Calendar No. 549
107th Congress Report
SENATE
2d Session 107-239
_______________________________________________________________________
CYBER SECURITY RESEARCH AND DEVELOPMENT ACT
__________
R E P O R T
OF THE
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
on
S. 2182
August 1, 2002.--Ordered to be printed
__________
U.S. GOVERNMENT PRINTING OFFICE
99-010 WASHINGTON : 2002
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
One Hundred Seventh Congress
Second Session
ERNEST F. HOLLINGS, South Carolina, Chairman
DANIEL K. INOUYE, Hawaii                   JOHN McCAIN, Arizona
JOHN D. ROCKEFELLER IV, West Virginia      TED STEVENS, Alaska
JOHN F. KERRY, Massachusetts               CONRAD BURNS, Montana
JOHN B. BREAUX, Louisiana                  TRENT LOTT, Mississippi
BYRON L. DORGAN, North Dakota              KAY BAILEY HUTCHISON, Texas
RON WYDEN, Oregon                          OLYMPIA J. SNOWE, Maine
MAX CLELAND, Georgia                       SAM BROWNBACK, Kansas
BARBARA BOXER, California                  GORDON SMITH, Oregon
JOHN EDWARDS, North Carolina               PETER G. FITZGERALD, Illinois
JEAN CARNAHAN, Missouri                    JOHN ENSIGN, Nevada
BILL NELSON, Florida                       GEORGE ALLEN, Virginia
Kevin D. Kayes, Staff Director
Moses Boyd, Chief Counsel
Gregg Elias, General Counsel
Jeanne Bumpus, Republican Staff Director and General Counsel
Ann Begeman, Republican Deputy Staff Director
Mr. Hollings, from the Committee on Commerce, Science, and
Transportation, submitted the following
R E P O R T
[To accompany S. 2182]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 2182) to authorize funding for
computer and network security research and development and
research fellowship programs, and for other purposes, having
considered the same, reports favorably thereon with an
amendment in the nature of a substitute and recommends that the
bill, as amended, do pass.
Purpose of the Bill
The purpose of the bill, as reported, is to establish and
authorize funding for programs at the National Science
Foundation (NSF) and the National Institute of Standards and
Technology (NIST) and to better coordinate information
technology security research among government, industry and
academia.
Background and Needs
With the advent of high-speed access to the Internet,
computer networks are growing in size and complexity, creating
new opportunities for those who would mount malicious computer
attacks. At the same time, computer hacking is no longer the
sole realm of computer geniuses. Instructions (known as
scripts) for exploiting vulnerabilities of computer systems are
widely available to anyone with access to the Internet. In some
cases, all that is needed to launch an attack is a website
address. Moreover, while some vulnerabilities are well known,
the companies and individuals who own computers connected to
the Internet do not always fix (or ``patch'') obvious security
holes, even when the ``patch'' is free and easy to install.
Computer attacks not only threaten the integrity of systems
and data connected to the Internet, but also have the effect of
undermining public trust in Internet-based electronic commerce,
potentially hindering its further development and adoption. If
Internet usage is to continue its growth, businesses and
consumers must have confidence in the security of their
information and the identity of the person or company with whom
they are engaging in commerce or conversation. The threat of
malicious hacking--and media coverage of high profile computer
attacks--has the potential to disturb that trust and the future
growth of the Internet and electronic commerce.
It is not just our economic security that is vulnerable to
cyber attack. Critical infrastructures, which are increasingly
reliant on the Internet for exchange of data and control
functions, also are highly susceptible. For example, the
systems that control floodgates for dams or distribution of
power are accessible via the Internet. Additionally, the
potential threat from terrorist hackers (cyber terrorists) to
the Federal government's strategic military systems is real.
Security experts note that Department of Defense systems face
daily attacks, many of which originate on foreign-based
computers.
Despite these enormous challenges, however, the United
States has failed to conduct an adequate program of world-
class, basic research needed to address cyber security needs.
While a number of information technology companies support
research and development (R&D) on network security,
inadequacies in our security arsenal cannot be addressed solely
through short-term industry-based applied research. Industry
relies heavily on the fundamental research supported by the
Federal government and the training of future researchers,
including computer scientists, mathematicians, and many others,
that Federally funded research programs support.
Unfortunately, with the possible exception of encryption-
related research, cyber security research is under-funded, and
basic research into the fundamental technological cyber
security challenges is not sufficient to support the Nation's
needs. Many experts believe that because of these historic
funding patterns, there is a severe shortage of researchers in
the country with the experience and expertise needed to conduct
cutting-edge research in cyber security. For example, experts
estimate that there are currently only a total of 45 to 75
cyber security researchers nationwide, compared to 60 or more
faculty members per computer science department at typical
United States research universities.
This shortage of personnel is not merely a problem for the
academic and research community. Federal agencies are finding
it increasingly difficult to recruit and hire professional
staff with the knowledge and experience needed to analyze risks
and manage and secure their own computer networks.
S. 2182 would substantially increase the government's
commitment to cyber security research and development by
creating a broad program of cyber security R&D at NSF and NIST.
The program would support R&D, student scholarships, improved
faculty development, and upgrades of networks and facilities. A
broad range of institutions would be able to participate,
including institutions of higher education (as well as
consortia thereof and community colleges), non-profits,
governmental laboratories, and private industry.
Legislative History
On July 16, 2001, and April 24, 2002, the Subcommittee on
Science, Technology, and Space conducted hearings on cyber
security. At the July 16, 2001, hearing entitled ``Holes in the
Net: Security Risk and the E-Consumer,'' witnesses included:
Dr. Vinton G. Cerf, Senior Vice President, Internet
Architecture and Technology, WorldCom; Mr. Harris N. Miller,
President, Information Technology Association of America; and
Mr. Bruce Schneier, Chief Technical Officer, Counterpane
Internet Security, Inc. At the April 24, 2002, hearing,
entitled ``Homeland Security and the Technology Sector,'' which
focused on both S. 2182 and S. 2037, witnesses included: The
Honorable Sherwood Boehlert, Chairman of the House Science
Committee; Dr. George Strawn, Acting Assistant Director for
Computer Information Science and Engineering at the National
Science Foundation; Dr. Lance Hoffman, Department of Computer
Science, George Washington University; Mr. W. Wyatt Starnes,
President and Chief Executive Officer, Tripwire, Inc.; and Mr.
Ronil Hira, Chairman of the Research and Development Policy
Committee of the Institute of Electrical and Electronics
Engineers.
