MIR20046 S.L.C. 116TH CONGRESS 2D SESSION S. ll To require the Director of the Cybersecurity and Infrastructure Security Agency to establish a Cybersecurity State Coordinator in each State, and for other purposes. IN THE SENATE OF THE UNITED STATES llllllllll Ms. HASSAN (for herself, Mr. CORNYN, Mr. PORTMAN, and Mr. PETERS) introduced the following bill; which was read twice and referred to the Committee on llllllllll A BILL To require the Director of the Cybersecurity and Infrastructure Security Agency to establish a Cybersecurity State Coordinator in each State, and for other purposes. 1 Be it enacted by the Senate and House of Representa- 2 tives of the United States of America in Congress assembled, 3 4 SECTION 1. SHORT TITLE. This Act may be cited as the ‘‘Cybersecurity State 5 Coordinator Act of 2020’’. 6 7 SEC. 2. FINDINGS. Congress finds that— LHS X2 Y00 MIR20046 S.L.C. 2 1 (1) cyber threats, such as ransomware, against 2 State, local, Tribal, and territorial entities have 3 grown at an alarming rate; 4 (2) State, local, Tribal, and territorial entities 5 face a growing threat from advanced persistent 6 threat actors, hostile nation states, criminal groups, 7 and other malicious cyber actors; 8 (3) there is an urgent need for greater engage- 9 ment and expertise from the Federal Government to 10 help these entities build their resilience and defenses; 11 and 12 (4) coordination within Federal entities and be- 13 tween Federal and non-Federal entities, including 14 State, local, Tribal, and territorial governments, In- 15 formation Sharing and Analysis Centers, election of- 16 ficials, State adjutants general, and other non-Fed- 17 eral entities, is critical to anticipating, preventing, 18 managing, and recovering from cyberattacks. 19 20 SEC. 3. CYBERSECURITY STATE COORDINATOR. (a) IN GENERAL.—Subtitle A of title XXII of the 21 Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) 22 is amended— 23 (1) in section 2202(c) (6 U.S.C. 652(c))— 24 25 (A) in paragraph (10), by striking ‘‘and’’ at the end; LHS X2 Y00 MIR20046 S.L.C. 3 1 (B) by redesignating paragraph (11) as 2 paragraph (12); and 3 (C) by inserting after paragraph (10) the 4 following: 5 ‘‘(11) appoint a Cybersecurity State Coordi- 6 nator in each State, as described in section 2215; 7 and’’; and 8 9 10 (2) by adding at the end the following: ‘‘SEC. 2215. CYBERSECURITY STATE COORDINATOR. ‘‘(a) APPOINTMENT.—The Director shall appoint an 11 employee of the Agency in each State who shall serve as 12 the Cybersecurity State Coordinator. 13 ‘‘(b) DUTIES.—The duties of a Cybersecurity State 14 Coordinator appointed under subsection (b) shall in15 clude— 16 ‘‘(1) building strategic relationships across Fed- 17 eral and non-Federal entities by advising on estab- 18 lishing governance structures to facilitate developing 19 and maintaining secure and resilient infrastructure; 20 ‘‘(2) serving as a principal Federal cybersecu- 21 rity risk advisor and coordinating between Federal 22 and non-Federal entities to support preparation, re- 23 sponse, and remediation efforts relating to cyberse- 24 curity risks and incidents; LHS X2 Y00 MIR20046 S.L.C. 4 1 ‘‘(3) facilitating the sharing of cyber threat in- 2 formation between Federal and non-Federal entities 3 to improve understanding of cybersecurity risks and 4 situational awareness of cybersecurity incidents; 5 ‘‘(4) raising awareness of the financial, tech- 6 nical, and operational resources available from the 7 Federal Government to non-Federal entities to in- 8 crease resilience against cyber threats; 9 ‘‘(5) supporting training, exercises, and plan- 10 ning for continuity of operations to expedite recovery 11 from cybersecurity incidents, including ransomware; 12 ‘‘(6) serving as a principal point of contact for 13 non-Federal entities to engage with the Federal Gov- 14 ernment on preparing, managing, and responding to 15 cybersecurity incidents; 16 ‘‘(7) assisting non-Federal entities in developing 17 and coordinating vulnerability disclosure programs 18 consistent with Federal and information security in- 19 dustry standards; and 20 ‘‘(8) performing such other duties as necessary 21 to achieve the goal of managing cybersecurity risks 22 in the United States and reducing the impact of 23 cyber threats to non-Federal entities. 24 ‘‘(c) FEEDBACK.—The Director shall take into ac- 25 count relevant feedback provided by State and local offi- LHS X2 Y00 MIR20046 S.L.C. 5 1 cials regarding the appointment, and State and local offi2 cials and other non-Federal entities regarding the per3 formance, of the Cybersecurity State Coordinator of a 4 State.’’. 5 (b) OVERSIGHT.—Not later than 1 year after the 6 date of enactment of this Act, the Director of the Cyberse7 curity and Infrastructure Security Agency shall provide to 8 the Committee on Homeland Security and Governmental 9 Affairs of the Senate and the Committee on Homeland 10 Security of the House of Representatives a briefing on the 11 placement and efficacy of the Cybersecurity State Coordi12 nators appointed under section 2215 of Homeland Secu13 rity Act of 2002, as added by subsection (a). 14 (c) RULE OF CONSTRUCTION.—Nothing in this sec- 15 tion or the amendments made by this section shall be con16 strued to affect or otherwise modify the authority of Fed17 eral law enforcement agencies with respect to investiga18 tions relating to cybersecurity incidents. 19 (d) TECHNICAL AND CONFORMING AMENDMENT.— 20 The table of contents in section 1(b) of the Homeland Se21 curity Act of 2002 (Public Law 107–296; 116 Stat. 2135) 22 is amended by inserting after the item relating to section 23 2214 the following: ‘‘Sec. 2215. Cybersecurity State Coordinator.’’. LHS X2 Y00