[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1835 Reported in Senate (RS)]
<DOC>
Calendar No. 382
118th CONGRESS
2d Session
S. 1835
[Report No. 118-171]
To require the Cybersecurity and Infrastructure Security Agency of the
Department of Homeland Security to develop a campaign program to raise
awareness regarding the importance of cybersecurity in the United
States.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 6, 2023
Mr. Peters (for himself and Mr. Cassidy) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
May 9, 2024
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To require the Cybersecurity and Infrastructure Security Agency of the
Department of Homeland Security to develop a campaign program to raise
awareness regarding the importance of cybersecurity in the United
States.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``National Cybersecurity
Awareness Act''.</DELETED>
<DELETED>SEC. 2. FINDINGS.</DELETED>
<DELETED> Congress finds the following:</DELETED>
<DELETED> (1) The presence of ubiquitous internet-connected
devices in the everyday lives of citizens of the United States
has created opportunities for constant connection and
modernization.</DELETED>
<DELETED> (2) A connected society is subject to
cybersecurity threats that can compromise even the most
personal and sensitive of information.</DELETED>
<DELETED> (3) Connected critical infrastructure is subject
to cybersecurity threats that can compromise fundamental
economic and health and safety functions.</DELETED>
<DELETED> (4) The Government of the United States plays an
important role in safeguarding the nation from malicious cyber
activity.</DELETED>
<DELETED> (5) A citizenry that is knowledgeable regarding
cybersecurity is critical to building a robust cybersecurity
posture and reducing the threat of cyber attackers stealing
sensitive information and causing public harm.</DELETED>
<DELETED> (6) While Cybersecurity Awareness Month is
critical to supporting national cybersecurity awareness, it
cannot be a once-a-year activity and must be a sustained,
constant effort.</DELETED>
<DELETED>SEC. 3. CYBERSECURITY AWARENESS.</DELETED>
<DELETED> (a) In General.--Subtitle A of title XXII of the Homeland
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the
end the following:</DELETED>
<DELETED>``SEC. 2220F. CYBERSECURITY AWARENESS CAMPAIGNS.</DELETED>
<DELETED> ``(a) Definition.--In this section, the term `Campaign
Program' means the campaign program established under subsection
(b).</DELETED>
<DELETED> ``(b) Awareness Campaign Program.--</DELETED>
<DELETED> ``(1) In general.--Not later than 90 days after
the date of enactment of the National Cybersecurity Awareness
Act, the Director shall establish a program for planning and
coordinating Federal cybersecurity awareness
campaigns.</DELETED>
<DELETED> ``(2) Activities.--In carrying out the Campaign
Program, the Director shall--</DELETED>
<DELETED> ``(A) inform non-Federal entities of
voluntary cyber hygiene best practices, including
information on how to--</DELETED>
<DELETED> ``(i) prevent cyberattacks;
and</DELETED>
<DELETED> ``(ii) mitigate cybersecurity
risks; and</DELETED>
<DELETED> ``(B) consult with private sector
entities, State, local, Tribal, and territorial
governments, academia, and civil society--</DELETED>
<DELETED> ``(i) to promote cyber hygiene
best practices, including by focusing on
tactics that are cost effective and result in
significant cybersecurity improvement, such
as--</DELETED>
<DELETED> ``(I) maintaining strong
passwords and the use of password
managers;</DELETED>
<DELETED> ``(II) enabling multi-
factor authentication, including
phishing-resistant multi-factor
authentication;</DELETED>
<DELETED> ``(III) regularly
installing software updates;</DELETED>
<DELETED> ``(IV) using caution with
email attachments and website links;
and</DELETED>
<DELETED> ``(V) other cyber hygienic
considerations, as
appropriate;</DELETED>
<DELETED> ``(ii) to promote awareness of
cybersecurity risks and mitigation with respect
to malicious applications on internet-connected
devices, including applications to control
those devices or use devices for unauthorized
surveillance of users;</DELETED>
<DELETED> ``(iii) to help consumers identify
products that are designed to support user and
product security, such as products designed
using the Secure-by-Design and Secure-by-
Default principles of the Agency;</DELETED>
<DELETED> ``(iv) to coordinate with other
Federal agencies and departments, as determined
