[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1191 Introduced in Senate (IS)]
118th CONGRESS
1st Session
S. 1191
To direct the Director of the Cybersecurity and Infrastructure Security
Agency to establish a K-12 Cybersecurity Technology Improvement
Program, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 19, 2023
Mrs. Blackburn (for herself and Mr. Warner) introduced the following
bill; which was read twice and referred to the Committee on Homeland
Security and Governmental Affairs
_______________________________________________________________________
A BILL
To direct the Director of the Cybersecurity and Infrastructure Security
Agency to establish a K-12 Cybersecurity Technology Improvement
Program, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Enhancing K-12 Cybersecurity Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Covered entity.--The term ``covered entity'' means the
following:
(A) An elementary school.
(B) A secondary school.
(C) A local educational agency.
(D) A State educational agency.
(E) An educational service agency.
(2) Director.--The term ``Director'' means the Director of
the Cybersecurity and Infrastructure Security Agency.
(3) Educational service agency.--The term ``educational
service agency'' has the meaning given that term in section
8101 of the Elementary and Secondary Education Act of 1965 (20
U.S.C. 7801).
(4) Elementary school.--The term ``elementary school'' has
the meaning given that term in section 8101 of the Elementary
and Secondary Education Act of 1965 (20 U.S.C. 7801).
(5) Information exchange.--The term ``Information
Exchange'' means the School Cybersecurity Information Exchange
established under section 3(a).
(6) Information sharing and analysis organization.--The
term ``Information Sharing and Analysis Organization'' has the
meaning given that term in section 2200 of the Homeland
Security Act of 2002 (6 U.S.C. 650).
(7) Local educational agency.--The term ``local educational
agency'' has the meaning given that term in section 8101 of the
Elementary and Secondary Education Act of 1965 (20 U.S.C.
7801).
(8) Secondary school.--The term ``secondary school'' has
the meaning given that term in section 8101 of the Elementary
and Secondary Education Act of 1965 (20 U.S.C. 7801).
(9) State educational agency.--The term ``State educational
agency'' has the meaning given that term in section 8101 of the
Elementary and Secondary Education Act of 1965 (20 U.S.C.
7801).
SEC. 3. SCHOOL CYBERSECURITY INFORMATION EXCHANGE.
(a) Establishment.--The Director shall enhance existing information
exchange efforts implemented through partnerships with 1 or more
Information Sharing and Analysis Organizations to focus specific
attention on the needs of covered entities with regard to
cybersecurity, including a new publicly accessible website (to be known
as the ``School Cybersecurity Information Exchange'') to disseminate
information, cybersecurity best practices, training, and lessons
learned tailored to the specific needs of, technical expertise of, and
resources available to covered entities, in accordance with subsection
(b).
(b) Duties.--In establishing the Information Exchange, the Director
shall--
(1) engage appropriate Federal, State, local, and
nongovernmental organizations to identify, promote, and
disseminate information and best practices for State
educational agencies, local educational agencies, and
educational service agencies with respect to cybersecurity,
data protection, remote learning security, and student online
privacy;
(2) maintain a database through which an elementary school,
secondary school, local educational agency, State educational
agency, or educational service agency may identify
cybersecurity tools and services funded by the Federal
Government and tools and services recommended for purchase with
State and local government funding; and
(3) provide a searchable database through which covered
entities may find and apply for funding opportunities to
improve cybersecurity.
(c) Consultation.--In carrying out the duties under subsection (b),
the Director shall consult with the following:
(1) The Secretary of Education.
(2) The Director of the National Institute of Standards and
Technology.
(3) The Federal Communications Commission.
(4) The Director of the National Science Foundation.
(5) The Federal Bureau of Investigation.
(6) State and local leaders, including, when appropriate,
Governors, employees of State departments and agencies, members
of State legislatures and State boards of education, local
educational agencies, State educational agencies,
representatives of Indian Tribes, teachers, principals, other
school leaders, charter school leaders, specialized
instructional support personnel, paraprofessionals, school
administrators, other school staff, and parents.
(7) When determined appropriate by the Director, subject
matter experts and expert organizations, including
nongovernmental organizations, vendors of school information
technology products and services, cybersecurity insurance
companies, and cybersecurity threat companies.
SEC. 4. CYBERSECURITY INCIDENT REGISTRY.
(a) In General.--The Director shall--
(1) establish, through partnerships with 1 or more
Information Sharing and Analysis Organizations, a voluntary
registry of information relating to cyber incidents affecting
information technology systems owned or managed by a covered
entity; and
(2) determine the scope of cyber incidents to be included
in the registry and processes by which incidents can be
reported for collection in the registry.
(b) Use.--Information in the registry established pursuant to
subsection (a) may be used to--
(1) improve data collection and coordination activities
related to the nationwide monitoring of the incidence and
impact of cyber incidents affecting a covered entity;
(2) conduct analyses regarding trends in cyber incidents
affecting a covered entity;
(3) develop systematic approaches to assist a covered
entity in preventing and responding to cyber incidents;
(4) increase the awareness and preparedness of a covered
entity regarding the cybersecurity of the covered entity; and
(5) identify, prevent, or investigate cyber incidents
targeting a covered entity.
(c) Information Collection.--
(1) In general.--The Director may collect information
relating to cyber incidents to store in the registry
established pursuant to subsection (a).
(2) Submission of information.--Information relating to a
cyber incident may be submitted by a covered entity and may
include the following:
(A) The date of the cyber incident, including the
date on which the incident was initially detected and
the date on which the incident was first publicly
reported or disclosed to another entity.
(B) A description of the cyber incident, which
shall include whether the incident was as a result of a
breach, malware, distributed denial of service attack,
or other method designed to cause a vulnerability.
(C) The effects of the cyber incident, including
descriptions of the type and size of each such
incident.
(D) Other information determined relevant by the
Director.
(d) Report.--The Director shall make available on the Information
Exchange an annual report relating to cyber incidents affecting
elementary schools and secondary schools which includes data, and the
analysis of such data, in a manner that--
(1) is--
(A) de-identified; and
(B) presented in the aggregate; and
(2) at a minimum, protects personal privacy to the extent
required by applicable Federal and State privacy laws.
SEC. 5. K-12 CYBERSECURITY TECHNOLOGY IMPROVEMENT PROGRAM.
(a) Establishment.--The Director shall establish, through
partnerships with 1 or more Information Sharing and Analysis
Organizations, a program (to be known as the ``K-12 Cybersecurity
Technology Improvement Program'') to deploy cybersecurity capabilities
to address cybersecurity risks and threats to information systems of
elementary schools and secondary schools through--
(1) the development of cybersecurity strategies and
installation of effective cybersecurity tools tailored for
covered entities;
(2) making available cybersecurity services that enhance
the ability of elementary schools and secondary schools to
protect themselves from ransomware and other cybersecurity
threats; and
(3) providing training opportunities on cybersecurity
threats, best practices, and relevant technologies for
elementary schools and secondary schools.
(b) Report.--The Director shall make available on the Information
Exchange an annual report relating to the impact of the K-12
Cybersecurity Technology Improvement Program, including information on
the cybersecurity capabilities made available to information technology
systems owned or managed by covered entities, the number of students
served, and cybersecurity incidents identified or prevented.
SEC. 6. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to carry out this Act
$10,000,000 for each of fiscal years 2023 and 2024.