[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 1353 Reported in Senate (RS)]
Calendar No. 490
113th CONGRESS
2d Session
S. 1353
To provide for an ongoing, voluntary public-private partnership to
improve cybersecurity, and to strengthen cybersecurity research and
development, workforce development and education, and public awareness
and preparedness, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 24, 2013
Mr. Rockefeller (for himself and Mr. Thune) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
July 24, 2014
Reported by Mr. Rockefeller, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To provide for an ongoing, voluntary public-private partnership to
improve cybersecurity, and to strengthen cybersecurity research and
development, workforce development and education, and public awareness
and preparedness, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>
<DELETED> (a) Short Title.--This Act may be cited as the
``Cybersecurity Act of 2013''.</DELETED>
<DELETED> (b) Table of Contents.--The table of contents of this Act
is as follows:</DELETED>
<DELETED>Sec. 1. Short title; table of contents.
<DELETED>Sec. 2. Definitions.
<DELETED>Sec. 3. No regulatory authority.
<DELETED>TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
<DELETED>Sec. 101. Public-private collaboration on cybersecurity.
<DELETED>TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT
<DELETED>Sec. 201. Federal cybersecurity research and development.
<DELETED>Sec. 202. Computer and network security research centers.
<DELETED>TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT
<DELETED>Sec. 301. Cybersecurity competitions and challenges.
<DELETED>Sec. 302. Federal cyber scholarship-for-service program.
<DELETED>Sec. 303. Study and analysis of education, accreditation,
training, and certification of information
infrastructure and cybersecurity
professionals.
<DELETED>TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS
<DELETED>Sec. 401. National cybersecurity awareness and preparedness
campaign.
<DELETED>SEC. 2. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Cybersecurity mission.--The term
``cybersecurity mission'' means activities that encompass the
full range of threat reduction, vulnerability reduction,
deterrence, international engagement, incident response,
resiliency, and recovery policies and activities, including
computer network operations, information assurance, law
enforcement, diplomacy, military, and intelligence missions as
such activities relate to the security and stability of
cyberspace.</DELETED>
<DELETED> (2) Information infrastructure.--The term
``information infrastructure'' means the underlying framework
that information systems and assets rely on to process,
transmit, receive, or store information electronically,
including programmable electronic devices, communications
networks, and industrial or supervisory control systems and any
associated hardware, software, or data.</DELETED>
<DELETED> (3) Information system.--The term ``information
system'' has the meaning given that term in section 3502 of
title 44, United States Code.</DELETED>
<DELETED>SEC. 3. NO REGULATORY AUTHORITY.</DELETED>
<DELETED> Nothing in this Act shall be construed to confer any
regulatory authority on any Federal, State, tribal, or local department
or agency.</DELETED>
<DELETED>TITLE I--PUBLIC-PRIVATE COLLABORATION ON
CYBERSECURITY</DELETED>
<DELETED>SEC. 101. PUBLIC-PRIVATE COLLABORATION ON
CYBERSECURITY.</DELETED>
<DELETED> (a) Cybersecurity.--Section 2(c) of the National Institute
of Standards and Technology Act (15 U.S.C. 272(c)) is amended--
</DELETED>
<DELETED> (1) by redesignating paragraphs (15) through (22)
as paragraphs (16) through (23), respectively; and</DELETED>
<DELETED> (2) by inserting after paragraph (14) the
following:</DELETED>
<DELETED> ``(15) on an ongoing basis, facilitate and support
the development of a voluntary, industry-led set of standards,
guidelines, best practices, methodologies, procedures, and
processes to reduce cyber risks to critical infrastructure (as
defined under subsection (e));''.</DELETED>
<DELETED> (b) Scope and Limitations.--Section 2 of the National
Institute of Standards and Technology Act (15 U.S.C. 272) is amended by
adding at the end the following:</DELETED>
<DELETED> ``(e) Cyber Risks.--</DELETED>
<DELETED> ``(1) In general.--In carrying out the activities
under subsection (c)(15), the Director--</DELETED>
<DELETED> ``(A) shall--</DELETED>
<DELETED> ``(i) coordinate closely and
continuously with relevant private sector
personnel and entities, critical infrastructure
owners and operators, sector coordinating
councils, Information Sharing and Analysis
Centers, and other relevant industry
organizations, and incorporate industry
expertise;</DELETED>
<DELETED> ``(ii) consult with the heads of
agencies with national security
responsibilities, sector-specific agencies,
State and local governments, the governments of
other nations, and international
organizations;</DELETED>
<DELETED> ``(iii) identify a prioritized,
flexible, repeatable, performance-based, and
cost-effective approach, including information
security measures and controls, that may be
voluntarily adopted by owners and operators of
critical infrastructure to help them identify,
assess, and manage cyber risks;</DELETED>
<DELETED> ``(iv) include methodologies--
</DELETED>
<DELETED> ``(I) to identify and
mitigate impacts of the cybersecurity
measures or controls on business
confidentiality; and</DELETED>
<DELETED> ``(II) to protect
individual privacy and civil
liberties;</DELETED>
<DELETED> ``(v) incorporate voluntary
consensus standards and industry best
practices;</DELETED>
<DELETED> ``(vi) align with voluntary
international standards to the fullest extent
possible;</DELETED>
<DELETED> ``(vii) prevent duplication of
regulatory processes and prevent conflict with
or superseding of regulatory requirements,
mandatory standards, and related processes;
and</DELETED>
<DELETED> ``(viii) include such other
similar and consistent elements as the Director
considers necessary; and</DELETED>
<DELETED> ``(B) shall not prescribe or otherwise
require--</DELETED>
<DELETED> ``(i) the use of specific
solutions;</DELETED>
<DELETED> ``(ii) the use of specific
information or communications technology
products or services; or</DELETED>
<DELETED> ``(iii) that information or
communications technology products or services
be designed, developed, or manufactured in a
particular manner.</DELETED>
<DELETED> ``(2) Limitation.--Information shared with or
provided to the Institute for the purpose of the activities
described under subsection (c)(15) shall not be used by any
Federal, State, tribal, or local department or agency to
regulate the activity of any entity.</DELETED>
<DELETED> ``(3) Definitions.--In this subsection:</DELETED>
<DELETED> ``(A) Critical infrastructure.--The term
`critical infrastructure' has the meaning given the
term in section 1016(e) of the USA PATRIOT Act of 2001
(42 U.S.C. 5195c(e)).</DELETED>
<DELETED> ``(B) Sector-specific agency.--The term
`sector-specific agency' means the Federal department
or agency responsible for providing institutional
knowledge and specialized expertise as well as leading,
facilitating, or supporting the security and resilience
programs and associated activities of its designated
critical infrastructure sector in the all-hazards
environment.''.</DELETED>
<DELETED>TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT</DELETED>
<DELETED>SEC. 201. FEDERAL CYBERSECURITY RESEARCH AND
DEVELOPMENT.</DELETED>
