Cyber Resiliency Act
S. ll
116TH CONGRESS
1ST SESSION
A BILL
To provide grants to assist States in developing and implementing plans to address cybersecurity threats or vulnerabilities, and for other purposes.
PROGRAM.
tribal governments in preventing, preparing for, protecting against, and responding to cyber threats, which shall be administered by the Administrator.
(b) ELIGIBILITY.—Each State shall be eligible to apply for grants under the Program.
(c) GRANTS AUTHORIZED FOR EACH STATE.—Subject to the funds available under a funding allocation determined under subsection (f) for a State, the Secretary of Homeland Security may award to the State—
(1) up to 2 planning grants under subsection (e) to develop or revise a cyber resiliency plan; and
(2) up to 2 implementation grants under subsection (f) to implement an active cyber resiliency plan.
(d) APPROVAL OF CYBER RESILIENCY PLANS.—
(1) IN GENERAL.—The Secretary shall approve a cyber resiliency plan submitted by a State if the Secretary determines, after considering the recommendations of the Review Committee established under subsection (i), that the plan meets all of the following criteria:
(A) The plan incorporates, to the extent practicable, any existing plans of such State to protect against cybersecurity threats or vulnerabilities.
ALB19290 S.L.C.
(B) The plan is designed to achieve each of the following objectives, with respect to the essential functions of such State:
(i) Enhancing the preparation, response, and resiliency of computer networks, industrial control systems, and communications systems performing such functions against cybersecurity threats or vulnerabilities.
(ii) Implementing a process of continuous cybersecurity vulnerability assessments and threat mitigation practices to prevent the disruption of such functions by an incident within the State.
(iii) Ensuring that entities performing such functions within the State adopt generally recognized best practices and methodologies with respect to cybersecurity, such as the practices provided in the cybersecurity framework developed by the National Institute of Standards and Technology.
(iv) Mitigating talent gaps in the State government cybersecurity workforce, enhancing recruitment and retention efforts for such workforce, and bolstering the knowledge, skills, and abilities of State government personnel to protect against cybersecurity threats and vulnerabilities.
(v) Protecting public safety answering points and other emergency communications and data networks from cybersecurity threats or vulnerabilities.
(vi) Ensuring continuity of communications and data networks between entities performing such functions within the State, in the event of a catastrophic disruption of such communications or networks.
(vii) Accounting for and mitigating, to the greatest degree possible, cybersecurity threats or vulnerabilities related to critical infrastructure or key resources, the degradation of which may impact the performance of such functions within the State or threaten public safety.
(viii) Providing appropriate communications capabilities to ensure cybersecurity intelligence information-sharing and the command and coordination capabilities among entities performing such functions.
(ix) Developing and coordinating strategies with respect to cybersecurity threats or vulnerabilities in consultation with—
(I) neighboring States or members of an information sharing and analysis organization; and
(II) as applicable, neighboring countries.
(2) DURATION OF APPROVAL.—
(3) ESSENTIAL FUNCTIONS.—For purposes of this subsection, the term “essential functions” includes, with respect to a State, those functions that enhance the cybersecurity posture of the State, local and tribal governments of the State, and the public services they provide.
(e) PLANNING GRANTS.—
(1) INITIAL PLANNING GRANT.—The Secretary shall require, as a condition of awarding an initial planning grant, that the State seeking the grant—
(A) agrees to use the funds to develop a cyber resiliency plan designed to meet the criteria described in subsection (d)(1); and
(B) submits an application including such information as the Secretary may determine to be necessary.
(2) ELIGIBILITY FOR INITIAL PLANNING
a cyber resiliency plan in order to receive an extension in accordance with subsection (d)(2)(B), and submits an application including such information as the Secretary may determine to be necessary.
(4) LIMITATIONS ON NUMBER AND TIMING OF
(C) A description, if applicable, of how any prior biennial implementation grant awarded under this section was spent, and to what extent the criteria described in subsection (d)(1) were met.
(D) The share of any amounts awarded as a biennial implementation grant proposed to be distributed to local or tribal governments within such State.
(E) Such other information as the Secretary may determine to be necessary in consultation with the chief information officer, emergency managers, and senior public safety officials of the State.
(2) APPROVAL OF APPLICATION.—The Secretary shall consider the recommendations of the Review Committee in approving or disapproving an application for a biennial implementation grant.
(3) DISTRIBUTION TO LOCAL AND TRIBAL GOVERNMENTS.—
ments, in the same manner that amounts awarded under section 2004 of the Homeland Security Act of 2002 (6 U.S.C. 605) are distributed to such governments, except that—
(i) no such distribution may be made to a federally recognized Indian tribe that is a State under subsection (k)(11)(B); and
(ii) in applying section 2004(c)(1) of such Act with respect to distributions under this subparagraph, “100 percent” shall be substituted for “80 percent” each place that term appears.
(B) CONSULTATION.—In determining how an implementation grant is distributed within a State, the State shall consult with local and regional chief information officer, emergency managers, and senior public safety officials of the State.
(4) COMPETITIVE AWARD.—Except as provided in subsection (h), biennial implementation grants shall be awarded—
(A) exclusively on a competitive basis; and
(B) based on the recommendations of the Review Committee.
