II 118TH CONGRESS 1ST SESSION S. 1191 To direct the Director of the Cybersecurity and Infrastructure Security Agen- cy to establish a K–12 Cybersecurity Technology Improvement Program, and for other purposes. IN THE SENATE OF THE UNITED STATES APRIL 19, 2023 Mrs. BLACKBURN (for herself and Mr. WARNER) introduced the following bill; which was read twice and referred to the Committee on Homeland Secu- rity and Governmental Affairs A BILL To direct the Director of the Cybersecurity and Infrastruc- ture Security Agency to establish a K–12 Cybersecurity Technology Improvement Program, and for other pur- poses. Be it enacted by the Senate and House of Representa- 1 tives of the United States of America in Congress assembled, 2 SECTION 1. SHORT TITLE. 3 This Act may cited as the ‘‘Enhancing K–12 Cyberse- 4 curity Act’’. 5 SEC. 2. DEFINITIONS. 6 In this Act: 7 VerDate Sep 11 2014 03:13 Apr 21, 2023 Jkt 039200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\S1191.IS S1191 pbinns on DSKJLVW7X2PROD with $$_JOB 2 •S 1191 IS (1) COVERED ENTITY.—The term ‘‘covered en- 1 tity’’ means the following: 2 (A) An elementary school. 3 (B) A secondary school. 4 (C) A local educational agency. 5 (D) A State educational agency. 6 (E) An educational service agency. 7 (2) DIRECTOR.—The term ‘‘Director’’ means 8 the Director of the Cybersecurity and Infrastructure 9 Security Agency. 10 (3) EDUCATIONAL SERVICE AGENCY.—The 11 term ‘‘educational service agency’’ has the meaning 12 given that term in section 8101 of the Elementary 13 and Secondary Education Act of 1965 (20 U.S.C. 14 7801). 15 (4) ELEMENTARY SCHOOL.—The term ‘‘elemen- 16 tary school’’ has the meaning given that term in sec- 17 tion 8101 of the Elementary and Secondary Edu- 18 cation Act of 1965 (20 U.S.C. 7801). 19 (5) INFORMATION EXCHANGE.—The term ‘‘In- 20 formation Exchange’’ means the School Cybersecu- 21 rity Information Exchange established under section 22 3(a). 23 (6) INFORMATION SHARING AND ANALYSIS OR- 24 GANIZATION.—The term ‘‘Information Sharing and 25 VerDate Sep 11 2014 03:13 Apr 21, 2023 Jkt 039200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E:\BILLS\S1191.IS S1191 pbinns on DSKJLVW7X2PROD with $$_JOB 3 •S 1191 IS Analysis Organization’’ has the meaning given that 1 term in section 2200 of the Homeland Security Act 2 of 2002 (6 U.S.C. 650). 3 (7) LOCAL EDUCATIONAL AGENCY.—The term 4 ‘‘local educational agency’’ has the meaning given 5 that term in section 8101 of the Elementary and 6 Secondary Education Act of 1965 (20 U.S.C. 7801). 7 (8) SECONDARY SCHOOL.—The term ‘‘sec- 8 ondary school’’ has the meaning given that term in 9 section 8101 of the Elementary and Secondary Edu- 10 cation Act of 1965 (20 U.S.C. 7801). 11 (9) STATE EDUCATIONAL AGENCY.—The term 12 ‘‘State educational agency’’ has the meaning given 13 that term in section 8101 of the Elementary and 14 Secondary Education Act of 1965 (20 U.S.C. 7801). 15 SEC. 3. SCHOOL CYBERSECURITY INFORMATION EX- 16 CHANGE. 17 (a) ESTABLISHMENT.—The Director shall enhance 18 existing information exchange efforts implemented 19 through partnerships with 1 or more Information Sharing 20 and Analysis Organizations to focus specific attention on 21 the needs of covered entities with regard to cybersecurity, 22 including a new publicly accessible website (to be known 23 as the ‘‘School Cybersecurity Information Exchange’’) to 24 disseminate information, cybersecurity best practices, 25 VerDate Sep 11 2014 03:13 Apr 21, 2023 Jkt 039200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E:\BILLS\S1191.IS S1191 pbinns on DSKJLVW7X2PROD with $$_JOB 4 •S 1191 IS training, and lessons learned tailored to the specific needs 1 of, technical expertise of, and resources available to cov- 2 ered entities, in accordance with subsection (b). 