Last week the Senate Homeland Security and Governmental
Affairs committee held a business meeting that included consideration of S
3207, the Cybersecurity State Coordinator Act of 2020. Substitute
language was offered by Sen Hassan (D,NH), who sponsored the bill. The
Committee adopted that substitute language and favorably recommended the bill
by a voice vote.
Changes
Most of the changes were relatively minor wording changes.
For example, in the proposed new §2215, subsection (b) saw the phrase “on a
voluntary basis” inserted into four of the eight paragraphs describing the
duties of the State Coordinator when describing the interactions of the State
Coordinator with non-Federal entities.
Subsection (c) was completely re-written to increase the
emphasis that the State Coordinators were intended to be an aid to, and should
work closely with, State and local governments. The new subsection reads:
“(c) FEEDBACK.—The Director shall
take into account relevant feedback provided by State and local officials
regarding the appointment, and State and local officials and other non-Federal
entities regarding the performance, of the Cybersecurity State Coordinator of a
State.”
Finally, §2(b) of the bill was modified to add a second
report to Congress on the State Coordinator program two years after the initial
report.
Moving Forward
While relatively minor, it would seem to me that these
changes were made to ease any concerns about Federal-State interactions that
this bill might have caused. This should make it easier for this bill to be
considered under the Senate unanimous consent process. If objections were
raised in that process, the only other way that this bill would move forward
would be to include it in the DHS appropriations bill or a CISA reauthorization
bill.
Commentary
None of the concerns that
I expressed with the introduced version of this bill were addressed in the
substitute language. If this bill moves forward (and I think that it will),
these deficiencies would have to be addressed in the House.
The addition of the ‘voluntary basis’ language in the
substitute raises some interesting issues; not so much in the areas where it
was inserted, but rather with where it was not. It was not inserted into paragraphs
4, 5, 7 or 8. Paragraph 4 talks about raising awareness of the availability of
Federal assistance, so no big deal there. And paragraph 8 is the obligatory ‘other
duties’ language, so, again, no problem. The other two, however, may raise some
interesting issues down the road.
Paragraph 5 deals with “supporting training, exercises, and
planning for continuity of operations”. Not specifically adding the ‘voluntary
basis’ language here when it was specifically added elsewhere might be seen as
implying a federal requirement for State and local governments to conduct such ‘training,
exercises, and planning’.
Similarly, in paragraph (7) the failure to include the
language could be seen as a requirement for State and local governments to
develop “vulnerability disclosure programs consistent with Federal and information
security industry standards”.
Realistically, I do not see CISA trying to exercise such
implied authority. It could, however, reasonably be expected to be used by
lawyers in civil suits against such agencies when such failures by State and/or
local governments (and potentially private sector entities) resulted in
financial harm to their clients.