U.S. Congress - Text of S.773 as Reported in Senate Cybersecurity Act of 2009
The easiest way to email your members of Congress
Donate NowS.773 - Cybersecurity Act of 2009
A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
| Version | Word Count | Changes From Previous Version | Percent Change |
|---|---|---|---|
| Introduced in Senate | 8,921 | n/a | n/a |
| Reported in Senate | 19,822 | 303 Show Changes Hide Changes | 86% |
Key: changed or removed text inserted or modified text
Most commented sections:
Loading Bill Text
Rollover any line of text to comment and/or link to it.
S 773 IS 111th CONGRESS
Calendar No. 707CommentsClose CommentsPermalink
111th CONGRESSCommentsClose CommentsPermalink
2d SessionCommentsClose CommentsPermalink
S. 773CommentsClose CommentsPermalink
To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.CommentsClose CommentsPermalink
IN THE SENATE OF THE UNITED STATESCommentsClose CommentsPermalink
April 1, 2009CommentsClose CommentsPermalink
April 1, 2009CommentsClose CommentsPermalink
Mr. ROCKEFELLER (for himself, Ms. SNOWE, and Mr. NELSON of Florida, Mr. BAYH, and Ms. MIKULSKI) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and TransportationCommentsClose CommentsPermalink
December 17, 2010CommentsClose CommentsPermalink
December 17, 2010CommentsClose CommentsPermalink
Reported by Mr. Rockefeller, with an amendmentCommentsClose CommentsPermalink
[Strike all after the enacting clause and insert the part printed in italic]CommentsClose CommentsPermalink
[Strike all after the enacting clause and insert the part printed in italic]CommentsClose CommentsPermalink
A BILLCommentsClose CommentsPermalink
To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.CommentsClose CommentsPermalink
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, CommentsClose CommentsPermalink
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the ‘Cybersecurity Act of 200910’. CommentsClose CommentsPermalink
(b) TABLE OF CONTENTS- The table of contents for this Act is as follows: CommentsClose CommentsPermalink
Sec. 1. Short title; table of contents. CommentsClose CommentsPermalink
Sec. 2. Findings. CommentsClose CommentsPermalink
Sec. 3. Cybersecurity Advisory PanelDefinitions. CommentsClose CommentsPermalink
Sec. 4. Real-time cybersecurity dashboard. Sec. 5. State and regional cybersecurity enhancement program. Sec. 6. NIST standards development and compliance.
TITLE I--WORKFORCE DEVELOPMENT
Sec. 101. Certification and training of cybersecurity professionals. CommentsClose CommentsPermalink
Sec. 8. Review of NTIA domain name contracts. Sec. 9. Secure domain name addressing system. Sec. 10. Promoting cybersecurity awareness. Sec. 11. Federal cybersecurity research and development.
Sec. 103. Cybersecurity competition and challenge. CommentsClose CommentsPermalink
Sec. 14. Public-private clearinghouse. Sec. 15. Cybersecurity risk management report. Sec. 16. Legal framework review and report.
Sec. 1805. Measures of cybersecurity hiring effectiveness. CommentsClose CommentsPermalink
TITLE II--PLANS AND AUTHORITY
Sec. 201. Cybersecurity responsibilities and authorities. CommentsClose CommentsPermalink
Sec. 19. Quadr202. Biennial cyber review. CommentsClose CommentsPermalink
Sec. 203. Cybersecurity dashboard pilot project. CommentsClose CommentsPermalink
Sec. 204. NIST cybersecurity guidance. CommentsClose CommentsPermalink
Sec. 205. Legal framework review and report. CommentsClose CommentsPermalink
Sec. 206. Joint intelligence threat and vulnerability assessment. CommentsClose CommentsPermalink
Sec. 2107. International norms and cybersecurity deterrence measures. CommentsClose CommentsPermalink
Sec. 22. Federal Secure Products and Services Acquisitions Board08. Federal secure products and services acquisitions. CommentsClose CommentsPermalink
Sec. 23. Definitions09. Private sector access to classified information. CommentsClose CommentsPermalink
Sec. 210. Authentication and civil liberties report. CommentsClose CommentsPermalink
Sec. 211. Report on evaluation of certain identity authentication functionalities. CommentsClose CommentsPermalink
TITLE III--CYBERSECURITY KNOWLEDGE DEVELOPMENT
Sec. 301. Promoting cybersecurity awareness and education. CommentsClose CommentsPermalink
Sec. 302. Federal cybersecurity research and development. CommentsClose CommentsPermalink
Sec. 303. Development of curricula for incorporating cybersecurity into educational programs for future industrial control system designers. CommentsClose CommentsPermalink
TITLE IV--PUBLIC-PRIVATE COLLABORATION
Sec. 401. Cybersecurity Advisory Panel. CommentsClose CommentsPermalink
Sec. 402. State and regional cybersecurity enhancement program. CommentsClose CommentsPermalink
Sec. 403. Public-private clearinghouse. CommentsClose CommentsPermalink
Sec. 404. Cybersecurity risk management report. CommentsClose CommentsPermalink
SEC. 2. FINDINGS.
