
H.R. 2130: State Cyber Resiliency Act

The text of the bill below is as of Apr 8, 2019 (Introduced).


I

116th CONGRESS

1st Session

H. R. 2130

IN THE HOUSE OF REPRESENTATIVES

April 8, 2019

(for himself and Mr. McCaul) introduced the following bill; which was referred to the Committee on Homeland Security, and in addition to the Committee on Transportation and Infrastructure, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To provide grants to assist States in developing and implementing plans to address cybersecurity threats or vulnerabilities, and for other purposes.

1.

Short title

This Act may be cited as the State Cyber Resiliency Act.

2.

Establishment of cyber resiliency grant program

(a)

Establishment

There is established the State Cyber Resiliency Grant Program to assist State, local, and tribal governments in preventing, preparing for, protecting against, and responding to cyber threats, which shall be administered by the Administrator.

(b)

Eligibility

Each State shall be eligible to apply for grants under the Program.

(c)

Grants authorized for each State

Subject to the funds available under a funding allocation determined under subsection (f) for a State, the Secretary of Homeland Security may award to the State—

(1)

up to 2 planning grants under subsection (e) to develop or revise a cyber resiliency plan; and

(2)

up to 2 implementation grants under subsection (f) to implement an active cyber resiliency plan.

(d)

Approval of cyber resiliency plans

(1)

In general

The Secretary shall approve a cyber resiliency plan submitted by a State if the Secretary determines, after considering the recommendations of the Review Committee established under subsection (i), that the plan meets all of the following criteria:

(A)

The plan incorporates, to the extent practicable, any existing plans of such State to protect against cybersecurity threats or vulnerabilities.

(B)

The plan is designed to achieve each of the following objectives, with respect to the essential functions of such State:

(i)

Enhancing the preparation, response, and resiliency of computer networks, industrial control systems, and communications systems performing such functions against cybersecurity threats or vulnerabilities.

(ii)

Implementing a process of continuous cybersecurity vulnerability assessments and threat mitigation practices to prevent the disruption of such functions by an incident within the State.

(iii)

Ensuring that entities performing such functions within the State adopt generally recognized best practices and methodologies with respect to cybersecurity, such as the practices provided in the cybersecurity framework developed by the National Institute of Standards and Technology.

(iv)

Mitigating talent gaps in the State government cybersecurity workforce, enhancing recruitment and retention efforts for such workforce, and bolstering the knowledge, skills, and abilities of State government personnel to protect against cybersecurity threats and vulnerabilities.

(v)

Protecting public safety answering points and other emergency communications and data networks from cybersecurity threats or vulnerabilities.

(vi)

Ensuring continuity of communications and data networks between entities performing such functions within the State, in the event of a catastrophic disruption of such communications or networks.

(vii)

Accounting for and mitigating, to the greatest degree possible, cybersecurity threats or vulnerabilities related to critical infrastructure or key resources, the degradation of which may impact the performance of such functions within the State or threaten public safety.

(viii)

Providing appropriate communications capabilities to ensure cybersecurity intelligence information-sharing and the command and coordination capabilities among entities performing such functions.

(ix)

Developing and coordinating strategies with respect to cybersecurity threats or vulnerabilities in consultation with—

(I)

neighboring States or members of an information sharing and analysis organization; and

(II)

as applicable, neighboring countries.

(2)

Duration of approval

(A)

Initial duration

An approval under paragraph (1) shall be initially effective for the 2-year period beginning on the date of the determination described in such paragraph.

(B)

Annual extension

The Secretary may annually extend such approval for a 1-year period, if the Secretary determines, after considering the recommendations of the Review Committee, that the plan continues to meet the criteria described in paragraph (1) after the State makes such revisions as the Secretary may determine to be necessary.

(3)

Essential functions

For purposes of this subsection, the term essential functions includes, with respect to a State, those functions that enhance the cybersecurity posture of the State, local and tribal governments of the State, and the public services they provide.