appropriate by the Director, to--</DELETED>
<DELETED> ``(I) promote relevant
cybersecurity-related awareness
activities; and</DELETED>
<DELETED> ``(II) ensure the Federal
Government is coordinated in
communicating accurate and timely
cybersecurity information;
and</DELETED>
<DELETED> ``(v) to expand nontraditional
outreach mechanisms to ensure that entities
including low-income and rural communities,
small and medium sized businesses and
institutions, and State, local, Tribal, and
territorial partners receive cybersecurity
awareness outreach in an equitable
manner.</DELETED>
<DELETED> ``(3) Reporting.--</DELETED>
<DELETED> ``(A) In general.--Not later than 180 days
after the date of enactment of the National
Cybersecurity Awareness Act, and annually thereafter,
the Director shall, in consultation with the heads of
appropriate Federal agencies, submit to the appropriate
congressional committees a report regarding the
Campaign Program.</DELETED>
<DELETED> ``(B) Contents.--Each report submitted
pursuant to subparagraph (A) shall include--</DELETED>
<DELETED> ``(i) a summary of the activities
of the Agency that support promoting
cybersecurity awareness under the Campaign
Program, including consultations made under
paragraph (2)(B);</DELETED>
<DELETED> ``(ii) an assessment of the
effectiveness of techniques and methods used to
promote national cybersecurity awareness under
the Campaign Program; and</DELETED>
<DELETED> ``(iii) recommendations on how to
best promote cybersecurity awareness
nationally.</DELETED>
<DELETED> ``(c) Cybersecurity Campaign Resources.--</DELETED>
<DELETED> ``(1) In general.--Not later than 180 days after
the date of enactment of the National Cybersecurity Awareness
Act, the Director shall develop and maintain a central
repository for the resources, tools, and public communications
of the Agency that promote cybersecurity awareness.</DELETED>
<DELETED> ``(2) Requirements.--The resources described in
paragraph (1) shall be--</DELETED>
<DELETED> ``(A) made publicly available online;
and</DELETED>
<DELETED> ``(B) regularly updated to ensure the
public has access to relevant and timely cybersecurity
awareness information.''.</DELETED>
<DELETED> (b) Responsibilities of the Cybersecurity and
Infrastructure Security Agency.--Section 2202(c) of the Homeland
Security Act of 2002 (6 U.S.C. 652(c)) is amended--</DELETED>
<DELETED> (1) in paragraph (13), by striking ``; and'' and
inserting a semicolon;</DELETED>
<DELETED> (2) by redesignating paragraph (14) as paragraph
(15); and</DELETED>
<DELETED> (3) by inserting after paragraph (13) the
following:</DELETED>
<DELETED> ``(14) lead and coordinate Federal efforts to
promote national cybersecurity awareness; and''.</DELETED>
<DELETED> (c) Clerical Amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116
Stat. 2135) is amended by inserting after the item relating to section
2220E the following:</DELETED>
<DELETED>``Sec. 2220F. Cybersecurity awareness campaigns''.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``National Cybersecurity Awareness
Act''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) The presence of ubiquitous internet-connected devices
in the everyday lives of citizens of the United States has
created opportunities for constant connection and
modernization.
(2) A connected society is subject to cybersecurity threats
that can compromise even the most personal and sensitive of
information.
(3) Connected critical infrastructure is subject to
cybersecurity threats that can compromise fundamental economic,
health, and safety functions.
(4) The Government of the United States plays an important
role in safeguarding the nation from malicious cyber activity.
(5) A citizenry that is knowledgeable regarding
cybersecurity is critical to building a robust cybersecurity
posture and reducing the threat of cyber attackers stealing
sensitive information and causing public harm.
(6) While Cybersecurity Awareness Month is critical to
supporting national cybersecurity awareness, it cannot be a
once-a-year activity, and there must be a sustained, constant
effort to raise awareness about cyber hygiene, encourage
individuals in the United States to learn cyber skills, and
communicate the ways that cyber skills and careers in cyber
advance individual and societal security, privacy, safety, and
well-being.
SEC. 3. CYBERSECURITY AWARENESS.
(a) In General.--Subtitle A of title XXII of the Homeland Security
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the
following:
``SEC. 2220F. CYBERSECURITY AWARENESS CAMPAIGNS.
