S-2665 : Still Just a Bill

State and Local Cyber Protection Act of 2016

This bill amends the Homeland Security Act of 2002 to require the Department of Homeland Security's (DHS's) national cybersecurity and communications integration center (NCCIC) to assist state and local governments with cybersecurity by:

• upon request, identifying system vulnerabilities and information security protections to address unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by, or information systems used or operated by, state or local governments or other organizations or contractors on their behalf;
• providing via a web portal updated resources and guidelines related to information security;
• coordinating through national associations to implement information security tools and policies to ensure the resiliency of state and local information systems;
• providing training on cybersecurity, privacy, and civil liberties;
• providing requested technical assistance to deploy technology that continuously diagnoses and mitigates cyber threats and to conduct threat and vulnerability assessments;
• coordinating vulnerability disclosures under standards developed by the National Institute of Standards and Technology; and
• ensuring that state and local governments are aware of DHS resources and other federal tools to ensure the security and resiliency of federal civilian information systems.

The NCCIC's privacy and civil liberties training must include: (1) reasonable limits on the receipt, retention, use, and disclosure of information associated with specific persons that is not necessary for cybersecurity purposes; (2) data integrity standards requiring the prompt removal and destruction of obsolete or erroneous names and personal information that is unrelated to the risk or incident information; (3) safeguards and confidentiality protections for cyber threat indicators and defensive measures, including information that is proprietary or business-sensitive that may be used to identify specific persons from unauthorized access or acquisition; and (4) methods to ensure that information obtained from efforts to address cybersecurity risks and incidents is used only for such purposes or as specifically authorized by law.