Earlier this week Rep Richmond (D,LA) introduced HR 5823, the State and Local Cybersecurity Improvement Act. The bill would establish a DHS grant program to help State and local governments establish cybersecurity programs. The bill would add a new §2215 to the Homeland Security Act of 2002 (presumably 6 USC 665).
Definitions
Section 2215(p) provides the definitions to be used in the new section. Most of the critical definitions are taken from other sections of the US Code. Key definitions include:
• ‘Cyber threat indicator’ – from 6 USC 1501;
• ‘Cybersecurity risk’ – from 6 USC 659;
• ‘Incident’ – from §659; and
• ‘Information system’ – from §1501.
There are two definitions provided in §2215(p) that reference ‘section 2’. There are no free-standing definitions in §2; §2(a) adds the new §2215 and §2(b) amends the table of contents of the Homeland Security Act of 2002 to reflect the new §2215. The two undefined terms are:
• ‘Critical infrastructure’; and
• ‘Key resources’.
Grant Program
Section 2215(a) establishes the ‘State and Local Cybersecurity Grant Program’ “to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments”. The new grant program would be administered under the same program office that administers the Urban Area Security Initiative (6 USC 604) and the State Homeland Security Grant Program (6 USC 605).
Each State applying for a grant would be required to submit to DHS a ‘Cybersecurity Plan’ for approval. The Plan would describe how the State would {new §2215(d)(1)(B)}:
• Enhance the preparation, response, and resiliency of information systems owned or operated by such State against cybersecurity risks and cybersecurity threats;
• Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats;
• Ensure that State, local, Tribal, and territorial governments adopt best practices and methodologies to enhance cybersecurity;
• Mitigate any identified gaps in the State, local, Tribal, or territorial government cybersecurity workforces, enhance recruitment and retention efforts for such workforces, and bolster the knowledge, skills, and abilities of government personnel to address cybersecurity risks and cybersecurity threats;
• Ensure continuity of communications and data networks in the event of an incident;
• Assess and mitigate cybersecurity risks and cybersecurity threats related to critical infrastructure and key resources, the degradation of which may impact the performance of information systems;
• Enhance capability to share cyber threat indicators and related information between such State and local, Tribal, and territorial governments; and
• Develop and coordinate strategies to address cybersecurity risks with local, Tribal, and territorial governments within the State.
The plan would also include an inventory of the information technology deployed on the covered information systems, including “legacy information technology that is no longer supported by the manufacturer” {new §2215(d)(1)(C)}.
Section 2215(h) sets limitations on how the grant monies could be spent. Grant funds could not be spent {new §2215(h)(2)}:
• To supplant State, local, Tribal, or territorial funds;
• For any recipient cost-sharing contribution;
• To pay a demand for ransom in an attempt to regain access to information or an information system;
• For recreational or social purposes; or
• For any purpose that does not directly address cybersecurity risks or cybersecurity threats on information systems of such State.
Section 2215(o) would authorize $400 million for the grant program per year for 2021 through 2025.
Advisory Committee
Section 2215(m) would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish a State and Local Cybersecurity Resiliency Committee “to provide State, local, Tribal, and territorial stakeholder expertise, situational awareness, and recommendations” {new §2215(m)(1)} to CISA. The advice would provide CISA information on how to:
• Address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments; and
• Improve the ability of such governments to prevent, protect against, respond to, mitigate, and recover from cybersecurity risks and cybersecurity threats.
Members of the Committee would include individuals recommended to the Director by {new §2215(m)(3)}:
• The National Governors Association (2);
• The National Association of State Chief Information Officers (2);
• The National Guard Bureau;
• The National Association of Counties (2);
• The National League of Cities (2);
• The United States Conference of Mayors; and
• The Multi-State Information Sharing and Analysis Center.
Strategy to Improve Cybersecurity
Section 3 of the bill would amend 6 USC 660, adding a new §660(e), Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments. It would give CISA 270 days to publish the Strategy to {new §660(e)(2)}:
• Identify capability gaps in the ability of State, local, Tribal, and territorial governments to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
• Identify Federal resources and capabilities to help such governments identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
• Identify and assess the limitations of Federal resources and capabilities available to help governments identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents, and make recommendations to address such limitations;
• Identify opportunities to improve the Agency’s coordination to improve incident exercises, information sharing and incident notification procedures;
• Recommend new initiatives the Federal Government should undertake to help such governments identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
• Set short-term and long-term goals that will improve the ability of such governments to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents; and
• Set dates, including interim benchmarks, as appropriate for State, local, Tribal, and territorial governments to establish baseline capabilities to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.
Amended in Committee
This bill was taken up yesterday by the House Homeland Security Committee in a markup hearing. The bill was amended four times with amendments submitted by:
• Rep Katko (R,NY);
• Rep Langevin (D,RI);
• Richmond; and
• Rep Slotkin (D,MS).
Most of the changes made by the four amendments were relatively minor word changes. The most significant amendment was the addition of another section (§2216) included in the Slotkin amendment. That section would require CISA to “develop a resource guide for use by State, local, Tribal, and territorial government officials, including law enforcement officers, to help such officials identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents”.
All four amendments were adopted by unanimous consent, as was the amended bill.
Moving Forward
Once the Committee Report is prepared the bill will be ready to move to the floor of the House. This appears to be a high-priority bill so there is little doubt that it will make it to the floor for consideration. It will be considered under the House suspension of the rules process. This means there will be limited debate, no floor amendments, and the bill will require a super majority to pass. The bill will almost certainly pass with substantial bipartisan support.
Commentary
Normally I would expect a bill with a $400 million authorization to face some opposition. That does not appear to be the case with this bill. That is almost certainly due to the large number of high-profile ransomware attacks against various city governments and local agencies. There is some significant pressure for Congress to ‘do something’ about the problem.
I am not sure that a mere $400 million spread across 50 states is going to do an awful lot to prevent future attacks. It will certainly provide a large number of congresscritter TV news spots when they get a chance to be on hand when the grant money is handed over.