<DELETED> (a) Fundamental Cybersecurity Research.--</DELETED>
<DELETED> (1) In general.--The Director of the Office of
Science and Technology Policy, in coordination with the head of
any relevant Federal agency, shall build upon programs and
plans in effect as of the date of enactment of this Act to
develop a Federal cybersecurity research and development plan
to meet objectives in cybersecurity, such as--</DELETED>
<DELETED> (A) how to design and build complex
software-intensive systems that are secure and reliable
when first deployed;</DELETED>
<DELETED> (B) how to test and verify that software
and hardware, whether developed locally or obtained
from a third party, is free of significant known
security flaws;</DELETED>
<DELETED> (C) how to test and verify that software
and hardware obtained from a third party correctly
implements stated functionality, and only that
functionality;</DELETED>
<DELETED> (D) how to guarantee the privacy of an
individual, including that individual's identity,
information, and lawful transactions when stored in
distributed systems or transmitted over
networks;</DELETED>
<DELETED> (E) how to build new protocols to enable
the Internet to have robust security as one of the key
capabilities of the Internet;</DELETED>
<DELETED> (F) how to determine the origin of a
message transmitted over the Internet;</DELETED>
<DELETED> (G) how to support privacy in conjunction
with improved security;</DELETED>
<DELETED> (H) how to address the growing problem of
insider threats;</DELETED>
<DELETED> (I) how improved consumer education and
digital literacy initiatives can address human factors
that contribute to cybersecurity;</DELETED>
<DELETED> (J) how to protect information processed,
transmitted, or stored using cloud computing or
transmitted through wireless services; and</DELETED>
<DELETED> (K) any additional objectives the Director
of the Office of Science and Technology Policy, in
coordination with the head of any relevant Federal
agency and with input from stakeholders, including
industry and academia, determines
appropriate.</DELETED>
<DELETED> (2) Requirements.--</DELETED>
<DELETED> (A) In general.--The Federal cybersecurity
research and development plan shall identify and
prioritize near-term, mid-term, and long-term research
in computer and information science and engineering to
meet the objectives under paragraph (1), including
research in the areas described in section 4(a)(1) of
the Cyber Security Research and Development Act (15
U.S.C. 7403(a)(1)).</DELETED>
<DELETED> (B) Private sector efforts.--In
developing, implementing, and updating the Federal
cybersecurity research and development plan, the
Director of the Office of Science and Technology Policy
shall work in close cooperation with industry,
academia, and other interested stakeholders to ensure,
to the extent possible, that Federal cybersecurity
research and development is not duplicative of private
sector efforts.</DELETED>
<DELETED> (3) Triennial updates.--</DELETED>
<DELETED> (A) In general.--The Federal cybersecurity
research and development plan shall be updated
triennially.</DELETED>
<DELETED> (B) Report to congress.--The Director of
the Office of Science and Technology Policy shall
submit the plan, not later than 1 year after the date
of enactment of this Act, and each updated plan under
this section to the Committee on Commerce, Science, and
Transportation of the Senate and the Committee on
Science, Space, and Technology of the House of
Representatives.</DELETED>
<DELETED> (b) Cybersecurity Practices Research.--The Director of the
National Science Foundation shall support research that--</DELETED>
<DELETED> (1) develops, evaluates, disseminates, and
integrates new cybersecurity practices and concepts into the
core curriculum of computer science programs and of other
programs where graduates of such programs have a substantial
probability of developing software after graduation, including
new practices and concepts relating to secure coding education
and improvement programs; and</DELETED>
<DELETED> (2) develops new models for professional
development of faculty in cybersecurity education, including
secure coding development.</DELETED>
<DELETED> (c) Cybersecurity Modeling and Test Beds.--</DELETED>
<DELETED> (1) Review.--Not later than 1 year after the date
of enactment of this Act, the Director the National Science
Foundation, in coordination with the Director of the Office of
Science and Technology Policy, shall conduct a review of
cybersecurity test beds in existence on the date of enactment
of this Act to inform the grants under paragraph (2). The
review shall include an assessment of whether a sufficient
number of cybersecurity test beds are available to meet the
research needs under the Federal cybersecurity research and
development plan.</DELETED>
<DELETED> (2) Additional cybersecurity modeling and test
beds.--</DELETED>
<DELETED> (A) In general.--If the Director of the
National Science Foundation, after the review under
paragraph (1), determines that the research needs under
the Federal cybersecurity research and development plan
require the establishment of additional cybersecurity
test beds, the Director of the National Science
Foundation, in coordination with the Secretary of
Commerce and the Secretary of Homeland Security, may
award grants to institutions of higher education or
research and development non-profit institutions to
establish cybersecurity test beds.</DELETED>
<DELETED> (B) Requirement.--The cybersecurity test
beds under subparagraph (A) shall be sufficiently large
in order to model the scale and complexity of real-time
cyber attacks and defenses on real world networks and
environments.</DELETED>
<DELETED> (C) Assessment required.--The Director of
the National Science Foundation, in coordination with
the Secretary of Commerce and the Secretary of Homeland
Security, shall evaluate the effectiveness of any
grants awarded under this subsection in meeting the
objectives of the Federal cybersecurity research and
development plan under subsection (a) no later than 2
years after the review under paragraph (1) of this
subsection, and periodically thereafter.</DELETED>
<DELETED> (d) Coordination With Other Research Initiatives.--In
accordance with the responsibilities under section 101 of the High-
Performance Computing Act of 1991 (15 U.S.C. 5511), the Director the
Office of Science and Technology Policy shall coordinate, to the extent
practicable, Federal research and development activities under this
section with other ongoing research and development security-related
initiatives, including research being conducted by--</DELETED>
<DELETED> (1) the National Science Foundation;</DELETED>
<DELETED> (2) the National Institute of Standards and
Technology;</DELETED>
<DELETED> (3) the Department of Homeland Security;</DELETED>
<DELETED> (4) other Federal agencies;</DELETED>
<DELETED> (5) other Federal and private research
laboratories, research entities, and universities;</DELETED>
<DELETED> (6) institutions of higher education;</DELETED>
<DELETED> (7) relevant nonprofit organizations;
and</DELETED>
<DELETED> (8) international partners of the United
States.</DELETED>
<DELETED> (e) National Science Foundation Computer and Network
Security Research Grant Areas.--Section 4(a)(1) of the Cyber Security
Research and Development Act (15 U.S.C. 7403(a)(1)) is amended--
</DELETED>
<DELETED> (1) in subparagraph (H), by striking ``and'' at
the end;</DELETED>
<DELETED> (2) in subparagraph (I), by striking the period at
the end and inserting a semicolon; and</DELETED>