On April 17, 2002, Senator Wyden, Chairman of the
Subcommittee on Science, Technology, and Space, introduced S.
2182, the Cyber Security Research and Development Act.
On May 17, 2002, the Committee met in open executive
session and, by a voice vote, ordered S. 2182 to be reported
with a substitute amendment offered by Senator Wyden and
Senator Edwards. The substitute included provisions from
Senator Edwards's cyber security bills, S. 1900 and S. 1901,
dealing with: (1) the establishment of an NSF program of
forgivable loans to doctoral students in cyber security who
agree to teach for 5 years; and (2) the development of
information security benchmarks by NIST which will be
implemented by Federal agencies. In addition, the substitute
included provisions to enhance ethnic and racial diversity as a
goal in NSF's new cyber security programs. The substitute also
contained provisions to raise the profile of NIST's Computer
Security Division to allow for cost sharing of new NIST grants,
and to allow for a discretionary Director's Fund to permit NIST
to fund promising projects in a more expeditious manner.
On February 7, 2002, the House of Representatives passed
the companion measure to S. 2182, H.R. 3394, which was
subsequently received in the Senate and referred to the
Committee.
Summary of Major Provisions
AUTHORIZATION OF APPROPRIATIONS
S. 2182, as reported, would authorize appropriations to NSF
and NIST for cyber security R&D. A total of $126.56 million
would be authorized to be appropriated in fiscal year (FY)
2003, increasing to $249.05 million by FY 2007, for a 5-year
total of $978.65 million.
NSF PROGRAMS
At the NSF, S. 2182, as reported, would establish and
authorize: (1) merit-based grants in cyber security that would
support innovative approaches from individual researchers to
enhance cyber security; (2) Centers for Computer and Network
Security Research, which would generate innovative approaches
to computer security by conducting cutting-edge, multi-
disciplinary research; (3) capacity building grants to
institutions to improve their undergraduate or master's cyber
security programs; (4) grants to improve cyber security
education at community colleges as part of NSF's existing
program pursuant to the Scientific and Advanced Technology Act
of 1992, (46 U.S.C. 1862i); (5) graduate traineeships in
computer and network security, which are merit-based grants to
institutions to award fellowships to students pursuing cyber
security doctoral degrees; (6) the inclusion of cyber security
as an approved field of specialization supported by the
Graduate Research Fellowships Program established under section
10 of NSF's Organic Act (42 U.S.C. 1869); and (7) a cyber
security faculty development program to award merit-based
grants to institutions that would award fellowships, in the
form of loans, to students pursuing cyber security doctoral
degrees, where 20 percent of the loan would be forgiven for
each year the fellow remains a full time faculty professor in
the cyber security field upon graduation.
NIST PROGRAMS
At NIST, S. 2182, as reported, would establish and
authorize: (1) grants to colleges and universities that partner
with for-profit entities to support long-term cyber security
research; (2) research fellowships for post-doctoral students
in cyber security, information technology, or related fields
wishing to transfer into the cyber security field; (3)
development of benchmark cyber security standards for Federal
agencies; and (4) establishment of an Office for Information
Security Programs, headed by a Director who reports directly to
the NIST Director.
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
U.S. Congress,
Congressional Budget Office,
Washington, DC, May 28, 2002.
Hon. Ernest F. Hollings,
Chairman, Committee on Commerce, Science, and Transportation,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S.2182, the Cyber
Security Research and Development Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Kathleen
Gramp and Ken Johnson.
Sincerely,
Barry B. Anderson
(For Dan L. Crippen, Director).
Enclosure.
Congressional Budget Office Cost Estimate
S. 2182--Cyber Security Research and Development Act
Summary: S. 2182 would authorize appropriations for
several research initiatives related to computer security at
two agencies--the National Science Foundation (NSF) and the
National Institute of Standards and Technology (NIST). The bill
would establish the terms and conditions for awarding grants,
fellowships, cooperative agreements, and loans for certain
doctoral fellowships related to computer security, and would
authorize NIST to conduct similar research at its laboratories.
It would authorize the appropriation of $978 million over the
2002-2007 period for these activities. This total would include
funding for the ongoing activities of the Computer System
Security and Privacy Advisory Board and a study by the National
Academy of Sciences on the vulnerability of the nation's computer
network infrastructure.
Assuming appropriation of the specified amounts, CBO
estimates that implementing this bill would cost $671 million
over the 2002-2007 period. The bill would not affect direct
spending or receipts; therefore, pay-as-you-go procedures would
not apply.
S. 2182 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act (UMRA)
and would impose no costs on state, local, or tribal
governments.
Estimated cost to the Federal Government: The estimated
budgetary impact of S. 2182 is shown in the following table.
The costs of this legislation fall within budget functions 250
(general science, space, and technology) and 370 (commerce and
housing credit).
----------------------------------------------------------------------------------------------------------------
                                                                 By fiscal year, in millions of dollars--
                                                        ------------------------------------------------------
                                                             2002     2003     2004     2005     2006     2007
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION
National Science Foundation: \1\
    Authorization Level.................................        0       78      110      128      134      142
    Estimated Outlays...................................        0       15       58       93      114      125
National Institute of Standards and Technology: \2\
    Authorization Level.................................        2       47       62       76       92      107
    Estimated Outlays...................................        0       23       37       53       69       84
Total Changes:
    Authorization Level.................................        2      125      172      204      226      249
    Estimated Outlays...................................        0       38       95      146      183      209
----------------------------------------------------------------------------------------------------------------
\1\ NSF has a total appropriation of $4.9 billion in 2002.
\2\ Thus far, NIST has a total appropriation of $680 million in 2002.
Basis of estimate: S. 2182 would authorize the
appropriation of $592 million for NSF and $386 million for NIST
over the 2002-2007 period for these agencies to carry out a
variety of grant, fellowship, loan, and other programs related
to research on computer security. Based on the spending
patterns of similar NSF and NIST programs, CBO estimates that
implementing the bill would cost NSF about $405 million and
NIST about $266 million over the 2002-2007 period, assuming the
appropriation of the authorized amounts. For this estimate, CBO
assumes that funds will be appropriated near the beginning of
each fiscal year, with the exception of the $2 million
authorization for NIST in 2002 (which we assume will be
provided this summer).
CBO expects that the doctoral fellowships authorized by
this bill would be treated as direct loans and would be subject
to credit reform procedures. S. 2182 would require that such
fellowships be repaid but would forgive specified amounts if
the recipient is employed as a full-time faculty member. For
this estimate, CBO assumes that NSF would use the $5 million
authorized annually for these fellowships to cover the subsidy
cost of such loans.
