H.R.5835 — 109th Congress (2005-2006)

Referred in Senate (11/13/2006)


109th CONGRESS
2d Session
H. R. 5835

IN THE SENATE OF THE UNITED STATES
September 27, 2006

Received

November 13, 2006

Read twice and referred to the Committee on Veterans' Affairs


AN ACT

To amend title 38, United States Code, to improve information management within the Department of Veterans Affairs, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Veterans Identity and Credit Security Act of 2006”.

SEC. 2. Federal agency data breach notification requirements.

(a) Authority of director of Office of Management and Budget to establish data breach policies.—Section 3543(a) of title 44, United States Code, is amended—

(1) by striking “and” at the end of paragraph (7);

(2) by striking the period and inserting “; and” at the end of paragraph (8); and

(3) by adding at the end the following:

“(9) establishing policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of sensitive personal information and for which harm to an individual could reasonably be expected to result, specifically including—

“(A) a requirement for timely notice to be provided to those individuals whose sensitive personal information could be compromised as a result of such breach, except no notice shall be required if the breach does not create a reasonable risk of identity theft, fraud, or other unlawful conduct regarding such individual;

“(B) guidance on determining how timely notice is to be provided; and

“(C) guidance regarding whether additional special actions are necessary and appropriate, including data breach analysis, fraud resolution services, identity theft insurance, and credit protection or monitoring services.”.

(b) Authority of chief information officer to enforce data breach policies and develop and maintain inventories.—Section 3544(a)(3) of title 44, United States Code, is amended—

(1) by inserting after “authority to ensure compliance with” the following: “and, to the extent determined necessary and explicitly authorized by the head of the agency, to enforce”;

(2) by striking “and” at the end of subparagraph (D);

(3) by inserting “and” at the end of subparagraph (E); and

(4) by adding at the end the following:

“(F) developing and maintaining an inventory of all personal computers, laptops, or any other hardware containing sensitive personal information;”.

(c) Inclusion of data breach notification in agency information security programs.—Section 3544(b) of title 44, United States Code, is amended—

(1) by striking “and” at the end of paragraph (7);

(2) by striking the period and inserting “; and” at the end of paragraph (8); and

(3) by adding at the end the following:

“(9) procedures for notifying individuals whose sensitive personal information is compromised consistent with policies, procedures, and standards established under section 3543(a)(9) of this title.”.

(d) Authority of agency chief human capital officers to assess federal personal property.—Section 1402(a) of title 5, United States Code, is amended—

(1) by striking “, and” at the end of paragraph (5) and inserting a semicolon;

(2) by striking the period and inserting “; and” at the end of paragraph (6); and

(3) by adding at the end the following:

“(7) prescribing policies and procedures for exit interviews of employees, including a full accounting of all Federal personal property that was assigned to the employee during the course of employment.”.

(e) Sensitive personal information definition.—Section 3542(b) of title 44, United States Code, is amended by adding at the end the following new paragraph:

“(4) The term ‘sensitive personal information’, with respect to an individual, means any information about the individual maintained by an agency, including—

“(A) education, financial transactions, medical history, and criminal or employment history;

“(B) information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records; or

“(C) any other personal information that is linked or linkable to the individual.”.

SEC. 3. Under Secretary for Information Services.

(a) Under Secretary.—Chapter 3 of title 38, United States Code, is amended by inserting after section 307 the following new section:

§ 307A. Under Secretary for Information Services

“(a) Under Secretary.—There is in the Department an Under Secretary for Information Services, who is appointed by the President, by and with the advice and consent of the Senate. The Under Secretary shall be the head of the Office of Information Services and shall perform such functions as the Secretary shall prescribe.

“(b) Service as Chief Information Officer.—Notwithstanding any other provision of law, the Under Secretary for Information Services shall serve as the Chief Information Officer of the Department under section 310 of this title.”.

(b) Clerical amendment.—The table of sections at the beginning of such chapter is amended by inserting after the item relating to section 307 the following new item:


“307A. Under Secretary for Information Services.”.

(c) Conforming amendment.—Section 308(b) of such title is amended by striking paragraph (5) and redesignating paragraphs (6) through (11) as paragraphs (5) through (10), respectively.