<DELETED> (3) by adding at the end the following:</DELETED>
<DELETED> ``(J) secure fundamental protocols that
are integral to inter-network communications and data
exchange;</DELETED>
<DELETED> ``(K) secure software engineering and
software assurance, including--</DELETED>
<DELETED> ``(i) programming languages and
systems that include fundamental security
features;</DELETED>
<DELETED> ``(ii) portable or reusable code
that remains secure when deployed in various
environments;</DELETED>
<DELETED> ``(iii) verification and
validation technologies to ensure that
requirements and specifications have been
implemented; and</DELETED>
<DELETED> ``(iv) models for comparison and
metrics to assure that required standards have
been met;</DELETED>
<DELETED> ``(L) holistic system security that--
</DELETED>
<DELETED> ``(i) addresses the building of
secure systems from trusted and untrusted
components;</DELETED>
<DELETED> ``(ii) proactively reduces
vulnerabilities;</DELETED>
<DELETED> ``(iii) addresses insider threats;
and</DELETED>
<DELETED> ``(iv) supports privacy in
conjunction with improved security;</DELETED>
<DELETED> ``(M) monitoring and detection;</DELETED>
<DELETED> ``(N) mitigation and rapid recovery
methods;</DELETED>
<DELETED> ``(O) security of wireless networks and
mobile devices; and</DELETED>
<DELETED> ``(P) security of cloud infrastructure and
services.''.</DELETED>
<DELETED> (f) Research on the Science of Cybersecurity.--The head of
each agency and department identified under section 101(a)(3)(B) of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)(B)),
through existing programs and activities, shall support research that
will lead to the development of a scientific foundation for the field
of cybersecurity, including research that increases understanding of
the underlying principles of securing complex networked systems,
enables repeatable experimentation, and creates quantifiable security
metrics.</DELETED>
<DELETED>SEC. 202. COMPUTER AND NETWORK SECURITY RESEARCH
CENTERS.</DELETED>
<DELETED> Section 4(b) of the Cyber Security Research and
Development Act (15 U.S.C. 7403(b)) is amended--</DELETED>
<DELETED> (1) by striking ``the center'' in paragraph (4)(D)
and inserting ``the Center''; and</DELETED>
<DELETED> (2) in paragraph (5)--</DELETED>
<DELETED> (A) by striking ``and'' at the end of
subparagraph (C);</DELETED>
<DELETED> (B) by striking the period at the end of
subparagraph (D) and inserting a semicolon;
and</DELETED>
<DELETED> (C) by adding at the end the
following:</DELETED>
<DELETED> ``(E) the demonstrated capability of the
applicant to conduct high performance computation
integral to complex computer and network security
research, through on-site or off-site
computing;</DELETED>
<DELETED> ``(F) the applicant's affiliation with
private sector entities involved with industrial
research described in subsection (a)(1);</DELETED>
<DELETED> ``(G) the capability of the applicant to
conduct research in a secure environment;</DELETED>
<DELETED> ``(H) the applicant's affiliation with
existing research programs of the Federal
Government;</DELETED>
<DELETED> ``(I) the applicant's experience managing
public-private partnerships to transition new
technologies into a commercial setting or the
government user community; and</DELETED>
<DELETED> ``(J) the capability of the applicant to
conduct interdisciplinary cybersecurity research, such
as in law, economics, or behavioral
sciences.''.</DELETED>
<DELETED>TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT</DELETED>
<DELETED>SEC. 301. CYBERSECURITY COMPETITIONS AND CHALLENGES.</DELETED>
<DELETED> (a) In General.--The Secretary of Commerce, Director of
the National Science Foundation, and Secretary of Homeland Security
shall--</DELETED>
<DELETED> (1) support competitions and challenges under
section 105 of the America COMPETES Reauthorization Act of 2010
(124 Stat. 3989) or any other provision of law, as
appropriate--</DELETED>
<DELETED> (A) to identify, develop, and recruit
talented individuals to perform duties relating to the
security of information infrastructure in Federal,
State, and local government agencies, and the private
sector; or</DELETED>
<DELETED> (B) to stimulate innovation in basic and
applied cybersecurity research, technology development,
and prototype demonstration that has the potential for
application to the information technology activities of
the Federal Government; and</DELETED>
<DELETED> (2) ensure the effective operation of the
competitions and challenges under this section.</DELETED>
<DELETED> (b) Participation.--Participants in the competitions and
challenges under subsection (a)(1) may include--</DELETED>
<DELETED> (1) students enrolled in grades 9 through
12;</DELETED>
<DELETED> (2) students enrolled in a postsecondary program
of study leading to a baccalaureate degree at an institution of
higher education;</DELETED>
<DELETED> (3) students enrolled in a postbaccalaureate
program of study at an institution of higher
education;</DELETED>
<DELETED> (4) institutions of higher education and research
institutions;</DELETED>
<DELETED> (5) veterans; and</DELETED>
<DELETED> (6) other groups or individuals that the Secretary
of Commerce, Director of the National Science Foundation, and
Secretary of Homeland Security determine appropriate.</DELETED>
<DELETED> (c) Affiliation and Cooperative Agreements.--Competitions
and challenges under this section may be carried out through
affiliation and cooperative agreements with--</DELETED>
<DELETED> (1) Federal agencies;</DELETED>
<DELETED> (2) regional, State, or school programs supporting
the development of cyber professionals;</DELETED>
<DELETED> (3) State, local, and tribal governments;
or</DELETED>
<DELETED> (4) other private sector organizations.</DELETED>
<DELETED> (d) Areas of Skill.--Competitions and challenges under
subsection (a)(1)(A) shall be designed to identify, develop, and
recruit exceptional talent relating to--</DELETED>
<DELETED> (1) ethical hacking;</DELETED>
<DELETED> (2) penetration testing;</DELETED>
<DELETED> (3) vulnerability assessment;</DELETED>
<DELETED> (4) continuity of system operations;</DELETED>
<DELETED> (5) security in design;</DELETED>
<DELETED> (6) cyber forensics;</DELETED>
<DELETED> (7) offensive and defensive cyber operations;
and</DELETED>
<DELETED> (8) other areas the Secretary of Commerce,
Director of the National Science Foundation, and Secretary of
Homeland Security consider necessary to fulfill the
cybersecurity mission.</DELETED>
<DELETED> (e) Topics.--In selecting topics for competitions and
challenges under subsection (a)(1), the Secretary of Commerce, Director
of the National Science Foundation, and Secretary of Homeland
Security--</DELETED>
<DELETED> (1) shall consult widely both within and outside
the Federal Government; and</DELETED>
<DELETED> (2) may empanel advisory committees.</DELETED>
<DELETED> (f) Internships.--The Director of the Office of Personnel
Management may support, as appropriate, internships or other work
experience in the Federal Government to the winners of the competitions
and challenges under this section.</DELETED>
<DELETED>SEC. 302. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE
PROGRAM.</DELETED>
<DELETED> (a) In General.--The Director of the National Science
Foundation, in coordination with the Director of the Office of
Personnel Management and Secretary of Homeland Security, shall continue
a Federal Cyber Scholarship-for-Service program to recruit and train
the next generation of information technology professionals, industrial
