Appendix 3. Model Civilian Cyber Corps (C3) Law
This Model Civilian Cyber Corps (C3) Law incorporates the key legal provisions from Appendix 2 into statutory language that states can use as a template to draft their own C3 law. The statutory language should be adapted as needed to conform to the legal statutes of a particular state. Brackets ([]) are used in this Model C3 Law to indicate: (1) where information will need to be completed as applicable to each state; and (2) where language might differ depending on whether a C3 is part of a state military defense force or another state department or agency.
Table of Contents
Section 1. Title
Section 2. Definitions
Section 3. Creation of Civilian Cyber Corps and Purpose
Section 4. Relationship with other Entities
Section 5. Recruiting and Qualifications of Volunteers; Relationship with the State
Section 6. Contract with Volunteers
Section 7. Contract with Beneficiaries
Section 8. Volunteer Training
Section 9. Civil Liability
Section 10. Volunteer Deployment
Section 11. Confidential Information
Section 12. Volunteer Expense Reimbursement
Section 13. Volunteer Equipment and Facilities
Section 14. Civilian Cyber Corps Advisory Council
Section 15. Additional Rulemaking Authority
Section 1. Title
This Act shall be known and may be cited as the [State] Civilian Cyber Corps (C3) Law.
Section 2. Definitions
As used in this Act, the following terms shall have these meanings:
- “Civilian Cyber Corps” means the volunteer-based cybersecurity organization established under Section 3.
- “Beneficiary” means any of the following that meet the eligibility criteria established by the [department/Governor] to receive and request assistance from the Civilian Cyber Corps: (1) the state or any local government, or any of their departments, agencies, or political subdivisions, including an institution of higher education; and (2) any business identified by the [department/Governor] as operating critical infrastructure or key resources within the State.
- “Volunteer” means an individual who has entered into a volunteer agreement with the [department/State] to serve as a deployable volunteer in the Civilian Cyber Corps.
Section 3. Creation of Civilian Cyber Corps and Purpose
The [department/Governor] shall establish and maintain a Civilian Cyber Corps capable of being deployed to assist Beneficiaries to improve their resilience to, and ability to recover from, adverse cyber events. The Civilian Cyber Corps shall be known as the [State] Civilian Cyber Corps.
Section 4. Relationship with other Entities
- The Civilian Cyber Corps shall be part of the [department/[State] organized militia under the Adjutant General's Department]. The [department/Adjutant General] shall coordinate the provision of cybersecurity services to be performed by Civilian Cyber Corps Volunteers with other state and federal agencies and departments that may also provide cybersecurity services to Beneficiaries, including by, but not limited to, establishing roles and responsibilities for responding to adverse cybersecurity events.
- Upon request by the governor of another state, the Governor may authorize the [department/Adjutant General], pursuant to a written agreement [or memorandum of understanding] and subject to the laws of this State and the United States, to deploy the Civilian Cyber Corps to assist the other state’s National Guard or civilian cyber corps with matters within the scope of services of the Civilian Cyber Corps. The [department / Adjutant General] shall develop rules for assistance to another state under this Section in consultation with the Advisory Council established under Section 14.
Section 5. Recruiting and Qualifications of Volunteers; Relationship with the State
- The [department/Adjutant General] shall be responsible for recruiting qualified volunteers to participate in the Civilian Cyber Corps. The [department/Adjutant General] shall prescribe eligibility criteria for participation as a volunteer member of the Civilian Cyber Corps, including, as appropriate, requirements to perform specific duties as a volunteer.
- Applicants for membership in the Civilian Cyber Corps shall be subject to an appropriate background check, in accordance with rules adopted by the [department/Adjutant General], before admittance into the Civilian Cyber Corps.
- A volunteer is not an agent, employee, or independent contractor of this State for any purpose and has no authority to obligate this State to a third party. [When called to state active duty by the Governor, Civilian Cyber Corps members shall function as civilian members of the [State] organized militia and shall be paid at the rates established by the Adjutant General.]
Section 6. Contract with Volunteers
The [department/Adjutant General] shall enter into a contract with each volunteer who meets the qualifications established by the [department/Adjutant General] and who the [department/Adjutant General] approves to join the Civilian Cyber Corps. At a minimum, the contract must address the following: consent to the background screening process, confidentiality of information obtained by the volunteer in the course of their service, conflicts of interest that may arise during membership, liability of the state relating to volunteers’ services, and an acknowledgement and an attestation that the volunteer will comply with such rules, policies, and guidelines as the [department/Adjutant General] may issue in order to maintain membership.
Section 7. Contract with Beneficiaries
- The [department/Adjutant General] shall enter into a contract with each Beneficiary that is eligible to receive assistance from the Civilian Cyber Corps and that requests such assistance. At a minimum, the contract must address the following: confidentiality of information obtained from the Beneficiary, liability of the state and of volunteers relating to volunteers’ services, indemnification for claims relating to assistance provided, obligations for data breach and notifications, if applicable, consent to permit volunteers to access the Beneficiary’s information systems and/or facilities as necessary for the purpose of providing the requested assistance, and protections for the Beneficiary’s intellectual property.
- Nothing in this Act prohibits the Beneficiary from entering into a contract with a Volunteer or modifies any pre-existing agreements between a Beneficiary and a Volunteer.
Section 8. Volunteer Training
The [department/Adjutant General] shall provide appropriate training to Civilian Cyber Corps members and shall require each member to participate in at least two (2) training or education events annually.