3 (b) DUTIES.—In establishing the Information Ex- 4 change, the Director shall— 5 (1) engage appropriate Federal, State, local, 6 and nongovernmental organizations to identify, pro- 7 mote, and disseminate information and best prac- 8 tices for State educational agencies, local educational 9 agencies, and educational service agencies with re- 10 spect to cybersecurity, data protection, remote learn- 11 ing security, and student online privacy; 12 (2) maintain a database through which an ele- 13 mentary school, secondary school, local educational 14 agency, State educational agency, or educational 15 service agency may identify cybersecurity tools and 16 services funded by the Federal Government and 17 tools and services recommended for purchase with 18 State and local government funding; and 19 (3) provide a searchable database through 20 which covered entities may find and apply for fund- 21 ing opportunities to improve cybersecurity. 22 (c) CONSULTATION.—In carrying out the duties 23 under subsection (b), the Director shall consult with the 24 following: 25 VerDate Sep 11 2014 03:13 Apr 21, 2023 Jkt 039200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E:\BILLS\S1191.IS S1191 pbinns on DSKJLVW7X2PROD with $$_JOB 5 •S 1191 IS (1) The Secretary of Education. 1 (2) The Director of the National Institute of 2 Standards and Technology. 3 (3) The Federal Communications Commission. 4 (4) The Director of the National Science Foun- 5 dation. 6 (5) The Federal Bureau of Investigation. 7 (6) State and local leaders, including, when ap- 8 propriate, Governors, employees of State depart- 9 ments and agencies, members of State legislatures 10 and State boards of education, local educational 11 agencies, State educational agencies, representatives 12 of Indian Tribes, teachers, principals, other school 13 leaders, charter school leaders, specialized instruc- 14 tional support personnel, paraprofessionals, school 15 administrators, other school staff, and parents. 16 (7) When determined appropriate by the Direc- 17 tor, subject matter experts and expert organizations, 18 including nongovernmental organizations, vendors of 19 school information technology products and services, 20 cybersecurity insurance companies, and cybersecu- 21 rity threat companies. 22 SEC. 4. CYBERSECURITY INCIDENT REGISTRY. 23 (a) IN GENERAL.—The Director shall— 24 VerDate Sep 11 2014 03:13 Apr 21, 2023 Jkt 039200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6201 E:\BILLS\S1191.IS S1191 pbinns on DSKJLVW7X2PROD with $$_JOB 6 •S 1191 IS (1) establish, through partnerships with 1 or 1 more Information Sharing and Analysis Organiza- 2 tions, a voluntary registry of information relating to 3 cyber incidents affecting information technology sys- 4 tems owned or managed by a covered entity; and 5 (2) determine the scope of cyber incidents to be 6 included in the registry and processes by which inci- 7 dents can be reported for collection in the registry. 8 (b) USE.—Information in the registry established 9 pursuant under subsection (a) may be used to— 10 (1) improve data collection and coordination ac- 11 tivities related to the nationwide monitoring of the 12 incidence and impact of cyber incidents affecting a 13 covered entity; 14 (2) conduct analyses regarding trends in cyber 15 incidents affecting a covered entity; 16 (3) develop systematic approaches to assist a 17 covered entity in preventing and responding to cyber 18 incidents; 19 (4) increase the awareness and preparedness of 20 a covered entity regarding the cybersecurity of the 21 covered entity; and 22 (5) identify, prevent, or investigate cyber inci- 23 dents targeting a covered entity. 