
§ 665g. State and Local Cybersecurity Grant Program
(a) Definitions. In this section:
(1) Cybersecurity Plan
(2) Eligible entity. The term “eligible entity” means a—
(A) State; or
(B) Tribal government.
(3) Multi-entity group
(4) Online service
(5) Rural area
(6) State and Local Cybersecurity Grant Program
(7) Tribal government
(b) Establishment
(1) In general
(2) Application
(c) Administration
(d) Use of funds. An eligible entity that receives a grant under this section and a local government that receives funds from a grant under this section, as appropriate, shall use the grant to—
(1) implement the Cybersecurity Plan of the eligible entity;
(2) develop or revise the Cybersecurity Plan of the eligible entity;
(3) pay expenses directly relating to the administration of the grant, which shall not exceed 5 percent of the amount of the grant;
(4) assist with activities that address imminent cybersecurity threats, as confirmed by the Secretary, acting through the Director, to the information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity; or
(5) fund any other appropriate activity determined by the Secretary, acting through the Director.
(e) Cybersecurity plans
(1) In general
(2) Required elements. A Cybersecurity Plan of an eligible entity shall—
(A) incorporate, to the extent practicable—
(i) any existing plans of the eligible entity to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local, or Tribal governments; and
(ii) if the eligible entity is a State, consultation and feedback from local governments and associations of local governments within the jurisdiction of the eligible entity;
(B) describe, to the extent practicable, how the eligible entity will—
(i) manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology;
(ii) monitor, audit, and,1 track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity;
[Footnote 1: So in original. The comma probably should not appear.]
(iii) enhance the preparation, response, and resiliency of information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, against cybersecurity risks and cybersecurity threats;
(iv) implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity;
(v) ensure that the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, adopt and use best practices and methodologies to enhance cybersecurity, such as—
(I) the practices set forth in the cybersecurity framework developed by the National Institute of Standards and Technology;
(II) cyber chain supply chain risk management best practices identified by the National Institute of Standards and Technology; and
(III) knowledge bases of adversary tools and tactics;
(vi) promote the delivery of safe, recognizable, and trustworthy online services by the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, including through the use of the .gov internet domain;
(vii) ensure continuity of operations of the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident;
(viii) use the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity developed by the National Institute of Standards and Technology to identify and mitigate any gaps in the cybersecurity workforces of the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training;
(ix) if the eligible entity is a State, ensure continuity of communications and data networks within the jurisdiction of the eligible entity between the eligible entity and local governments within the jurisdiction of the eligible entity in the event of an incident involving those communications or data networks;
(x) assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the eligible entity;
(xi) enhance capabilities to share cyber threat indicators and related information between the eligible entity and—
(I) if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, including by expanding information sharing agreements with the Department; and
(II) the Department;
(xii) leverage cybersecurity services offered by the Department;
(xiii) implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives;
(xiv) develop and coordinate strategies to address cybersecurity risks and cybersecurity threats in consultation with—
(I) if the eligible entity is a State, local governments and associations of local governments within the jurisdiction of the eligible entity; and
(II) as applicable—
(aa) eligible entities that neighbor the jurisdiction of the eligible entity or, as appropriate, members of an Information Sharing and Analysis Organization; and
(bb) countries that neighbor the jurisdiction of the eligible entity;
(xv) ensure adequate access to, and participation in, the services and programs described in this subparagraph by rural areas within the jurisdiction of the eligible entity; and
(xvi) distribute funds, items, services, capabilities, or activities to local governments under subsection (n)(2)(A), including the fraction of that distribution the eligible entity plans to distribute to rural areas under subsection (n)(2)(B);
(C) assess the capabilities of the eligible entity relating to the actions described in subparagraph (B);
(D) describe, as appropriate and to the extent practicable, the individual responsibilities of the eligible entity and local governments within the jurisdiction of the eligible entity in implementing the plan;
(E) outline, to the extent practicable, the necessary resources and a timeline for implementing the plan; and
(F) describe the metrics the eligible entity will use to measure progress towards—
(i) implementing the plan; and
(ii) reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity.
(3) Discretionary elements. In drafting a Cybersecurity Plan, an eligible entity may—
(A) consult with the Multi-State Information Sharing and Analysis Center;
(B) include a description of cooperative programs developed by groups of local governments within the jurisdiction of the eligible entity to address cybersecurity risks and cybersecurity threats; and
(C) include a description of programs provided by the eligible entity to support local governments and owners and operators of critical infrastructure to address cybersecurity risks and cybersecurity threats.
