H. R. 2130
IN THE HOUSE OF REPRESENTATIVES
April 8, 2019
Mr. Kilmer (for himself and Mr. McCaul) introduced the following bill; which was referred to the Committee on Homeland Security, and in addition to the Committee on Transportation and Infrastructure, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
To provide grants to assist States in developing and implementing plans to address cybersecurity threats or vulnerabilities, and for other purposes.
This Act may be cited as the "State Cyber Resiliency Act".
Establishment of cyber resiliency grant program
There is established the State Cyber Resiliency Grant Program to assist State, local, and tribal governments in preventing, preparing for, protecting against, and responding to cyber threats, which shall be administered by the Administrator.
Each State shall be eligible to apply for grants under the Program.
Grants authorized for each State
Subject to the funds available under a funding allocation determined under subsection (f) for a State, the Secretary of Homeland Security may award to the State—
up to 2 planning grants under subsection (e) to develop or revise a cyber resiliency plan; and
up to 2 implementation grants under subsection (f) to implement an active cyber resiliency plan.
Approval of cyber resiliency plans
The Secretary shall approve a cyber resiliency plan submitted by a State if the Secretary determines, after considering the recommendations of the Review Committee established under subsection (i), that the plan meets all of the following criteria:
The plan incorporates, to the extent practicable, any existing plans of such State to protect against cybersecurity threats or vulnerabilities.
The plan is designed to achieve each of the following objectives, with respect to the essential functions of such State:
Enhancing the preparation, response, and resiliency of computer networks, industrial control systems, and communications systems performing such functions against cybersecurity threats or vulnerabilities.
Implementing a process of continuous cybersecurity vulnerability assessments and threat mitigation practices to prevent the disruption of such functions by an incident within the State.
Ensuring that entities performing such functions within the State adopt generally recognized best practices and methodologies with respect to cybersecurity, such as the practices provided in the cybersecurity framework developed by the National Institute of Standards and Technology.
Mitigating talent gaps in the State government cybersecurity workforce, enhancing recruitment and retention efforts for such workforce, and bolstering the knowledge, skills, and abilities of State government personnel to protect against cybersecurity threats and vulnerabilities.
Protecting public safety answering points and other emergency communications and data networks from cybersecurity threats or vulnerabilities.
Ensuring continuity of communications and data networks between entities performing such functions within the State, in the event of a catastrophic disruption of such communications or networks.
Accounting for and mitigating, to the greatest degree possible, cybersecurity threats or vulnerabilities related to critical infrastructure or key resources, the degradation of which may impact the performance of such functions within the State or threaten public safety.
Providing appropriate communications capabilities to ensure cybersecurity intelligence information-sharing and the command and coordination capabilities among entities performing such functions.
Developing and coordinating strategies with respect to cybersecurity threats or vulnerabilities in consultation with—
neighboring States or members of an information sharing and analysis organization; and
as applicable, neighboring countries.
Duration of approval
An approval under paragraph (1) shall be initially effective for the 2-year period beginning on the date of the determination described in such paragraph.
The Secretary may annually extend such approval for a 1-year period, if the Secretary determines, after considering the recommendations of the Review Committee, that the plan continues to meet the criteria described in paragraph (1) after the State makes such revisions as the Secretary may determine to be necessary.
For purposes of this subsection, the term "essential functions" includes, with respect to a State, those functions that enhance the cybersecurity posture of the State, local and tribal governments of the State, and the public services they provide.
Initial planning grant
The Secretary shall require, as a condition of awarding an initial planning grant, that the State seeking the grant—
agrees to use the funds to develop a cyber resiliency plan designed to meet the criteria described in subsection (d)(1); and
submits an application including such information as the Secretary may determine to be necessary.
Eligibility for initial planning grant
A State shall not be eligible to receive an initial planning grant after the date on which the State first submits a cyber resiliency plan to the Secretary for a determination under subsection (d)(1).
Additional planning grant
The Secretary may award an additional planning grant to a State if the State agrees to use the funds to revise a cyber resiliency plan in order to receive an extension in accordance with subsection (d)(2)(B), and submits an application including such information as the Secretary may determine to be necessary.
Limitations on number and timing of grants
A State shall not be eligible to receive—
more than 2 planning grants under this subsection; or
an additional planning grant for the fiscal year following the fiscal year for which it receives an initial planning grant.
The Secretary shall require, as a condition of awarding a biennial implementation grant, that the State seeking the grant submits an application including the following:
A proposal, including a description and timeline, of the activities to be funded by the grant as described by a cyber resiliency plan of the State approved under subsection (d).