control system security professionals, and security managers to meet
the needs of the cybersecurity mission for Federal, State, local, and
tribal governments.</DELETED>
<DELETED> (b) Program Description and Components.--The Federal Cyber
Scholarship-for-Service program shall--</DELETED>
<DELETED> (1) provide scholarships to students who are
enrolled in programs of study at institutions of higher
education leading to degrees or specialized program
certifications in the cybersecurity field;</DELETED>
<DELETED> (2) provide the scholarship recipients with summer
internship opportunities or other meaningful temporary
appointments in the Federal information technology workforce;
and</DELETED>
<DELETED> (3) provide a procedure by which the National
Science Foundation or a Federal agency, consistent with
regulations of the Office of Personnel Management, may request
and fund security clearances for scholarship recipients,
including providing for clearances during internships or other
temporary appointments and after receipt of their
degrees.</DELETED>
<DELETED> (c) Scholarship Amounts.--Each scholarship under
subsection (b) shall be in an amount that covers the student's tuition
and fees at the institution under subsection (b)(1) and provides the
student with an additional stipend.</DELETED>
<DELETED> (d) Scholarship Conditions.--Each scholarship recipient,
as a condition of receiving a scholarship under the program, shall
enter into an agreement under which the recipient agrees to work in the
cybersecurity mission of a Federal, State, local, or tribal agency for
a period equal to the length of the scholarship following receipt of
the student's degree.</DELETED>
<DELETED> (e) Hiring Authority.--</DELETED>
<DELETED> (1) Appointment in excepted service.--
Notwithstanding any provision of chapter 33 of title 5, United
States Code, governing appointments in the competitive service,
an agency shall appoint in the excepted service an individual
who has completed the academic program for which a scholarship
was awarded.</DELETED>
<DELETED> (2) Noncompetitive conversion.--Except as provided
in paragraph (4), upon fulfillment of the service term, an
employee appointed under paragraph (1) may be converted
noncompetitively to term, career-conditional or career
appointment.</DELETED>
<DELETED> (3) Timing of conversion.--An agency may
noncompetitively convert a term employee appointed under
paragraph (2) to a career-conditional or career appointment
before the term appointment expires.</DELETED>
<DELETED> (4) Authority to decline conversion.--An agency
may decline to make the noncompetitive conversion or
appointment under paragraph (2) for cause.</DELETED>
<DELETED> (f) Eligibility.--To be eligible to receive a scholarship
under this section, an individual shall--</DELETED>
<DELETED> (1) be a citizen or lawful permanent resident of
the United States;</DELETED>
<DELETED> (2) demonstrate a commitment to a career in
improving the security of information infrastructure;
and</DELETED>
<DELETED> (3) have demonstrated a high level of proficiency
in mathematics, engineering, or computer sciences.</DELETED>
<DELETED> (g) Repayment.--If a scholarship recipient does not meet
the terms of the program under this section, the recipient shall refund
the scholarship payments in accordance with rules established by the
Director of the National Science Foundation, in coordination with the
Director of the Office of Personnel Management and Secretary of
Homeland Security.</DELETED>
<DELETED> (h) Evaluation and Report.--The Director of the National
Science Foundation shall evaluate and report periodically to Congress
on the success of recruiting individuals for scholarships under this
section and on hiring and retaining those individuals in the public
sector workforce.</DELETED>
<DELETED>SEC. 303. STUDY AND ANALYSIS OF EDUCATION, ACCREDITATION,
TRAINING, AND CERTIFICATION OF INFORMATION INFRASTRUCTURE
AND CYBERSECURITY PROFESSIONALS.</DELETED>
<DELETED> (a) Study.--The Director of the National Science
Foundation and the Secretary of Homeland Security shall undertake to
enter into appropriate arrangements with the National Academy of
Sciences to conduct a comprehensive study of government, academic, and
private-sector education, accreditation, training, and certification
programs for the development of professionals in information
infrastructure and cybersecurity. The agreement shall require the
National Academy of Sciences to consult with sector coordinating
councils and relevant governmental agencies, regulatory entities, and
nongovernmental organizations in the course of the study.</DELETED>
<DELETED> (b) Scope.--The study shall include--</DELETED>
<DELETED> (1) an evaluation of the body of knowledge and
various skills that specific categories of professionals in
information infrastructure and cybersecurity should possess in
order to secure information systems;</DELETED>
<DELETED> (2) an assessment of whether existing government,
academic, and private-sector education, accreditation,
training, and certification programs provide the body of
knowledge and various skills described in paragraph
(1);</DELETED>
<DELETED> (3) an evaluation of--</DELETED>
<DELETED> (A) the state of cybersecurity education
at institutions of higher education in the United
States;</DELETED>
<DELETED> (B) the extent of professional development
opportunities for faculty in cybersecurity principles
and practices;</DELETED>
<DELETED> (C) the extent of the partnerships and
collaborative cybersecurity curriculum development
activities that leverage industry and government needs,
resources, and tools;</DELETED>
<DELETED> (D) the proposed metrics to assess
progress toward improving cybersecurity education;
and</DELETED>
<DELETED> (E) the descriptions of the content of
cybersecurity courses in undergraduate computer science
curriculum;</DELETED>
<DELETED> (4) an analysis of any barriers to the Federal
Government recruiting and hiring cybersecurity talent,
including barriers relating to compensation, the hiring
process, job classification, and hiring flexibility;
and</DELETED>
<DELETED> (5) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and expertise
sought by the Federal Government and the private sector, an
examination of the current and future capacity of United States
institutions of higher education, including community colleges,
to provide current and future cybersecurity professionals,
through education and training activities, with those skills
sought by the Federal Government, State and local entities, and
the private sector.</DELETED>
<DELETED> (c) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academy of Sciences shall submit to
the President and Congress a report on the results of the study. The
report shall include--</DELETED>
<DELETED> (1) findings regarding the state of information
infrastructure and cybersecurity education, accreditation,
training, and certification programs, including specific areas
of deficiency and demonstrable progress; and</DELETED>
<DELETED> (2) recommendations for further research and the
improvement of information infrastructure and cybersecurity
education, accreditation, training, and certification
programs.</DELETED>
<DELETED>TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS</DELETED>
<DELETED>SEC. 401. NATIONAL CYBERSECURITY AWARENESS AND PREPAREDNESS
CAMPAIGN.</DELETED>
<DELETED> (a) National Cybersecurity Awareness and Preparedness
Campaign.--The Director of the National Institute of Standards and