Pay-as-you-go considerations: None.
Estimated impact on state, local, and tribal governments:
S. 2182 contains no intergovernmental mandates as defined in
UMRA and would impose no costs on state, local, or tribal
governments. The bill would benefit public universities by
authorizing the appropriation of $978 million, much of which
would be for grant programs to institutions of higher
education, including public universities, for a number of
projects aimed at improving computer and network security. Any
costs incurred by public universities would be voluntary.
Estimated impact on the private sector: This bill contains
no new private-sector mandates as defined in UMRA.
Previous CBO estimate: On December 17, 2001, CBO
transmitted a cost estimate for H.R. 3394, the Cyber Security
Research and Development Act, as ordered reported by the House
Committee on Science on December 6, 2001. H.R. 3394 is very
similar to S. 2182, although H.R. 3394 would authorize the
appropriation of $878 million over the 2002-2007 period. CBO
estimated that implementing H.R. 3394 would cost $420 million
during the 2002-2006 period, assuming the appropriation of the
necessary amounts.
Estimate prepared by: Federal costs: Kathleen Gramp (NSF)
and Ken Johnson (NIST); impact on state, local, and tribal
governments: Elyse Goldman; impact on the private sector: Cecil
McPherson.
Estimate approved by: Peter H. Fontaine, Deputy Assistant
Director for Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
NUMBER OF PERSONS COVERED
The Committee believes that the bill would not subject any
individuals or businesses affected by the legislation to any
additional regulation. Neither NSF nor NIST is a regulatory
agency; therefore they have no regulatory authority. Section
8(c) of the bill would require NIST to adopt Federal agency
benchmark security standards to be implemented by Federal
civilian agencies. The standards would not directly impose any
requirements on individuals or businesses to further
regulation.
ECONOMIC IMPACT
This legislation would not have an adverse economic impact
on the Nation. It would authorize significant funding for
research and development in computer and information security,
promoting sustained economic growth through better protection
of our critical infrastructures that have become increasingly
dependent on electronic networks. In addition, this legislation
would significantly enhance the growth and development of the
computer and information security field in this country.
PRIVACY
S. 2182 would not have a negative impact on the personal
privacy of individuals. The purpose of this legislation is to
support research and development in information security, which
should lead to increased protection for personal data stored on
computer networks.
PAPERWORK
This legislation would not increase paperwork requirements
for private individuals or businesses. It would require four
Federal reports: (1) within 180 days of enactment, the Director
of NIST must submit a report to the Senate Committee on
Commerce, Science, and Transportation, the House Committee on
Science, and the House and Senate Appropriations Committees
identifying specific Federal agency benchmark security
standards that should be developed over the following 12 month
period, and recommending, in consultation with the Office of
Management and Budget any additional funding that may be
necessary; (2) not later than 1 year after the date of the
report referred to above, the Director of NIST, in consultation
with appropriate public and private entities, must submit a
follow-up report containing recommendations for specific,
reasonable Federal agency benchmark security standards to the
Secretary of Commerce and the Chairman of the Federal Chief
Information Officers (CIOs) Council. The Director of NIST shall
review the recommended standards not less than once every 6
months and update such standards or issue new standards as
necessary. The Director is not prohibited from updating any
portion of such recommended standards more frequently if
circumstances so require. The Secretary of Commerce shall
widely disseminate the report, along with any updates; (3) not
later than 36 months after the date of enactment, the Chairman
of the Federal CIOs Council must submit a report to Congress
describing the status of, costs associated with, and barriers
to implementation of the Federal agency benchmark security
standards at each agency/department of the government; and (4)
within 3 months after the date of enactment, NIST must arrange
for the National Academy of Sciences to conduct a study to
examine the impact of requiring Federal agencies to implement
benchmark security standards on national cyber security
preparedness. NIST would be directed to transmit the report
containing the results of the study to Congress not later than
21 months after the date of enactment of this Act.
S. 2182, as reported, would also require the Chairman of
the Federal CIOs Council to provide to the NIST Director a
classified list of current Federal government security
standards not later than 90 days after the date of enactment.
Section-by-Section Analysis
Section 1. Short title
Section 1 would give the short title of the bill, the
``Cyber Security Research and Development Act.''
Section 2. Findings
Section 2 presents the findings concerning: the
interdependent nature of critical infrastructures brought about
by advancements in computing and communications technology; the
increased consequences of failure of communications and
computer systems stemming from exponential increases in
interconnectivity; the Nation's lack of preparedness for a
coordinated cyber and physical attack; the shortage of
outstanding researchers in the field of cyber security; the
lack of coordination among government, academia, and industry
for computer security; the need to significantly increase the
Federal investment in computer and network security research
and development; and the level of minority participation in the
United States computer and information science workforce.
Section 3. Definitions
Section 3 includes the following definitions: (1) the term
``Director'' means the Director of the National Science
Foundation (NSF), except in section 8 where it refers to the
Director of the National Institute for Standards and Technology
(NIST); (2) the term ``institution of higher education'' is
given the meaning found in the Higher Education Act of 1965;
and (3) ``Federal agency benchmark security standards'' means a
baseline minimum security configuration for specific computer
hardware or software components, an operational procedure or
practice, or organizational structure that increases the
security of the information technology assets of an agency or
department of the Federal government.
Section 4. National Science Foundation research
Section 4(a) would establish an NSF program to award merit-
reviewed, competitively based grants for basic research on
innovative approaches to enhance computer security. Research
areas include authentication and cryptography; computer
forensics and intrusion detection; reliability of computer and
network applications, middleware, operating systems, and
communications infrastructure; privacy and confidentiality;
network security architecture, including tools for security
administration and analysis such as firewall technology;
emerging threats, including malicious such as viruses and
worms; vulnerability assessments; operations and control
systems management; management of interoperable digital
certificates or digital watermarking; and remote access and
wireless security. This subsection would also authorize
appropriations of $35 million for FY 2003, $40 million for FY 2004, $46
million for FY 2005, $52 million for FY 2006, and $60 million for FY
2007.