(f) Multi-entity grants
(1) In general
(2) Satisfaction of other requirements. In order to be eligible for a multi-entity grant under this subsection, each eligible entity that comprises a multi-entity group shall have—
(A) a Cybersecurity Plan that has been reviewed by the Secretary in accordance with subsection (i); and
(B) a cybersecurity planning committee established in accordance with subsection (g).
(3) Application
(A)
(B) Multi-entity project plan. An application for a grant under this section of a multi-entity group under subparagraph (A) shall include a plan describing—
(i) the division of responsibilities among the eligible entities that comprise the multi-entity group;
(ii) the distribution of funding from the grant among the eligible entities that comprise the multi-entity group; and
(iii) how the eligible entities that comprise the multi-entity group will work together to implement the Cybersecurity Plan of each of those eligible entities.
(g) Planning committees
(1) In general. An eligible entity that receives a grant under this section shall establish a cybersecurity planning committee to—
(A) assist with the development, implementation, and revision of the Cybersecurity Plan of the eligible entity;
(B) approve the Cybersecurity Plan of the eligible entity; and
(C) assist with the determination of effective funding priorities for a grant under this section in accordance with subsections (d) and (j).
(2) Composition. A committee of an eligible entity established under paragraph (1) shall—
(A) be comprised of representatives from—
(i) the eligible entity;
(ii) if the eligible entity is a State, counties, cities, and towns within the jurisdiction of the eligible entity; and
(iii) institutions of public education and health within the jurisdiction of the eligible entity; and
(B) include, as appropriate, representatives of rural, suburban, and high-population jurisdictions.
(3) Cybersecurity expertise
(4) Rule of construction regarding existing planning committees. Nothing in this subsection shall be construed to require an eligible entity to establish a cybersecurity planning committee if the eligible entity has established and uses a multijurisdictional planning committee or commission that—
(A) meets the requirements of this subsection; or
(B) may be expanded or leveraged to meet the requirements of this subsection, including through the formation of a cybersecurity planning subcommittee.
(5) Rule of construction regarding control of information systems of eligible entities
(h) Special rule for Tribal governments
(i) Review of plans
(1) Review as condition of grant
(A) In general. Subject to paragraph (3), before an eligible entity may receive a grant under this section, the Secretary, acting through the Director, shall—
(i) review the Cybersecurity Plan of the eligible entity, including any revised Cybersecurity Plans of the eligible entity; and
(ii) determine that the Cybersecurity Plan reviewed under clause (i) satisfies the requirements under paragraph (2).
(B) Duration of determination
(C) Annual renewal. Not later than 2 years after the date on which the Secretary determines under subparagraph (A)(ii) that a Cybersecurity Plan satisfies the requirements under paragraph (2), and annually thereafter, the Secretary, acting through the Director, shall—
(i) determine whether the Cybersecurity Plan and any revisions continue to meet the criteria described in paragraph (2); and
(ii) renew the determination if the Secretary, acting through the Director, makes a positive determination under clause (i).
(2) Plan requirements. In reviewing a Cybersecurity Plan of an eligible entity under this subsection, the Secretary, acting through the Director, shall ensure that the Cybersecurity Plan—
(A) satisfies the requirements of subsection (e)(2); and
(B) has been approved by—
(i) the cybersecurity planning committee of the eligible entity established under subsection (g); and
(ii) the Chief Information Officer, the Chief Information Security Officer, or an equivalent official of the eligible entity.
(3) Exception. Notwithstanding subsection (e) and paragraph (1) of this subsection, the Secretary may award a grant under this section to an eligible entity that does not submit a Cybersecurity Plan to the Secretary for review before September 30, 2023, if the eligible entity certifies to the Secretary that—
(A) the activities that will be supported by the grant are—
(i) integral to the development of the Cybersecurity Plan of the eligible entity; or
(ii) necessary to assist with activities described in subsection (d)(4), as confirmed by the Director; and
(B) the eligible entity will submit to the Secretary a Cybersecurity Plan for review under this subsection by September 30, 2023.
(4) Rule of construction. Nothing in this subsection shall be construed to provide authority to the Secretary to—
(A) regulate the manner by which an eligible entity or local government improves the cybersecurity of the information systems owned or operated by, or on behalf of, the eligible entity or local government; or
(B) condition the receipt of grants under this section on—
(i) participation in a particular Federal program; or
(ii) the use of a specific product or technology.
(j) Limitations on uses of funds
(1) In general. Any entity that receives funds from a grant under this section may not use the grant—
(A) to supplant State or local funds;
(B) for any recipient cost-sharing contribution;
(C) to pay a ransom;
(D) for recreational or social purposes; or
(E) for any purpose that does not address cybersecurity risks or cybersecurity threats on information systems owned or operated by, or on behalf of, the eligible entity that receives the grant or a local government within the jurisdiction of the eligible entity.
