Earlier this month Rep. Kilmer (D,WA) introduced HR 1344, the State Cyber Resiliency Act. The bill would establish a new Federal Emergency Management Agency (FEMA) grant program to help States develop and implement cyber resiliency programs.
Cyber Resiliency Program
The bill would provide grants to States establishing cyber resiliency programs designed to assist State and local governments “in preventing, preparing for, protecting against, and responding to cyber threats” {§2(a)}. The FEMA Administrator would approve State plans directed at {§2(d)(1)(B)}:
• Enhancing the preparation, response,
and resiliency of computer networks, industrial control systems, and communications
systems performing such functions against cybersecurity threats or vulnerabilities;
• Implementing a process of continuous
cybersecurity vulnerability assessments and threat mitigation practices to prevent
the disruption of such functions by an incident within the State;
• Ensuring that entities performing
such functions within the State adopt generally recognized best practices and
methodologies with respect to cybersecurity;
• Mitigating talent gaps in the
State government cybersecurity workforce, enhancing recruitment and retention
efforts for such workforce, and bolstering the knowledge, skills, and abilities
of State government personnel to protect against cybersecurity threats and
vulnerabilities;
• Protecting public safety
answering points and other emergency communications and data networks from
cybersecurity threats or vulnerabilities;
• Ensuring continuity of communications
and data networks between entities performing such functions within the State,
in the event of a catastrophic disruption of such communications or networks;
• Accounting for and mitigating, to
the greatest degree possible, cybersecurity threats or vulnerabilities related
to critical infrastructure or key resources, the degradation of which may
impact the performance of such functions within the State or threaten public
safety;
• Providing appropriate communications
capabilities to ensure cybersecurity intelligence information-sharing and the
command and coordination capabilities among entities performing such functions;
• Developing and coordinating strategies with respect
to cybersecurity threats or vulnerabilities in consultation with neighboring
States or members of an information sharing and analysis organization.
The Administrator would be able to approve grants to States for developing plans and then, once a plan had been approved, separate grants for State and local government activities implementing that plan. The implementing grants may be used specifically for {§2(g)(2)}:
• Supporting or enhancing information sharing and analysis organizations;
• Implementing or coordinating systems and services that use cyber threat indicators (as that term is defined in 6 USC 1501) to address cybersecurity threats or vulnerabilities;
• Supporting dedicated
cybersecurity and communications coordination planning;
• Establishing programs, such as
scholarships or apprenticeships, to provide financial assistance to State
residents who pursue formal education, training, and industry-recognized
certifications for careers in cybersecurity and commit to working for State government
for a specified period of time.
Moving Forward
Kilmer is not a member of either the House Homeland Security Committee or the Transportation and Infrastructure Committee, the two committees to which this bill was referred for consideration. This means that he is unlikely to have sufficient influence to see the bill considered in either committee.
There is nothing in the bill that would draw significant opposition from any groups outside of Congress. The major stumbling block for this bill is that it authorizes a new spending program. Kilmer tries to sidestep that problem by not including a dollar amount in the authorization language in the bill {§2(j)}; the funding level would instead be set by the Appropriations Committee (to which Kilmer does belong) in the DHS spending bill.
Commentary
This bill is clearly intended to see States include control system security in their cyber resiliency programs; industrial control systems are specifically mentioned in the outline of plan objectives {§2(d)(1)(B)(i)}. Where things start to get a little confusing is in the matter of definitions.
In discussing implementation grants the bill uses the term ‘cyber threat indicators’ and references the definition in 6 USC 1501(6), which in turn rests on the control-system-inclusive definition of ‘information system’ found in that section. But later, in the definition section of this bill {§2(k)}, both ‘cybersecurity risk’ and ‘incident’ take their definitions from 6 USC 148(a), which depends on the IT-only definition of ‘information system’.
Reaching back to §148 was necessary because those two terms are not defined in §1501. The inconsistency could have been avoided if ‘information system’ had been defined in (k) by reference to §1501, though that would have been a bit awkward because the term ‘information system’ is not directly used in this bill. A simpler way of dealing with this would have been to amend the definition in §148 to adopt the one in §1501. This would have the added benefit of updating all other uses of ‘information system’ that rely on the §148 definition.