The Congress finds the following: CommentsClose CommentsPermalink
(1) America’s failure tos a fundamental principle, cyberspace is a vital asset for the nation and the United States should protect cyberspace is one of the most urgent national security problems facing the country.(2) Since intellectual property is now often stored in digital form, industrial espionage that exploits weak cybersecurity dilutes our investment in innovation while subsidizing the research and development efforts of foreign competitors. In the new global competition, whereit using all instruments of national power, in order to ensure national security, public safety, economic strength and technological leadership are vital components of national power, failing to secure cyberspace puts us at a disadvantageprosperity, and the delivery of critical services to the American public. CommentsClose CommentsPermalink
(2) President Obama has rightfully determined that ‘our digital infrastructure--the networks and computers we depend on every day--will be treated . . . as a strategic national asset’. CommentsClose CommentsPermalink
(3) According to the 2009Obama Administration Cyberspace Policy Review, ‘the architecture of the Nation’s digital infrastructure is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations.’. CommentsClose CommentsPermalink
(4) With more than 85 percent of the Nation’s critical infrastructure owned and operated by the private sector, it is vital that the public and private sectors cooperate to protect this strategic national asset. CommentsClose CommentsPermalink
(5) According to the 2010 Annual Threat Assessment, ‘a successful cyber attack against a major financial service provider could severely impact the national economy, while cyber attacks against physical infrastructure computer systems such as those that control power grids or oil refineries have the potential to disrupt services for hours or weeks’ and that ‘Nation states and criminals target ourthat ‘sensitive information is stolen daily from both government and private sector information networks to gain competitive advantage in the commercial sectornetworks’ and that ‘we cannot protect cyberspace without a coordinated and collaborative effort that incorporates both the US private sector and our international partners.’. CommentsClose CommentsPermalink
(46) The Director of National Intelligence testified before the Congress on February 19, 2009, that2, 2010, that intrusions are a stark reminder of the importance of these cyber assets and should serve as ‘a growing array of state and non-state adversaries are increasingly targeting-for exploitation and potentially disruption or destruction-our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries’ and these trends are likely to continue.(5) John Brennan, the Assistant to the President for Homeland Security and Counterterrorism wrotewake-up call to those who have not taken this problem seriously.’. CommentsClose CommentsPermalink
(7) The National Cybersecurity Coordinator, Howard Schmidt, stated on March 2, 2009, that ‘our nation’s security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated10, ‘we will not defeat our cyber adversaries because they are weakening, we will defeat them by becoming collectively stronger, through stronger technology, a stronger cadre of security professionals, and stronger partnerships.’. CommentsClose CommentsPermalink
(68) According to the National Journal, Mike McConnell, the former Director of National Intelligence, told President Bush in May 2007 that if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a United States bank, the economic consequences would have been ‘an order of magnitude greater’ than those cased by the physical attack on the World Trade Center. Mike McConnell has subsequently referred to cybersecurity as the ‘soft underbelly of this country’. CommentsClose CommentsPermalink
(9) Paul Kurtz, a Ppartner and chief operating officer of Good Harbor Consulting as well as a senior advisor to the Obama Transition Team for cybersecurity, recentlyhas stated that the United States is unprepared to respond to a ‘cyber-Katrina’ and that ‘a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector.’. (7) The Cyber Strategic Inquiry 2008, sponsored by Business Executives for National Security and executed by Booz Allen Hamilton, recommended to ‘establish a single voice for cybersecurity within government’ concluding that the ‘unique nature of cybersecurity requires a new leadership paradigm.’. (8) Alan Paller, the Director of Research at the SANS Institute, testified before the Congress that ‘the fight against cybercrime resembles an arms race where each time the defenders build a new wall, the attackers create new tools to scale the wall. What is particularly important in this analogy is that, unlike conventional warfare where deployment takes time and money and is quite visible, in the cyber world, when the attackers find a new weapon, they can attack millions of computers, and successfully infect hundreds of thousands, in a few hours or days, and remain completely hidden.’.
(10) According to the February 2003 National Strategy to Secure Cyberspace, ‘our nation’s critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is their nervous system-- the control system of our country’ and that ‘the cornerstone of America’s cyberspace security strategy is and will remain a public-private partnership.’.(10) According to the National Journal, Mike McConnell, the former Director of National Intelligence, told President Bush in May 2007 that if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been ‘an order of magnitude greater’ than those cased by the physical attack on the World Trade Center. Mike McConnell has subsequently referred to cybersecurity as the ‘soft underbelly of this country.’. CommentsClose CommentsPermalink
(11) The Center for Strategic and International Studies report on Cybersecurity for the 44th Presidency concluded that (A) cybersecurity is now a major national security problem for the United States, (B) decisions and actions must respect privacy and civil liberties, and (C) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure. The report continuedThe report continued, stating that the United States faces ‘a long-term challenge in cyberspace from foreign intelligence agencies and militaries, criminals, and others, and that losing this struggle will wreak serious damage on the economic health and national security of the United States.’. CommentsClose CommentsPermalink
(12) James Lewis, Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies, testified on behalf of the Center for Strategic and International Studies that ‘the United States is not organized for, and lacks a coherent national strategy for addressing’ cybersecurity. (13) President Obama said in a speech at Purdue University on July 16, 2008, that ‘every American depends--directly or indirectly--on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it’s no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.’ Moreover, President Obama stated that ‘we need to build the capacity to identify, isolate, and respond to any cyber-attack.’.
(13) The Cyber Strategic Inquiry 2008, sponsored by Business Executives for National Security and executed by Booz Allen Hamilton, recommended to ‘establish a single voice for cybersecurity within government’ concluding that the ‘unique nature of cybersecurity requires a new leadership paradigm’. CommentsClose CommentsPermalink
(14) Alan Paller, the Director of Research at the SANS Institute, testified before the Congress that ‘Congress can replicate itself and be carried across networks to cause damage in other systems.duce the threat of damage from these new cyber attacks both against government and against the critical infrastructure by shifting the government’s cyber security emphasis from report writing to automated, real-time defenses’ and that ‘only active White House leadership will get the job done’. CommentsClose CommentsPermalink
(15) A 2009 Partnership for Public Service study and analysis reports concluded that ‘the Federal government will be unable to combat cyber threats without a more coordinated, sustained effort to increase cybersecurity expertise in the federal workforce’ and that ‘the President’s success in combating these threats . . . must include building a vibrant, highly trained and dedicated cybersecurity workforce in this country’. CommentsClose CommentsPermalink
SEC. 3. CYBERSECURITYDEFINITIONS.