SEC. 4. Department of Veterans Affairs information security.

(a) Information security.—Chapter 57 of title 38, United States Code, is amended by adding at the end the following new subchapter:

“SUBCHAPTER III—INFORMATION SECURITY

§ 5721. Definitions

“For the purposes of this subchapter:

“(1) The term ‘sensitive personal information’, with respect to an individual, means any information about the individual maintained by an agency, including—

“(A) education, financial transactions, medical history, and criminal or employment history;

“(B) information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records; or

“(C) any other personal information that is linked or linkable to the individual.

“(2) The term ‘data breach’ means the loss, theft, or other unauthorized access to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.

“(3) The term ‘data breach analysis’ means the identification of any misuse of sensitive personal information involved in a data breach.

“(4) The term ‘fraud resolution services’ means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft.

“(5) The term ‘identity theft’ has the meaning given such term under section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).

“(6) The term ‘identity theft insurance’ means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with the identity theft of the insured individual.

“(7) The term ‘principal credit reporting agency’ means a consumer reporting agency as described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

§ 5722. Office of the Under Secretary for Information Services

“(a) Deputy Under Secretaries.—The Office of the Under Secretary for Information Services shall consist of the following:

“(1) The Deputy Under Secretary for Information Services for Security, who shall serve as the Senior Information Security Officer of the Department.

“(2) The Deputy Under Secretary for Information Services for Operations and Management.

“(3) The Deputy Under Secretary for Information Services for Policy and Planning.

“(b) Appointments.—Appointments under subsection (a) shall be made by the Secretary, notwithstanding the limitations of section 709 of this title.

“(c) Qualifications.—At least one of positions established and filled under subsection (a) shall be filled by an individual who has at least five years of continuous service in the Federal civil service in the executive branch immediately preceding the appointment of the individual as a Deputy Under Secretary. For purposes of determining such continuous service of an individual, there shall be excluded any service by such individual in a position—

“(1) of a confidential, policy-determining, policy-making, or policy-advocating character;

“(2) in which such individual served as a noncareer appointee in the Senior Executive Service, as such term is defined in section 3132(a)(7) of title 5; or

“(3) to which such individual was appointed by the President.

§ 5723. Information security management

“(a) Responsibilities of Chief Information Officer.—To support the economical, efficient, and effective execution of subtitle III of chapter 35 of title 44, and policies and plans of the Department, the Secretary shall ensure that the Chief Information Officer of the Department has the authority and control necessary to develop, approve, implement, integrate, and oversee the policies, procedures, processes, activities, and systems of the Department relating to that subtitle, including the management of all related mission applications, information resources, personnel, and infrastructure.

“(b) Annual compliance report.—Not later than March 1 of each year, the Secretary shall submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives, the Committee on Government Reform of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate, a report on the Department’s compliance with subtitle III of chapter 35 of title 44. The information in such report shall be displayed in the aggregate and separately for each Administration, office, and facility of the Department.

“(c) Reports to Secretary of compliance deficiencies.—(1) At least once every month, the Chief Information Officer shall report to the Secretary any deficiency in the compliance with subtitle III of chapter 35 of title 44 of the Department or any Administration, office, or facility of the Department.

“(2) The Chief Information Officer shall immediately report to the Secretary any significant deficiency in such compliance.

“(d) Data breaches.—(1) The Chief Information Officer shall immediately provide notice to the Secretary of any data breach.

“(2) Immediately after receiving notice of a data breach under paragraph (1), the Secretary shall provide notice of such breach to the Director of the Office of Management and Budget, the Inspector General of the Department, and, if appropriate, the Federal Trade Commission and the United States Secret Service.

“(e) Budgetary matters.—When the budget for any fiscal year is submitted by the President to Congress under section 1105 of title 31, the Secretary shall submit to Congress a report that identifies amounts requested for Department implementation and remediation of and compliance with this subchapter and subtitle III of chapter 35 of title 44. The report shall set forth those amounts both for each Administration within the Department and for the Department in the aggregate and shall identify, for each such amount, how that amount is aligned with and supports such implementation and compliance.

