Table of Contents
- Executive Summary
- Background
- Civilian Cyber Corps (C3s) to the Rescue
- Existing Legal Frameworks Governing Civilian Cyber Corps
- Key Issues Presented by Existing C3 Laws
- Conclusion
- Appendix 1. Civilian Cyber Corps Overview
- Appendix 2. Key Legal Provisions for State Civilian Cyber Corps (“C3”) Laws
- Appendix 3. Model Civilian Cyber Corps (C3) Law
Appendix 2. Key Legal Provisions for State Civilian Cyber Corps (“C3”) Laws
The legal provisions below are intended for consideration by states when drafting legislation to establish and govern a volunteer state-led civilian cyber corps (C3s). Each provision listed below includes additional information to explain the importance of the provision and, in some cases, additional considerations that may be relevant. These provisions are intended to be referred to as a checklist in drafting civilian cyber corps legislation, while Appendix 3 incorporates these key legal provisions into a Model C3 Law.1
- Establish the C3 and the authority under which it will operate. For the 18 states and Puerto Rico that have an active state defense force under 32 U.S.C. § 109, the civilian cyber corps can operate under the authority of the state defense force. In other states, the C3s can operate under the relevant department responsible for IT, homeland security, or emergency management. In all cases, the individuals responsible for overseeing the organization should be required to have cybersecurity experience.
- Define the purpose and mission of the C3. The purpose of the C3 should be flexible enough that the C3 can provide services to SMBs, even if SMBs are not routine beneficiaries. In the event of a significant regional or national cybersecurity event, support may be required from volunteers to help mitigate impacts to SMBs that manage critical infrastructure or operate essential services.
- Set up civilian cyber corps contracts. The state must enter into written agreements with volunteers and beneficiaries, which can be separate agreements or a tripartite agreement between the parties.
  - Between volunteers and the state. The C3 statute should require the relevant department to enter into an agreement with each volunteer that addresses certain requirements, such as the scope of volunteer activities, consent to a background check, confidentiality, conflicts of interest, the employment relationship between the parties, reimbursement of expenses, and the conditions of continued membership (e.g., compliance with applicable law and policies).
  - Between beneficiaries and the state. The statute should require the relevant department to enter into agreements with beneficiaries that address the scope of the civilian cyber corps’ services, consent and authorization for volunteers to provide services, confidentiality, a release and waiver of liability, indemnification of the state and of volunteers for damages incurred while providing services within the defined scope of work, and protection of the beneficiaries’ intellectual property.
- Determine volunteer qualifications and recruitment. The needs of a C3, and therefore the qualifications it requires of volunteers, may change over time, so the C3 statute should authorize the responsible department to establish qualifications for civilian cyber corps members. The statute may set out minimum requirements, such as U.S. citizenship or lawful permanent residency, completion of a background check, and agreement to abide by contract terms specified by the state. Given the number of hackers-turned-cybersecurity professionals, a criminal history might not be immediately disqualifying, but instead might require additional vetting or might limit the types of activities in which a volunteer can participate. Further, the C3 statute should provide authority for the creation of rules to address the disclosure of potential conflicts of interest and situations where such a conflict might disqualify a volunteer from certain activities.
- Develop volunteer training. The responsible department should be required to develop appropriate training for volunteers and to ensure each volunteer participates in training at least annually.
- Procure civilian cyber corps equipment and facilities. Providing explicit authority for the civilian cyber corps to procure equipment and facilities, or certain exemptions from existing procurement laws, will help to avoid inadequate procurement processes.
- Plan for deployment of volunteers. The circumstances under which the volunteers can be deployed should be clearly defined but flexible. If the requirements for deployment are too restrictive, the C3 will be underutilized, while if the requirements are too permissive, the C3 could be over-utilized, creating an inability to provide adequate services to all beneficiaries or leading beneficiaries to underinvest in their own cybersecurity programs. Regardless of where the ultimate authority rests, the statute should provide for delegation of that authority to a lower managerial level to determine when to activate the civilian cyber corps, subject to the other program criteria specified.
- Define the relationship of volunteers with the state and beneficiaries. The statute should expressly state the relationship of volunteers with the state and beneficiaries, and it should disclaim any employment, agency, or independent contractor relationship between the volunteer and the state and beneficiaries as a result of participation in the program.
- Establish liability protections.
  - For volunteers. The statute should expressly state that volunteers are authorized by the state to conduct the activities permitted under the statute and are subject to the protections for volunteers under the Volunteer Protection Act of 1997 while acting within the scope of their services and while in compliance with laws, regulations, contracts, and policies governing the C3.
  - For the state. The statute should disclaim liability of the state to beneficiaries for services rendered by a volunteer. It should also disclaim liability of the state to volunteers for injuries or damage to property incurred by a volunteer while performing services.
- Ensure confidentiality. Confidential information disclosed by beneficiaries, including trade secrets, business plans, and cybersecurity plans and practices, should be exempt from disclosure under state freedom of information, access to public records, or equivalent laws. Additionally, volunteers’ personal information should be exempt from state freedom of information or access to public records laws, because the nature of the volunteer work makes it possible that volunteers or their employers could become targets of cyber attacks.
- Determine volunteer compensation. Volunteers may incur necessary expenses, such as mileage or parking fees, in order to provide services to beneficiaries, for example, if volunteers need access to the servers of a beneficiary at a rural facility. The C3 statute should authorize the department to reimburse volunteers for reasonable, actual expenses incurred.
- Address volunteer resignation or refusal to serve. Volunteers should be able to refuse an assignment, and the C3 statute should expressly permit them to do so. However, C3 statutes can include a minimum amount of training or number of assignments that volunteers must complete each year in order to maintain membership. Volunteers should also be able to resign from the program at any time as their personal and professional circumstances change.
- Facilitate collaboration with other entities. C3s will need to collaborate with other state and federal entities responsible for cybersecurity incident response, including police, the National Guard, the FBI, CISA, and others. While various factors might dictate which entity begins or leads a particular engagement, a statute might require that a liaison be designated to facilitate coordination with those other entities.
- [Optional] Create an Advisory Council. It will be beneficial for states to establish an advisory council to support the responsible department in developing operational rules and guidance for the C3, especially where the responsible department has expertise in another domain, like emergency management, IT, or military defense, but not in cybersecurity. Although it will be ideal to have someone with cybersecurity expertise lead the C3, that may not be possible, so an advisory council that includes cybersecurity experts can provide appropriate guidance to the relevant department. An advisory council may not be necessary in all states: some states already have a similar structure that can also provide guidance to the C3, and other states may have sufficient in-house expertise that an advisory council is not required.
- Institute authority for additional rules and guidance. Tactical matters, such as the specific qualifications of volunteers and the equipment to be used, should be left to the discretion of the responsible department. It is important to leave the responsible department flexibility to enact rules and guidance addressing those matters. C3 statutes should also set a requirement to collect and share operational metrics. While evaluation is not currently addressed in many C3 statutes, it should be, and the statute should allow the responsible department to develop detailed requirements for data collection and reporting of metrics.
Citations
- Together with the key contractual legal provisions and the model contract published by the law firm McDermott, Will & Emery, LLP, states have the key parts of a C3 legal framework that can be utilized to make the work of forming a C3 more efficient. See Schreiber et al., Creating a Cyber Volunteer Force, 54–64, source.