In this Act: CommentsClose CommentsPermalink
(1) ADVISORY PANEL. (a) IN GENERAL- The President shall establish or designate a Cybersecurity Advisory Panel. (b) QUALIFICATIONS- The President-- (1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns; and (2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations. (c) DUTIES- The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess-- (1) trends and developments in cybersecurity science research and development; (2) progress made in implementing the strategy; (3) the need to revise the strategy; (4) the balance among the components of the national strategy, including funding for program components; (5) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity; (6) the management, coordination, implementation, and activities of the strategy; and (7) whether societal and civil liberty concerns are adequately addressed. (d) REPORTS- The panel shall report, not less frequently than once every 2 years, to the President on its assessments under subsection (c) and its recommendations for ways to improve the strategy.
(2) CYBERSECURITY- The term ‘cybersecurity’ means information security (as defined in
(3) Cybersecurity professional- The term ‘cybersecurity professional’ means a person who maintains a certification under section 101 of this Act. CommentsClose CommentsPermalink
(4) Information system- The term ‘information system’ has the meaning given that term by
(5) INTERNET- The term ‘Internet’ has the meaning given that term by section 4(4) of the High-Performance Computing Act of 1991 (
(6) UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEM- The term ‘United States critical infrastructure information system’ means an information system designated under section 4 of this Act. CommentsClose CommentsPermalink
SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD.The Secretary of Commerce shall--
(1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce; and
(2) implement the plan within 1 year after the date of enactment of this Act.
SEC. 5. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAMPROCEDURE FOR DESIGNATION OF CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS.
(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section. (b) PURPOSE- The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in United States through-- (1) the transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology to Centers and, through them, to small- and medium-sized companies throughout the United States; (2) the participation of individuals from industry, universities, State governments, other Federal agencies, and, when appropriate, the Institute in cooperative technology transfer activities; (3) efforts to make new cybersecurity technology, standards, and processes usable by United States-based small- and medium-sized companies; (4) the active dissemination of scientific, engineering, technical, and management information about cybersecurity to industrial firms, including small- and medium-sized companies; and (5) the utilization, when appropriate, of the expertise and capability that exists in Federal laboratories other than the Institute. (c) ACTIVITIES- The Centers shall-- (1) disseminate cybersecurity technologies, standard, and processes based on research by the Institute for the purpose of demonstrations and technology transfer; (2) actively transfer and disseminate cybersecurity strategies, best practices, standards, and technologies to protect against and mitigate the risk of cyber attacks to a wide range of companies and enterprises, particularly small- and medium-sized businesses; and (3) make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures to small businesses with less than 100 employees. (c) Duration and Amount of Support; Program Descriptions; Applications; Merit Review; Evaluations of Assistance- (1) FINANCIAL SUPPORT- The Secretary may provide financial support, not to exceed 50 percent of its annual operating and maintenance costs, to any Center for a period not to exceed 6 years (except as provided in paragraph (5)(D)). (A) a description of the program; (B) procedures to be followed by applicants; (C) criteria for determining qualified applicants; (D) criteria, including those described in paragraph (4), for choosing recipients of financial assistance under this section from among the qualified applicants; and (E) maximum support levels expected to be available to Centers under the program in the fourth through sixth years of assistance under this section. (4) AWARD CRITERIA- Awards shall be made on a competitive, merit-based review. In making a decision whether to approve an application and provide financial support under this section, the Secretary shall consider, at a minimum-- (A) the merits of the application, particularly those portions of the application regarding technology transfer, training and education, and adaptation of cybersecurity technologies to the needs of particular industrial sectors; (B) the quality of service to be provided; (C) geographical diversity and extent of service area; and (D) the percentage of funding and amount of in-kind commitment from other sources. (5) Third year evaluation- (B) EVALUATION PANEL- Each evaluation panel shall be composed of private experts, none of whom shall be connected with the involved Center, and Federal officials. An official of the Institute shall chair the panel. Each evaluation panel shall measure the Center’s performance against the objectives specified in this section. (C) POSITIVE EVALUATION REQUIRED FOR CONTINUED FUNDING- The Secretary may not provide funding for the fourth through the sixth years of a Center’s operation unless the evaluation by the evaluation panel is positive. If the evaluation is positive, the Secretary may provide continued funding through the sixth year at declining levels. (D) FUNDING AFTER SIXTH YEAR- After the sixth year, the Secretary may provide additional financial support to a Center if it has received a positive evaluation through an independent review, under procedures established by the Institute. An additional independent review shall be required at least every 2 years after the sixth year of operation. Funding received for a fiscal year under this section after the sixth year of operation may not exceed one third of the annual operating and maintenance costs of the Center.
(b) Threshold Requirements- The final rule, at a minimum, shall-- CommentsClose CommentsPermalink
(1) set forth objective criteria that meet the standard in section (a) for such designations generally; CommentsClose CommentsPermalink
(2) provide for emergency and temporary designations when necessary and in the public interest; CommentsClose CommentsPermalink
(3) ensure the protection of confidential and proprietary information associated with nongovernmental systems from disclosure; CommentsClose CommentsPermalink
(4) ensure the protection of classified and sensitive security information; and CommentsClose CommentsPermalink
(5) establish a procedure, in accordance with chapter 187 of title 35, United States Code, shall (to the extent not inconsistent with this section) apply to the promotion of technology from research by Centers under this section except for contracts for such specific technology extension or transfer services as may be specified by statute or by the President, or the President’s designee.(d) ACCEPTANCE OF FUNDS FROM OTHER FEDERAL DEPARTMENTS AND AGENCIES-5, United States Code, by which the owner or operator of an information system may appeal, or request modification of, the designation of that system or network as a critical infrastructure information system under this Act. CommentsClose CommentsPermalink
TITLE I--WORKFORCE DEVELOPMENT
CommentsClose CommentsPermalink
TITLE I--WORKFORCE DEVELOPMENT CommentsClose CommentsPermalink
SEC. 101. CERTIFICATION AND TRAINING OF CYBERSECURITY PROFESSIONALS.