§ 5724. Congressional reporting and notification of data breaches

“(a) Quarterly reports.—(1) Not later than 30 days after the last day of a fiscal quarter, the Secretary shall submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives a report on any data breach with respect to sensitive personal information processed or maintained by the Department that occurred during that quarter.

“(2) Each report submitted under paragraph (1) shall identify, for each data breach covered by the report, the Administration and facility of the Department responsible for processing or maintaining the sensitive personal information involved in the data breach.

“(b) Notification of significant data breaches.—(1) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that the Secretary determines is significant, the Secretary shall provide notice of such breach to the Committees on Veterans’ Affairs of the Senate and House of Representatives.

“(2) Notice under paragraph (1) shall be provided promptly following the discovery of such a data breach and the implementation of any measures necessary to determine the scope of the breach, prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

§ 5725. Data breaches

“(a) Independent risk analysis.—(1) In the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, the Secretary shall ensure that, as soon as possible after the data breach, a non-Department entity conducts an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach.

“(2) If the Secretary determines, based on the findings of a risk analysis conducted under paragraph (1), that a reasonable risk exists for the potential misuse of sensitive information involved in a data breach, the Secretary shall provide credit protection services in accordance with section 5726 of this title.

“(b) Notification.—(1) In the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, the Secretary shall provide to an individual whose sensitive personal information is involved in that breach notice of the data breach—

“(A) in writing; or

“(B) by email, if—

“(i) the Department's primary method of communication with the individual is by email; and

“(ii) the individual has consented to receive such notification.

“(2) Notice provided under paragraph (1) shall—

“(A) describe the circumstances of the data breach and the risk that the breach could lead to misuse, including identity theft, involving the sensitive personal information of the individual;

“(B) describe the specific types of sensitive personal information that was compromised as a part of the data breach;

“(C) describe the actions the Department is taking to remedy the data breach;

“(D) inform the individual that the individual may request a fraud alert and credit security freeze under this section;

“(E) clearly explain the advantages and disadvantages to the individual of receiving fraud alerts and credit security freezes under this section; and

“(F) includes such other information as the Secretary determines is appropriate.

“(3) The notice required under paragraph (1) shall be provided promptly following the discovery of a data breach and the implementation of any measures necessary to determine the scope of the breach, prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

“(c) Report.—For each data breach with respect to sensitive personal information processed or maintained by the Secretary, the Secretary shall promptly submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives a report containing the findings of any independent risk analysis conducted under subsection (a)(1), any determination of the Secretary under subsection (a)(2), and a description of any credit protection services provided under section 5726 of this title.

“(d) Final determination.—Notwithstanding sections 511 and 7104(a) of this title, any determination of the Secretary under subsection (a)(2) with respect to the reasonable risk for the potential misuse of sensitive information involved in a data breach is final and conclusive and may not be reviewed by any other official, administrative body, or court, whether by an action in the nature of mandamus or otherwise.

“(e) Fraud alerts.—(1) In the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, the Secretary shall arrange, upon the request of an individual whose sensitive personal information is involved in the breach to a principal credit reporting agency with which the Secretary has entered into a contract under section 5726(d) and at no cost to the individual, for the principal credit reporting agency to provide fraud alert services for that individual for a period of not less than one year, beginning on the date of such request, unless the individual requests that such fraud alert be removed before the end of such period, and the agency receives appropriate proof of the identity of the individual for such purpose.

“(2) The Secretary shall arrange for each principal credit reporting agency referred to in paragraph (1) to provide any alert requested under such subsection in the file of the individual along with any credit score generated in using that file, for a period of not less than one year, beginning on the date of such request, unless the individual requests that such fraud alert be removed before the end of such period, and the agency receives appropriate proof of the identity of the individual for such purpose.

“(f) Credit security freeze.—(1) In the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, the Secretary shall arrange, upon the request of an individual whose sensitive personal information is involved in the breach and at no cost to the individual, for each principal credit reporting agency to apply a security freeze to the file of that individual for a period of not less than one year, beginning on the date of such request, unless the individual requests that such security freeze be removed before the end of such period, and the agency receives appropriate proof of the identity of the individual for such purpose.