Section 4(b) would establish an NSF program to award multi-
year grants to institutions of higher education (or consortia
thereof) to establish multidisciplinary Centers for Computer
and Network Security Research. Institutions (or consortia)
receiving grants may partner with one or more government
laboratories or for-profit institutions. Applications for these
grants would be reviewed on the basis of the ability of the
institution (or consortium) to generate innovative approaches
to computer and network security research; the applicant's
experience in conducting research on computer and network
security and capacity to foster new multi-discipline
collaborations; the applicant's support for students pursuing
research in computer and network security; and the extent to
which government laboratories or industry partners will
participate in the Center's research activities. This
subsection would require the Director to convene an annual
meeting of Centers to foster greater collaboration and
communication. Appropriations of $12 million for FY 2003, $24
million for FY 2004, $36 million for FY 2005, $36 million for
FY 2006, and $36 million for FY 2007 would be authorized.
Section 5. National Science Foundation Computer and Network Security
programs
Section 5(a) (capacity building) would establish a
competitive, merit-based NSF program to award grants to
institutions of higher education (or consortia thereof) to
create or improve undergraduate and master's degree programs in
computer security. Grants would be used for purposes including
curriculum development, equipment acquisition, faculty
enhancement, and the establishment of a student internship
program in government or industry. Applicants must describe the
plan for building increased capacity in computer and network
security, must articulate the roles and responsibilities of
each partnering institution or collaborative group, and must
provide evidence of high potential for success in educating and
placing students in relevant jobs or graduate programs. The
Director would be required to evaluate the impact of the
program on increasing the quality and quantity of computer and
network security professionals not later than 5 years after
establishment. The program would authorize $15 million for FY
2003 and $20 million for each of fiscal years 2004-2007.
Section 5(b) would expand NSF's existing program for
community colleges (established by the Scientific and Advanced
Technology Act of 1992, P.L. 102-476) to include grants to
improve education in fields related to computer and network
security. It would authorize $1 million for FY 2003 and $1.25
million for each of fiscal years 2004-2007.
Section 5(c) (Graduate Traineeships in Computer and Network
Security Research) would establish a competitive, merit-based
NSF program to award grants to institutions of higher education
to establish traineeship programs for graduate students
pursuing studies in computer and network security research
leading to a doctorate degree. Grant funds would be used to
support student fellowships of at least $25,000 per year to pay
student tuition and fees, and to support students in scientific
internship programs. Appropriations of $10 million for FY 2003,
and $20 million for each of fiscal years 2004-2007 would be
authorized.
Section 5(d) would direct NSF to include computer and network
security as an approved field of specialization under its
current Graduate Research Fellowships program.
Section 5(e) (Cyber Security Faculty Development Fellowship
Program) would establish an NSF program to award grants to
institutions of higher learning to establish traineeship
programs to enable graduate students to pursue academic careers
in cyber security upon completion of doctoral degrees. Funds
received by an institution would be made available to fellows,
in the form of loans, for up to 5 years on a merit-reviewed,
competitive basis to cover tuition and fees for doctoral study
and a $25,000 per year stipend. Loans would be forgiven at 20%
for each year the fellow is employed as a full-time faculty
member at an institution, thereby forgiving the loan in total
if the fellow teaches for 5 years. Appropriations of $5 million
per year for fiscal years 2003-2007 would be authorized.
Section 6. Consultation
Section 6 would require the NSF Director to consult with
other Federal agencies in carrying out the programs described
in Sections 4 and 5.
Section 7. Fostering research and education in computer and network
security
Section 7 of the bill would amend the National Science
Foundation Act of 1950 to require NSF to take a leading role in
fostering and supporting research and education in computer and
network security.
Section 8. National Institute of Standards and Technology research
program
Section 8(a) would amend the National Institute of Standards
and Technology Act by creating a new section 22 to establish a
program that provides assistance to institutions of higher
education that partner with for-profit entities to support
multidisciplinary, long-term research to improve the security
of computer systems. Partnerships may also include government
laboratories.
The new section 22(b) would authorize the NIST Director to
award research fellowships to post-doctoral researchers engaged
in computer security research and to senior researchers who
wish to transition from other research fields to computer
security research. The new section 22(c) would authorize the
Director to award grants or cooperative agreements and would
set forth applicant eligibility requirements.
The new section 22(d) would require cost-sharing (up to 50%)
by the for-profit entities pursuant to a sliding scale, with
the least amount required for projects that will be broadly
applicable and widely shared. The new section 22(e) would
instruct the NIST Director to select program managers who are
responsible for establishing the research goals for the
program, soliciting applications for specific research projects
to address these goals, and selecting research projects for
funding. The new section 22(f) would give the NIST Director the
responsibility of reviewing, periodically, the portfolio of
research awards in consultation with NIST's existing Computer
System Security and Privacy Advisory Board. The Director would
also be instructed to contract with the National
Research Council to conduct a formal review of the program during its
fifth year and to submit a report of this review to Congress no later
than 6 years after the initiation of the program.
Section 8(b) would amend the definition of Computer System by
amending Section 20(d)(1)(B)(i) of the NIST Act to read
``computers and computer networks.''
Section 8(c)(1) would require the Director of NIST to submit
a report to the Senate Committee on Commerce, Science, and
Transportation; the House Committee on Science; and the House
and Senate Appropriations Committees, not later than 180 days
after enactment of this Act, identifying specific Federal
agency benchmark security standards that should be developed by
NIST over the following 12 month period, and recommending (in
consultation with the Office of Management and Budget (OMB))
any additional funding authorization that may be necessary.
Section 8(c)(2) would require NIST to submit a follow-up
report selecting and adopting Federal agency benchmark security
standards. The Director of NIST, in consultation with
appropriate public and private entities, must submit the report
to the Secretary of Commerce and the Chairman of the Federal
CIOs Council not later than 1 year after the date of the report
issued in section 8(c)(1). The Director shall review these
standards not less than once every 6 months, and update such
standards or issue new standards as necessary. Nothing in this
title shall prohibit the Director from updating any portion of
such recommended standards more frequently if it is determined
that circumstances so require. The Secretary of Commerce would
widely disseminate the report and any updates. Section 8(c)(3)
would require civilian departments and agencies to implement
the standards recommended by the report not later than 90 days
after the date of the report. The Committee understands
civilian agencies to be those agencies not excluded under
section 20 of the NIST Organic Act. Updates must be similarly
implemented not later than 30 days. To facilitate NIST's duties
under this section, not later than 90 days after the enactment
of this Act, the Chairman of the Federal CIOs Council shall
provide to the NIST Director a classified list of the current
Federal government security standards. Appropriations are
authorized for activities under this subsection of $15 million
per year for fiscal years 2003-2007.