A description of how each activity proposed to be funded by the grant would achieve one or more of the objectives described in subsection (d)(1)(B).
A description, if applicable, of how any prior biennial implementation grant awarded under this section was spent, and to what extent the criteria described in subsection (d)(1) were met.
The share of any amounts awarded as a biennial implementation grant proposed to be distributed to local or tribal governments within such State.
Such other information as the Secretary may determine to be necessary in consultation with the chief information officer, emergency managers, and senior public safety officials of the State.
Approval of application
The Secretary shall consider the recommendations of the Review Committee in approving or disapproving an application for a biennial implementation grant.
Distribution to local and tribal governments
Not later than 45 days after the date that a biennial implementation grant is awarded, not less than 50 percent of any share proposed under paragraph (1)(D) shall be distributed to local or tribal governments, in the same manner that amounts awarded under section 2004 of the Homeland Security Act of 2002 (6 U.S.C. 605) are distributed to such governments, except that—
no such distribution may be made to a federally recognized Indian tribe that is a State under subsection (k)(11)(B); and
in applying section 2004(c)(1) of such Act with respect to distributions under this subparagraph, "100 percent" shall be substituted for "80 percent" each place that term appears.
In determining how an implementation grant is distributed within a State, the State shall consult with local and regional chief information officers, emergency managers, and senior public safety officials of the State.
Except as provided in subsection (h), biennial implementation grants shall be awarded—
exclusively on a competitive basis; and
based on the recommendations of the Review Committee.
Limitation on number of grants
The Secretary may award to a State not more than 2 biennial implementation grants under this section.
Use of grant funds
Any grant awarded under this section shall supplement and not supplant State or local funds or, as applicable, funds supplied by the Bureau of Indian Affairs, and may not be used—
to provide any Federal cost-sharing contribution on behalf of a State; or
for any recreational or social purpose.
Approved activities for implementation grants
A State or a government entity that receives funds through a biennial implementation grant may use such funds for one or more of the following activities, to the extent that such activities are proposed under subsection (f)(1)(A):
Supporting or enhancing information sharing and analysis organizations.
Implementing or coordinating systems and services that use cyber threat indicators (as such term is defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)) to address cybersecurity threats or vulnerabilities.
Supporting dedicated cybersecurity and communications coordination planning, including the coordination of—
emergency management elements of such State;
National Guard units, as appropriate;
entities associated with critical infrastructure or key resources;
information sharing and analysis organizations;
public safety answering points; or
nongovernmental organizations engaged in cybersecurity research as a formally designated information analysis and sharing organization.
Establishing programs, such as scholarships or apprenticeships, to provide financial assistance to State residents who—
pursue formal education, training, and industry-recognized certifications for careers in cybersecurity as identified by the National Initiative for Cybersecurity Education; and
commit to working for State government for a specified period of time.
From any amount appropriated for a fiscal year that is not reserved for use by the Secretary in carrying out this section, the Secretary shall allocate the entire amount among the States (including the District of Columbia) eligible for grants under this section taking into consideration the factors specified in paragraph (2) and consistent with the following:
Allocations for the several States
Of the amount subject to allocation, a funding allocation for any of such States shall be—
not less than 0.001 percent, with respect to an initial planning grant, and not more than 0.001 percent, with respect to any additional planning grants; and
not less than 0.5 percent and not more than 3 percent, with respect to biennial implementation grants.
Allocations for the territories and possessions
Of the amount subject to allocation, a funding allocation for any of the territories and possessions of the United States eligible for grants under this section shall be—
not less than 0.001 percent, with respect to an initial planning grant, and not more than 0.001 percent, with respect to any additional planning grant; and
not less than 0.1 percent and not more than 1 percent, with respect to biennial implementation grants.
Considerations for funding allocations
In determining a funding allocation under paragraph (1) for a State, the Secretary shall consider each of the following factors:
The considerations described in section 1809(h)(1) of the Homeland Security Act of 2002 (6 U.S.C. 579(h)(1)) with respect to the State, and the degree of exposure of the State and protected government entities within the State to threats, vulnerabilities, or consequences resulting from cybersecurity risks or incidents.
The degree of exposure of the State and protected government entities within the State to threats, vulnerabilities, or consequences resulting from cybersecurity risks or incidents.
The effectiveness of, relative to evolving cyber threats against, cybersecurity assets, secure communications capabilities, and data network protections, of the State and its partners.
The extent to which the State is vulnerable to cyber threats because it has not implemented best practices such as the cybersecurity framework developed by the National Institute of Standards and Technology.
The extent to which a State government may face low cybersecurity workforce supply and high cybersecurity workforce demand, as identified by the National Institute of Standards and Technology.