“(2) The Secretary shall arrange for a principal credit reporting agency applying a security freeze under paragraph (1)—

“(A) to send a written confirmation of the security freeze to the individual within five business days of applying the freeze;

“(B) to refer the information regarding the security freeze to other consumer reporting agencies;

“(C) to provide the individual with a unique personal identification number or password to be used by the individual when providing authorization for the release of the individual’s credit for a specific party or period of time; and

“(D) upon the request of the individual, to temporarily lift the freeze for a period of time specified by the individual, beginning not later than three business days after the date on which the agency receives the request.

§ 5726. Provision of credit protection services

“(a) Covered individual.—For purposes of this section, a covered individual is an individual whose sensitive personal information that is processed or maintained by the Department (or any third-party entity acting on behalf of the Department) is involved, on or after August 1, 2005, in a data breach for which the Secretary determines a reasonable risk exists for the potential misuse of sensitive personal information under section 5725(a)(2) of this title.

“(b) Notification.—(1) In addition to any notice required under subsection 5725(b) of this title, the Secretary shall provide to a covered individual notice in writing that—

“(A) the individual may request credit protection services under this section;

“(B) clearly explains the advantages and disadvantages to the individual of receiving credit protection services under this section;

“(E) includes a notice of which principal credit reporting agency the Secretary has entered into a contract with under subsection (d), and information about requesting services through that agency;

“(C) describes actions the individual can or should take to reduce the risk of identity theft; and

“(D) includes such other information as the Secretary determines is appropriate.

“(2) The notice required under paragraph (1) shall be made as promptly as possible and without unreasonable delay following the discovery of a data breach for which the Secretary determines a reasonable risk exists for the potential misuse of sensitive personal information under section 5725(a)(2) of this title and the implementation of any measures necessary to determine the scope of the breach, prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.

“(3) The Secretary shall ensure that each notification under paragraph (1) includes a form or other means for readily requesting the credit protection services under this section. Such form or other means may include a telephone number, email address, or Internet website address.

“(c) Availability of services through other Government agencies.—If a service required to be provided under this section is available to a covered individual through another department or agency of the Government, the Secretary and the head of that department or agency may enter into an agreement under which the head of that department or agency agrees to provide that service to the covered individual.

“(d) Contract with credit reporting agency.—Subject to the availability of appropriations and notwithstanding any other provision of law, the Secretary shall enter into contracts or other agreements as necessary with one or more principal credit reporting agencies in order to ensure, in advance, the provision of credit protection services under this section and fraud alerts and security freezes under section 5725 of this title. Any such contract or agreement may include provisions for the Secretary to pay the expenses of such a credit reporting agency for the provision of such services.

“(e) Data breach analysis.—The Secretary shall arrange, upon the request of a covered individual and at no cost to the individual, to provide data breach analysis for the individual for a period of not less than one year, beginning on the date of such request.

“(f) Provision of credit monitoring services and identity theft insurance.—During the one-year period beginning on the date on which the Secretary notifies a covered individual that the individual’s sensitive personal information is involved in a data breach, the Secretary shall arrange, upon the request of the individual and without charge to the individual, for the provision of credit monitoring services to the individual. Credit monitoring services under this subsection shall include each of the following:

“(1) One copy of the credit report of the individual every three months.

“(2) Fraud resolution services for the individual.

“(3) Identity theft insurance in a coverage amount that does not exceed $30,000 in aggregate liability for the insured.

§ 5727. Contracts for data processing or maintenance

“(a) Contract requirements.—If the Secretary enters into a contract for the performance of any Department function that requires access to sensitive personal information, the Secretary shall require as a condition of the contract that—

“(1) the contractor shall not, directly or through an affiliate of the contractor, disclose such information to any other person unless the disclosure is lawful and is expressly permitted under the contract;

“(2) the contractor, or any subcontractor for a subcontract of the contract, shall promptly notify the Secretary of any data breach that occurs with respect to such information.

“(b) Liquidated damages.—Each contract subject to the requirements of subsection (a) shall provide for liquidated damages to be paid by the contractor to the Secretary in the event of a data breach with respect to any sensitive personal information processed or maintained by the contractor or any subcontractor under that contract.