Section 8(d) would require two reports to Congress. Within 36
months after the date of enactment, the Chairman of the Federal
CIOs Council is directed to submit a report to Congress
describing the status of, costs associated with, and barriers
to implementation and recommendations for overcoming such
barriers of the Federal agency benchmark security standards at
each department and agency of the Federal government. Not later
than 3 months after the date of enactment, NIST would arrange
for the National Academy of Sciences to conduct a study
analyzing the effect of implementation of Federal agency
benchmark security standards on the state of national cyber
security preparedness. Appropriations of $800,000 would be
authorized for this report.
Section 8(e) would amend the National Institute of Standards
and Technology Act to establish an Office for Information
Security Programs. The Computer Security Division already
exists at NIST; this subsection renames that office and
elevates Information Security Programs to be on par with NIST's
other laboratories with a Director reporting to the Director of
NIST.
Section 9. Computer security review, public meetings, and information
This section would authorize funding ($1,060,000 for FY 2003
and $1,090,000 for FY 2004) to enable NIST's Computer System
Security and Privacy Advisory Board to identify emerging
issues, including research needs related to computer security,
privacy, and cryptography and, as appropriate, to convene
public meetings on those subjects, receive presentations, and
generate reports for public distribution.
Section 10. Intramural security research
Section 10 would amend the National Institute of Standards
and Technology Act to authorize NIST to pursue, as part of the
agency's in-house research program, research related to
computer security, including the development of emerging
technologies to ensure security of networked systems assembled
from components, improved security of real-time computing and
communications systems used in industrial and critical
infrastructure operations, and multidisciplinary, high-risk,
long-term research on ways to improve security of computer
systems.
Section 11. Authorization of appropriations
This section would authorize appropriations for sections 8
and 10 of the bill. For the research programs in section 8, it
would authorize $25 million for FY 2003, $40 million for FY
2004, $55 million for FY 2005, $70 million for FY 2006, and $85
million for FY 2007. For section 10, it would authorize $6
million for FY 2003, $6.2 million for FY 2004, $6.4 million for
FY 2005, $6.6 million for FY 2006, and $6.8 million for FY
2007.
Section 12. National Academy of Sciences Study on Computer and Network
Security in Critical Infrastructures
Section 12 would authorize the Director of NIST to enter into
an agreement with the National Research Council to conduct a
study of the vulnerabilities of the nation's critical
infrastructure networks and make recommendations for
appropriate improvements not later than 3 months after the date
of enactment of the Act. The study would require the NRC to
review existing data to identify gaps in the security of
critical infrastructure networks, make recommendations for
research priorities to address these gaps, and review the
security of network-related infrastructure including industrial
process controls. A report of the study results is to be
submitted to Congress. For the purpose of carrying out the
study, $700,000 is authorized.
Section 13
This section would give the Office of Science and Technology
Policy (OSTP) the responsibility to coordinate Federal cyber
security R&D, and ensure consultation with the Office of
Homeland Security, the President's Critical Infrastructure
Protection Board, and other relevant agencies. This section
also would encourage OSTP to promote cooperation between the
Federal government, academia, and private industry.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
material is printed in italic, existing law in which no change
is proposed is shown in roman):
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
COMPUTERS STANDARDS PROGRAM.
[15 U.S.C. 278G-3]
Sec. 20. (a) Development of Standards, Guidelines, Methods,
and Techniques for Computer Systems.--The Institute shall--
(1) have the mission of developing standards,
guidelines, and associated methods and techniques for
computer systems;
(2) except as described in paragraph (3) of this
subsection (relating to security standards), develop
uniform standards and guidelines for Federal computer
systems, except those systems excluded by section 2315
of title 10, United States Code, or section 3502(9) of
title 44, United States Code;
(3) have responsibility within the Federal Government
for developing technical, management, physical, and
administrative standards and guidelines for the cost-
effective security and privacy of sensitive information
in Federal computer systems except--
(A) those systems excluded by section 2315 of
title 10, United States Code, or section
3502(9) of title 44, United States Code; and
(B) those systems which are protected at all
times by procedures established for information
which has been specifically authorized under
criteria established by an Executive order or
an Act of Congress to be kept secret in the
interest of national defense or foreign policy,
the primary purpose of which standards and
guidelines shall be to control loss and
unauthorized modification or disclosure of
sensitive information in such systems and to
prevent computer-related fraud and misuse;
(4) submit standards and guidelines developed
pursuant to paragraphs (2) and (3) of this subsection,
along with recommendations as to the extent to which
these should be made compulsory and binding, to the
Secretary of Commerce for promulgation under section
5131 of the Clinger-Cohen Act of 1996;
(5) develop guidelines for use by operators of
Federal computer systems that contain sensitive
information in training their employees in security
awareness and accepted security practice, as required
by section 5 of the Computer Security Act of 1987; and
(6) develop validation procedures for, and evaluate
the effectiveness of, standards and guidelines
developed pursuant to paragraphs (1), (2), and (3) of
this subsection through research and liaison with other
government and private agencies.
(b) Technical Assistance and Implementation of Standards
Developed.--In fulfilling subsection (a) of this section, the
Institute is authorized--
(1) to assist the private sector, upon request, in
using and applying the results of the programs and
activities under this section;
(2) as requested, to provide to operators of Federal
computer systems technical assistance in implementing
the standards and guidelines promulgated pursuant to
section 5131 of the Clinger-Cohen Act of 1996;
(3) to assist, as appropriate, the Office of
Personnel Management in developing regulations
pertaining to training, as required by section 5 of the
Computer Security Act of 1987;
(4) to perform research and to conduct studies, as
needed, to determine the nature and extent of the
vulnerabilities of, and to devise techniques for the
cost-effective security and privacy of sensitive
information in Federal computer systems; and
(5) to coordinate closely with other agencies and
offices (including, but not limited to, the Departments
of Defense and Energy, the National Security Agency,
the General Accounting Office, the Office of Technology
Assessment, and the Office of Management and Budget)--
(A) to assure maximum use of all existing and
planned programs, materials, studies, and
reports relating to computer systems security
and privacy, in order to avoid unnecessary and
costly duplication of effort; and
(B) to assure, to the maximum extent
feasible, that standards developed pursuant to
subsection (a)(3) and (5) are consistent and
compatible with standards and procedures
developed for the protection of information in
Federal computer systems which is authorized
under criteria established by Executive order
or an Act of Congress to be kept secret in the
interest of national defense or foreign policy.