24 (c) INFORMATION COLLECTION.— 25 VerDate Sep 11 2014 03:13 Apr 21, 2023 Jkt 039200 PO 00000 Frm 00006 Fmt 6652 Sfmt 6201 E:\BILLS\S1191.IS S1191 pbinns on DSKJLVW7X2PROD with $$_JOB 7 •S 1191 IS (1) IN GENERAL.—The Director may collect in- 1 formation relating to cyber incidents to store in the 2 registry established pursuant to subsection (a). 3 (2) SUBMISSION OF INFORMATION.—Informa- 4 tion relating to a cyber incident may be submitted 5 by a covered entity and may include the following: 6 (A) The date of the cyber incident, includ- 7 ing the date on which the incident was initially 8 detected and the date on which the incident was 9 first publicly reported or disclosed to another 10 entity. 11 (B) A description of the cyber incident, 12 which shall include whether the incident was as 13 a result of a breach, malware, distributed denial 14 of service attack, or other method designed to 15 cause a vulnerability. 16 (C) The effects of the cyber incident, in- 17 cluding descriptions of the type and size of each 18 such incident. 19 (D) Other information determined relevant 20 by the Director. 21 (d) REPORT.—The Director shall make available on 22 the Information Exchange an annual report relating to 23 cyber incidents affecting elementary schools and secondary 24 VerDate Sep 11 2014 03:13 Apr 21, 2023 Jkt 039200 PO 00000 Frm 00007 Fmt 6652 Sfmt 6201 E:\BILLS\S1191.IS S1191 pbinns on DSKJLVW7X2PROD with $$_JOB 8 •S 1191 IS schools which includes data, and the analysis of such data, 1 in a manner that— 2 (1) is— 3 (A) de-identified; and 4 (B) presented in the aggregate; and 5 (2) at a minimum, protects personal privacy to 6 the extent required by applicable Federal and State 7 privacy laws. 8 SEC. 5. K–12 CYBERSECURITY TECHNOLOGY IMPROVEMENT 9 PROGRAM. 10 (a) ESTABLISHMENT.—The Director shall establish, 11 through partnerships with 1 or more Information Sharing 12 and Analysis Organizations, a program (to be known as 13 the ‘‘K–12 Cybersecurity Technology Improvement Pro- 14 gram’’) to deploy cybersecurity capabilities to address cy- 15 bersecurity risks and threats to information systems of el- 16 ementary schools and secondary schools through— 17 (1) the development of cybersecurity strategies 18 and installation of effective cybersecurity tools tai- 19 lored for covered entities; 20 (2) making available cybersecurity services that 21 enhance the ability of elementary schools and sec- 22 ondary schools to protect themselves from 23 ransomware and other cybersecurity threats; and 24 VerDate Sep 11 2014 03:13 Apr 21, 2023 Jkt 039200 PO 00000 Frm 00008 Fmt 6652 Sfmt 6201 E:\BILLS\S1191.IS S1191 pbinns on DSKJLVW7X2PROD with $$_JOB 9 •S 1191 IS (3) providing training opportunities on cyberse- 1 curity threats, best practices, and relevant tech- 2 nologies for elementary schools and secondary 3 schools. 4 (b) REPORT.—The Director shall make available on 5 the Information Exchange an annual report relating to the 6 impact of the K–12 Cybersecurity Technology Improve- 7 ment Program, including information on the cybersecurity 8 capabilities made available to information technology sys- 9 tems owned or managed by covered entities, the number 10 of students served, and cybersecurity incidents identified 11 or prevented. 12 SEC. 6. AUTHORIZATION OF APPROPRIATIONS. 13 There are authorized to be appropriated to carry out 14 this Act $10,000,000 for each of fiscal years 2023 and 15 2024. 16 Æ VerDate Sep 11 2014 03:13 Apr 21, 2023 Jkt 039200 PO 00000 Frm 00009 Fmt 6652 Sfmt 6301 E:\BILLS\S1191.IS S1191 pbinns on DSKJLVW7X2PROD with $$_JOB