(a) Study- CommentsClose CommentsPermalink
(1) In addition to such sums as may be authorized and appropriated to the Secretary and President, or the President’s designee, to operate the Centers program, the Secretary and the President, or the President’s designee, also may accept funds from other Federal departments and agencies for the purpose of providing Federal funds to support Centers. Any Center which is supported with funds which originally came from other Federal departments and agencies shall be selected and operated according to the provisions of this section.SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standardgeneral- The President shall enter into an agreement with the National Academies to conduct a comprehensive study of government, academic, and private-sector accreditation, training, and certification programs for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks in the following areas:(1) CYBERSECURITY METRICS RESEARCH- The Director of the National Institute of Standards and Technology shall establish a research program to develop cybersecurity metrics and benchmarks that can assess the economic impact of cybersecurity. These metrics should measure risk reduction and the cost of defense. The research shall include the development automated tools to assess vulnerability and compliancepersonnel working in cybersecurity. The agreement shall require that the National Academies consult with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations in the course of the study. CommentsClose CommentsPermalink
(2) SECURITY CONTROLS- The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks. (3) SOFTWARE SECURITY- The Institute shall establish standards for measuring the software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities. The Institute will also establish a separate set of such standards for measuring security in embedded software such as that found in industrial control systems. (4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE- The Institute shall, establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
(A) an evaluation of the body of knowledge and various skills that specific categories of personnel working in cybersecurity should possess in order to secure information systems; CommentsClose CommentsPermalink
(B) an assessment of whether existing government, academic, and private-sector owned critical infrastructure information systems and networks. (6) VULNERABILITY SPECIFICATION LANGUAGE- The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.
(C) any other factors that should be considered for any accreditation, training, and certification programs. CommentsClose CommentsPermalink
(3) Report- Not later than 1 year after the date of enactment of this Act, the National Academies shall submit to the President and the Congress a report on the results of the study required by this subsection. The report shall include-- CommentsClose CommentsPermalink
(A) PROTOCOL- The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal Government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks. to ensure that it-- (i) meets the software security standards of paragraph (2); and (ii) does not require or cause any changes to be made in the standard configurations described in paragraph (4). (B) COMPLIANCE- The Institute shall develop a process or procedure to verify that--
(B) recommendations for the improvement of cybersecurity accreditation, training, and certification programs. CommentsClose CommentsPermalink
(b) Federal Information Systems- Beginning no later than 6 months after receiving the report under subsection (a)(3), the President, in close and regular consultation with sector coordinating councils and relevant governmental agencies, regulatory entities, industry sectors, and nongovernmental organizations, shall-- CommentsClose CommentsPermalink
(1) develop and annually review and update-- CommentsClose CommentsPermalink
(A) during the software development process; and (ii) testing results showing evidence of adequate testing and defect reduction are provided to the Federal Government prior to deployment of software. (b) CRITERIA FOR STANDARDS- Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles. (c) INTERNATIONAL STANDARDS- The Director, through the Institute and in coordination with appropriate Federal agencies, shall be responsible for United States representation in all international standards development related to cybersecurity, and shall develop and implement a strategy to optimize the United States position with respect to international cybersecurity standards.
(B) requirements for certification of personnel for categories identified under subparagraph (A); and CommentsClose CommentsPermalink
(2) annually evaluate compliance with the requirements in paragraph (1)(B). CommentsClose CommentsPermalink
(c) United States Critical Infrastructure Information Systems- CommentsClose CommentsPermalink
(1) enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors; and (2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section. (a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(A) guidance for the identification and categorization of positions for personnel conducting cybersecurity functions within their respective information systems; and CommentsClose CommentsPermalink
(B) requirements for certification of personnel for categories identified under subparagraph (A). CommentsClose CommentsPermalink
(2) Accreditation, training, and certification programs- Not later than 6 months after receiving the certification requirements submitted under paragraph (1)(B), the President, in consultation with sector coordinating councils, relevant governmental agencies, regulatory entities, and nongovernmental organizations, shall convene sector specific working groups to establish auditable private-sector developed accreditation, training, and certification programs for critical infrastructure information system personnel working in cybersecurity. CommentsClose CommentsPermalink
(3) Positive recognition- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS. (a) IN GENERAL- No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel-- (1) has reviewed the action; (2) considered the commercial and national security implications of the action; and (3) approved the action. (b) APPROVAL PROCEDURE- If the Advisory Panel does not approve such an action, it shall immediately notify the Assistant Secretary in writing of the disapproval and the reasons therefor. The Advisory Panel may provide recommendations to the Assistant Secretary in the notice for any modifications the it deems necessary to secure approval of the action. (a) IN GENERAL- Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system. The Assistant Secretary shall publish notice of the system requirements in the Federal Register together with an implementation schedule for Federal agencies and information systems or networks designated by the President, or the President’s designee, as critical infrastructure information systems or networks. (b) COMPLIANCE REQUIRED- The President shall ensure that each Federal agency and each such system or network implements the secure domain name addressing system in accordance with the schedule published by the Assistant Secretary. The Secretary of Commerce shall develop and implement a national cybersecurity awareness campaign that-- (1) is designed to heighten public awareness of cybersecurity issues and concerns; (2) communicates the Federal Government’s role in securing the Internet and protecting privacy and civil liberties with respect to Internet-related activities; and (3) utilizes public and private sector means of providing information to the public, including public service announcements. (a) FUNDAMENTAL CYBERSECURITY RESEARCH- The Director of the National Science Foundation shall give priority to computer and information science and engineering research to ensure substantial support is provided to meet the following challenges in cybersecurity:
(A) recognize and promote auditable private-sector developed locally or obtained from a third party, is free of significant known security flaws. (3) How to test and verify that software obtained from a third party correctly implements stated functionality, and only that functionality. (4) How to guarantee the privacy of an individual’s identity, information, or lawful transactions when stored in distributed systems or transmitted over networks. (5) How to build new protocols to enable the Internet to have robust security as one of its key capabilities. (6) How to determine the origin of a message transmitted over the Internet. (7) How to support privacy in conjunction with improved security. (8) How to address the growing problem of insider threat. (b) SECURE CODING RESEARCH- The Director shall support research that evaluates selected secure coding education and improvement programs. The Director shall also support research on new methods of integrating secure coding improvement into the core curriculum of computer science programs and of other programs where graduates have a substantial probability of developing software after graduation. (c) ASSESSMENT OF SECURE CODING EDUCATION IN COLLEGES AND UNIVERSITIES- Within one year after the date of enactment of this Act, the Director shall submit to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology a report on the state of secure coding education in America’s colleges and universities for each school that received National Science Foundation funding in excess of $1,000,000 during fiscal year 2008. The report shall include-- (1) the number of students who earned undergraduate degrees in computer science or in each other program where graduates have a substantial probability of being engaged in software design or development after graduation; (2) the percentage of those students who completed substantive secure coding education or improvement programs during their undergraduate experience; and (3) descriptions of the length and content of the education and improvement programs, and a measure of the effectiveness of those programs in enabling the students to master secure coding and design.
