House Panel Passes Bill to Explore Bringing State and Local Cybersecurity Workers into CISA


The Homeland Security Committee cleared several bills to address cybersecurity following the attack on Colonial Pipeline.

A bill to improve the cybersecurity of state, local, tribal and territorial entities following a string of major cybersecurity incidents seeks to determine whether employees from those governments could spend some time working at the Cybersecurity and Infrastructure Security Agency.  

“Not later than 180 days after the date of the enactment of this Act,” reads H.R. 3138, “the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security shall conduct a study to assess the feasibility of implementing a short-term rotational program for the detail to the Agency of approved State, local, tribal and territorial government employees in cyber workforce positions.”

The bill, led by Rep. Yvette Clarke, D-N.Y., chair of the House Homeland Security Committee’s panel on cybersecurity, infrastructure protection and innovation, passed the committee after a markup Tuesday along with a number of other bills aimed at improving cybersecurity in the wake of the ransomware attack on Colonial Pipeline.

“The Colonial Pipeline ransomware attack that shut down one of our nation’s largest pipelines and triggered fuel shortages across the northeast has brought new urgency to our work to protect the country’s critical infrastructure. This attack also follows a string of disturbing cyberattacks against government entities and the private sector – from SolarWinds and Pulse Connect Secure to Microsoft Exchange Server and the Oldsmar Water facility. Since the beginning of this Congress, this Committee has engaged in extensive oversight of these events and how the Federal government partners with others to defend our networks,” said Committee Chairman Bennie Thompson, D-Miss. “The legislation we reported today was the result of this oversight. I am pleased that they received broad bipartisan support and hope they are considered on the House floor in short order.”

Clarke’s bill would make $500 million available in grants each year between 2022 and 2026 that the state and local entities can apply for from the Department of Homeland Security.

In order to be considered, the applicants will have to submit a cybersecurity plan that, among other things, includes consideration of their workforce.

They will have to show how they’ll use the “Cybersecurity Framework developed by the National Institute of Standards and Technology to identify and mitigate any gaps in the cybersecurity workforces ... enhance recruitment and retention efforts for such workforces, and bolster the knowledge, skills, and abilities of state, local, and tribal government personnel to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training,” according to the bill.

The committee also passed the Pipeline Security Act, which would codify the Transportation Security Administration’s role overseeing pipeline cybersecurity and require the TSA administrator to, in coordination with the CISA director, come up with a personnel strategy to enhance the operations of a new pipeline security division.

“The Administrator shall appoint as the head of the section an individual with knowledge of the pipeline industry and security best practices, as determined appropriate by the Administrator,” the bill reads, adding, “The section shall be staffed by a workforce that includes 25 personnel with cybersecurity expertise.” 

Also clearing the committee Tuesday was a bill from Rep. Sheila Jackson Lee, D-Texas, which would require the CISA director to report to Congress within a year on the agency’s efforts to coordinate vulnerability disclosures, including “any available information on the degree to which such information was acted upon by industry and other stakeholders.”

Other cybersecurity bills that made it through the markup were the CISA Cyber Exercise Act from Rep. Elissa Slotkin, D-Mich., which establishes a program to test cyber readiness, and the Domains Critical to Homeland Security Act from ranking member John Katko, R-N.Y. Katko’s bill “authorizes DHS to conduct research and development into supply chain risks for critical domains of the United States economy and transmit the results to Congress,” according to a statement released by the committee.