Technology (referred to in this section as the ``Director''), in
consultation with appropriate Federal agencies, shall continue to
coordinate a national cybersecurity awareness and preparedness
campaign, such as--</DELETED>
<DELETED> (1) a campaign to increase public awareness of
cybersecurity, cyber safety, and cyber ethics, including the
use of the Internet, social media, entertainment, and other
media to reach the public;</DELETED>
<DELETED> (2) a campaign to increase the understanding of
State and local governments and private sector entities of--
</DELETED>
<DELETED> (A) the benefits of ensuring effective
risk management of the information infrastructure
versus the costs of failure to do so; and</DELETED>
<DELETED> (B) the methods to mitigate and remediate
vulnerabilities;</DELETED>
<DELETED> (3) support for formal cybersecurity education
programs at all education levels to prepare skilled
cybersecurity and computer science workers for the private
sector and Federal, State, and local government; and</DELETED>
<DELETED> (4) initiatives to evaluate and forecast future
cybersecurity workforce needs of the Federal government and
develop strategies for recruitment, training, and
retention.</DELETED>
<DELETED> (b) Considerations.--In carrying out the authority
described in subsection (a), the Director, in consultation with
appropriate Federal agencies, shall leverage existing programs designed
to inform the public of safety and security of products or services,
including self-certifications and independently verified assessments
regarding the quantification and valuation of information security
risk.</DELETED>
<DELETED> (c) Strategic Plan.--The Director, in cooperation with
relevant Federal agencies and other stakeholders, shall build upon
programs and plans in effect as of the date of enactment of this Act to
develop and implement a strategic plan to guide Federal programs and
activities in support of the national cybersecurity awareness and
preparedness campaign under subsection (a).</DELETED>
<DELETED> (d) Report.--Not later than 1 year after the date of
enactment of this Act, and every 5 years thereafter, the Director shall
transmit the strategic plan under subsection (c) to the Committee on
Commerce, Science, and Transportation of the Senate and the Committee
on Science, Space, and Technology of the House of
Representatives.</DELETED>
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Cybersecurity Act
of 2013''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. No regulatory authority.
TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
Sec. 101. Public-private collaboration on cybersecurity.
TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 201. Federal cybersecurity research and development.
Sec. 202. Computer and network security research centers.
TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT
Sec. 301. Cybersecurity competitions and challenges.
Sec. 302. Federal cyber scholarship-for-service program.
Sec. 303. Study and analysis of education, accreditation, training, and
certification of information infrastructure
and cybersecurity professionals.
TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS
Sec. 401. National cybersecurity awareness and preparedness campaign.
SEC. 2. DEFINITIONS.
In this Act:
(1) Cybersecurity mission.--The term ``cybersecurity
mission'' means activities that encompass the full range of
threat reduction, vulnerability reduction, deterrence,
international engagement, incident response, resiliency, and
recovery policies and activities, including computer network
operations, information assurance, law enforcement, diplomacy,
military, and intelligence missions as such activities relate
to the security and stability of cyberspace.
(2) Information infrastructure.--The term ``information
infrastructure'' means the underlying framework that
information systems and assets rely on to process, transmit,
receive, or store information electronically, including
programmable electronic devices, communications networks, and
industrial or supervisory control systems and any associated
hardware, software, or data.
(3) Information system.--The term ``information system''
has the meaning given that term in section 3502 of title 44,
United States Code.
SEC. 3. NO REGULATORY AUTHORITY.
Nothing in this Act shall be construed to confer any regulatory
authority on any Federal, State, tribal, or local department or agency.
TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
SEC. 101. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.
(a) Cybersecurity.--Section 2(c) of the National Institute of
Standards and Technology Act (15 U.S.C. 272(c)) is amended--
(1) by redesignating paragraphs (15) through (22) as
paragraphs (16) through (23), respectively; and
(2) by inserting after paragraph (14) the following:
``(15) on an ongoing basis, facilitate and support the
development of a voluntary, industry-led set of standards,
guidelines, best practices, methodologies, procedures, and
processes to reduce cyber risks to critical infrastructure (as
defined under subsection (e));''.
(b) Scope and Limitations.--Section 2 of the National Institute of
Standards and Technology Act (15 U.S.C. 272) is amended by adding at
the end the following:
``(e) Cyber Risks.--
``(1) In general.--In carrying out the activities under
subsection (c)(15), the Director--
``(A) shall--
``(i) coordinate closely and continuously
with relevant private sector personnel and
entities, critical infrastructure owners and
operators, sector coordinating councils,
Information Sharing and Analysis Centers, and
other relevant industry organizations, and
incorporate industry expertise;
``(ii) consult with the heads of agencies
with national security responsibilities,
sector-specific agencies, State and local
governments, the governments of other nations,
and international organizations;
``(iii) identify a prioritized, flexible,
repeatable, performance-based, and cost-
effective approach, including information
security measures and controls, that may be
voluntarily adopted by owners and operators of
critical infrastructure to help them identify,
assess, and manage cyber risks;
``(iv) include methodologies--
``(I) to identify and mitigate
impacts of the cybersecurity measures
or controls on business
confidentiality; and
``(II) to protect individual
privacy and civil liberties;
``(v) incorporate voluntary consensus
standards and industry best practices;
``(vi) align with voluntary international
standards to the fullest extent possible;
``(vii) prevent duplication of regulatory
processes and prevent conflict with or
superseding of regulatory requirements,
mandatory standards, and related processes; and
``(viii) include such other similar and
consistent elements as the Director considers
necessary; and
``(B) shall not prescribe or otherwise require--
``(i) the use of specific solutions;
``(ii) the use of specific information or
communications technology products or services;
or
``(iii) that information or communications
technology products or services be designed,
developed, or manufactured in a particular
manner.
``(2) Limitation.--Information shared with or provided to
the Institute for the purpose of the activities described under
subsection (c)(15) shall not be used by any Federal, State,
tribal, or local department or agency to regulate the activity
of any entity.
``(3) Definitions.--In this subsection:
``(A) Critical infrastructure.--The term `critical
infrastructure' has the meaning given the term in
section 1016(e) of the USA PATRIOT Act of 2001 (42
U.S.C. 5195c(e)).