(B) on an ongoing basis, but not less frequently than annually, review and reconsider recognitions under subparagraph (A) in order to model the scale and complexity of real world networks and environments. (e) NSF COMPUTER AND NETWORK SECURITY RESEARCH GRANT AREAS- Section 4(a)(1) of the Cybersecurity Research and Development Act ( (1) by striking ‘and’ after the semicolon in subparagraph (H); (2) by striking ‘property.’ in subparagraph (I) and inserting ‘property;’; and (3) by adding at the end the following: ‘(J) secure fundamental protocols that are at the heart of inter-network communications and data exchange; ‘(K) secure software engineering and software assurance, including-- ‘(i) programming languages and systems that include fundamental security features; ‘(ii) portable or reusable code that remains secure when deployed in various environments; ‘(iii) verification and validation technologies to ensure that requirements and specifications have been implemented; and ‘(iv) models for comparison and metrics to assure that required standards have been met; ‘(L) holistic system security that-- ‘(i) addresses the building of secure systems from trusted and untrusted components; ‘(ii) proactively reduces vulnerabilities; ‘(iii) addresses insider threats; and ‘(iv) supports privacy in conjunction with improved security; ‘(M) monitoring and detection; and ‘(N) mitigation and rapid recovery methods.’. (f) NSF COMPUTER AND NETWORK SECURITY GRANTS- Section 4(a)(3) of the Cybersecurity Research and Development Act ( (1) by striking ‘and’ in subparagraph (D); (2) by striking ‘2007’ in subparagraph (E) and inserting ‘2007;’; and (3) by adding at the end of the following: ‘(F) $150,000,000 for fiscal year 2010; ‘(G) $155,000,000 for fiscal year 2011; ‘(H) $160,000,000 for fiscal year 2012; ‘(I) $165,000,000 for fiscal year 2013; and ‘(J) $170,000,000 for fiscal year 2014.’. (g) COMPUTER AND NETWORK SECURITY CENTERS- Section 4(b)(7) of such Act ( (1) by striking ‘and’ in subparagraph (D); (2) by striking ‘2007’ in subparagraph (E) and inserting ‘2007;’; and (3) by adding at the end of the following: ‘(F) $50,000,000 for fiscal year 2010; ‘(G) $52,000,000 for fiscal year 2011; ‘(H) $54,000,000 for fiscal year 2012; ‘(I) $56,000,000 for fiscal year 2013; and ‘(J) $58,000,000 for fiscal year 2014.’. (h) COMPUTER AND NETWORK SECURITY CAPACITY BUILDING GRANTS- Section 5(a)(6) of such Act ( (1) by striking ‘and’ in subparagraph (D); (2) by striking ‘2007’ in subparagraph (E) and inserting ‘2007;’; and (3) by adding at the end of the following: ‘(F) $40,000,000 for fiscal year 2010; ‘(G) $42,000,000 for fiscal year 2011; ‘(H) $44,000,000 for fiscal year 2012; ‘(I) $46,000,000 for fiscal year 2013; and ‘(J) $48,000,000 for fiscal year 2014.’. (i) SCIENTIFIC AND ADVANCED TECHNOLOGY ACT GRANTS- Section 5(b)(2) of such Act ( (1) by striking ‘and’ in subparagraph (D); (2) by striking ‘2007’ in subparagraph (E) and inserting ‘2007;’; and (3) by adding at the end of the following: ‘(F) $5,000,000 for fiscal year 2010; ‘(G) $6,000,000 for fiscal year 2011; ‘(H) $7,000,000 for fiscal year 2012; ‘(I) $8,000,000 for fiscal year 2013; and ‘(J) $9,000,000 for fiscal year 2014.’. (j) GRADUATE TRAINEESHIPS IN COMPUTER AND NETWORK SECURITY RESEARCH- Section 5(c)(7) of such Act ( (1) by striking ‘and’ in subparagraph (D); (2) by striking ‘2007’ in subparagraph (E) and inserting ‘2007;’; and (3) by adding at the end of the following: ‘(F) $20,000,000 for fiscal year 2010; ‘(G) $22,000,000 for fiscal year 2011; ‘(H) $24,000,000 for fiscal year 2012; ‘(I) $26,000,000 for fiscal year 2013; and ‘(J) $28,000,000 for fiscal year 2014.’. (k) CYBERSECURITY FACULTY DEVELOPMENT TRAINEESHIP PROGRAM- Section 5(e)(9) of such Act ( (l) NETWORKING AND INFORMATION TECHNOLOGY RESEARCH AND DEVELOPMENT PROGRAM- Section 204(a)(1) of the High-Performance Computing Act of 1991 ( (1) by striking ‘and’ after the semicolon in subparagraph (B); and
(4) United States critical infrastructure information systems compliance- CommentsClose CommentsPermalink
(A) In general- Beginning no later than 1 year after the President first recognizes a program under paragraph (3)(A), and on a semi-annual basis thereafter, the President shall require each owner or operator of a United States critical infrastructure information system to report the results of independent audits that evaluate compliance with the accreditation, training, and certification programs recognized under paragraph (3). CommentsClose CommentsPermalink
(B) Positive recognition- The President, in consultation with sector coordinating councils, relevant governmental agencies, and regulatory entities, and with the consent of individual companies, may publicly recognize those owners and operators of United States critical infrastructure information systems whose independent audits demonstrate compliance with the accreditation, training, and certification programs recognized under paragraph (3). CommentsClose CommentsPermalink
