Cyberspace Solarium Commissioners Introduce Legislation to Securely Modernize State Information Technology

Aug 13, 2020 Issues: Cybersecurity

Washington – Cyberspace Solarium Commissioner Congressman Jim Langevin (D-RI) and Solarium co-chairs Senator Angus King (I-ME) and Congressman Mike Gallagher (R-WI) are introducing legislation to support modernizing and securing state and local government information technology. The State and Local IT Modernization and Cybersecurity Act, which will be introduced in both the House and the Senate, addresses a recommendation from the Solarium’s pandemic white paper that calls for helping state and local governments migrate legacy IT infrastructure to modern, secure platforms, including cloud-based services. During the COVID-19 pandemic, many states and localities have struggled to deliver essential services, from unemployment benefits to public health tracking data, due to outdated infrastructure. Congressmen Cedric Richmond (D-LA), Will Hurd (R-TX), C. A. Dutch Ruppersberger (D-MD), Michael McCaul (R-TX), Max Rose (D-NY), and Don Bacon (R-NE), joined Langevin and Gallagher in introducing the House bill, which includes $28 billion in federal aid.

“In our initial report, the Solarium Commission recognized that outdated state and local government systems were attractive targets for our adversaries and that we needed to help them migrate to secure, cloud-based infrastructure,” said Congressman Langevin, a senior member of the House Homeland Security Committee and the co-founder and co-chair of the Congressional Cybersecurity Caucus. “COVID-19 has made it apparent how much legacy IT is affecting state and local governments operationally. We need immediate investments to ensure state and local employees can safely work remotely, and we need IT modernization strategies to ensure that essential services, like unemployment insurance, can be provided to Americans in need. The State and Local IT Modernization and Cybersecurity Act will dramatically improve e-government services, protect workers, and significantly enhance security. I am indebted to the Solarium Commissioners, especially our co-chairs, for working to develop this proposal and for my House colleagues like Congressmen Richmond and Hurd, whose thought leadership is reflected in the final bill. The Solarium Commission released the pandemic white paper to call attention to immediate cybersecurity needs in light of COVID-19, and we need to act now.”

“America’s cybersecurity strategy cannot occur at only the federal level – if we are to take the necessary steps to protect our people and our data, each layer of our government must be prepared for cyber threats,” said Senator King. “This legislation will help our states and localities update their systems, which will improve their security and provide the added benefit of helping state and local governments operate more efficiently in the digital age. It’s necessary for our security, and it will strengthen online services for the American people – a win-win, and one I’m proud to introduce with Representatives Langevin and Gallagher.”

"Outdated legacy systems not only threaten state and local governments' ability to deliver critical services, but can also expose sensitive data to cyber threats," said Congressman Gallagher. "An ounce of prevention is worth a pound of cure, and modernizing IT infrastructure is an important step towards ensuring our country is well-defended in cyberspace across all levels of government. I'm proud to join Representative Langevin in introducing this bipartisan bill."

In alignment with recommendations from the Cyberspace Solarium Commission’s paper “Cybersecurity Lessons from the Pandemic,” the State and Local IT Modernization and Cybersecurity Act would establish a Public Health Emergency Information Technology Grant Program and a Modernizing Information Technology Program. The former would address immediate needs of governments as they deal with unprecedented demand on their IT infrastructure. The latter would allow for the migration of legacy systems to new, secure platforms in line with and state IT modernization strategies reviewed by the Cybersecurity and Infrastructure Security Agency (CISA). The aid made available through this bill is critical as states continue to adapt to working remotely and providing services online while facing significant technical challenges with antiquated systems.

The State and Local IT Modernization and Cybersecurity Act also includes a sustained investment in cybersecurity for states based on Congressman Richmond’s State and Local Cybersecurity Improvement Act (H.R. 5823). Many state platforms are decades old, making defending them from nation-state adversaries like China or Russia next to impossible. However, even when upgraded, states on the front lines of gray zone conflict in cyberspace need federal support to defend their networks against these high-tier threat actors.

“Since I came to Congress, I have worked to ensure the federal government is modernizing its IT to save taxpayer dollars and make government services more efficient. We created the Technology Modernization Fund to update federal agencies’ dated, weak IT systems, but that’s not enough,” said Congressman Hurd, Ranking Member of the House Permanent Select Committee on Intelligence’s Subcommittee on Intelligence Modernization and Readiness. “Today, I’m proud to bring that model to state and local governments. We need to ensure states can also update their systems because we rely on them today, as we work through the virus, and every day. All online infrastructure should be strong regardless of whether it’s for the state, local or federal government. With the State and Local IT Modernization and Cybersecurity Act, we can bring this infrastructure into the 21st century.”

“As a former County Executive, I understand the challenges facing state and local governments as they work to confront cybersecurity threats, especially from global actors like China, Russia, Iran and North Korea. The Covid-19 pandemic has only exacerbated the economic pressures facing our state and local government,” said Congressman Ruppersberger, former Ranking Member of the House Permanent Select Committee on Intelligence. “Federal assistance is needed now more than ever to modernize information technology and security. This bipartisan bill will help ensure the day-to-day operations and services our constituents rely on are available.”