``(B) Sector-specific agency.--The term `sector-
specific agency' means the Federal department or agency
responsible for providing institutional knowledge and
specialized expertise as well as leading, facilitating,
or supporting the security and resilience programs and
associated activities of its designated critical
infrastructure sector in the all-hazards
environment.''.
(c) Study and Report.--
(1) Study.--The Comptroller General of the United States
shall conduct a study that assesses--
(A) the progress made by the Director of the
National Institute of Standards and Technology in
facilitating the development of standards and
procedures to reduce cyber risks to critical
infrastructure in accordance with section 2(c)(15) of
the National Institute of Standards and Technology Act,
as added by this section;
(B) the extent to which the Director's facilitation
efforts are consistent with the directive in such
section that the development of such standards and
procedures be voluntary and led by industry
representatives;
(C) the extent to which sectors of critical
infrastructure (as defined in section 1016(e) of the
USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e))) have
adopted a voluntary, industry-led set of standards,
guidelines, best practices, methodologies, procedures,
and processes to reduce cyber risks to critical
infrastructure in accordance with such section
2(c)(15);
(D) the reasons behind the decisions of sectors of
critical infrastructure (as defined in subparagraph
(C)) to adopt or to not adopt the voluntary standards
described in subparagraph (C); and
(E) the extent to which such voluntary standards
have proved successful in protecting critical
infrastructure from cyber threats.
(2) Reports.--Not later than 1 year after the date of the
enactment of this Act, and every 2 years thereafter for the
following 6 years, the Comptroller General shall submit a
report, which summarizes the findings of the study conducted
under paragraph (1), to--
(A) the Committee on Commerce, Science, and
Transportation of the Senate;
(B) the Committee on Energy and Commerce of the
House of Representatives; and
(C) the Committee on Science, Space, and Technology
of the House of Representatives.
TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT
SEC. 201. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) Fundamental Cybersecurity Research.--
(1) In general.--The Director of the Office of Science and
Technology Policy, in coordination with the head of any
relevant Federal agency, shall build upon programs and plans in
effect as of the date of enactment of this Act to develop a
Federal cybersecurity research and development plan to meet
objectives in cybersecurity, such as--
(A) how to design and build complex software-
intensive systems that are secure and reliable when
first deployed;
(B) how to test and verify that software and
hardware, whether developed locally or obtained from a
third party, is free of significant known security
flaws;
(C) how to test and verify that software and
hardware obtained from a third party correctly
implements stated functionality, and only that
functionality;
(D) how to guarantee the privacy of an individual,
including that individual's identity, information, and
lawful transactions when stored in distributed systems
or transmitted over networks;
(E) how to build new protocols to enable the
Internet to have robust security as one of the key
capabilities of the Internet;
(F) how to determine the origin of a message
transmitted over the Internet;
(G) how to support privacy in conjunction with
improved security;
(H) how to address the growing problem of insider
threats;
(I) how improved consumer education and digital
literacy initiatives can address human factors that
contribute to cybersecurity;
(J) how to protect information processed,
transmitted, or stored using cloud computing or
transmitted through wireless services; and
(K) any additional objectives the Director of the
Office of Science and Technology Policy, in
coordination with the head of any relevant Federal
agency and with input from stakeholders, including
appropriate national laboratories, industry, and
academia, determines appropriate.
(2) Requirements.--
(A) In general.--The Federal cybersecurity research
and development plan shall identify and prioritize
near-term, mid-term, and long-term research in computer
and information science and engineering to meet the
objectives under paragraph (1), including research in
the areas described in section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C.
7403(a)(1)).
(B) Private sector efforts.--In developing,
implementing, and updating the Federal cybersecurity
research and development plan, the Director of the
Office of Science and Technology Policy shall work in
close cooperation with industry, academia, and other
interested stakeholders to ensure, to the extent
possible, that Federal cybersecurity research and
development is not duplicative of private sector
efforts.
(3) Triennial updates.--
(A) In general.--The Federal cybersecurity research
and development plan shall be updated triennially.
(B) Report to congress.--The Director of the Office
of Science and Technology Policy shall submit the plan,
not later than 1 year after the date of enactment of
this Act, and each updated plan under this section to
the Committee on Commerce, Science, and Transportation
of the Senate and the Committee on Science, Space, and
Technology of the House of Representatives.
(b) Cybersecurity Practices Research.--The Director of the National
Science Foundation shall support research that--
(1) develops, evaluates, disseminates, and integrates new
cybersecurity practices and concepts into the core curriculum
of computer science programs and of other programs where
graduates of such programs have a substantial probability of
developing software after graduation, including new practices
and concepts relating to secure coding education and
improvement programs; and
(2) develops new models for professional development of
faculty in cybersecurity education, including secure coding
development.
(c) Cybersecurity Modeling and Test Beds.--
(1) Review.--Not later than 1 year after the date of
enactment of this Act, the Director the National Science
Foundation, in coordination with the Director of the Office of
Science and Technology Policy, shall conduct a review of
cybersecurity test beds in existence on the date of enactment
of this Act to inform the grants under paragraph (2). The
review shall include an assessment of whether a sufficient
number of cybersecurity test beds are available to meet the
research needs under the Federal cybersecurity research and
development plan.
(2) Additional cybersecurity modeling and test beds.--
(A) In general.--If the Director of the National
Science Foundation, after the review under paragraph
(1), determines that the research needs under the
Federal cybersecurity research and development plan
require the establishment of additional cybersecurity
test beds, the Director of the National Science
Foundation, in coordination with the Secretary of
Commerce and the Secretary of Homeland Security, may
award grants to institutions of higher education or
research and development non-profit institutions to
establish cybersecurity test beds.
(B) Requirement.--The cybersecurity test beds under
subparagraph (A) shall be sufficiently large in order
to model the scale and complexity of real-time cyber
attacks and defenses on real world networks and
environments.
(C) Assessment required.--The Director of the
National Science Foundation, in coordination with the
Secretary of Commerce and the Secretary of Homeland
Security, shall evaluate the effectiveness of any
grants awarded under this subsection in meeting the
objectives of the Federal cybersecurity research and
development plan under subsection (a) no later than 2
years after the review under paragraph (1) of this
subsection, and periodically thereafter.
(d) Coordination With Other Research Initiatives.--In accordance
with the responsibilities under section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511), the Director the Office of
Science and Technology Policy shall coordinate, to the extent
practicable, Federal research and development activities under this
section with other ongoing research and development security-related
initiatives, including research being conducted by--
(1) the National Science Foundation;
(2) the National Institute of Standards and Technology;
(3) the Department of Homeland Security;
(4) other Federal agencies;
(5) other Federal and private research laboratories,
research entities, and universities;
(6) institutions of higher education;
(7) relevant nonprofit organizations; and
(8) international partners of the United States.