(C) the following:‘(D) develop and propose standards and guidelines, and develop measurement techniques and test methods, for enhanced cybersecurity for computer networks and common user interfaces to systems; and’Collaborative remediation- The President shall require owners or operators of United States critical infrastructure information systems that fail to demonstrate substantial compliance with the accreditation, training, and certification programs recognized under paragraph (3) through 2 consecutive independent audits, in consultation with sector coordinating councils, relevant governmental agencies, and regulatory entities, to collaboratively develop and implement a remediation plan. CommentsClose CommentsPermalink
(d) Reference List for Consumers- The President, in close and regular consultation with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations, shall annually-- CommentsClose CommentsPermalink
(1) evaluate the cybersecurity accreditation, training, and certification programs identified in this section; CommentsClose CommentsPermalink
(2) identify those cybersecurity accreditation, training, and certification programs whose rigor and effectiveness are beneficial to cybersecurity; and CommentsClose CommentsPermalink
(3) publish a noncompulsory reference list of those programs identified under paragraph (2). CommentsClose CommentsPermalink
SEC. 102. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) IN GENERAL- The Director of the National Science Foundation shall establish a Federal Cyber Scholarship-for-Service program to recruit and train the next generation of Federal information technology workers and security managerprofessionals and security managers for Federal, State, local, and tribal governments. CommentsClose CommentsPermalink
(b) PROGRAM DESCRIPTION AND COMPONENTS- The program--(1) shall provide scholarships, shall-- CommentsClose CommentsPermalink
(1) provide scholarships that provide full tuition, fees, and a stipend, for up to 1,000 students per year in their pursuit of undergraduate or graduate degrees in the cybersecurity field; CommentsClose CommentsPermalink
(2) shall require scholarship recipients, as a condition of receiving a scholarship under the program, to agree to serve in the Federal information technology a Federal, State, local, or tribal information technology workforce for a period equal to the length of the scholarship following graduation if offered employment in that field by a Federal agency;(3) shall, State, local, or tribal agency; CommentsClose CommentsPermalink
(3) provide a procedure by which the Foundation or a Federal agency may, consistent with regulations of the Office of Personnel Management, request and fund security clearances for scholarship recipients; CommentsClose CommentsPermalink
(4) provide opportunities for students to receive temporary appointments for meaningful employment in the Federal information technology workforce during school vacation periods and for internships; CommentsClose CommentsPermalink
(4) shall provide a 5) provide a procedure for identifying promising K-12 students for participation in summer work and internship programs that would lead to certification of Federal information technology workforce standards and possible future employment; and CommentsClose CommentsPermalink
(5) shall6) examine and develop, if appropriate, programs to promote computer security awareness in secondary and high school classrooms. CommentsClose CommentsPermalink
(c) HIRING AUTHORITY- For purposes of any law or regulation governing the appointment of individuals in the Federal civil service, upon the successful completion of their studies, students receiving a scholarship under the program shall be hired under the authority provided for in section 213.3102(r) of title 5, Code of Federal Regulations, and be exempt from competitive service. Upon satisfactory fulfillment of the service term, such individuals shallmay be converted to a competitive service position without competition if the individual meets the requirements for that position. CommentsClose CommentsPermalink
(d) ELIGIBILITY- To be eligible to receive a scholarship under this section, an individual shall-- CommentsClose CommentsPermalink
(1) be a citizen of the United States; CommentsClose CommentsPermalink
and(2) demonstrate a commitment to a career in improving the Nation’s cyber defenses; and CommentsClose CommentsPermalink
(3) have demonstrated a level of proficiency in math or computer sciences. CommentsClose CommentsPermalink
(e) CONSIDERATION AND PREFERENCE- In making selections for scholarships under this section, the Director shall-- (1) consider, to the extent possible, a diverse pool of applicants whose interests are of an interdisciplinary nature, encompassing the social scientific as well as the technical dimensions of cyber security; and (2) give preference to applicants that have participated in the competition and challenge described in section 13.
(f) AUTHORIZATION OF APPROPRIATIONS- There are authorized to be appropriated to the National Science Foundation to carry out this section-- CommentsClose CommentsPermalink
(1) $50,000,000 for fiscal year 2010; CommentsClose CommentsPermalink
(2) $55,000,000 for fiscal year 2011; CommentsClose CommentsPermalink
(3) $60,000,000 for fiscal year 2012; CommentsClose CommentsPermalink
(4) $65,000,000 for fiscal year 2013; and CommentsClose CommentsPermalink
(5) $70,000,000 for fiscal year 2014. CommentsClose CommentsPermalink
SEC. 103. CYBERSECURITY COMPETITION AND CHALLENGE.