(2) Compliance oversight
(3) Rule of construction
(k) Opportunity to amend applications
(l) Apportionment. For fiscal year 2022 and each fiscal year thereafter, the Secretary shall apportion amounts appropriated to carry out this section among eligible entities as follows:
(1) Baseline amount. The Secretary shall first apportion—
(A) 0.25 percent of such amounts to each of American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the United States Virgin Islands;
(B) 1 percent of such amounts to each of the remaining States; and
(C) 3 percent of such amounts to Tribal governments.
(2) Remainder. The Secretary shall apportion the remainder of such amounts to States as follows:
(A) 50 percent of such remainder in the ratio that the population of each State, bears to the population of all States; and
(B) 50 percent of such remainder in the ratio that the population of each State that resides in rural areas, bears to the population of all States that resides in rural areas.
(3) Apportionment among Tribal governments
(4) Multi-entity grants
(m) Federal share
(1) In general. The Federal share of the cost of an activity carried out using funds made available with a grant under this section may not exceed—
(A) in the case of a grant to an eligible entity—
(i) for fiscal year 2022, 90 percent;
(ii) for fiscal year 2023, 80 percent;
(iii) for fiscal year 2024, 70 percent; and
(iv) for fiscal year 2025, 60 percent; and
(B) in the case of a grant to a multi-entity group—
(i) for fiscal year 2022, 100 percent;
(ii) for fiscal year 2023, 90 percent;
(iii) for fiscal year 2024, 80 percent; and
(iv) for fiscal year 2025, 70 percent.
(2) Waiver
(A) In general
(B) Guidelines
(C) Considerations. In developing guidelines under subparagraph (B), the Secretary shall consider, with respect to the jurisdiction of an eligible entity—
(i) changes in rates of unemployment in the jurisdiction from previous years;
(ii) changes in the percentage of individuals who are eligible to receive benefits under the supplemental nutrition assistance program established under the Food and Nutrition Act of 2008 (7 U.S.C. 2011 et seq.) from previous years; and
(iii) any other factors the Secretary considers appropriate.
(3) Waiver for Tribal governments
(n) Responsibilities of grantees
(1) Certification. Each eligible entity or multi-entity group that receives a grant under this section shall certify to the Secretary that the grant will be used—
(A) for the purpose for which the grant is awarded; and
(B) in compliance with subsections (d) and (j).
(2) Availability of funds to local governments and rural areas
(A) In general. Subject to subparagraph (C), not later than 45 days after the date on which an eligible entity or multi-entity group receives a grant under this section, the eligible entity or multi-entity group shall, without imposing unreasonable or unduly burdensome requirements as a condition of receipt, obligate or otherwise make available to local governments within the jurisdiction of the eligible entity or the eligible entities that comprise the multi-entity group, consistent with the Cybersecurity Plan of the eligible entity or the Cybersecurity Plans of the eligible entities that comprise the multi-entity group—
(i) not less than 80 percent of funds available under the grant;
(ii) with the consent of the local governments, items, services, capabilities, or activities having a value of not less than 80 percent of the amount of the grant; or
(iii) with the consent of the local governments, grant funds combined with other items, services, capabilities, or activities having the total value of not less than 80 percent of the amount of the grant.
(B) Availability to rural areas. In obligating funds, items, services, capabilities, or activities to local governments under subparagraph (A), the eligible entity or eligible entities that comprise the multi-entity group shall ensure that rural areas within the jurisdiction of the eligible entity or the eligible entities that comprise the multi-entity group receive not less than—
(i) 25 percent of the amount of the grant awarded to the eligible entity;
(ii) items, services, capabilities, or activities having a value of not less than 25 percent of the amount of the grant awarded to the eligible entity; or
(iii) grant funds combined with other items, services, capabilities, or activities having the total value of not less than 25 percent of the grant awarded to the eligible entity.
(C) Exceptions. This paragraph shall not apply to—
(i) any grant awarded under this section that solely supports activities that are integral to the development or revision of the Cybersecurity Plan of the eligible entity; or
(ii) the District of Columbia, the Commonwealth of Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, the United States Virgin Islands, or a Tribal government.
(3) Certifications regarding distribution of grant funds to local governments
(4) Extension of period
(A) In general
(B) Approval
(5) Direct funding
(6) Limitation on construction
(7) Consultation in allocating funds
(8) Penalties. In addition to other remedies available to the Secretary, if an eligible entity violates a requirement of this subsection, the Secretary may—
(A) terminate or reduce the amount of a grant awarded under this section to the eligible entity; or
(B) distribute grant funds previously awarded to the eligible entity—
(i) in the case of an eligible entity that is a State, directly to the appropriate local government as a replacement grant in an amount determined by the Secretary; or
(ii) in the case of an eligible entity that is a Tribal government, to another Tribal government or Tribal governments as a replacement grant in an amount determined by the Secretary.
