IIB
116TH CONGRESS
2D SESSION
H. R. 5823
IN THE SENATE OF THE UNITED STATES
OCTOBER 1, 2020
Received; read twice and referred to the Committee on Homeland Security and
Governmental Affairs
AN ACT
To establish a program to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
VerDate Sep 11 2014
03:29 Oct 02, 2020
Jkt 019200
PO 00000
Frm 00001
Fmt 6652
Sfmt 6201
E:\BILLS\H5823.RFS
H5823
pbinns on DSKJLVW7X2PROD with BILLS
HR 5823 RFS
SECTION 1. SHORT TITLE.
This Act may be cited as the “State and Local Cybersecurity Improvement Act”.
SEC. 2. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.
(a) IN GENERAL.—Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following new sections:
“SEC. 2215. STATE AND LOCAL CYBERSECURITY GRANT PROGRAM.
“(a) ESTABLISHMENT.—The Secretary, acting through the Director, shall establish a program to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments (referred to as the ‘State and Local Cybersecurity Grant Program’ in this section).
“(b) BASELINE REQUIREMENTS.—A grant awarded under this section shall be used in compliance with the following:
“(1) The Cybersecurity Plan required under subsection (d) and approved pursuant to subsection (g).
“(2) The Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments required in accordance with section 2210, when issued.
“(c) ADMINISTRATION.—The State and Local Cybersecurity Grant Program shall be administered in the same program office that administers grants made under sections 2003 and 2004.
“(d) ELIGIBILITY.—
“(1) IN GENERAL.—A State applying for a grant under the State and Local Cybersecurity Grant Program shall submit to the Secretary a Cybersecurity Plan for approval. Such plan shall—
“(A) incorporate, to the extent practicable, any existing plans of such State to protect against cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments;
“(B) describe, to the extent practicable, how such State shall—
“(i) enhance the preparation, response, and resiliency of information systems owned or operated by such State or, if appropriate, by local, Tribal, or territorial governments, against cybersecurity risks and cybersecurity threats;
“(ii) implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats in information systems of such State, local, Tribal, or territorial governments;
“(iii) ensure that State, local, Tribal, and territorial governments that own or operate information systems within the State adopt best practices and methodologies to enhance cybersecurity, such as the practices set forth in the cybersecurity framework developed by the National Institute of Standards and Technology;
“(iv) promote the delivery of safe, recognizable, and trustworthy online services by State, local, Tribal, and territorial governments, including through the use of the .gov internet domain;
“(v) mitigate any identified gaps in the State, local, Tribal, or territorial government cybersecurity workforces, enhance recruitment and retention efforts for such workforces, and bolster the knowledge, skills, and abilities of State, local, Tribal, and territorial government personnel to address cybersecurity risks and cybersecurity threats;
“(vi) ensure continuity of communications and data networks within such State between such State and local, Tribal, and territorial governments that own or operate information systems within such State in the event of an incident involving such communications or data networks within such State;
“(vii) assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats related to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within such State;
“(viii) enhance capability to share cyber threat indicators and related information between such State and local, Tribal, and territorial governments that own or operate information systems within such State; and
“(ix) develop and coordinate strategies to address cybersecurity risks and cybersecurity threats in consultation with—
“(I) local, Tribal, and territorial governments within the State; and
“(II) as applicable—
“(aa) neighboring States or, as appropriate, members of an information sharing and analysis organization; and
“(bb) neighboring countries; and
“(C) include, to the extent practicable, an inventory of the information technology deployed on the information systems owned or operated by such State or by local, Tribal, or territorial governments within such State, including legacy information technology that is no longer supported by the manufacturer.
“(e) PLANNING COMMITTEES.—
“(1) IN GENERAL.—A State applying for a grant under this section shall establish a cybersecurity planning committee to assist in the following:
“(A) The development, implementation, and revision of such State’s Cybersecurity Plan required under subsection (d).
“(B) The determination of effective funding priorities for such grant in accordance with subsection (f).
“(2) COMPOSITION.—Cybersecurity planning committees described in paragraph (1) shall be comprised of representatives from counties, cities, towns, and Tribes within the State receiving a grant under this section, including, as appropriate, representatives of rural, suburban, and high-population jurisdictions.
“(3) RULE OF CONSTRUCTION REGARDING EXISTING PLANNING COMMITTEES.—Nothing in this subsection may be construed to require that any State establish a cybersecurity planning committee if such State has established and uses a multijurisdictional planning committee or commission that meets the requirements of this paragraph.
“(f) USE OF FUNDS.—A State that receives a grant under this section shall use the grant to implement such State’s Cybersecurity Plan, or to assist with activities determined by the Secretary, in consultation with the Director, to be integral to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments, as the case may be.