“(c) Provision of credit protection services.—Any amount collected by the Secretary under subsection (b) shall be deposited in or credited to the Department account from which the contractor was paid and shall remain available for obligation without fiscal year limitation exclusively for the purpose of providing credit protection services in accordance with section 5726 of this title.

§ 5728. Authorization of appropriations

“There are authorized to be appropriated to carry out this subchapter such sums as may be necessary for each fiscal year.”.

(b) Clerical amendment.—The table of sections at the beginning of such chapter is amended by adding at the end the following new items:

“SUBCHAPTER III—INFORMATION SECURITY”.

“5721. Definitions.

“5722. Office of the Under Secretary for Information Services.

“5723. Information security management.

“5724. Congressional reporting and notification of data breaches.

“5725. Data breaches.

“5726. Provision of credit protection services.

“5727. Contracts for data processing or maintenance.

“5728. Authorization of appropriations.”.

(c) Deadline for regulations.—Not later than 60 days after the date of the enactment of this Act, the Secretary of Veterans Affairs shall publish regulations to carry out subchapter III of chapter 57 of title 38, United States Code, as added by subsection (a).

SEC. 5. Report on feasibility of using personal identification numbers for identification.

Not later than 180 days after the date of the enactment of this Act, the Secretary of Veterans Affairs shall submit to Congress a report containing the assessment of the Secretary with respect to the feasibility of using personal identification numbers instead of Social Security numbers for the purpose of identifying individuals whose sensitive personal information (as that term is defined in section 5721 of title 38, United States Code, as added by section 4) is processed or maintained by the Secretary.

SEC. 6. Deadline for appointments.

(a) Deadline.—Not later than 180 days after the date of the enactment of this Act—

(1) the President shall nominate an individual to serve as the Under Secretary of Veterans Affairs for Information Services under section 307A of title 38, United States Code, as added by section 3; and

(2) the Secretary of Veterans Affairs shall appoint an individual to serve as each of the Deputy Under Secretaries of Veterans Affairs for Information Services under section 5722 of such title, as added by section 4.

(b) Report.—Not later than 30 days after the date of the enactment of this Act, and every 30 days thereafter until the appointments described in subsection (a) are made, the Secretary of Veterans Affairs shall submit to Congress a report describing the progress of such appointments.

SEC. 7. Information security education assistance program.

(a) Program required.—Title 38, United States Code, is amended by inserting after chapter 78 the following new chapter:


“Sec.

“7901. Programs; purpose.

“7902. Scholarship program.

“7903. Education debt reduction program.

“7904. Preferences in awarding financial assistance.

“7905. Requirement of honorable discharge for veterans receiving assistance.

“7906. Regulations.

“7907. Termination.

§ 7901. Programs; purpose

“(a) In General.—To encourage the recruitment and retention of Department personnel who have the information security skills necessary to meet Department requirements, the Secretary shall carry out programs in accordance with this chapter to provide financial support for education in computer science and electrical and computer engineering at accredited institutions of higher education.

“(b) Types of Programs.—The programs authorized under this chapter are as follows:

“(1) Scholarships for pursuit of doctoral degrees in computer science and electrical and computer engineering at accredited institutions of higher education.

“(2) Education debt reduction for Department personnel who hold doctoral degrees in computer science and electrical and computer engineering at accredited institutions of higher education.

§ 7902. Scholarship program

“(a) Authority.—(1) Subject to the availability of appropriations, the Secretary shall establish a scholarship program under which the Secretary shall, subject to subsection (d), provide financial assistance in accordance with this section to a qualified person—

“(A) who is pursuing a doctoral degree in computer science or electrical or computer engineering at an accredited institution of higher education; and

“(B) who enters into an agreement with the Secretary as described in subsection (b).

“(2)(A) Except as provided under subparagraph (B), the Secretary may provide financial assistance under this section to an individual for up to five years.

“(B) The Secretary may waive the limitation under subparagraph (A) if the Secretary determines that such a waiver is appropriate.

“(3)(A) The Secretary may award up to five scholarships for any academic year to individuals who did not receive assistance under this section for the preceding academic year.

