Showing posts with label Cybersecurity Grants.

Monday, November 17, 2025

HR 5078 Passed in House – PILLAR Act

Today the House took up HR 5078, the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act, under the suspension of the rules process. After just 13 minutes of debate, the House passed the bill by a voice vote.

The bill would reauthorize CISA’s State and local cybersecurity grant program through 2035 (that program expired on September 30th, 2025, but was subsequently reinstated through January 30th, 2026 by HR 5371, the FY 2026 CR), including updating 6 USC 665g. Changes include clarifying that the grant program could be used to support operational technology, as well as information systems. There is no specific funding provided in this reauthorization; instead, the funding would be “subject to the availability of appropriations”.

The Senate is unlikely to take up this bill under regular order; it is not politically important enough to be worth the legislative time that it would take to pass that bill. There is a possibility that the bill could be considered under the Senate’s unanimous consent process, but objections filed under that process frequently have nothing to do with the merits of the bill. The only other route to the President's desk would be through inclusion in another must-pass bill.

Friday, October 24, 2025

Review - HR 5078 Introduced – PILLAR Act

Last month Rep Ogles (R,TN) introduced HR 5078, the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act. The bill would reauthorize CISA’s State and local cybersecurity grant program through 2035 (the program terminated on September 30th, 2025), including updating 6 USC 665g. Changes include clarifying that the grant program could be used to support operational technology, as well as information systems. There is no specific funding provided in this reauthorization; instead, the funding would be “subject to the availability of appropriations”.

Markup Hearing

On September 9th, 2025, the House Homeland Security Committee held a business meeting that considered seven bills, including HR 5078. The bill was ordered reported favorably by a strongly bipartisan vote of 21 to 1. The Committee Report has not yet been published.

Moving Forward

The bipartisan support in Committee almost guarantees that the bill will be considered in the full House under the suspension of the rules process. While this process restricts debate, prohibits floor amendments, and requires a supermajority for passage, it also increases the chance that the bill will be considered; more bills are considered under the suspension process than are considered under regular order.

 

For more information about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5078-introduced-pillar-act - subscription required.

Monday, November 4, 2024

Review – HR 8770 Introduced – Cybersecurity Clinic Grants

Back in June, Rep Veasey (D,TX) introduced HR 8770, the Cybersecurity Clinics Grant Program Act. The bill would require CISA to establish a new Cybersecurity Clinics Grant Program to provide “grants to fund university-based cybersecurity clinics”. The program would be administered by FEMA. The legislation would authorize “such sums as may be necessary to carry out the Program.”

Moving Forward

While Veasey is not a member of the House Homeland Security Committee to which this bill was assigned for consideration, one of his cosponsors {Rep Pfluger (R,TX)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. There will be objections from a number of Republicans to the establishment of a new grant program, particularly a program that targets minority institutions. There still should be some level of bipartisan support for the bill, but it is not clear if that support would be sufficient to move the bill to the floor of the House under the suspension of the rules process.

 

For more details about the provisions of this bill, including a commentary on the scope of the term ‘cybersecurity’ used in the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8770-introduced - subscription required.

Wednesday, September 8, 2021

Review - HR 4910 Introduced – State Cyber Resiliency

Last month Rep Kilmer (D,WA) introduced HR 4910, the State Cyber Resiliency Act. The bill would establish the State Cyber Resiliency Grant Program administered by FEMA to assist State, local, and tribal governments in preventing, preparing for, protecting against, and responding to cyber threats. The bill would authorize “such sums as are necessary” for the grant program.

Kilmer is not a member of the House Homeland Security Committee or the House Transportation and Infrastructure Committee to which this bill was assigned for consideration, but his single cosponsor {Rep McCaul (R,TX)} is a member of the Homeland Security Committee. This means that there may be enough influence to see this bill considered in Committee. I suspect that there would be at least some bipartisan support for this bill, but only if the State and local grant program in Division G, Title VI, Subtitle B of HR 3684 (see commentary in my post here). This bill will almost certainly die without action if the provision in HR 3684 makes it to the President’s desk.

For more details about the grant program described in this bill, including the must-have criteria for cyber resiliency plans, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4910-introduced - subscription required.