Section 9. Civil Liability
- A member of the Civilian Cyber Corps shall not be liable for harm caused by an act or omission of the volunteer as set forth in the Volunteer Protection Act of 1997, 42 U.S.C. §§ 14501-14505.
- Except for willful or criminal misconduct, gross negligence, reckless misconduct, or a conscious or flagrant indifference to the rights or safety of the individual harmed, no volunteer acting within the scope of the volunteer’s services shall be liable for economic loss (as defined under 42 U.S.C. § 14505) incurred by a Beneficiary.
- Nothing in this Act shall restrict or limit the obligations or duties of a Beneficiary to make [data breach or other notifications], as applicable, under state or federal law, or as may otherwise be required of the Beneficiary.
Section 10. Volunteer Deployment
- The Governor, or the Governor’s designee, [or executive branch authority] may deploy volunteers in response to a request for assistance or through a standing order permitting the [department/Adjutant General] to establish criteria to determine[, in consultation with the Advisory Council,] when to deploy the Civilian Cyber Corps. The Governor [or executive branch authority] may issue an order to deploy the Civilian Cyber Corps in cases where the [designee/department/Adjutant General] has not done so pursuant to a standing order or other authority.
- A volunteer may only accept a deployment under this Act in writing. A volunteer may decline to accept a deployment for any reason.
Section 11. Confidential Information
- Information written, produced, collected, assembled, or maintained by the [department/Adjutant General], in consultation with the Advisory Council, that relates to the Civilian Cyber Corps’ services provided to Beneficiaries and that is designated and marked by the [department/Adjutant General] as [Highly Confidential] is confidential and is not subject to disclosure under [state freedom of information or access to public records law, or equivalent(s)].
- Information written, produced, collected, assembled, or maintained for, or disclosed to, the [department/Adjutant General] in connection with the deployment of the Civilian Cyber Corps is confidential and shall not be subject to disclosure under [state freedom of information or access to public records law, or equivalent(s)] solely because of the production, collection, assembly, or maintenance or disclosure by a Beneficiary to the [department/Adjutant General] for purposes of evaluating or receiving assistance from the Civilian Cyber Corps.
- Information written, produced, collected, assembled, or maintained by the [department/Adjutant General], a participating entity, the Advisory Council, or a volunteer in the implementation of this subchapter is confidential and not subject to disclosure under the [state freedom of information or access to public records law, or equivalent(s)] if the information:
  - contains the postal address, city or county, email address, or phone number information for a volunteer; or
  - identifies or provides a means of identifying a person who may, as a result of disclosure of the information, become a victim of a cybersecurity event.
Section 12. Volunteer Expense Reimbursement
[The department may provide compensation for actual and necessary expenses incurred for travel and subsistence by Civilian Cyber Corps members on a deployment at the discretion of the department.] / [The Adjutant General shall establish and may revise, in accordance with applicable [State law], the rates of pay for Civilian Cyber Corps members when called to state active duty.]
Section 13. Volunteer Equipment and Facilities
[Each year, the department shall propose a budget and request funds sufficient to operate the Civilian Cyber Corps. The department may also utilize such federal funding as may be available to support the Civilian Cyber Corps. The department shall allocate appropriate equipment and facilities for the operations of the Civilian Cyber Corps.] / [The Governor may requisition from the United States Department of Defense, for the use of the Civilian Cyber Corps, equipment that may be in the possession and can be furnished by the Department, and make available to the Civilian Cyber Corps the facilities of state armories and equipment and other state premises and property that may be available.]
Section 14. Civilian Cyber Corps Advisory Council
- The [department/Adjutant General] shall establish and lead a Civilian Cyber Corps Advisory Council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters concerning the maintenance and operation of the Civilian Cyber Corps.
- The Advisory Council shall be comprised of at least one (1) member of the [department / Adjutant General’s Office]; one (1) member from the public sector; and two (2) members of the private sector.
- The Advisory Council shall review and make non-binding recommendations to the [department/Adjutant General] regarding the policies and procedures used by the [department/Adjutant General] as set forth in this Act and with respect to any additional rules promulgated by the [department/Adjutant General] to implement this Act.]
Section 15. Additional Rulemaking Authority and Guidance
The [department/Adjutant General] shall consult with the Advisory Council to develop and issue additional rules and guidance as needed regarding the operations of the Civilian Cyber Corps, including, but not limited to, the following:
- The experience and qualifications necessary for applicants to become members of the Civilian Cyber Corps.
- Contract terms and conditions to be entered into with Volunteers and Beneficiaries.
- Appropriate training for members of the Civilian Cyber Corps.
- Equipment and facilities to be utilized by the Civilian Cyber Corps.
- Policies and procedures for the operation of the Civilian Cyber Corps.
- Requirements for a Beneficiary to receive assistance from the Civilian Cyber Corps.
- The process for a Beneficiary to request assistance from the Civilian Cyber Corps.
- Fees, if any, to be collected from Beneficiaries receiving incident response assistance, so long as the amount of fees collected does not exceed the [department’s/Adjutant General’s] costs to provide the incident response assistance.
- The provision of assistance to the civilian cyber corps of another state.
- Any additional rules the [department / Adjutant General] considers necessary to implement this Act.
The rules, guidance and contract forms developed by the [department / Adjutant General] shall be made publicly available, except for those designated and marked by the [department / Adjutant General] as [Highly Confidential] pursuant to Section 11 of this Act because their disclosure could diminish the cybersecurity posture of the State, the [department / Adjutant General’s Office], the Civilian Cyber Corps, or Beneficiaries.