(e) National Science Foundation Computer and Network Security
Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research
and Development Act (15 U.S.C. 7403(a)(1)) is amended--
(1) in subparagraph (H), by striking ``and'' at the end;
(2) in subparagraph (I), by striking the period at the end
and inserting a semicolon; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are
integral to inter-network communications and data
exchange;
``(K) secure software engineering and software
assurance, including--
``(i) programming languages and systems
that include fundamental security features;
``(ii) portable or reusable code that
remains secure when deployed in various
environments;
``(iii) verification and validation
technologies to ensure that requirements and
specifications have been implemented; and
``(iv) models for comparison and metrics to
assure that required standards have been met;
``(L) holistic system security that--
``(i) addresses the building of secure
systems from trusted and untrusted components;
``(ii) proactively reduces vulnerabilities;
``(iii) addresses insider threats; and
``(iv) supports privacy in conjunction with
improved security;
``(M) monitoring and detection;
``(N) mitigation and rapid recovery methods;
``(O) security of wireless networks and mobile
devices; and
``(P) security of cloud infrastructure and
services.''.
(f) Research on the Science of Cybersecurity.--The head of each
agency and department identified under section 101(a)(3)(B) of the
High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)(B)),
through existing programs and activities, shall support research that
will lead to the development of a scientific foundation for the field
of cybersecurity, including research that increases understanding of
the underlying principles of securing complex networked systems,
enables repeatable experimentation, and creates quantifiable security
metrics.
SEC. 202. COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.
Section 4(b) of the Cyber Security Research and Development Act (15
U.S.C. 7403(b)) is amended--
(1) in paragraph (3), by striking ``the research areas''
and inserting the following: ``improving the security and
resiliency of information infrastructure, reducing cyber
vulnerabilities, and anticipating and mitigating consequences
of cyber attacks on critical infrastructure, by conducting
research in the areas'';
(2) by striking ``the center'' in paragraph (4)(D) and
inserting ``the Center''; and
(3) in paragraph (5)--
(A) by striking ``and'' at the end of subparagraph
(C);
(B) by striking the period at the end of
subparagraph (D) and inserting a semicolon; and
(C) by adding at the end the following:
``(E) the demonstrated capability of the applicant
to conduct high performance computation integral to
complex computer and network security research, through
on-site or off-site computing;
``(F) the applicant's affiliation with private
sector entities involved with industrial research
described in subsection (a)(1);
``(G) the capability of the applicant to conduct
research in a secure environment;
``(H) the applicant's affiliation with existing
research programs of the Federal Government;
``(I) the applicant's experience managing public-
private partnerships to transition new technologies
into a commercial setting or the government user
community;
``(J) the capability of the applicant to conduct
interdisciplinary cybersecurity research, basic and
applied, such as in law, economics, or behavioral
sciences; and
``(K) the capability of the applicant to conduct
research in areas such as systems security, wireless
security, networking and protocols, formal methods and
high-performance computing, nanotechnology, or
industrial control systems.''.
TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT
SEC. 301. CYBERSECURITY COMPETITIONS AND CHALLENGES.
(a) In General.--The Secretary of Commerce, Director of the
National Science Foundation, and Secretary of Homeland Security, in
consultation with the Director of the Office of Personnel Management,
shall--
(1) support competitions and challenges under section 105
of the America COMPETES Reauthorization Act of 2010 (124 Stat.
3989) or any other provision of law, as appropriate--
(A) to identify, develop, and recruit talented
individuals to perform duties relating to the security
of information infrastructure in Federal, State, and
local government agencies, and the private sector; or
(B) to stimulate innovation in basic and applied
cybersecurity research, technology development, and
prototype demonstration that has the potential for
application to the information technology activities of
the Federal Government; and
(2) ensure the effective operation of the competitions and
challenges under this section.
(b) Participation.--Participants in the competitions and challenges
under subsection (a)(1) may include--
(1) students enrolled in grades 9 through 12;
(2) students enrolled in a postsecondary program of study
leading to a baccalaureate degree at an institution of higher
education;
(3) students enrolled in a postbaccalaureate program of
study at an institution of higher education;
(4) institutions of higher education and research
institutions;
(5) veterans; and
(6) other groups or individuals that the Secretary of
Commerce, Director of the National Science Foundation, and
Secretary of Homeland Security determine appropriate.
(c) Affiliation and Cooperative Agreements.--Competitions and
challenges under this section may be carried out through affiliation
and cooperative agreements with--
(1) Federal agencies;
(2) regional, State, or school programs supporting the
development of cyber professionals;
(3) State, local, and tribal governments; or
(4) other private sector organizations.
(d) Areas of Skill.--Competitions and challenges under subsection
(a)(1)(A) shall be designed to identify, develop, and recruit
exceptional talent relating to--
(1) ethical hacking;
(2) penetration testing;
(3) vulnerability assessment;
(4) continuity of system operations;
(5) security in design;
(6) cyber forensics;
(7) offensive and defensive cyber operations; and
(8) other areas the Secretary of Commerce, Director of the
National Science Foundation, and Secretary of Homeland Security
consider necessary to fulfill the cybersecurity mission.
(e) Topics.--In selecting topics for competitions and challenges
under subsection (a)(1), the Secretary of Commerce, Director of the
National Science Foundation, and Secretary of Homeland Security--
(1) shall consult widely both within and outside the
Federal Government; and
(2) may empanel advisory committees.
(f) Internships.--The Director of the Office of Personnel
Management may support, as appropriate, internships or other work
experience in the Federal Government to the winners of the competitions
and challenges under this section.
SEC. 302. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science Foundation,
in coordination with the Director of the Office of Personnel Management
and Secretary of Homeland Security, shall continue a Federal Cyber
Scholarship-for-Service program to recruit and train the next
generation of information technology professionals, industrial control
system security professionals, and security managers to meet the needs
of the cybersecurity mission for Federal, State, local, and tribal
governments.
(b) Program Description and Components.--The Federal Cyber
Scholarship-for-Service program shall--
(1) provide scholarships to students who are enrolled in
programs of study at institutions of higher education leading
to degrees or specialized program certifications in the
cybersecurity field;
(2) provide the scholarship recipients with summer
internship opportunities or other meaningful temporary
appointments in the Federal information technology workforce;
and
(3) provide a procedure by which the National Science
Foundation or a Federal agency, consistent with regulations of
the Office of Personnel Management, may request and fund
security clearances for scholarship recipients, including
providing for clearances during internships or other temporary
appointments and after receipt of their degrees.