(c) Protection of Sensitive Information.--For the purposes
of--
(1) developing standards and guidelines for the
protection of sensitive information in Federal computer
systems under subsections (a)(1) and (a)(3), and
(2) performing research and conducting studies under
subsection (b)(5), the Institute shall draw upon
computer system technical security guidelines developed
by the National Security Agency to the extent that the
National Bureau of Standards determines that such
guidelines are consistent with the requirements for
protecting sensitive information in Federal computer
systems.
(d) Establishment of an Office for Information Security
Programs.--
(1) In general.--There is established in the
Institute an Office for Information Security
Programs.
(2) Head.--The Office for Information
Security Programs shall be headed by a
Director, who shall be a senior executive and
shall be compensated at a level in the Senior
Executive Service under section 5382 of title
5, United States Code, as determined by the
Secretary of Commerce.
(3) Function.--The Director of the Institute
shall delegate to the Director of the Office of
Information Security Programs the authority to
administer all functions under this section,
except that any such delegation shall not
relieve the Director of the Institute of
responsibility for the administration of such
functions. The Director of the Office of
Information Security Programs shall serve as
principal adviser to the Director of the
Institute on all functions under this section.
[(d)] (e) Definitions.--As used in this section--
(1) the term ``computer system''--
(A) means any equipment or interconnected
system or subsystems of equipment that is used
in the automatic acquisition, storage,
manipulation, management, movement, control,
display, switching, interchange, transmission,
or reception, of data or information; and
(B) includes--
[(i) computers;] (i) computers and
computer networks;
(ii) ancillary equipment;
(iii) software, firmware, and similar
procedures;
(iv) services, including support
services; and
(v) related resources;
(2) the term ``Federal computer system'' means a
computer system operated by a Federal agency or by a
contractor of a Federal agency or other organization
that processes information (using a computer system) on
behalf of the Federal Government to accomplish a
Federal function;
(3) the term ``operator of a Federal computer
system'' means a Federal agency, contractor of a
Federal agency, or other organization that processes
information using a computer system on behalf of the
Federal Government to accomplish a Federal function;
(4) the term ``sensitive information'' means any
information, the loss, misuse, or unauthorized access
to or modification of which could adversely affect the
national interest or the conduct of Federal programs,
or the privacy to which individuals are entitled under
section 552a of title 5, United States Code (the
Privacy Act), but which has not been specifically
authorized under criteria established by an Executive
order or an Act of Congress to be kept secret in the
interest of national defense or foreign policy; and
(5) the term ``Federal agency'' has the meaning given
such term by section 3(b) of the Federal Property and
Administrative Services Act of 1949.
(f) Intramural Security Research.--As part of the research
activities conducted in accordance with subsection (b)(4), the
Institute shall--
(1) conduct a research program to address emerging
technologies associated with assembling a networked
computer system from components while ensuring it
maintains desired security properties;
(2) carry out research associated with improving the
security of real-time computing and communications
systems for use in process control; and
(3) carry out multidisciplinary, long-term, high-risk
research on ways to improve the security of computer
systems.
(g) Authorization of Appropriations.--There are authorized to
be appropriated to the Secretary $1,060,000 for fiscal year
2003 and $1,090,000 for fiscal year 2004 to enable the Computer
System Security and Privacy Advisory Board, established by
section 21, to identify emerging issues, including research
needs, related to computer security, privacy, and cryptography
and, as appropriate, to convene public meetings on those
subjects, receive presentations, and publish reports, digests,
and summaries for public distribution on those subjects.
* * * * * * *
RESEARCH PROGRAM ON SECURITY OF COMPUTER SYSTEMS
Sec. 22. (a) Establishment.--The Director, through the
Director of the Office for Information Security Programs, shall
establish a program of assistance to institutions of higher
education that enter into partnerships with for-profit entities
to support research to improve the security of computer
systems. The partnerships may also include government
laboratories. The program shall--
(1) include multidisciplinary, long-term research;
(2) include research directed toward addressing needs
identified through the activities of the Computer
System Security and Privacy Advisory Board under
section 20(f); and
(3) promote the development of a robust research
community working at the leading edge of knowledge in
subject areas relevant to the security of computer
systems by providing support for graduate students,
post-doctoral researchers, and senior researchers.
(b) Fellowships.--
(1) In general.--The Director is authorized to
establish a program to award post-doctoral research
fellowships to individuals who are citizens, nationals,
or lawfully admitted permanent resident aliens of the
United States and are seeking research positions at
institutions, including the Institute, engaged in
research activities related to the security of computer
systems, including the research areas described in
section 4(a)(1) of the Cyber Security Research and
Development Act.
(2) Senior research fellowships.--The Director is
authorized to establish a program to award senior
research fellowships to individuals seeking research
positions at institutions, including the Institute,
engaged in research activities related to the security
of computer systems, including the research areas
described in section 4(a)(1) of the Cyber Security
Research and Development Act. Senior research
fellowships shall be made available for established
researchers at institutions of higher education who
seek to change research fields and pursue studies
related to the security of computer systems.
(3) Eligibility.--
(A) In general.--To be eligible for an award
under this subsection, an individual shall
submit an application to the Director at such
time, in such manner, and containing such
information as the Director may require.
(B) Stipends.--Under this subsection, the
Director is authorized to provide stipends for
post-doctoral research fellowships at the level
of the Institute's Post Doctoral Research
Fellowship Program and senior research
fellowships at levels consistent with support
for a faculty member in a sabbatical position.
(c) Awards; Applications.--
(1) In general.--The Director is authorized to award
grants or cooperative agreements to institutions of
higher education to carry out the program established
under subsection (a).
(2) Eligibility.--To be eligible for an award under
this section, an institution of higher education shall
submit an application to the Director at such time, in
such manner, and containing such information as the
Director may require. The application shall include, at
a minimum, a description of--
(A) the number of graduate students
anticipated to participate in the research
project and the level of support to be provided
to each;
(B) the number of post-doctoral research
positions included under the research project
and the level of support to be provided to
each;
(C) the number of individuals, if any,
intending to change research fields and pursue
studies related to the security of computer
systems to be included under the research
project and the level of support to be provided
to each; and
(D) how the for-profit entities and any other
partners will participate in developing and
carrying out the research and education agenda
of the partnership.
(d) Sliding Scale Cost-sharing.--In awarding a grant under
this section, the Director shall require up to 50 percent of
the costs of the project funded by the grant to be met by the
for-profit entity or entities in the partnership. The Director
shall base the percentage of cost-sharing required under this
paragraph on a sliding scale reflecting the degree to which the
results of the research undertaken by a partnership may
reasonably be expected to be applied and shared, with--
(1) the smallest percentage of cost-sharing required
for projects the anticipated results of which are
reasonably expected to be of broadest potential
application and broadly shared; and
(2) the greatest percentage of cost-sharing required
for projects the anticipated results of which are
reasonably expected--
(A) to be of narrow or proprietary
application; or
(B) not to be broadly shared.
