
eligible entity; and
``(C) assist with the determination of effective
funding priorities for a grant under this section in
accordance with subsections (d) and (j).
``(2) Composition.--A committee of an eligible entity
established under paragraph (1) shall--
``(A) be comprised of representatives from--
``(i) the eligible entity;
``(ii) if the eligible entity is a State,
counties, cities, and towns within the
jurisdiction of the eligible entity; and
``(iii) institutions of public education
and health within the jurisdiction of the
eligible entity; and
``(B) include, as appropriate, representatives of
rural, suburban, and high-population jurisdictions.
``(3) Cybersecurity expertise.--Not less than one-half of
the representatives of a committee established under paragraph
(1) shall have professional experience relating to
cybersecurity or information technology.
``(4) Rule of construction regarding existing planning
committees.--Nothing in this subsection shall be construed to
require an eligible entity to establish a cybersecurity
planning committee if the eligible entity has established and
uses a multijurisdictional planning committee or commission
that--
``(A) meets the requirements of this subsection; or
``(B) may be expanded or leveraged to meet the
requirements of this subsection, including through the
formation of a cybersecurity planning subcommittee.
``(5) Rule of construction regarding control of information
systems of eligible entities.--Nothing in this subsection shall
be construed to permit a cybersecurity planning committee of an
eligible entity that meets the requirements of this subsection
to make decisions relating to information systems owned or
operated by, or on behalf of, the eligible entity.
``(h) Special Rule for Tribal Governments.--With respect to any
requirement under subsection (e) or (g), the Secretary, in consultation
with the Secretary of the Interior and Tribal governments, may
prescribe an alternative substantively similar requirement for Tribal
governments if the Secretary finds that the alternative requirement is
necessary for the effective delivery and administration of grants to
Tribal governments under this section.
``(i) Review of Plans.--
``(1) Review as condition of grant.--
``(A) In general.--Subject to paragraph (3), before
an eligible entity may receive a grant under this
section, the Secretary, acting through the Director,
shall--
``(i) review the Cybersecurity Plan of the
eligible entity, including any revised
Cybersecurity Plans of the eligible entity; and
``(ii) determine that the Cybersecurity
Plan reviewed under clause (i) satisfies the
requirements under paragraph (2).
``(B) Duration of determination.--In the case of a
determination under subparagraph (A)(ii) that a
Cybersecurity Plan satisfies the requirements under
paragraph (2), the determination shall be effective for
the 2-year period beginning on the date of the
determination.
``(C) Annual renewal.--Not later than 2 years after
the date on which the Secretary determines under
subparagraph (A)(ii) that a Cybersecurity Plan
satisfies the requirements under paragraph (2), and
annually thereafter, the Secretary, acting through the
Director, shall--
``(i) determine whether the Cybersecurity
Plan and any revisions continue to meet the
criteria described in paragraph (2); and
``(ii) renew the determination if the
Secretary, acting through the Director, makes a
positive determination under clause (i).
``(2) Plan requirements.--In reviewing a Cybersecurity Plan
of an eligible entity under this subsection, the Secretary,
acting through the Director, shall ensure that the
Cybersecurity Plan--
``(A) satisfies the requirements of subsection
(e)(2); and
``(B) has been approved by--
``(i) the cybersecurity planning committee
of the eligible entity established under
subsection (g); and
``(ii) the Chief Information Officer, the
Chief Information Security Officer, or an
equivalent official of the eligible entity.
``(3) Exception.--Notwithstanding subsection (e) and
paragraph (1) of this subsection, the Secretary may award a
grant under this section to an eligible entity that does not
submit a Cybersecurity Plan to the Secretary for review before
September 30, 2023, if the eligible entity certifies to the
Secretary that--
``(A) the activities that will be supported by the
grant are--
``(i) integral to the development of the
Cybersecurity Plan of the eligible entity; or
``(ii) necessary to assist with activities
described in subsection (d)(4), as confirmed by
the Director; and
``(B) the eligible entity will submit to the
Secretary a Cybersecurity Plan for review under this
subsection by September 30, 2023.