Friday, June 11, 2021

HR 2659 Introduced - United States-Israel Cybersecurity Cooperation

Back in March, Rep Langevin (D,RI) introduced HR 2659, the United States-Israel Cybersecurity Cooperation Enhancement Act of 2021. The bill would require DHS to establish a grant program to support joint US-Israeli cybersecurity research, development, and commercialization efforts. The bill authorizes a minimum of $6 million to support the grant program each year through 2026. The bill is very similar to S 1193 (subscription required).

Differences

The differences between this bill and S 1193 are simply editorial. S 1193 puts the definitions in §2 of the bill and HR 2659 puts them in §2(c). And this bill provides a more detailed reference to the Cybersecurity Information Sharing Act of 2015 in the definition of “cybersecurity threat”. While these differences are practically inconsequential, they are technically sufficient to prevent these bills from being ‘companion bills’.

Moving Forward

Langevin and his sole cosponsor {Rep Garbarino (R,NY)} are both members of the House Homeland Security Committee to which this bill has been assigned for consideration. This means that, unlike S 1193, there could be sufficient influence to have this bill considered in Committee. While there should be bipartisan support for this bill, there may be enough opposition caused by concerns about the recent flareup in cross-border violence in Israel to stop this bill from being considered; it would be divisive for the Democratic caucus.

Thursday, June 3, 2021

HR 3138 Reported in House - State and Local Cybersecurity Improvement Act

Tuesday, when the House met in pro forma session, it was announced that the House Homeland Security Committee had filed their report on HR 3138 (subscription required), the State and Local Cybersecurity Improvement Act. A copy of the report was published by the GPO as was the revised language for the bill. The Committee met on May 18th, 2021 and approved substitute language (subscription required) and ordered the bill reported favorably.

I commented here earlier that I thought the bill would probably be considered by the full House before the summer recess. With the early publication of the Report (these usually take months to file), Rep Thompson (D,MS and Chair of the Homeland Security Committee) is signaling that this bill is considered very important. This indicates that the bill will probably be considered by the full House sooner rather than later, possibly as soon as the week of June 14th when the House returns to Washington.

There is an interesting comment in the Committee’s report. On page 13, towards the end of the ‘Background and Need for Legislation’ section, the Committee notes that:

“H.R. 3138 has been endorsed by NASCIO [National Association of State Chief Information Security Officers]. Additionally, on May 20, 2021, the following groups urged that H.R. 3138 be included in any infrastructure package advanced by Congress [emphasis added]: Rapid7, Alliance for Digital Innovation, Avast, Broadcom, Bugcrowd, Citrix, Cybereason, Cybersecurity Coalition, Cyber Threat Alliance, Disclose.io, Global Cyber Alliance, GRIMM, ICS Village, Institute for Security and Technology, Luta, McAfee, SCYTHE, Security Scorecard, and Tenable.”

I think that this bill will pass in the House on its own merits, but it could easily die between passage and consideration in the Senate like HR 5823 did last year. Adding the bill to the infrastructure bill that is still being crafted could be a way to move this language through the Senate. This bill could easily be added as an amendment during the floor debate in the House on such a bill if it were not included in the initial language.

Monday, May 31, 2021

Review - HR 3138 Amended in Committee - State and Local Cybersecurity Improvement Act

Earlier this month the House Homeland Security Committee held a markup hearing that considered seven bills, including four cybersecurity related bills. One of those cyber bills was HR 3138, the State and Local Cybersecurity Improvement Act. Substitute language was adopted for the bill and it was ordered favorably reported, both by unanimous consent.

Changes to the bill made in the substitute language reflect a higher concern about ransomware incidents at State and local levels and some subtle difference in the way the bill treats Indian organizations.

Technically, this bill will not be able to move to the full House for consideration until the Committee report is published. The reality of the situation is that while Committee reports frequently take months to publish, Committee Chair Thompson (D,MS) could report the bill without written report on the first day the House returns to Washington, currently scheduled to be on June 14th. I do not think the bill will be considered quite that quickly, but it will probably be considered before the summer recess.

This bill will almost certainly be considered under the House suspension of the rules process. That process limits debate, prohibits floor amendments, and requires a supermajority for passage. The unanimous consent approval in Committee means that the bill should receive widespread bipartisan support on the floor of the House.