(5) LIMITATION ON NUMBER OF GRANTS.—The
U.S.C. 1501)) to address cybersecurity threats or vulnerabilities.
(C) Supporting dedicated cybersecurity and communications coordination planning, including the coordination of—
(i) emergency management elements of such State;
(ii) National Guard units, as appropriate;
(iii) entities associated with critical infrastructure or key resources;
(iv) information sharing and analysis organizations;
(v) public safety answering points; or
(vi) nongovernmental organizations engaged in cybersecurity research as a formally designated information analysis and sharing organization.
(D) Establishing programs, such as scholarships or apprenticeships, to provide financial assistance to State residents who—
(i) pursue formal education, training, and industry-recognized certifications for careers in cybersecurity as identified by the National Initiative for Cybersecurity Education; and
(ii) commit to working for State government for a specified period of time.
(h) FUNDING ALLOCATIONS.—
(1) IN GENERAL.—From any amount appropriated for a fiscal year that is not reserved for use by the Secretary in carrying out this section, the Secretary shall allocate the entire amount among the States (including the District of Columbia) eligible for grants under this section taking into consideration the factors specified in paragraph (2) and consistent with the following:
(A) ALLOCATIONS FOR THE SEVERAL
(B) ALLOCATIONS FOR THE TERRITORIES
State to threats, vulnerabilities, or consequences resulting from cybersecurity risks or incidents.
(C) The effectiveness of, relative to evolving cyber threats against, cybersecurity assets, secure communications capabilities, and data network protections, of the State and its partners.
(D) The extent to which the State is vulnerable to cyber threats because it has not implemented best practices such as the cybersecurity framework developed by the National Institute of Standards and Technology.
(E) The extent to which a State government may face low cybersecurity workforce supply and high cybersecurity workforce demand, as identified by the National Institute of Standards and Technology
(i) REVIEW COMMITTEE FOR CYBER RESILIENCY GRANTS.—
(1) ESTABLISHMENT.—There is established a committee to be known as the “Review Committee for Cyber Resiliency Grants” (in this section referred to as the “Review Committee”).
(2) CONSIDERATION OF SUBMISSIONS.—The
iency plan submitted for approval under subsection (d)(1), each application for an additional planning grant submitted under subsection (e)(3), and each application for a biennial implementation grant submitted under subsection (d)(1) to the Review Committee for consideration under this subsection.
(3) DUTIES.—The Review Committee shall—
(A) promulgate guidance for the development of applications for grants under this section;
(B) review any plan or application forwarded under paragraph (2);
(C) provide to the State and to the Secretary the recommendations of the Review Committee regarding the approval or disapproval of such plan or application and, if applicable, possible improvements to such plan or application;
(D) provide to the Secretary an evaluation of any progress made by a State in implementing an active cyber resiliency plan using a prior biennial implementation grant; and
(E) submit to Congress an annual report on the progress made in implementing active cyber resiliency plans.
(4) MEMBERSHIP.—
(A) NUMBER AND APPOINTMENT.—The
expiration of the term for which the member’s predecessor was appointed shall be appointed only for the remainder of that term. A member may serve after the expiration of that member’s term until a successor has taken office. A vacancy in the Commission shall be filled in the manner in which the original appointment was made.
(C) PAY.—Members shall serve without pay.
(D) CHAIRPERSON; VICE CHAIRPERSON.—
chapter 51 and subchapter III of chapter 53 of such title relating to classification and General Schedule pay rates; and
(C) procure temporary and intermittent services under section 3109(b) of such title.
(6) DETAILEES.—Upon request of the Review Committee, the head of any Federal department or agency may detail, on a reimbursable basis, any of the personnel of that department or agency to the Commission to assist it in carrying out the duties under this Act.
(7) FEDERAL ADVISORY COMMITTEE ACT.—The
accordance with subsection (d)(2)(A) or for which the Secretary extends such approval in accordance with subsection (d)(2)(B).
(2) ADMINISTRATOR.—The term “Administrator” means the Administrator of the Federal Emergency Management Agency.
(3) CRITICAL INFRASTRUCTURE.—The term “critical infrastructure” has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
(4) CYBER RESILIENCY PLAN.—The term “cyber resiliency plan” means, with respect to a State, a plan that addresses the cybersecurity threats or vulnerabilities faced by the State through a statewide plan and decisionmaking process to respond to cybersecurity risks or incidents.
(5) CYBERSECURITY RISK.—The term “cybersecurity risk” has the meaning given that term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659).
(6) INCIDENT.—The term “incident” has the meaning given that term in section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659).
(7) INFORMATION SHARING AND ANALYSIS OR-
analysis organization” has the meaning given that term in section 2222 of the Homeland Security Act of 2002 (6 U.S.C. 671).
(8) KEY RESOURCES.—The term “key resources” has the meaning given that term in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
(9) PROGRAM.—The term “Program” means the State Cyber Resiliency Grant Program established by this section.
(10) PUBLIC SAFETY ANSWERING POINTS.—
and agrees to forfeit any distribution under subsection (f)(3).