``(4) Rule of construction.--Nothing in this subsection
shall be construed to provide authority to the Secretary to--
``(A) regulate the manner by which an eligible
entity or local government improves the cybersecurity
of the information systems owned or operated by, or on
behalf of, the eligible entity or local government; or
``(B) condition the receipt of grants under this
section on--
``(i) participation in a particular Federal
program; or
``(ii) the use of a specific product or
technology.
``(j) Limitations on Uses of Funds.--
``(1) In general.--Any entity that receives funds from a
grant under this section may not use the grant--
``(A) to supplant State or local funds;
``(B) for any recipient cost-sharing contribution;
``(C) to pay a ransom;
``(D) for recreational or social purposes; or
``(E) for any purpose that does not address
cybersecurity risks or cybersecurity threats on
information systems owned or operated by, or on behalf
of, the eligible entity that receives the grant or a
local government within the jurisdiction of the
eligible entity.
``(2) Compliance oversight.--In addition to any other
remedy available, the Secretary may take such actions as are
necessary to ensure that a recipient of a grant under this
section uses the grant for the purposes for which the grant is
awarded.
``(3) Rule of construction.--Nothing in paragraph (1)(A)
shall be construed to prohibit the use of funds from a grant
under this section awarded to a State, local, or Tribal
government for otherwise permissible uses under this section on
the basis that the State, local, or Tribal government has
previously used State, local, or Tribal funds to support the
same or similar uses.
``(k) Opportunity To Amend Applications.--In considering
applications for grants under this section, the Secretary shall provide
applicants with a reasonable opportunity to correct any defects in
those applications before making final awards, including by allowing
applicants to revise a submitted Cybersecurity Plan.
``(l) Apportionment.--For fiscal year 2022 and each fiscal year
thereafter, the Secretary shall apportion amounts appropriated to carry
out this section among eligible entities as follows:
``(1) Baseline amount.--The Secretary shall first
apportion--
``(A) 0.25 percent of such amounts to each of
American Samoa, the Commonwealth of the Northern
Mariana Islands, Guam, and the United States Virgin
Islands;
``(B) 1 percent of such amounts to each of the
remaining States; and
``(C) 3 percent of such amounts to Tribal
governments.
``(2) Remainder.--The Secretary shall apportion the
remainder of such amounts to States as follows:
``(A) 50 percent of such remainder in the ratio
that the population of each State, bears to the
population of all States; and
``(B) 50 percent of such remainder in the ratio
that the population of each State that resides in rural
areas, bears to the population of all States that
resides in rural areas.
``(3) Apportionment among tribal governments.--In
determining how to apportion amounts to Tribal governments
under paragraph (1)(C), the Secretary shall consult with the
Secretary of the Interior and Tribal governments.
``(4) Multi-entity grants.--An amount received from a
multi-entity grant awarded under subsection (f)(1) by a State
or Tribal government that is a member of the multi-entity group
shall qualify as an apportionment for the purpose of this
subsection.
``(m) Federal Share.--
``(1) In general.--The Federal share of the cost of an
activity carried out using funds made available with a grant
under this section may not exceed--
``(A) in the case of a grant to an eligible
entity--
``(i) for fiscal year 2022, 90 percent;
``(ii) for fiscal year 2023, 80 percent;
``(iii) for fiscal year 2024, 70 percent;
and
``(iv) for fiscal year 2025, 60 percent;
and
``(B) in the case of a grant to a multi-entity
group--
``(i) for fiscal year 2022, 100 percent;
``(ii) for fiscal year 2023, 90 percent;
``(iii) for fiscal year 2024, 80 percent;
and
``(iv) for fiscal year 2025, 70 percent.
``(2) Waiver.--
``(A) In general.--The Secretary may waive or
modify the requirements of paragraph (1) if an eligible
entity or multi-entity group demonstrates economic
hardship.