For a more detailed analysis of the revisions made to this bill see my post on CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/hr-3138-amended-in-committee (subscription required).

Wednesday, March 24, 2021

Bills Introduced – 3-23-21

Yesterday with the Senate in Washington and the House meeting in pro forma session (this is a ‘Committee Week’ in the House) there were 124 bills introduced. One of those bills may receive additional coverage in this blog:

S 914 A bill to amend the Safe Drinking Water Act and the Federal Water Pollution Control Act to reauthorize programs under those Acts, and for other purposes. Sen. Duckworth, Tammy [D-IL]

At least one news report notes that the bill would “create a grant program for projects aimed at making water systems more resilient to natural hazards, cybersecurity threats [emphasis added] and extreme weather.” There is nothing in Duckworth’s press release on the bill that confirms this, but that means little. The Senate Environment and Public Works Committee will take up the bill at their business meeting scheduled for today. No link to a committee print of the bill is available on the meeting website.

Thursday, February 13, 2020

HR 5823 Introduced – Cybersecurity Grants


Earlier this week Rep Richmond (D,LA) introduced HR 5823, the State and Local Cybersecurity Improvement Act. The bill would establish a DHS grant program to help State and local governments establish cybersecurity programs. The bill would add a new §2215 to the Homeland Security Act of 2002 (presumably 6 USC 665).

Definitions


Section 2215(p) provides the definitions to be used in the new section. Most of the critical definitions are taken from other sections of the US Code. Key definitions include:

• ‘Cyber threat indicator’ – from 6 USC 1501;
• ‘Cybersecurity risk’ – from 6 USC 659;
• ‘Incident’ – from §659;
• ‘Information system’ – from §1501;

There are two definitions provided in §2215(p) that reference ‘section 2’. There are no free-standing definitions in §2; §2(a) adds the new §2215 and §2(b) amends the table of contents of the Homeland Security Act of 2002 to reflect the new §2215. The two undefined terms are:

• ‘Critical infrastructure’; and
• ‘Key resources’

Grant Program


Section 2215(a) establishes the ‘State and Local Cybersecurity Grant Program’ “to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments”. The new grant program would be administered under the same program office that administers the Urban Area Security Initiative (6 USC 604) and the State Homeland Security Grant Program (6 USC 605).

Each State applying for a grant would be required to submit to DHS a ‘Cybersecurity Plan’ for approval. The Plan would describe how the State would {new §2215(d)(1)(B)}:

• Enhance the preparation, response, and resiliency of information systems owned or operated by such State against cybersecurity risks and cybersecurity threats;
• Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats;
• Ensure that State, local, Tribal, and territorial governments adopt best practices and methodologies to enhance cybersecurity;
• Mitigate any identified gaps in the State, local, Tribal, or territorial government cybersecurity workforces, enhance recruitment and retention efforts for such workforces, and bolster the knowledge, skills, and abilities of government personnel to address cybersecurity risks and cybersecurity threats;
• Ensure continuity of communications and data networks in the event of an incident;
• Assess and mitigate cybersecurity risks and cybersecurity threats related to critical infrastructure and key resources, the degradation of which may impact the performance of information systems;
• Enhance capability to share cyber threat indicators and related information between such State and local, Tribal, and territorial governments; and
• Develop and coordinate strategies to address cybersecurity risks with local, Tribal, and territorial governments within the State.

The plan would also include an inventory of the information technology deployed on the covered information systems, including “legacy information technology that is no longer supported by the manufacturer” {new §2215(d)(1)(C)}.

Section 2215(h) sets limitations on how the grant monies could be spent. Grant funds could not be spent {new §2215(h)(2)}:

• To supplant State, local, Tribal, or territorial funds;
• For any recipient cost-sharing contribution;
• To pay a demand for ransom in an attempt to regain access to information or an information system;
• For recreational or social purposes; or
• For any purpose that does not directly address cybersecurity risks or cybersecurity threats on information systems of such State.

Section 2215(o) would authorize $400 million for the grant program per year for 2021 through 2025.