(e)

Planning grants

(1)

Initial planning grant

The Secretary shall require, as a condition of awarding an initial planning grant, that the State seeking the grant—

(A)

agrees to use the funds to develop a cyber resiliency plan designed to meet the criteria described in subsection (d)(1); and

(B)

submits an application including such information as the Secretary may determine to be necessary.

(2)

Eligibility for initial planning grant

A State shall not be eligible to receive an initial planning grant after the date on which the State first submits a cyber resiliency plan to the Secretary for a determination under subsection (d)(1).

(3)

Additional planning grant

The Secretary may award an additional planning grant to a State if the State agrees to use the funds to revise a cyber resiliency plan in order to receive an extension in accordance with subsection (d)(2)(B), and submits an application including such information as the Secretary may determine to be necessary.

(4)

Limitations on number and timing of grants

A State shall not be eligible to receive—

(A)

more than 2 planning grants under this subsection; or

(B)

an additional planning grant for the fiscal year following the fiscal year for which it receives an initial planning grant.

(f)

Implementation grants

(1)

Application requirements

The Secretary shall require, as a condition of awarding a biennial implementation grant, that the State seeking the grant submits an application including the following:

(A)

A proposal, including a description and timeline, of the activities to be funded by the grant as described by a cyber resiliency plan of the State approved under subsection (d).

(B)

A description of how each activity proposed to be funded by the grant would achieve one or more of the objectives described in subsection (d)(1)(B).

(C)

A description, if applicable, of how any prior biennial implementation grant awarded under this section was spent, and to what extent the criteria described in subsection (d)(1) were met.

(D)

The share of any amounts awarded as a biennial implementation grant proposed to be distributed to local or tribal governments within such State.

(E)

Such other information as the Secretary may determine to be necessary in consultation with the chief information officer, emergency managers, and senior public safety officials of the State.

(2)

Approval of application

The Secretary shall consider the recommendations of the Review Committee in approving or disapproving an application for a biennial implementation grant.

(3)

Distribution to local and tribal governments

(A)

In general

Not later than 45 days after the date that a biennial implementation grant is awarded, not less than 50 percent of any share proposed under paragraph (1)(D) shall be distributed to local or tribal governments, in the same manner that amounts awarded under section 2004 of the Homeland Security Act of 2002 (6 U.S.C. 605) are distributed to such governments, except that—

(i)

no such distribution may be made to a federally recognized Indian tribe that is a State under subsection (k)(11)(B); and

(ii)

in applying section 2004(c)(1) of such Act with respect to distributions under this subparagraph, 100 percent shall be substituted for 80 percent each place that term appears.

(B)

Consultation

In determining how an implementation grant is distributed within a State, the State shall consult with local and regional chief information officers, emergency managers, and senior public safety officials of the State.

(4)

Competitive award

Except as provided in subsection (h), biennial implementation grants shall be awarded—

(A)

exclusively on a competitive basis; and

(B)

based on the recommendations of the Review Committee.

(5)

Limitation on number of grants

The Secretary may award to a State not more than 2 biennial implementation grants under this section.

(g)

Use of grant funds

(1)

Limitations

Any grant awarded under this section shall supplement and not supplant State or local funds or, as applicable, funds supplied by the Bureau of Indian Affairs, and may not be used—

(A)

to provide any Federal cost-sharing contribution on behalf of a State; or

(B)

for any recreational or social purpose.

(2)

Approved activities for implementation grants

A State or a government entity that receives funds through a biennial implementation grant may use such funds for one or more of the following activities, to the extent that such activities are proposed under subsection (f)(1)(A):

(A)

Supporting or enhancing information sharing and analysis organizations.

(B)

Implementing or coordinating systems and services that use cyber threat indicators (as such term is defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)) to address cybersecurity threats or vulnerabilities.