``(B) Guidelines.--The Secretary shall establish
and publish guidelines for determining what constitutes
economic hardship for the purposes of this subsection.
``(C) Considerations.--In developing guidelines
under subparagraph (B), the Secretary shall consider,
with respect to the jurisdiction of an eligible
entity--
``(i) changes in rates of unemployment in
the jurisdiction from previous years;
``(ii) changes in the percentage of
individuals who are eligible to receive
benefits under the supplemental nutrition
assistance program established under the Food
and Nutrition Act of 2008 (7 U.S.C. 2011 et
seq.) from previous years; and
``(iii) any other factors the Secretary
considers appropriate.
``(3) Waiver for tribal governments.--Notwithstanding
paragraph (2), the Secretary, in consultation with the
Secretary of the Interior and Tribal governments, may waive or
modify the requirements of paragraph (1) for 1 or more Tribal
governments if the Secretary determines that the waiver is in
the public interest.
``(n) Responsibilities of Grantees.--
``(1) Certification.--Each eligible entity or multi-entity
group that receives a grant under this section shall certify to
the Secretary that the grant will be used--
``(A) for the purpose for which the grant is
awarded; and
``(B) in compliance with subsections (d) and (j).
``(2) Availability of funds to local governments and rural
areas.--
``(A) In general.--Subject to subparagraph (C), not
later than 45 days after the date on which an eligible
entity or multi-entity group receives a grant under
this section, the eligible entity or multi-entity group
shall, without imposing unreasonable or unduly
burdensome requirements as a condition of receipt,
obligate or otherwise make available to local
governments within the jurisdiction of the eligible
entity or the eligible entities that comprise the
multi-entity group, consistent with the Cybersecurity
Plan of the eligible entity or the Cybersecurity Plans
of the eligible entities that comprise the multi-entity
group--
``(i) not less than 80 percent of funds
available under the grant;
``(ii) with the consent of the local
governments, items, services, capabilities, or
activities having a value of not less than 80
percent of the amount of the grant; or
``(iii) with the consent of the local
governments, grant funds combined with other
items, services, capabilities, or activities
having the total value of not less than 80
percent of the amount of the grant.
``(B) Availability to rural areas.--In obligating
funds, items, services, capabilities, or activities to
local governments under subparagraph (A), the eligible
entity or eligible entities that comprise the
multi-entity group shall ensure that rural areas within the
jurisdiction of the eligible entity or the eligible
entities that comprise the multi-entity group receive
not less than--
``(i) 25 percent of the amount of the grant
awarded to the eligible entity;
``(ii) items, services, capabilities, or
activities having a value of not less than 25
percent of the amount of the grant awarded to
the eligible entity; or
``(iii) grant funds combined with other
items, services, capabilities, or activities
having the total value of not less than 25
percent of the grant awarded to the eligible
entity.
``(C) Exceptions.--This paragraph shall not apply
to--
``(i) any grant awarded under this section
that solely supports activities that are
integral to the development or revision of the
Cybersecurity Plan of the eligible entity; or
``(ii) the District of Columbia, the
Commonwealth of Puerto Rico, American Samoa,
the Commonwealth of the Northern Mariana
Islands, Guam, the United States Virgin
Islands, or a Tribal government.
``(3) Certifications regarding distribution of grant funds
to local governments.--An eligible entity or multi-entity group
shall certify to the Secretary that the eligible entity or
multi-entity group has made the distribution to local
governments required under paragraph (2).
``(4) Extension of period.--
``(A) In general.--An eligible entity or
multi-entity group may request in writing that the Secretary
extend the period of time specified in paragraph (2)
for an additional period of time.
``(B) Approval.--The Secretary may approve a
request for an extension under subparagraph (A) if the
Secretary determines the extension is necessary to
ensure that the obligation and expenditure of grant
funds align with the purpose of the State and Local
Cybersecurity Grant Program.