Advisory Committee


Section 2215(m) would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish a State and Local Cybersecurity Resiliency Committee “to provide State, local, Tribal, and territorial stakeholder expertise, situational awareness, and recommendations” {new §2215(m)(1)} to CISA. The advice would provide CISA information on how to:

• Address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments; and
• Improve the ability of such governments to prevent, protect against, respond, mitigate, and recover from cybersecurity risks and cybersecurity threats.

Members of the Committee would include individuals recommended to the Director by {new §2215(m)(3)}:

• The National Governors Association (2);
• The National Association of State Chief Information Officers (2);
• The National Guard Bureau;
• The National Association of Counties (2);
• The National League of Cities (2);
• The United States Conference of Mayors; and
• The Multi-State Information Sharing and Analysis Center.

Strategy to Improve Cybersecurity


Section 3 of the bill would amend 6 USC 660, adding a new §660(e), Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments. It would give CISA 270 days to publish the Strategy to {new §660(e)(2)}:

• Identify capability gaps in the ability of State, local, Tribal, and territorial governments to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
• Identify Federal resources and capabilities to help such governments identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
• Identify and assess the limitations of Federal resources and capabilities available to help governments identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents, and make recommendations to address such limitations;
• Identify opportunities to improve the Agency’s coordination to improve incident exercises, information sharing and incident notification procedures;
• Recommend new initiatives the Federal Government should undertake to help such governments identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
• Set short-term and long-term goals that will improve the ability of such governments to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents; and
• Set dates, including interim benchmarks, as appropriate for State, local, Tribal, territorial governments to establish baseline capabilities to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.

Amended in Committee


This bill was taken up yesterday by the House Homeland Security Committee in a markup hearing. The bill was amended four times with amendments submitted by:

• Rep Katko (R,NY);
• Rep Langevin (D,RI);
• Richmond; and
• Rep Slotkin (D,MS)

Most of the changes made by the four amendments were relatively minor word changes. The most significant amendment was the addition of another section (§2216) included in the Slotkin amendment. That section would require CISA to “develop a resource guide for use by State, local, Tribal, and territorial government officials, including law enforcement officers, to help such officials identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents”.

All four amendments were adopted by unanimous consent as was the amended bill.

Moving Forward


Once the Committee Report is prepared the bill will be ready to move to the floor of the House. This appears to be a high-priority bill so there is little doubt that it will make it to the floor for consideration. It will be considered under the House suspension of the rules process. This means there will be limited debate, no floor amendments and the bill will require a supermajority to pass. The bill will almost certainly pass with substantial bipartisan support.

Commentary


Normally I would expect a bill with a $400 million authorization to face some opposition. That does not appear to be the case with this bill. That is almost certainly due to the large number of high-profile ransomware attacks against various city governments and local agencies. There is some significant pressure for Congress to ‘do something’ about the problem.

I am not sure that a mere $400 million spread across 50 states is going to do an awful lot to prevent future attacks. It will certainly provide a large number of congresscritter TV news spots when they get a chance to be on hand when the grant money is handed over.

Tuesday, February 11, 2020

Bills Introduced – 2-10-20


Yesterday with both the House and Senate in session there were 27 bills introduced. One of those bills will receive additional attention in this blog:

HR 5823 To establish a program to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments, and for other purposes. Rep. Richmond, Cedric L. [D-LA-2]

This is the second bill I mentioned yesterday that will be marked up by the House Homeland Security Committee tomorrow. A copy of the bill has been published by the GPO so I may be able to review this bill before tomorrow’s hearing.

Wednesday, June 6, 2018

Bills Introduced – 06-05-18


Yesterday with both the House and Senate in session there were 36 bills introduced. Of these, three may be of specific interest to readers of this blog:

HR 6001 To safeguard certain technology and intellectual property in the United States from export to or influence by the People's Republic of China and to protect United States industry from unfair competition by the People's Republic of China, and for other purposes. Rep. Conaway, K. Michael [R-TX-11]

S 2987 An original bill to authorize appropriations for fiscal year 2019 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes. Sen. Inhofe, James M. [R-OK]

S 2991 A bill to amend the Rural Electrification Act of 1936 to provide that cybersecurity and grid security improvements are eligible for electric loans and loan guarantees under that Act. Sen. Bennet, Michael F. [D-CO]

The wording of the title for HR 6001 is vague enough to possibly cover industrial control systems, but it probably will not. This bill will probably not be mentioned again in this blog.