Review Committee for Cyber Resiliency Grants
There is established a committee to be known as the "Review Committee for Cyber Resiliency Grants" (in this section referred to as the
Consideration of submissions
The Secretary shall forward a copy of each cyber resiliency plan submitted for approval under subsection (d)(1), each application for an additional planning grant submitted under subsection (e)(3), and each application for a biennial implementation grant submitted under subsection (d)(1) to the Review Committee for consideration under this subsection.
The Review Committee shall—
promulgate guidance for the development of applications for grants under this section;
review any plan or application forwarded under paragraph (2);
provide to the State and to the Secretary the recommendations of the Review Committee regarding the approval or disapproval of such plan or application and, if applicable, possible improvements to such plan or application;
provide to the Secretary an evaluation of any progress made by a State in implementing an active cyber resiliency plan using a prior biennial implementation grant; and
submit to Congress an annual report on the progress made in implementing active cyber resiliency plans.
Number and appointment
The Review Committee shall be composed of 15 members appointed by the Secretary as follows:
At least 2 individuals recommended to the Secretary by the National Governors Association.
At least 1 individual recommended to the Secretary by the National Association of State Chief Information Officers.
At least 1 individual recommended to the Secretary by the National Guard Bureau.
At least 1 individual recommended to the Secretary by the National Association of Counties.
At least 1 individual recommended to the Secretary by the National League of Cities.
Not more than 9 other individuals who have educational and professional experience related to cybersecurity analysis or policy.
Each member shall be appointed for a term of 1 year. Any member appointed to fill a vacancy occurring before the expiration of the term for which the member’s predecessor was appointed shall be appointed only for the remainder of that term. A member may serve after the expiration of that member’s term until a successor has taken office. A vacancy in the Commission shall be filled in the manner in which the original appointment was made.
Members shall serve without pay.
Chairperson; Vice Chairperson
The Secretary, or a designee of the Secretary, shall serve as the Chairperson of the Review Committee. The Administrator of the Federal Emergency Management Agency, or a designee of the Administrator, shall serve as the Vice Chairperson of the Review Committee.
Staff and experts
The Review Committee may—
appoint additional personnel as it considers appropriate, without regard to the provisions of title 5, United States Code, governing appointments in the competitive service;
fix the pay of such additional personnel, without regard to the provisions of chapter 51 and subchapter III of chapter 53 of such title relating to classification and General Schedule pay rates; and
procure temporary and intermittent services under section 3109(b) of such title.
Upon request of the Review Committee, the head of any Federal department or agency may detail, on a reimbursable basis, any of the personnel of that department or agency to the Commission to assist it in carrying out the duties under this Act.
Federal Advisory Committee Act
The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Review Committee.
The authority of the Review Committee shall terminate on the day after the end of the 5-fiscal-year period described in subsection (j).
There is authorized to be appropriated for grants under this section such sums as are necessary for fiscal years 2020 through 2025.
In this section:
Active cyber resiliency plan
The term "active cyber resiliency plan" means a cyber resiliency plan for which an approval is in effect in accordance with subsection (d)(2)(A) or for which the Secretary extends such approval in accordance with subsection (d)(2)(B).
Administrator
The term "Administrator" means the Administrator of the Federal Emergency Management Agency.
Critical infrastructure
The term "critical infrastructure" has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
Cyber resiliency plan
The term "cyber resiliency plan" means, with respect to a State, a plan that addresses the cybersecurity threats or vulnerabilities faced by the State through a statewide plan and decisionmaking process to respond to cybersecurity risks or incidents.
Cybersecurity risk
The term "cybersecurity risk" has the meaning given that term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659).
Incident
The term "incident" has the meaning given that term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659).
Information sharing and analysis organization
The term "information sharing and analysis organization" has the meaning given that term in section 2222 of the Homeland Security Act of 2002 (6 U.S.C. 671).
Key resources
The term "key resources" has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
Program
The term "Program" means the State Cyber Resiliency Grant Program established by this section.
Public safety answering points
The term "public safety answering points" has the meaning given that term in section 222(h) of the Communications Act of 1934 (47 U.S.C. 222(h)).
State
The term "State"—
means each of the several States, the District of Columbia, and the territories and possessions of the United States; and
includes any federally recognized Indian tribe that notifies the Secretary, not later than 120 days after the date of the enactment of this Act or not later than 120 days before the start of any fiscal year during the 5-fiscal-year period described in subsection (j), that the tribe intends to develop a cyber resiliency plan and agrees to forfeit any distribution under subsection (f)(3).