“(B) Not more than one scholarship awarded under subparagraph (A) may be awarded to an individual who is an employee of the Department when the scholarship is awarded.

“(b) Service Agreement for Scholarship Recipients.—(1) To receive financial assistance under this section an individual shall enter into an agreement to accept and continue employment in the Department for the period of obligated service determined under paragraph (2).

“(2) For the purposes of this subsection, the period of obligated service for a recipient of financial assistance under this section shall be the period determined by the Secretary as being appropriate to obtain adequate service in exchange for the financial assistance and otherwise to achieve the goals set forth in section 7901(a) of this title. In no event may the period of service required of a recipient be less than the period equal to two times the total period of pursuit of a degree for which the Secretary agrees to provide the recipient with financial assistance under this section. The period of obligated service is in addition to any other period for which the recipient is obligated to serve on active duty or in the civil service, as the case may be.

“(3) An agreement entered into under this section by a person pursuing an doctoral degree shall include terms that provide the following:

“(A) That the period of obligated service begins on a date after the award of the degree that is determined under the regulations prescribed under section 7906 of this title.

“(B) That the individual will maintain satisfactory academic progress, as determined in accordance with those regulations, and that failure to maintain such progress constitutes grounds for termination of the financial assistance for the individual under this section.

“(C) Any other terms and conditions that the Secretary determines appropriate for carrying out this section.

“(c) Amount of Assistance.—(1) The amount of the financial assistance provided for an individual under this section shall be the amount determined by the Secretary as being necessary to pay—

“(A) the tuition and fees of the individual; and

“(B) $1500 to the individual each month (including a month between academic semesters or terms leading to the degree for which such assistance is provided or during which the individual is not enrolled in a course of education but is pursuing independent research leading to such degree) for books, laboratory expenses, and expenses of room and board.

“(2) In no case may the amount of assistance provided for an individual under this section for an academic year exceed $50,000.

“(3) In no case may the total amount of assistance provided for an individual under this section exceed $200,000.

“(4) Notwithstanding any other provision of law, financial assistance paid an individual under this section shall not be considered as income or resources in determining eligibility for, or the amount of benefits under, any Federal or federally assisted program.

“(d) Repayment for Period of Unserved Obligated Service.—(1) An individual who receives financial assistance under this section shall repay to the Secretary an amount equal to the unearned portion of the financial assistance if the individual fails to satisfy the requirements of the service agreement entered into under subsection (b), except in certain circumstances authorized by the Secretary.

“(2) The Secretary may establish, by regulations, procedures for determining the amount of the repayment required under this subsection and the circumstances under which an exception to the required repayment may be granted.

“(3) An obligation to repay the Secretary under this subsection is, for all purposes, a debt owed the United States. A discharge in bankruptcy under title 11 does not discharge a person from such debt if the discharge order is entered less than five years after the date of the termination of the agreement or contract on which the debt is based.

“(e) Waiver or suspension of compliance.—The Secretary shall prescribe regulations providing for the waiver or suspension of any obligation of an individual for service or payment under this section (or an agreement under this section) whenever noncompliance by the individual is due to circumstances beyond the control of the individual or whenever the Secretary determines that the waiver or suspension of compliance is in the best interest of the United States.

“(f) Internships.—(1) The Secretary may offer a compensated internship to an individual for whom financial assistance is provided under this section during a period between academic semesters or terms leading to the degree for which such assistance is provided. Compensation provided for such an internship shall be in addition to the financial assistance provided under this section.

“(2) An internship under this subsection shall not be counted toward satisfying a period of obligated service under this section.

“(g) Ineligibility of individuals receiving Montgomery GI Bill education assistance payments.—An individual who receives a payment of educational assistance under chapter 30, 31, 32, 34, or 35 of this title or chapter 1606 or 1607 of title 10 for a month in which the individual is enrolled in a course of education leading to a doctoral degree in information security is not eligible to receive financial assistance under this section for that month.

§ 7903. Education debt reduction program

“(a) Authority.—(1) Subject to the availability of appropriations, the Secretary shall establish an education debt reduction program under which the Secretary shall make education debt reduction payments under this section to qualified individuals eligible under subsection (b) for the purpose of reimbursing such individuals for payments by such individuals of principal and interest on loans described in paragraph (2) of that subsection.