(a) IN GENERAL- The Director of the National Institute of Standards and Technology, directly or through appropriate Federal entities, shall establish cybersecurity competitions and challenges with cash prizes, and promulgate rules for participation in such competitions and challenges, in order to-- CommentsClose CommentsPermalink
(1) attract, identify, evaluate, and recruit talented individuals for the Federal information technology workforce; and CommentsClose CommentsPermalink
(2) stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that have thes the potential for application to the Federal information technology activities of the Federal Government. CommentsClose CommentsPermalink
(b) TYPES OF COMPETITIONS AND CHALLENGES- The Director shall establish different competitions and challenges targeting the following groups: CommentsClose CommentsPermalink
(1) HighMiddle school students. CommentsClose CommentsPermalink
(2) UndergraduateHigh school students. CommentsClose CommentsPermalink
(3) GUndergraduate students. CommentsClose CommentsPermalink
(4) Graduate students. CommentsClose CommentsPermalink
(5) Academic and research institutions. CommentsClose CommentsPermalink
(c) TOPICS- In selecting topics for prize competitions, the Director shall consult widely both within and outside the Federal Government, and may empanel advisory committees. CommentsClose CommentsPermalink
(d) ADVERTISING- The Director shall widely advertise prize competitions, in coordination with the awareness campaign under section 10301, to encourage participation. CommentsClose CommentsPermalink
(e) REQUIREMENTS AND REGISTRATION- For each prize competition, the Director shall publish a notice in the Federal Register announcing the subject of the competition, the rules for being eligible to participate in the competition, the amount of the prize, and the basis on which a winner will be selected. CommentsClose CommentsPermalink
(f) ELIGIBILITY- To be eligible to win a prize under this section, an individual or entity-- CommentsClose CommentsPermalink
(1) shall have registered to participate in the competition pursuant to any rules promulgated by the Director under subsection (da); CommentsClose CommentsPermalink
(2) shall have complied with all the requirements under this section; CommentsClose CommentsPermalink
(3) in the case of a private ublic or private entity, shall be incorporated in and maintain a primary place of business in the United States, and in the case of an individual, whether participating singly or in a group, shall be a citizen or permanent resident of the United States; and CommentsClose CommentsPermalink
(4) shall not be a Federal entity or Federal employee acting within the scope of his or her employment. CommentsClose CommentsPermalink
(g) JUDGES- For each competition, the Director, either directly or through an agreement under subsection (h), shall assemble a panel of qualified judges to select the winner or winners of the prize competition. Judges for each competition shall include individuals from the private sector. A judge may not-- CommentsClose CommentsPermalink
(1) have personal or financial interests in, or be an employee, officer, director, or agent of any entity that is a registered participant in a competition; or CommentsClose CommentsPermalink
(2) have a familial or financial relationship with an individual who is a registered participant. CommentsClose CommentsPermalink
(h) ADMINISTERING THE COMPETITION- The Director may enter into an agreement with a private, nonprofit entity to administer the prize competition, subject to the provisions of this section. CommentsClose CommentsPermalink
(i) Funding- CommentsClose CommentsPermalink
(1) PRIZES- Prizes under this section may consist of Federal appropriated funds and funds provided by the private sector for such cash prizes. The Director may accept funds from other Federal agencies for such cash prizes. The Director may not give special consideration to any private sector entity in return for a donation. CommentsClose CommentsPermalink
(2) USE OF UNEXPENDED FUNDS- Notwithstanding any other provision of law, funds appropriated for prize awards under this section shall remain available until expended, and may be transferred, reprogrammed, or expended for other purposes only after the expiration of 10 fiscal years after the fiscal year for which the funds were originally appropriated. No provision in this section permits obligation or payment of funds in violation of the Anti-Deficiency Act (
(A) notice of the increase is provided in the same manner as the initial notice of the prize; and CommentsClose CommentsPermalink
(B) the funds needed to pay out the announced amount of the increase have been appropriated or committed in writing by a private source. CommentsClose CommentsPermalink
(43) NOTICE REQUIRED FOR LARGE AWARDS- No prize competition under this section may offer a prize in an amount greater than $5,000,000 unless 30 days have elapsed after written notice has been transmitted to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology. CommentsClose CommentsPermalink
(54) DIRECTOR’S APPROVAL REQUIRED FOR CERTAIN AWARDS- No prize competition under this section may result in the award of more than $1,000,000 in cash prizes without the approval of the Director. CommentsClose CommentsPermalink
(j) USE OF FEDERAL INSIGNIA- A registered participant in a competition under this section may use any Federal agency’s name, initials, or insignia only after prior review and written approval by the Director. CommentsClose CommentsPermalink
(k) COMPLIANCE WITH EXISTING LAW- The Federal Government shall not, by virtue of offering or providing a prize under this section, be responsible for compliance by registered participants in a prize competition with Federal law, including licensing, export control, and non-proliferation laws and related regulations. CommentsClose CommentsPermalink
(l) AUTHORIZATION OF APPROPRIATIONS- There are authorized to be appropriated to the National Institute of Standards and Technology to carry out this section $15,000,000 for each of fiscal years 2010 through 2014. CommentsClose CommentsPermalink
SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE04. CYBERSECURITY WORKFORCE PLAN.