(o) Consultation with State, local, and Tribal representatives. In carrying out this section, the Secretary shall consult with State, local, and Tribal representatives with professional experience relating to cybersecurity, including representatives of associations representing State, local, and Tribal governments, to inform—
(1) guidance for applicants for grants under this section, including guidance for Cybersecurity Plans;
(2) the study of risk-based formulas required under subsection (q)(4);
(3) the development of guidelines required under subsection (m)(2)(B); and
(4) any modifications described in subsection (q)(2)(D).
(p) Notification to Congress
(q) Reports, study, and review
(1) Annual reports by grant recipients
(A) In general. Not later than 1 year after the date on which an eligible entity receives a grant under this section for the purpose of implementing the Cybersecurity Plan of the eligible entity, including an eligible entity that comprises a multi-entity group that receives a grant for that purpose, and annually thereafter until 1 year after the date on which funds from the grant are expended or returned, the eligible entity shall submit to the Secretary a report that, using the metrics described in the Cybersecurity Plan of the eligible entity, describes the progress of the eligible entity in—
(i) implementing the Cybersecurity Plan of the eligible entity; and
(ii) reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity.
(B) Absence of plan. Not later than 1 year after the date on which an eligible entity that does not have a Cybersecurity Plan receives funds under this section, and annually thereafter until 1 year after the date on which funds from the grant are expended or returned, the eligible entity shall submit to the Secretary a report describing how the eligible entity obligated and expended grant funds to—
(i) develop or revise a Cybersecurity Plan; or
(ii) assist with the activities described in subsection (d)(4).
(2) Annual reports to Congress. Not less frequently than annually, the Secretary, acting through the Director, shall submit to Congress a report on—
(A) the use of grants awarded under this section;
(B) the proportion of grants used to support cybersecurity in rural areas;
(C) the effectiveness of the State and Local Cybersecurity Grant Program;
(D) any necessary modifications to the State and Local Cybersecurity Grant Program; and
(E) any progress made toward—
(i) developing, implementing, or revising Cybersecurity Plans; and
(ii) reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, State, local, or Tribal governments as a result of the award of grants under this section.
(3) Public availability
(A) In general
(B) Redactions
(4) Study of risk-based formulas
(A) In general. Not later than September 30, 2024, the Secretary, acting through the Director, shall submit to the appropriate congressional committees a study and legislative recommendations on the potential use of a risk-based formula for apportioning funds under this section, including—
(i) potential components that could be included in a risk-based formula, including the potential impact of those components on support for rural areas under this section;
(ii) potential sources of data and information necessary for the implementation of a risk-based formula;
(iii) any obstacles to implementing a risk-based formula, including obstacles that require a legislative solution;
(iv) if a risk-based formula were to be implemented for fiscal year 2026, a recommended risk-based formula for the State and Local Cybersecurity Grant Program; and
(v) any other information that the Secretary, acting through the Director, determines necessary to help Congress understand the progress towards, and obstacles to, implementing a risk-based formula.
(B) Inapplicability of Paperwork Reduction Act
(5) Tribal cybersecurity needs report. Not later than 2 years after November 15, 2021, the Secretary, acting through the Director, shall submit to Congress a report that—
(A) describes the cybersecurity needs of Tribal governments, which shall be determined in consultation with the Secretary of the Interior and Tribal governments; and
(B) includes any recommendations for addressing the cybersecurity needs of Tribal governments, including any necessary modifications to the State and Local Cybersecurity Grant Program to better serve Tribal governments.
(6) GAO review. Not later than 3 years after November 15, 2021, the Comptroller General of the United States shall conduct a review of the State and Local Cybersecurity Grant Program, including—
(A) the grant selection process of the Secretary; and
(B) a sample of grants awarded under this section.
(r) Authorization of appropriations
(1) In general. There are authorized to be appropriated for activities under this section—
(A) for fiscal year 2022, $200,000,000;
(B) for fiscal year 2023, $400,000,000;
(C) for fiscal year 2024, $300,000,000; and
(D) for fiscal year 2025, $100,000,000.
(2) Transfers authorized
(A) In general
(B) Additional appropriations
(s) Termination
(1) In general
(2) Exception
(Pub. L. 107–296, title XXII, § 2220A, formerly § 2218, as added Pub. L. 117–58, div. G, title VI, § 70612(a), Nov. 15, 2021, 135 Stat. 1272; renumbered § 2220A and amended Pub. L. 117–81, div. A, title XV, § 1547(b)(1)(A)(viii), Dec. 27, 2021, 135 Stat. 2061; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(K), Dec. 23, 2022, 136 Stat. 3660.)