``(5) Direct funding.--If an eligible entity does not make
a distribution to a local government required under paragraph
(2) in a timely fashion, the local government may petition the
Secretary to request the Secretary to provide funds directly to
the local government.
``(6) Limitation on construction.--A grant awarded under
this section may not be used to acquire land or to construct,
remodel, or perform alterations of buildings or other physical
facilities.
``(7) Consultation in allocating funds.--An eligible entity
applying for a grant under this section shall agree to consult
the Chief Information Officer, the Chief Information Security
Officer, or an equivalent official of the eligible entity in
allocating funds from a grant awarded under this section.
``(8) Penalties.--In addition to other remedies available
to the Secretary, if an eligible entity violates a requirement
of this subsection, the Secretary may--
``(A) terminate or reduce the amount of a grant
awarded under this section to the eligible entity; or
``(B) distribute grant funds previously awarded to
the eligible entity--
``(i) in the case of an eligible entity
that is a State, directly to the appropriate
local government as a replacement grant in an
amount determined by the Secretary; or
``(ii) in the case of an eligible entity
that is a Tribal government, to another Tribal
government or Tribal governments as a
replacement grant in an amount determined by
the Secretary.
``(o) Consultation With State, Local, and Tribal Representatives.--
In carrying out this section, the Secretary shall consult with State,
local, and Tribal representatives with professional experience relating
to cybersecurity, including representatives of associations
representing State, local, and Tribal governments, to inform--
``(1) guidance for applicants for grants under this
section, including guidance for Cybersecurity Plans;
``(2) the study of risk-based formulas required under
subsection (q)(4);
``(3) the development of guidelines required under
subsection (m)(2)(B); and
``(4) any modifications described in subsection (q)(2)(D).
``(p) Notification to Congress.--Not later than 3 business days
before the date on which the Department announces the award of a grant
to an eligible entity under this section, including an announcement to
the eligible entity, the Secretary shall provide to the appropriate
committees of Congress notice of the announcement.
``(q) Reports, Study, and Review.--
``(1) Annual reports by grant recipients.--
``(A) In general.--Not later than 1 year after the
date on which an eligible entity receives a grant under
this section for the purpose of implementing the
Cybersecurity Plan of the eligible entity, including an
eligible entity that comprises a multi-entity group
that receives a grant for that purpose, and annually
thereafter until 1 year after the date on which funds
from the grant are expended or returned, the eligible
entity shall submit to the Secretary a report that,
using the metrics described in the Cybersecurity Plan
of the eligible entity, describes the progress of the
eligible entity in--
``(i) implementing the Cybersecurity Plan
of the eligible entity; and
``(ii) reducing cybersecurity risks to, and
identifying, responding to, and recovering from
cybersecurity threats to, information systems
owned or operated by, or on behalf of, the
eligible entity or, if the eligible entity is a
State, local governments within the
jurisdiction of the eligible entity.
``(B) Absence of plan.--Not later than 1 year after
the date on which an eligible entity that does not have
a Cybersecurity Plan receives funds under this section,
and annually thereafter until 1 year after the date on
which funds from the grant are expended or returned,
the eligible entity shall submit to the Secretary a
report describing how the eligible entity obligated and
expended grant funds to--
``(i) develop or revise a Cybersecurity
Plan; or
``(ii) assist with the activities described
in subsection (d)(4).
``(2) Annual reports to congress.--Not less frequently than
annually, the Secretary, acting through the Director, shall
submit to Congress a report on--
``(A) the use of grants awarded under this section;
``(B) the proportion of grants used to support
cybersecurity in rural areas;
``(C) the effectiveness of the State and Local
Cybersecurity Grant Program;
``(D) any necessary modifications to the State and
Local Cybersecurity Grant Program; and
``(E) any progress made toward--
``(i) developing, implementing, or revising
Cybersecurity Plans; and
``(ii) reducing cybersecurity risks to, and
identifying, responding to, and recovering from
cybersecurity threats to, information systems
owned or operated by, or on behalf of, State,
local, or Tribal governments as a result of the
award of grants under this section.