(e) Program Operation.--
(1) Management.--The program established under
subsection (a) shall be headed by the Director of the
Office for Information Security Programs and managed by
individuals who shall have both expertise in research
related to the security of computer systems and
knowledge of the vulnerabilities of existing computer
systems. The Director shall designate such individuals,
on a competitive basis, as program managers.
(2) Managers may be employees.--Program managers
designated under paragraph (1) may be new or existing
employees of the Institute.
(3) Manager responsibility.--Program managers
designated under paragraph (1) shall be responsible
for--
(A) establishing and publicizing the broad
research goals for the program;
(B) soliciting applications for specific
research projects to address the goals
developed under subparagraph (A);
(C) selecting research projects for support
under the program from among applications
submitted to the Institute, following
consideration of--
(i) the novelty and scientific and
technical merit of the proposed
projects;
(ii) the demonstrated capabilities of
the individual or individuals
submitting the applications to
successfully carry out the proposed
research;
(iii) the impact the proposed
projects will have on increasing the
number of computer security
researchers;
(iv) the nature of the participation
by for-profit entities and the extent
to which the proposed projects address
the concerns of industry; and
(v) other criteria determined by the
Director, based on information
specified for inclusion in applications
under subsection (c); and
(D) monitoring the progress of research
projects supported under the program.
(4) From amounts available for awards under
subsection (c), the Director, in consultation with the
Director of the Office for Information Security
Programs established in section 20 of this Act, may
assign up to 5 percent to a Directors Fund which may be
awarded throughout the fiscal year at the discretion of
the Director to promising projects designed to fulfill
the goals stated in subsection (a). Such projects
should be innovative in nature and should meet emerging
needs in computer security.
(f) Review of Program.--
(1) Periodic review.--The Director shall periodically
review the portfolio of research awards monitored by
each program manager designated in accordance with
subsection (e). In conducting those reviews, the
Director shall seek the advice of the Computer System
Security and Privacy Advisory Board, established under
section 21, on the appropriateness of the research
goals and on the quality and utility of research
projects managed by program managers in accordance with
subsection (e).
(2) Comprehensive 5-year review.--The Director shall
also contract with the National Research Council for a
comprehensive review of the program established under
subsection (a) during the 5th year of the program. Such
review shall include an assessment of the scientific
quality of the research conducted, the relevance of the
research results obtained to the goals of the program
established under subsection (e)(3)(A), and the
progress of the program in promoting the development of
a substantial academic research community working at the
leading edge of knowledge in the field. The Director shall
submit to Congress a report on the results of the review
under this paragraph no later than 6 years after the
initiation of the program.
(g) Definitions.--In this section:
(1) Computer system.--The term ``computer system''
has the meaning given that term in section 20(d)(1).
(2) Institution of higher education.--The term
``institution of higher education'' has the meaning
given that term in section 101 of the Higher Education
Act of 1965 (20 United States Code 1001).
APPROPRIATIONS; AVAILABILITY
[15 U.S.C. 278H]
Sec. [22.] 32. Appropriations to carry out the provisions of
this Act may remain available for obligation and expenditure
for such period or periods as may be specified in the Acts
making such appropriations.
* * * * * * *
NATIONAL SCIENCE FOUNDATION ACT OF 1950
SEC. 3. FUNCTIONS.
[42 U.S.C. 1862]
(a) Initiation and Support of Studies and Programs;
Scholarships; Current Register of Scientific and Technical
Personnel.--The Foundation is authorized and directed--
(1) to initiate and support basic scientific research
and programs to strengthen scientific research
potential and science education programs at all levels
in the mathematical, physical, medical, biological,
social, and other sciences, and to initiate and support
research fundamental to the engineering process and
programs to strengthen engineering research potential
and engineering education programs at all levels in the
various fields of engineering, by making contracts or
other arrangements (including grants, loans, and other
forms of assistance) to support such scientific,
engineering, and educational activities and to appraise
the impact of research upon industrial development and
upon the general welfare;
(2) to award, as provided in section 10, scholarships
and graduate fellowships for study and research in the
sciences or in engineering;
(3) to foster the interchange of scientific and
engineering information among scientists and engineers
in the United States and foreign countries;
(4) to foster and support the development and use of
computer and other scientific and engineering methods
and technologies, primarily for research and education
in the sciences and engineering;
(5) to evaluate the status and needs of the various
sciences and fields of engineering as evidenced by
programs, projects, and studies undertaken by agencies
of the Federal Government, by individuals, and by
public and private research groups, employing by grant
or contract such consulting services as it may deem
necessary for the purpose of such evaluations; and to
take into consideration the results of such evaluations
in correlating the research and educational programs
undertaken or supported by the Foundation with
programs, projects, and studies undertaken by agencies
of the Federal Government, by individuals, and by
public and private research groups;
(6) to provide a central clearinghouse for the
collection, interpretation, and analysis of data on
scientific and engineering resources and to provide a
source of information for policy formulation by other
agencies of the Federal Government; [and]
(7) to initiate and maintain a program for the
determination of the total amount of money for
scientific and engineering research, including money
allocated for the construction of the facilities
wherein such research is conducted, received by each
educational institution and appropriate nonprofit
organization in the United States, by grant, contract,
or other arrangement from agencies of the Federal
Government, and to report annually thereon to the
President and the [Congress.] Congress; and
(8) to take a leading role in fostering and
supporting research and education activities to improve
the security of networked information systems.
(b) Contracts, Grants, Loans, etc. for Scientific and
Engineering Activities; Financing of Programs.--The Foundation
is authorized to initiate and support specific scientific and
engineering activities in connection with matters relating to
international cooperation, national security, and the effects
of scientific and engineering applications upon society by
making contracts or other arrangements (including grants,
loans, and other forms of assistance) for the conduct of such
activities. When initiated or supported pursuant to requests
made by any other Federal department or agency, including the
Office of Technology Assessment, such activities shall be
financed whenever feasible from funds transferred to the
Foundation by the requesting official as provided in section
14(f), and any such activities shall be unclassified and shall
be identified by the Foundation as being undertaken at the
request of the appropriate official.