“(g) APPROVAL OF PLANS.—
“(1) APPROVAL AS CONDITION OF GRANT.—Before a State may receive a grant under this section, the Secretary, acting through the Director, shall review and approve such State’s Cybersecurity Plan required under subsection (d).
“(2) PLAN REQUIREMENTS.—In approving a Cybersecurity Plan under this subsection, the Director shall ensure such Plan—
“(A) meets the requirements specified in subsection (d); and
“(B) upon issuance of the Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments authorized pursuant to section 2210, complies, as appropriate, with the goals and objectives of such Strategy.
“(3) APPROVAL OF REVISIONS.—The Secretary, acting through the Director, may approve revisions to a Cybersecurity Plan as the Director determines appropriate.
“(4) EXCEPTION.—Notwithstanding the requirement under subsection (d) to submit a Cybersecurity Plan as a condition of apply for a grant under this section, such a grant may be awarded to a State that has not so submitted a Cybersecurity Plan to the Secretary if—
“(A) such State certifies to the Secretary that it will submit to the Secretary a Cybersecurity Plan for approval by September 30, 2022;
“(B) such State certifies to the Secretary that the activities that will be supported by such grant are integral to the development of such Cybersecurity Plan; or
“(C) such State certifies to the Secretary, and the Director confirms, that the activities that will be supported by the grant will address imminent cybersecurity risks or cybersecurity threats to the information systems of such State or of a local, Tribal, or territorial government in such State.
“(h) LIMITATIONS ON USES OF FUNDS.—
“(1) IN GENERAL.—A State that receives a grant under this section may not use such grant—
“(A) to supplant State, local, Tribal, or territorial funds;
“(B) for any recipient cost-sharing contribution;
“(C) to pay a demand for ransom in an attempt to regain access to information or an information system of such State or of a local, Tribal, or territorial government in such State;
“(D) for recreational or social purposes; or
“(E) for any purpose that does not directly address cybersecurity risks or cybersecurity threats on an information systems of such State or of a local, Tribal, or territorial government in such State.
“(2) PENALTIES.—In addition to other remedies available, the Secretary may take such actions as are necessary to ensure that a recipient of a grant under this section is using such grant for the purposes for which such grant was awarded.
“(i) OPPORTUNITY TO AMEND APPLICATIONS.—In considering applications for grants under this section, the Secretary shall provide applicants with a reasonable opportunity to correct defects, if any, in such applications before making final awards.
“(j) APPORTIONMENT.—For fiscal year 2020 and each fiscal year thereafter, the Secretary shall apportion amounts appropriated to carry out this section among States as follows:
“(1) BASELINE AMOUNT.—The Secretary shall first apportion 0.25 percent of such amounts to each of American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the Virgin Islands, and 0.75 percent of such amounts to each of the remaining States.
“(2) REMAINDER.—The Secretary shall apportion the remainder of such amounts in the ratio that—
“(A) the population of each State; bears to
“(B) the population of all States.
“(k) FEDERAL SHARE.—The Federal share of the cost of an activity carried out using funds made available under the program may not exceed the following percentages:
“(1) For fiscal year 2021, 90 percent.
“(2) For fiscal year 2022, 80 percent.
“(3) For fiscal year 2023, 70 percent.
“(4) For fiscal year 2024, 60 percent.
“(5) For fiscal year 2025 and each subsequent fiscal year, 50 percent.
“(l) STATE RESPONSIBILITIES.—
“(1) CERTIFICATION.—Each State that receives a grant under this section shall certify to the Secretary that the grant will be used for the purpose for which the grant is awarded and in compliance with the Cybersecurity Plan or other purpose approved by the Secretary under subsection (g).
“(2) AVAILABILITY OF FUNDS TO LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENTS.—Not later than 45 days after a State receives a grant under this section, such State shall, without imposing unreasonable or unduly burdensome requirements as a condition of receipt, obligate or otherwise make available to local, Tribal, and territorial governments in such State, consistent with the applicable Cybersecurity Plan—
“(A) not less than 80 percent of funds available under such grant;
“(B) with the consent of such local, Tribal, and territorial governments, items, services, capabilities, or activities having a value of not less than 80 percent of the amount of the grant; or
“(C) with the consent of the local, Tribal, and territorial governments, grant funds combined with other items, services, capabilities, or activities having the total value of not less than 80 percent of the amount of the grant.
“(3) CERTIFICATIONS REGARDING DISTRIBUTION OF GRANT FUNDS TO LOCAL, TRIBAL, TERRITORIAL GOVERNMENTS.—A State shall certify to the Secretary that the State has made the distribution to local, Tribal, and territorial governments required under paragraph (2).
“(4) EXTENSION OF PERIOD.—A State may request in writing t
[Text truncated for display. Full text available on Congress.gov.]