``(3) Public availability.--
``(A) In general.--The Secretary, acting through
the Director, shall make each report submitted under
paragraph (2) publicly available, including by making
each report available on the website of the Agency.
``(B) Redactions.--In making each report publicly
available under subparagraph (A), the Director may make
redactions that the Director, in consultation with each
eligible entity, determines necessary to protect
classified or other information exempt from disclosure
under section 552 of title 5, United States Code
(commonly referred to as the `Freedom of Information
Act').
``(4) Study of risk-based formulas.--
``(A) In general.--Not later than September 30,
2024, the Secretary, acting through the Director, shall
submit to the appropriate committees of Congress a
study and legislative recommendations on the potential
use of a risk-based formula for apportioning funds
under this section, including--
``(i) potential components that could be
included in a risk-based formula, including the
potential impact of those components on support
for rural areas under this section;
``(ii) potential sources of data and
information necessary for the implementation of
a risk-based formula;
``(iii) any obstacles to implementing a
risk-based formula, including obstacles that
require a legislative solution;
``(iv) if a risk-based formula were to be
implemented for fiscal year 2026, a recommended
risk-based formula for the State and Local
Cybersecurity Grant Program; and
``(v) any other information that the
Secretary, acting through the Director,
determines necessary to help Congress
understand the progress towards, and obstacles
to, implementing a risk-based formula.
``(B) Inapplicability of paperwork reduction act.--
The requirements of chapter 35 of title 44, United
States Code (commonly referred to as the `Paperwork
Reduction Act'), shall not apply to any action taken to
carry out this paragraph.
``(5) Tribal cybersecurity needs report.--Not later than 2
years after the date of enactment of this section, the
Secretary, acting through the Director, shall submit to
Congress a report that--
``(A) describes the cybersecurity needs of Tribal
governments, which shall be determined in consultation
with the Secretary of the Interior and Tribal
governments; and
``(B) includes any recommendations for addressing
the cybersecurity needs of Tribal governments,
including any necessary modifications to the State and
Local Cybersecurity Grant Program to better serve
Tribal governments.
``(6) GAO review.--Not later than 3 years after the date of
enactment of this section, the Comptroller General of the
United States shall conduct a review of the State and Local
Cybersecurity Grant Program, including--
``(A) the grant selection process of the Secretary;
and
``(B) a sample of grants awarded under this
section.
``(r) Authorization of Appropriations.--
``(1) In general.--There are authorized to be appropriated
for activities under this section--
``(A) for fiscal year 2022, $200,000,000;
``(B) for fiscal year 2023, $400,000,000;
``(C) for fiscal year 2024, $300,000,000; and
``(D) for fiscal year 2025, $100,000,000.
``(2) Transfers authorized.--
``(A) In general.--During a fiscal year, the
Secretary or the head of any component of the
Department that administers the State and Local
Cybersecurity Grant Program may transfer not more than
5 percent of the amounts appropriated pursuant to
paragraph (1) or other amounts appropriated to carry
out the State and Local Cybersecurity Grant Program for
that fiscal year to an account of the Department for
salaries, expenses, and other administrative costs
incurred for the management, administration, or
evaluation of this section.
``(B) Additional appropriations.--Any funds
transferred under subparagraph (A) shall be in addition
to any funds appropriated to the Department or the
components described in subparagraph (A) for salaries,
expenses, and other administrative costs.
``(s) Termination.--
``(1) In general.--Subject to paragraph (2), the
requirements of this section shall terminate on September 30,
2025.
``(2) Exception.--The reporting requirements under
subsection (q) shall terminate on the date that is 1 year after
the date on which the final funds from a grant under this
section are expended or returned.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135),
is amended by inserting after the item relating to section 2217 the
following:
``Sec. 2218. State and Local Cybersecurity Grant Program.''.