(c) Scholarship Amounts.--Each scholarship under subsection (b)
shall be in an amount that covers the student's tuition and fees at the
institution under subsection (b)(1) and provides the student with an
additional stipend.
(d) Scholarship Conditions.--Each scholarship recipient, as a
condition of receiving a scholarship under the program, shall enter
into an agreement under which the recipient agrees to work in the
cybersecurity mission of a Federal, State, local, or tribal agency for
a period equal to the length of the scholarship following receipt of
the student's degree.
(e) Hiring Authority.--
(1) Appointment in excepted service.--Notwithstanding any
provision of chapter 33 of title 5, United States Code,
governing appointments in the competitive service, an agency
shall appoint in the excepted service an individual who has
completed the academic program for which a scholarship was
awarded.
(2) Noncompetitive conversion.--Except as provided in
paragraph (4), upon fulfillment of the service term, an
employee appointed under paragraph (1) may be converted
noncompetitively to term, career-conditional or career
appointment.
(3) Timing of conversion.--An agency may noncompetitively
convert a term employee appointed under paragraph (2) to a
career-conditional or career appointment before the term
appointment expires.
(4) Authority to decline conversion.--An agency may decline
to make the noncompetitive conversion or appointment under
paragraph (2) for cause.
(f) Eligibility.--To be eligible to receive a scholarship under
this section, an individual shall--
(1) be a citizen or lawful permanent resident of the United
States;
(2) demonstrate a commitment to a career in improving the
security of information infrastructure; and
(3) have demonstrated a high level of proficiency in
mathematics, engineering, or computer sciences.
(g) Repayment.--If a scholarship recipient does not meet the terms
of the program under this section, the recipient shall refund the
scholarship payments in accordance with rules established by the
Director of the National Science Foundation, in coordination with the
Director of the Office of Personnel Management and Secretary of
Homeland Security.
(h) Evaluation and Report.--The Director of the National Science
Foundation shall evaluate and report periodically to Congress on the
success of recruiting individuals for scholarships under this section
and on hiring and retaining those individuals in the public sector
workforce.
SEC. 303. STUDY AND ANALYSIS OF EDUCATION, ACCREDITATION, TRAINING, AND
CERTIFICATION OF INFORMATION INFRASTRUCTURE AND
CYBERSECURITY PROFESSIONALS.
(a) Study.--The Director of the National Science Foundation, the
Director of the Office of Personnel Management, and the Secretary of
Homeland Security shall undertake to enter into appropriate
arrangements with the National Academy of Sciences to conduct a
comprehensive study of government, academic, and private-sector
education, accreditation, training, and certification programs for the
development of professionals in information infrastructure and
cybersecurity. The agreement shall require the National Academy of
Sciences to consult with sector coordinating councils and relevant
governmental agencies, regulatory entities, and nongovernmental
organizations in the course of the study.
(b) Scope.--The study shall include--
(1) an evaluation of the body of knowledge and various
skills that specific categories of professionals in information
infrastructure and cybersecurity should possess in order to
secure information systems;
(2) an assessment of whether existing government, academic,
and private-sector education, accreditation, training, and
certification programs provide the body of knowledge and
various skills described in paragraph (1);
(3) an evaluation of--
(A) the state of cybersecurity education at
institutions of higher education in the United States;
(B) the extent of professional development
opportunities for faculty in cybersecurity principles
and practices;
(C) the extent of the partnerships and
collaborative cybersecurity curriculum development
activities that leverage industry and government needs,
resources, and tools;
(D) the proposed metrics to assess progress toward
improving cybersecurity education; and
(E) the descriptions of the content of
cybersecurity courses in undergraduate computer science
curriculum;
(4) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including barriers
relating to compensation, the hiring process, job
classification, and hiring flexibility; and
(5) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and expertise
sought by the Federal Government and the private sector, an
examination of the current and future capacity of United States
institutions of higher education, including community colleges,
to provide current and future cybersecurity professionals,
through education and training activities, with those skills
sought by the Federal Government, State and local entities, and
the private sector.
(c) Report.--Not later than 1 year after the date of enactment of
this Act, the National Academy of Sciences shall submit to the
President and Congress a report on the results of the study. The report
shall include--
(1) findings regarding the state of information
infrastructure and cybersecurity education, accreditation,
training, and certification programs, including specific areas
of deficiency and demonstrable progress; and
(2) recommendations for further research and the
improvement of information infrastructure and cybersecurity
education, accreditation, training, and certification programs.
TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS
SEC. 401. NATIONAL CYBERSECURITY AWARENESS AND PREPAREDNESS CAMPAIGN.
(a) National Cybersecurity Awareness and Preparedness Campaign.--
The Director of the National Institute of Standards and Technology
(referred to in this section as the ``Director''), in consultation with
appropriate Federal agencies, shall continue to coordinate a national
cybersecurity awareness and preparedness campaign, such as--
(1) a campaign to increase public awareness of
cybersecurity, cyber safety, and cyber ethics, including the
use of the Internet, social media, entertainment, and other
media to reach the public;
(2) a campaign to increase the understanding of State and
local governments, institutions of higher education, and
private sector entities of--
(A) the benefits of ensuring effective risk
management of the information infrastructure versus the
costs of failure to do so; and
(B) the methods to mitigate and remediate
vulnerabilities;
(3) support for formal cybersecurity education programs at
all education levels to prepare skilled cybersecurity and
computer science workers for the private sector and Federal,
State, and local government; and
(4) initiatives to evaluate and forecast future
cybersecurity workforce needs of the Federal government and
develop strategies for recruitment, training, and retention.
(b) Considerations.--In carrying out the authority described in
subsection (a), the Director, in consultation with appropriate Federal
agencies, shall leverage existing programs designed to inform the
public of safety and security of products or services, including self-
certifications and independently verified assessments regarding the
quantification and valuation of information security risk.
(c) Strategic Plan.--The Director, in cooperation with relevant
Federal agencies and other stakeholders, shall build upon programs and
plans in effect as of the date of enactment of this Act to develop and
implement a strategic plan to guide Federal programs and activities in
support of the national cybersecurity awareness and preparedness
campaign under subsection (a).
(d) Report.--Not later than 1 year after the date of enactment of
this Act, and every 5 years thereafter, the Director shall transmit the
strategic plan under subsection (c) to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee on Science,
Space, and Technology of the House of Representatives.
Calendar No. 490
113th CONGRESS
2d Session
S. 1353
_______________________________________________________________________
A BILL
To provide for an ongoing, voluntary public-private partnership to
improve cybersecurity, and to strengthen cybersecurity research and
development, workforce development and education, and public awareness
and preparedness, and for other purposes.
_______________________________________________________________________
July 24, 2014
Reported with an amendment