(C)

Supporting dedicated cybersecurity and communications coordination planning, including the coordination of—

(i)

emergency management elements of such State;

(ii)

National Guard units, as appropriate;

(iii)

entities associated with critical infrastructure or key resources;

(iv)

information sharing and analysis organizations;

(v)

public safety answering points; or

(vi)

nongovernmental organizations engaged in cybersecurity research as a formally designated information analysis and sharing organization.

(D)

Establishing programs, such as scholarships or apprenticeships, to provide financial assistance to State residents who—

(i)

pursue formal education, training, and industry-recognized certifications for careers in cybersecurity as identified by the National Initiative for Cybersecurity Education; and

(ii)

commit to working for State government for a specified period of time.

(h)

Funding allocations

(1)

In general

From any amount appropriated for a fiscal year that is not reserved for use by the Secretary in carrying out this section, the Secretary shall allocate the entire amount among the States (including the District of Columbia) eligible for grants under this section taking into consideration the factors specified in paragraph (2) and consistent with the following:

(A)

Allocations for the several States

Of the amount subject to allocation, a funding allocation for any of such States shall be—

(i)

not less than 0.001 percent, with respect to an initial planning grant, and not more than 0.001 percent, with respect to any additional planning grants; and

(ii)

not less than 0.5 percent and not more than 3 percent, with respect to biennial implementation grants.

(B)

Allocations for the territories and possessions

Of the amount subject to allocation, a funding allocation for any of the territories and possessions of the United States eligible for grants under this section shall be—

(i)

not less than 0.001 percent, with respect to an initial planning grant, and not more than 0.001 percent, with respect to any additional planning grant; and

(ii)

not less than 0.1 percent and not more than 1 percent, with respect to biennial implementation grants.

(2)

Considerations for funding allocations

In determining a funding allocation under paragraph (1) for a State, the Secretary shall consider each of the following factors:

(A)

The considerations described in section 1809(h)(1) of the Homeland Security Act of 2002 (6 U.S.C. 579(h)(1)) with respect to the State, and the degree of exposure of the State and protected government entities within the State to threats, vulnerabilities, or consequences resulting from cybersecurity risks or incidents.

(B)

The degree of exposure of the State and protected government entities within the State to threats, vulnerabilities, or consequences resulting from cybersecurity risks or incidents.

(C)

The effectiveness of, relative to evolving cyber threats against, cybersecurity assets, secure communications capabilities, and data network protections, of the State and its partners.

(D)

The extent to which the State is vulnerable to cyber threats because it has not implemented best practices such as the cybersecurity framework developed by the National Institute of Standards and Technology.

(E)

The extent to which a State government may face low cybersecurity workforce supply and high cybersecurity workforce demand, as identified by the National Institute of Standards and Technology.

(i)

Review Committee for Cyber Resiliency Grants

(1)

Establishment

There is established a committee to be known as the Review Committee for Cyber Resiliency Grants (in this section referred to as the Review Committee).

(2)

Consideration of submissions

The Secretary shall forward a copy of each cyber resiliency plan submitted for approval under subsection (d)(1), each application for an additional planning grant submitted under subsection (e)(3), and each application for a biennial implementation grant submitted under subsection (d)(1) to the Review Committee for consideration under this subsection.

(3)

Duties

The Review Committee shall—

(A)

promulgate guidance for the development of applications for grants under this section;

(B)

review any plan or application forwarded under paragraph (2);

(C)

provide to the State and to the Secretary the recommendations of the Review Committee regarding the approval or disapproval of such plan or application and, if applicable, possible improvements to such plan or application;

(D)

provide to the Secretary an evaluation of any progress made by a State in implementing an active cyber resiliency plan using a prior biennial implementation grant; and

(E)

submit to Congress an annual report on the progress made in implementing active cyber resiliency plans.