“(2)(A) For each fiscal year, the Secretary may accept up to five individuals into the program established under paragraph (1) who did not receive such a payment during the preceding fiscal year.

“(B) Not more than one individual accepted into the program for a fiscal year under subsection (A) shall be a Department employee as of the date on which the individual is accepted into the program.

“(b) Eligibility.—An individual is eligible to participate in the program under this section if the individual—

“(1) has completed a doctoral degree in computer science or electrical or computer engineering at an accredited institution of higher education during the five-year period preceding the date on which the individual is hired;

“(2) is an employee of the Department who serves in a position related to information security (as determined by the Secretary); and

“(3) owes any amount of principal or interest under a loan, the proceeds of which were used by or on behalf of that individual to pay costs relating to a doctoral degree in computer science or electrical or computer engineering at an accredited institution of higher education.

“(c) Amount of assistance.—(1) Subject to paragraph (2), the amount of education debt reduction payments made to an individual under this section may not exceed $82,500 over a total of five years, of which not more than $16,500 of such payments may be made in each year.

“(2) The total amount payable to an individual under this section for any year may not exceed the amount of the principal and interest on loans referred to in subsection (b)(3) that is paid by the individual during such year.

“(d) Payments.—(1) The Secretary shall make education debt reduction payments under this section on an annual basis.

“(2) The Secretary shall make such a payment—

“(A) on the last day of the one-year period beginning on the date on which the individual is accepted into the program established under subsection (a); or

“(B) in the case of an individual who received a payment under this section for the preceding fiscal year, on the last day of the one-year period beginning on the date on which the individual last received such a payment.

“(3) Notwithstanding any other provision of law, education debt reduction payments under this section shall not be considered as income or resources in determining eligibility for, or the amount of benefits under, any Federal or federally assisted program.

“(e) Performance requirement.—The Secretary may make education debt reduction payments to an individual under this section for a year only if the Secretary determines that the individual maintained an acceptable level of performance in the position or positions served by the individual during the year.

“(f) Notification of terms of provision of payments.—The Secretary shall provide to an individual who receives a payment under this section notice in writing of the terms and conditions that apply to such a payment.

“(g) Covered costs.—For purposes of subsection (b)(3), costs relating to a course of education or training include—

“(1) tuition expenses; and

“(2) all other reasonable educational expenses, including fees, books, and laboratory expenses;

§ 7904. Preferences in awarding financial assistance

“In awarding financial assistance under this chapter, the Secretary shall give a preference to qualified individuals who are otherwise eligible to receive the financial assistance in the following order of priority:

“(1) Veterans with service-connected disabilities.

“(2) Veterans.

“(3) Persons described in section 4215(a)(B) of this title.

“(4) Individuals who received or are pursuing degrees at institutions designated by the National Security Agency as Centers of Academic Excellence in Information Assurance Education.

“(5) Citizens of the United States.

§ 7905. Requirement of honorable discharge for veterans receiving assistance

“No veteran shall receive financial assistance under this chapter unless the veteran was discharged from the Armed Forces under honorable conditions.

§ 7906. Regulations

“The Secretary shall prescribe regulations for the administration of this chapter.

§ 7907. Termination

“The authority of the Secretary to make a payment under this chapter shall terminate on July 31, 2017.”.

(b) GAO report.—Not later than three years after the date of the enactment of this Act, the Comptroller General shall submit to Congress a report on the scholarship and education debt reduction programs under chapter 79 of title 38, United States Code, as added by subsection (a).

(c) Applicability of scholarships.—Section 7902 of title 38, United States Code, as added by subsection (a), shall apply with respect to financial assistance provided for an academic semester or term that begins on or after August 1, 2007.

(d) Clerical amendment.—The tables of chapters at the beginning of such title, and at the beginning of part V of such title, are amended by inserting after the item relating to chapter 78 the following new item:

“79. Information Security Education Assistance Program ....... 7901”.

Passed the House of Representatives September 26, 2006.

Attest: Karen L. Haas,
Clerk.