``(a) Definition.--In this section, the term `Campaign Program'
means the campaign program established under subsection (b)(1).
``(b) Awareness Campaign Program.--
``(1) In general.--Not later than 90 days after the date of
enactment of the National Cybersecurity Awareness Act, the
Director, in coordination with appropriate Federal agencies,
shall establish a program for planning and coordinating Federal
cybersecurity awareness campaigns.
``(2) Activities.--In carrying out the Campaign Program,
the Director shall--
``(A) inform non-Federal entities of voluntary
cyber hygiene best practices, including information on
how to--
``(i) prevent cyberattacks; and
``(ii) mitigate cybersecurity risks; and
``(B) consult with private sector entities, State,
local, Tribal, and territorial governments, academia,
nonprofit organizations, and civil society--
``(i) to promote cyber hygiene best
practices and the importance of cyber skills,
including by focusing on tactics that are cost
effective and result in significant
cybersecurity improvement, such as--
``(I) maintaining strong passwords
and the use of password managers;
``(II) enabling multi-factor
authentication, including phishing-
resistant multi-factor authentication;
``(III) regularly installing
software updates;
``(IV) using caution with email
attachments and website links; and
``(V) other cyber hygienic
considerations, as appropriate;
``(ii) to promote awareness of
cybersecurity risks and mitigation with respect
to malicious applications on internet-connected
devices, including applications to control
those devices or use devices for unauthorized
surveillance of users;
``(iii) to help consumers identify products
that are designed to support user and product
security, such as products designed using the
Secure-by-Design and Secure-by-Default
principles of the Agency or the Recommended
Criteria for Cybersecurity Labeling for
Consumer Internet of Things (IoT) Products of
the National Institute of Standards and
Technology, published February 4, 2022 (or any
subsequent version);
``(iv) to coordinate with other Federal
agencies, as determined appropriate by the
Director, to--
``(I) develop and promote relevant
cybersecurity-related and cyber skills-
related awareness activities and
resources; and
``(II) ensure the Federal
Government is coordinated in
communicating accurate and timely
cybersecurity information;
``(v) to expand nontraditional outreach
mechanisms to ensure that entities, including
low-income and rural communities, small and
medium sized businesses and institutions, and
State, local, Tribal, and territorial partners,
receive cybersecurity awareness outreach in an
equitable manner; and
``(vi) to encourage participation in cyber
workforce development ecosystems and to expand
adoption of best practices to grow the national
cyber workforce.
``(3) Reporting.--
``(A) In general.--Not later than 180 days after
the date of enactment of the National Cybersecurity
Awareness Act, and annually thereafter, the Director,
in consultation with the heads of appropriate Federal
agencies, shall submit to the appropriate congressional
committees a report regarding the Campaign Program.
``(B) Contents.--Each report submitted pursuant to
subparagraph (A) shall include--
``(i) a summary of the activities of the
Agency that support promoting cybersecurity
awareness under the Campaign Program, including
consultations made under paragraph (2)(B);
``(ii) an assessment of the effectiveness
of techniques and methods used to promote
national cybersecurity awareness under the
Campaign Program; and
``(iii) recommendations on how to best
promote cybersecurity awareness nationally.
``(c) Cybersecurity Campaign Resources.--
``(1) In general.--Not later than 180 days after the date
of enactment of the National Cybersecurity Awareness Act, the
Director shall develop and maintain a repository for the
resources, tools, and public communications of the Agency that
promote cybersecurity awareness.
``(2) Requirements.--The resources described in paragraph
(1) shall be--
``(A) made publicly available online; and
``(B) regularly updated to ensure the public has
access to relevant and timely cybersecurity awareness
information.''.
(b) Responsibilities of the Cybersecurity and Infrastructure
Security Agency.--Section 2202(c) of the Homeland Security Act of 2002
(6 U.S.C. 652(c)) is amended--
(1) in paragraph (13), by striking ``; and'' and inserting
a semicolon;
(2) by redesignating paragraph (14) as paragraph (15); and
(3) by inserting after paragraph (13) the following:
``(14) lead and coordinate Federal efforts to promote
national cybersecurity awareness; and''.
(c) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135)
is amended by inserting after the item relating to section 2220E the
following:
``Sec. 2220F. Cybersecurity awareness campaigns.''.