(4)

Membership

(A)

Number and appointment

The Review Committee shall be composed of 15 members appointed by the Secretary as follows:

(i)

At least 2 individuals recommended to the Secretary by the National Governors Association.

(ii)

At least 1 individual recommended to the Secretary by the National Association of State Chief Information Officers.

(iii)

At least 1 individual recommended to the Secretary by the National Guard Bureau.

(iv)

At least 1 individual recommended to the Secretary by the National Association of Counties.

(v)

At least 1 individual recommended to the Secretary by the National League of Cities.

(vi)

Not more than 9 other individuals who have educational and professional experience related to cybersecurity analysis or policy.

(B)

Terms

Each member shall be appointed for a term of 1 year. Any member appointed to fill a vacancy occurring before the expiration of the term for which the member’s predecessor was appointed shall be appointed only for the remainder of that term. A member may serve after the expiration of that member’s term until a successor has taken office. A vacancy in the Commission shall be filled in the manner in which the original appointment was made.

(C)

Pay

Members shall serve without pay.

(D)

Chairperson; Vice Chairperson

The Secretary, or a designee of the Secretary, shall serve as the Chairperson of the Review Committee. The Administrator of the Federal Emergency Management Agency, or a designee of the Administrator, shall serve as the Vice Chairperson of the Review Committee.

(5)

Staff and experts

The Review Committee may—

(A)

appoint additional personnel as it considers appropriate, without regard to the provisions of title 5, United States Code, governing appointments in the competitive service;

(B)

fix the pay of such additional personnel, without regard to the provisions of chapter 51 and subchapter III of chapter 53 of such title relating to classification and General Schedule pay rates; and

(C)

procure temporary and intermittent services under section 3109(b) of such title.

(6)

Detailees

Upon request of the Review Committee, the head of any Federal department or agency may detail, on a reimbursable basis, any of the personnel of that department or agency to the Commission to assist it in carrying out the duties under this Act.

(7)

Federal Advisory Committee Act

The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Review Committee.

(8)

Termination

The authority of the Review Committee shall terminate on the day after the end of the 5-fiscal-year period described in subsection (j).

(j)

Funding

There is authorized to be appropriated for grants under this section such sums as are necessary for fiscal years 2020 through 2025.

(k)

Definitions

In this section:

(1)

Active cyber resiliency plan

The term active cyber resiliency plan means a cyber resiliency plan for which an approval is in effect in accordance with subsection (d)(2)(A) or for which the Secretary extends such approval in accordance with subsection (d)(2)(B).

(2)

Administrator

The term Administrator means the Administrator of the Federal Emergency Management Agency.

(3)

Critical infrastructure

The term critical infrastructure has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).

(4)

Cyber resiliency plan

The term cyber resiliency plan means, with respect to a State, a plan that addresses the cybersecurity threats or vulnerabilities faced by the State through a statewide plan and decisionmaking process to respond to cybersecurity risks or incidents.

(5)

Cybersecurity risk

The term cybersecurity risk has the meaning given that term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659).

(6)

Incident

The term incident has the meaning given that term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659).

(7)

Information sharing and analysis organization

The term information sharing and analysis organization has the meaning given that term in section 2222 of the Homeland Security Act of 2002 (6 U.S.C. 671).

(8)

Key resources

The term key resources has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).

(9)

Program

The term Program means the State Cyber Resiliency Grant Program established by this section.

(10)

Public safety answering points

The term public safety answering points has the meaning given that term in section 222(h) of the Communications Act of 1934 (47 U.S.C. 222(h)).

(11)

State

The term State—

(A)

means each of the several States, the District of Columbia, and the territories and possessions of the United States; and

(B)

includes any federally recognized Indian tribe that notifies the Secretary, not later than 120 days after the date of the enactment of this Act or not later than 120 days before the start of any fiscal year during the 5-fiscal-year period described in subsection (j), that the tribe intends to develop a cyber resiliency plan and agrees to forfeit any distribution under subsection (f)(3).