(c) Scientific and Engineering Research Programs at Academic
and Other Nonprofit Institutions; Applied Scientific Research
and Engineering Research Programs by Presidential Directive;
Employment of Consulting Services; Coordination of
Activities.--In addition to the authority contained in
subsections (a) and (b), the Foundation is authorized to
initiate and support scientific and engineering research,
including applied research, at academic and other nonprofit
institutions. When so directed by the President, the Foundation
is further authorized to support, through other appropriate
organizations, applied scientific research and engineering
research relevant to national problems involving the public
interest. In exercising the authority contained in this subsection, the
Foundation may employ by grant or contract such consulting services as
it deems necessary, and shall coordinate and correlate its activities
with respect to any such problem with other agencies of the Federal
Government undertaking similar programs in that field.
(d) Promotion of Basic Research and Education in Science and
Engineering.--The Board and the Director shall recommend and
encourage the pursuit of national policies for the promotion of
research and education in science and engineering.
(e) Balancing of Research and Educational Activities in the
Sciences and Engineering.--In exercising the authority and
discharging the functions referred to in the foregoing
subsections, it shall be an objective of the Foundation to
strengthen research and education in the sciences and
engineering, including independent research by individuals,
throughout the United States, and to avoid undue concentration
of such research and education.
(f) Annual Report to the President and Congress.--The
Foundation shall render an annual report to the President for
submission on or before the 15th day of April of each year to
the Congress, summarizing the activities of the Foundation and
making such recommendations as it may deem appropriate. Such
report shall include information as to the acquisition and
disposition by the Foundation of any patents and patent rights.
(g) Support of Access to Computer Networks.--In carrying out
subsection (a)(4), the Foundation is authorized to foster and
support access by the research and education communities to
computer networks which may be used substantially for purposes
in addition to research and education in the sciences and
engineering, if the additional uses will tend to increase the
overall capabilities of the networks to support such research
and education activities.
NATIONAL SCIENCE AND TECHNOLOGY POLICY ACT
SEC. 205. POLICY PLANNING; ANALYSIS; ADVICE; ESTABLISHMENT OF ADVISORY
PANEL.
[42 U.S.C. 6614]
(a) The Office shall serve as a source of scientific and
technological analysis and judgment for the President with
respect to major policies, plans, and programs of the Federal
Government. In carrying out the provisions of this section, the
Director shall--
(1) seek to define coherent approaches for applying
science and technology to critical and emerging
national and international problems and for promoting
coordination of the scientific and technological
responsibilities and programs of the Federal
departments and agencies in the resolution of such
problems;
(2) assist and advise the President in the
preparation of the Science and Technology Report, in
accordance with section 209 of this Act;
(3) gather timely and authoritative information
concerning significant developments and trends in
science, technology, and in national priorities, both
current and prospective, to analyze and interpret such
information for the purpose of determining whether such
developments and trends are likely to affect
achievement of the priority goals of the Nation as set
forth in section 101(b) of this Act;
(4) encourage the development and maintenance of an
adequate data base for human resources in science,
engineering, and technology, including the development
of appropriate models to forecast future manpower
requirements, and assess the impact of major
governmental and public programs on human resources and
their utilization;
(5) initiate studies and analyses, including systems
analyses and technology assessments, of alternatives
available for the resolution of critical and emerging
national and international problems amenable to the
contributions of science and technology and, insofar as
possible, determine and compare probable costs,
benefits, and impacts of such alternatives;
(6) advise the President on the extent to which the
various scientific and technological programs,
policies, and activities of the Federal Government are
likely to affect the achievement of the priority goals
of the Nation as set forth in section 101(b) of this
Act;
(7) provide the President with periodic reviews of
Federal statutes and administrative regulations of the
various departments and agencies which affect research
and development activities, both internally and in
relation to the private sector, or which may interfere
with desirable technological innovation, together with
recommendations for their elimination, reform, or
updating as appropriate;
(8) develop, review, revise, and recommend criteria
for determining scientific and technological activities
warranting Federal support, and recommend Federal
policies designed to advance (A) the development and
maintenance of broadly based scientific and
technological capabilities, including human resources,
at all levels of government, academia, and industry,
and (B) the effective application of such capabilities
to national needs;
(9) assess and advise on policies for international
cooperation in science and technology which will
advance the national and international objectives of
the United States;
(10) identify and assess emerging and future areas in
which science and technology can be used effectively in
addressing national and international problems;
(11) report at least once each year to the President
and the Congress on the overall activities and
accomplishments of the Office, pursuant to section 206
of this Act;
(12) periodically survey the nature and needs of
national science and technology policy and make
recommendations to the President, for review and
transmission to the Congress, for the timely and
appropriate revision of such policy in accordance with
section 102(a)(6) of this Act; [and]
(13) develop strategies, in consultation with the
Office of Homeland Security, the President's Critical
Infrastructure Protection Board, and the relevant
Federal departments and agencies, to foster greater
coordination of Federal research and development
activities and promote cooperation between the Federal
Government, institutions of higher education, and
private industry in the field of cyber security; and
[(13)] (14) perform such other duties and functions
and make and furnish such studies and reports thereon,
and recommendations with respect to matters of policy
and legislation as the President may request.
(b)(1) The Director shall establish an Intergovernmental
Science, Engineering, and Technology Advisory Panel
(hereinafter referred to as the ``Panel''), whose purpose shall
be to (A) identify and define civilian problems at State,
regional, and local levels which science, engineering, and
technology may assist in resolving or ameliorating; (B)
recommend priorities for addressing such problems; and (C)
advise and assist the Director in identifying and fostering
policies to facilitate the transfer and utilization of research
and development results so as to maximize their application to
civilian needs.
(2) The Panel shall be composed of (A) the Director of the
Office, or his representative; (B) at least ten members
representing the interests of the States, appointed by the
Director of the Office after consultation with State officials;
and (C) the Director of the National Science Foundation, or his
representative.
(3)(A) The Director of the Office, or his representative,
shall serve as Chairman of the Panel.
(B) The Panel shall perform such functions as the Chairman
may prescribe, and shall meet at the call of the Chairman.
(4) Each member of the Panel shall, while serving on business
of the Panel, be entitled to receive compensation at a rate not
to exceed the daily rate prescribed for GS-18 of the General
Schedule under section 5332 of title 5, United States Code,
including traveltime, and, while so serving away from his home
or regular place of business, he may be allowed travel
expenses, including per diem in lieu of subsistence in the same
manner as the expenses authorized by section 5703(b) of title
5, United States Code, for persons in government service
employed intermittently.