Sunday, March 12, 2017

HR 1344 Introduced – State Cybersecurity Grant Program

Earlier this month Rep. Kilmer (D,WA) introduced HR 1344, the State Cyber Resiliency Act. The bill would establish a new Federal Emergency Management Administration (FEMA) grant program to develop and implement a cyber resiliency program.

Cyber Resiliency Program


The bill would provide grants for States establishing cyber resiliency programs designed to assist State and local governments “in preventing, preparing for, protecting against, and responding to cyber threats” {§2(a)}. The FEMA Administrator would approve State plans that were {§2(d)(1)(B)}:

• Enhancing the preparation, response, and resiliency of computer networks, industrial control systems, and communications systems performing such functions against cybersecurity threats or vulnerabilities;
• Implementing a process of continuous cybersecurity vulnerability assessments and threat mitigation practices to prevent the disruption of such functions by an incident within the State;
• Ensuring that entities performing such functions within the State adopt generally recognized best practices and methodologies with respect to cybersecurity;
• Mitigating talent gaps in the State government cybersecurity workforce, enhancing recruitment and retention efforts for such workforce, and bolstering the knowledge, skills, and abilities of State government personnel to protect against cybersecurity threats and vulnerabilities;
• Protecting public safety answering points and other emergency communications and data networks from cybersecurity threats or vulnerabilities;
• Ensuring continuity of communications and data networks between entities performing such functions within the State, in the event of a catastrophic disruption of such communications or networks;
• Accounting for and mitigating, to the greatest degree possible, cybersecurity threats or vulnerabilities related to critical infrastructure or key resources, the degradation of which may impact the performance of such functions within the State or threaten public safety;
• Providing appropriate communications capabilities to ensure cybersecurity intelligence information-sharing and the command and coordination capabilities among entities performing such functions;
• Developing and coordinating strategies with respect to cybersecurity threats or vulnerabilities in consultation with neighboring States or members of an information sharing and analysis organization.

The Administrator would be able to approve grants to States for developing approved plans and then separate grants for State and local government activities implementing those plans. The implementing grants may be used specifically for {§2(g)(2)}:

• Supporting or enhancing information sharing and analysis organizations;
• Implementing or coordinating systems and services that use cyber threat indicators (as such term is defined in 6 USC 1501) to address cybersecurity threats or vulnerabilities;
• Supporting dedicated cybersecurity and communications coordination planning; and
• Establishing programs, such as scholarships or apprenticeships, to provide financial assistance to State residents who pursue formal education, training, and industry-recognized certifications for careers in cybersecurity and commit to working for State government for a specified period of time.

Moving Forward


Kilmer is not a member of either the House Homeland Security Committee or the Transportation and Infrastructure Committee, the two committees to which this bill was assigned for consideration. This means that it is unlikely that he will have sufficient influence to see the bill considered in either committee.

There is nothing in the bill that would draw significant opposition from any groups outside of Congress. The major stumbling block for this bill is that it authorizes a new spending program. Kilmer tries to avoid the problem by not including a dollar amount in the authorization language included in the bill {§2(j)}. That would be set by the Appropriations Committee (to which Kilmer does belong) in the DHS spending bill.

Commentary


This bill is definitely intended to see States include control system security issues in their cyber resiliency. Industrial control systems are specifically mentioned in the outline of plan objectives {§2(d)(1)(B)(i)}. Where things start to get a little confusing is in the matter of definitions.

In discussing implementation grants the bill uses the term ‘cyberthreat indicators’ and references the definition in 6 USC 1501(5), which is based upon the control system inclusive definition of ‘information system’ found in that section. But later in the definition section of this bill {§2(k)} the definitions of both ‘cybersecurity risk’ and ‘incident’ are adopted from 6 USC 148(a), which depends on the IT exclusive definition of ‘information system’.


That was necessary because those terms were not defined in §1501. It could have been avoided if the term ‘information system’ had been included in (k) and referenced the definition in §1501. That might have been a bit problematic because the ‘information system’ term is not directly used in this bill. A simpler way of dealing with this would have been to amend the definition in §148 to use that in §1501. This would have the added benefit of updating all other uses of ‘information system’ that rely on the §148 definition.
 