[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 9262 Introduced in House (IH)]

117th CONGRESS
  2d Session
                                H. R. 9262

   To make improvements to cybersecurity acquisition policies of the 
             Department of Defense, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            November 3, 2022

   Mrs. Bice of Oklahoma (for herself and Mr. Larsen of Washington) 
 introduced the following bill; which was referred to the Committee on 
                             Armed Services

_______________________________________________________________________

                                 A BILL


 
   To make improvements to cybersecurity acquisition policies of the 
             Department of Defense, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. CURRICULA ON SOFTWARE ACQUISITIONS AND CYBERSECURITY 
              SOFTWARE OR HARDWARE ACQUISITIONS FOR COVERED 
              INDIVIDUALS.

    (a) Curricula.--The President of the Defense Acquisition University 
shall develop training curricula related to software acquisitions and 
cybersecurity software or hardware acquisitions and offer such 
curricula to covered individuals to increase digital literacy related 
to such acquisitions by developing the ability of such covered 
individuals to use technology to identify, critically evaluate, and 
synthesize data and information related to such acquisitions.
    (b) Elements.--Curricula developed pursuant to subsection (a) shall 
provide information on--
            (1) cybersecurity, information technology systems, computer 
        networks, cloud computing, artificial intelligence, machine 
        learning, and quantum technologies;
            (2) cybersecurity threats and capabilities;
            (3) operational efforts of United States Cyber Command to 
        combat cyber threats;
            (4) mission requirements and current capabilities and 
        systems of United States Cyber Command;
            (5) activities that encompass the full range of threat 
        reduction, vulnerability reduction, deterrence, incident 
        response, resiliency, and recovery policies and activities, 
        including activities relating to computer network operations, 
        information assurance, military missions, and intelligence 
        missions to the extent such activities relate to the security 
        and stability of cyberspace; and
            (6) industry best practices relating to software 
        acquisitions and cybersecurity software or hardware 
        acquisitions.
    (c) Plan.--Not later than 180 days after the date of the enactment 
of this Act, the Secretary of Defense, in consultation with the 
President of the Defense Acquisition University, shall submit to 
Congress a comprehensive plan to implement the curricula developed 
under subsection (a). Such plan shall include a list of resources 
required for and costs associated with such implementation, including--
            (1) curriculum development;
            (2) hiring instructors to teach the curriculum;
            (3) facilities; or
            (4) website development.
    (d) Implementation.--Not later than one year after the date on 
which the plan described in subsection (c) is submitted to Congress, 
the President of the Defense Acquisition University shall offer the 
curricula developed under subsection (a) to covered individuals.
    (e) Report.--Not later than one year after the date on which the 
plan described in subsection (c) is submitted to Congress, the 
Secretary of Defense, in consultation with the President of the Defense 
Acquisition University, shall submit to Congress a report assessing the 
costs and benefits of requiring all covered individuals to complete the 
curricula developed under subsection (a).
    (f) Covered Individuals Defined.--In this section, the term 
``covered individuals'' means--
            (1) a contracting officer of the Department of Defense with 
        responsibilities related to software acquisitions or 
        cybersecurity software or hardware acquisitions; or
            (2) an individual serving in a position designated under 
        section 1721(b) of title 10, United States Code, who is 
        regularly consulted for software acquisitions or cybersecurity 
        software or hardware acquisitions.

SEC. 2. REPORT ON STREAMLINING OF INFORMATION ASSURANCE AND 
              CYBERSECURITY APPROVAL PROCESSES IN SOFTWARE 
              ACQUISITIONS.

    (a) Plan Required.--Not later than 180 days after the date of the 
enactment of this Act, the Secretary of Defense shall submit to 
Congress a report detailing a plan to streamline approval processes 
related to information assurance and cybersecurity for software 
acquisitions.
    (b) Elements.--The Secretary shall include the following in the 
plan required by subsection (a):
            (1) Areas of duplication or overlapping processes and 
        methods to streamline such processes.
            (2) Recommendations on how to adapt requirements processes 
        to be more iterative to meet the needs of modern software 
        acquisitions.
            (3) Recommendations for modifying the requirements 
        processes to become a threat-focused process.
            (4) An annex with information on staffing and funding 
        levels and the impact on the efficiency of approval processes 
        related to information assurance and cybersecurity for software 
        acquisitions.