“As more Americans rely on services provided by state and local governments, we are witnessing these entities struggle with fulfilling an influx of requests due to a dependence on an out-of-date IT infrastructure,” said Congressman McCaul, former Chair of the Homeland Security Committee and currently the Republican Leader on the House Foreign Affairs Committee. “Simply put, this increase in demand has strained our networks and technology making them more vulnerable to cyberattacks. By increasing our federal support for IT modernization, our state and local governments will be able to build up their services and capabilities while also simultaneously strengthening their cybersecurity. I am proud to join my colleagues in introducing this legislation that will provide our governments at the state and local level the support they need to modernize their IT infrastructure and security.”

“States and local governments have expressed justifiable fear of cyber-attacks for years,” said Congressman Rose, Chair of the House Homeland Security Committee’s Subcommittee on Intelligence and Counterterrorism. “Now is the time to act and with this bill we will get them the help they need to stay secure. As more and more of us are now using online platforms to work, go to school, see a doctor, and receive critical services from state and local governments like unemployment during the pandemic, it’s more important than ever to ensure that our systems are safe.”

“With the over 600 percent rise of phishing attacks that are related to COVID-19 since March, we need to make sure that state and tribal governments are able to deliver their services in a secure manner,” said Congressman Bacon, a member of the House Armed Services Committee. “This bill will help state and tribal governments modernize their IT infrastructure in accordance with the Cyberspace Solarium Commission’s recommendation.”

In May, Congressmen Langevin, McCaul, Richmond, and Gallagher led a bipartisan letter to Congressional leadership requesting that they consider funds for state and local IT modernization in a future COVID aid package, and laying out four principles for such aid. The State and Local IT Modernization and Cybersecurity Act delivers on these principles, which are:

  • Maximum flexibility for systems eligible to receive funding –Flexibility ensures that federal support can be used to maximum effect by allowing states to prioritize systems that they judge are at highest risk based on the specific threats to, vulnerabilities in, and consequences of a breach of those systems.
  • Certification baselines and security planning requirements – Modernization should prioritize a cloud-first approach using vendors that achieve certification against industry-developed standards.
  • Local needs considered –Any modernization plan should ensure that local governments are able to access a portion of the funding for their needs and that a state will offer shared services to local governments that reflect their needs.
  • Investments for today and for the future –Some portion of funding should be available to meet immediate equipment and license needs while the bulk is available for more substantive projects that will ensure we can withstand this public health crisis and the resultant economic downturn.

“On behalf of the nation’s state chief information officers (CIOs), NASCIO sincerely appreciates the introduction of the bipartisan, State and Local IT Modernization and Cybersecurity Act,” said National Association of State Chief Information Officers Executive Director Doug Robinson. “As states are charged with administering critically important federal programs and benefits, this legislation aims to make significant investments in modernizing state and local IT infrastructure. We also appreciate the sponsors recognition of the vital role of state CIOs and IT agencies, who throughout the ongoing pandemic have continued to experience unprecedented demands to ensure the delivery of timely and critical services to citizens while maintaining and protecting the continuity of government. We look forward to working together with the House and Senate to ensure the passage of the State and Local IT Modernization and Cybersecurity Act."

"It is paramount we ensure the security, reliability and resiliency of our state and municipal IT infrastructure and connected systems," said Rhode Island State Senator Louis DiPalma. "Especially during these unprecedented times of the COVID-19 pandemic, we continue to see an ever-increasing migration to 'cloud-based services,' which have enabled a continuity of operations. I applaud Congressman Langevin, and his team for their leadership and bold initiative as it is needed now more than ever."

The Public Health Emergency Information Technology Modernization Grant Program makes $1,000,000,000 in funding available for states to receive grants based on population, with a small state minimum of $5,000,000. Funds can be used to assist with emergency COVID-19 expenses for information technology services and equipment to help improve the delivery of services and the ability of employees to work from home. Recipients would need to meet federal security standards and requirements and would need to reserve at least 40 percent for subgrants for local government.    

The Modernizing Information Technology Program authorizes $25,000,000,000 for grants to enhance state and local government systems to better provide the digital delivery of government emergency, benefit and entitlement, and administrative services with recipients eligible for a minimum of $100,000,000 over an award period of five years. Recipients would be required to submit a State Information Technology Modernization Plan, match five percent of funds received, and allocate at least 40 percent of funding for subgrants in support of local governments. Additionally, grantees would be required to maintain funding levels for information technology support and modernization of the lesser Fiscal Year 19, or the average of Fiscal Years 17,18, and 19.

Further, the legislation establishes a State and Local Cybersecurity Grant Program to provide assistance for the implementation of a State Cybersecurity Plan or related cybersecurity activities to address risks and threats with approval from the Secretary of Homeland Security and the Director of the CISA. $2,000,000,000 in federal funds would be authorized for Fiscal Years 21-25. To apply, states need to establish a Cybersecurity Planning Committee to assist with the development, implementation, and revision of a cybersecurity plan. The CISA Director would also be tasked with establishing a 15-member State and Local Cybersecurity Resiliency Committee to assist the federal government with local stakeholder expertise, situational awareness, and recommendations to improve the ability of local government to address cybersecurity threats.

Full text of bill.