(a) DESIGNATION- The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal Government and private sector owned critical infrastructure information systems and networks. (b) FUNCTIONS- The Secretary of Commerce-- (1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access; (2) shall manage the sharing of Federal Government and other critical infrastructure threat and vulnerability information between the Federal Government and the persons primarily responsible for the operation and maintenance of the networks concerned; and (3) shall report regularly to the Congress on threat information held by the Federal Government that is not shared with the persons primarily responsible for the operation and maintenance of the networks concerned. (1) the rules and procedures on how the Federal Government will share cybersecurity threat and vulnerability information with private sector critical infrastructure information systems and networks owners; (2) the criteria in which private sector owners of critical infrastructure information systems and networks shall share actionable cybersecurity threat and vulnerability information and relevant data with the Federal Government; and (3) any other rule or procedure that will enhance the sharing of cybersecurity threat and vulnerability information between private sector owners of critical infrastructure information systems and networks and the Federal Government. (1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and (2) requiring cybersecurity to be a factor in all bond ratings. (a) IN GENERAL- Within 1 year after the date of enactment of this Act, the President, or the President’s designee, through an appropriate entity, shall complete a comprehensive review of the Federal statutory and legal framework applicable to cyber-related activities in the United States, including-- (1) the Privacy Protection Act of 1980 ( (2) the Electronic Communications Privacy Act of 1986 ( (3) the Computer Security Act of 1987 ( (5) the E-Government Act of 2002 ( (6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.); (7) any other Federal law bearing upon cyber-related activities; and
(1) cybersecurity hiring projections, including occupation and grade level, over a 2-year period; CommentsClose CommentsPermalink
(2) long-term and short-term strategic planning to address critical skills deficiencies, including analysis of the numbers of and reasons for cybersecurity employee attrition; CommentsClose CommentsPermalink
(3) recruitment strategies, including the use of student internships, to attract highly qualified candidates from diverse backgrounds; CommentsClose CommentsPermalink
(4) an assessment of the sources and availability of talent with needed expertise; CommentsClose CommentsPermalink
(5) streamlining the hiring process; CommentsClose CommentsPermalink
(6) a specific analysis of the capacity of the agency workforce to manage contractors who are performing cybersecurity work on behalf of the Federal government; CommentsClose CommentsPermalink
(7) an analysis of the barriers to recruiting and hiring cybersecurity talent, including compensation, classification, hiring flexibilities, and the hiring process, and recommendations to overcome those barriers; and, CommentsClose CommentsPermalink
(8) a cybersecurity-related training and development plan to enhance or keep current the knowledge level of employees. CommentsClose CommentsPermalink
(b) REPORT- Upon completion of the review, the President, or the President’s designee, shall submit a report to the Senate Committee on Commerce, Science, and Transportation, the House of Representatives Committee on Science and Technology, and other appropriate Congressional Committees containing the President’s, or the President’s designee’s, findings, conclusions, and recommendations.SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT.Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networksHIRING PROJECTIONS- Each Federal agency shall make hiring projections made under its strategic cybersecurity workforce plan available to the public, including on its website. CommentsClose CommentsPermalink
(c) CLASSIFICATION- Based on the agency analyses and recommendations made under subsection (a)(7) of this section and other relevant information, the President or the President’s designee, in consultation with affected Federal agencies and councils, shall coordinate the establishment of new job classifications for cybersecurity functions in government and certification requirements for each job category. CommentsClose CommentsPermalink
SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.The President-05. MEASURES OF CYBERSECURITY HIRING EFFECTIVENESS.
(a) IN GENERAL- Each agency shall measure and collect information on cybersecurity hiring effectiveness with respect to the following: CommentsClose CommentsPermalink
(1) Recruiting and hiring- CommentsClose CommentsPermalink
(A) Ability to reach and recruit well-qualified talent from diverse talent pools. CommentsClose CommentsPermalink
(B) Use and impact of special hiring authorities and flexibilities to recruit most qualified applicants, including the use of student internship and scholarship programs as a talent pool for permanent hires. CommentsClose CommentsPermalink
(C) Use and impact of special hiring authorities and flexibilities to recruit diverse candidates, including veteran, minority, and disabled candidates. CommentsClose CommentsPermalink
(D) The age, educational level, and source of applicants. CommentsClose CommentsPermalink
(2) Hiring manager assessment- CommentsClose CommentsPermalink
(A) Manager satisfaction with the quality of the applicants interviewed and new hires. CommentsClose CommentsPermalink
(B) Manager satisfaction with the match between the skills of newly hired individuals and the needs of the agency. CommentsClose CommentsPermalink
(C) Manager satisfaction with the hiring process and hiring outcomes. CommentsClose CommentsPermalink
(D) Mission-critical deficiencies closed by new hires and the connection between mission-critical deficiencies and annual agency performance. CommentsClose CommentsPermalink
(E) Manager satisfaction with the length of time to fill a position. CommentsClose CommentsPermalink
(3) APPLICANT ASSESSMENT- Applicant satisfaction with the hiring process (including clarity of job announcement, reasons for withdrawal of application should that apply, user-friendliness of the application process, communication regarding status of application, and timeliness of job offer). CommentsClose CommentsPermalink
(4) New hire assessment- CommentsClose CommentsPermalink
(A) New hire satisfaction with the hiring process (including clarity of job announcement, user-friendliness of the application process, communication regarding status of application, and timeliness of hiring decision). CommentsClose CommentsPermalink
(B) Satisfaction with the onboarding experience (including timeliness of onboarding after the hiring decision, welcoming and orientation processes, and being provided with timely and useful new employee information and assistance). CommentsClose CommentsPermalink
(C) New hire attrition, including by performance level and occupation. CommentsClose CommentsPermalink
(D) Investment in training and development for employees during their first year of employment. CommentsClose CommentsPermalink
(E) Exit interview results. CommentsClose CommentsPermalink
(F) Other indicators and measures as required by the Office of Personnel Management. CommentsClose CommentsPermalink
(b) Reports- CommentsClose CommentsPermalink
(1) IN GENERAL- Each agency shall submit the information collected under subsection (a) to the Office of Personnel Management annually in accordance with the regulations prescribed under subsection (c). CommentsClose CommentsPermalink
(2) AVAILABILITY OF RECRUITING AND HIRING INFORMATION- Each year the Office of Personnel Management shall provide the information received under paragraph (1) in a consistent format to allow for a comparison of hiring effectiveness and experience across demographic groups and agencies to-- CommentsClose CommentsPermalink
(A) the Congress before that information is made publicly available; and CommentsClose CommentsPermalink
(B) the public on the website of the Office within 1 year after the date of enactment of this Act, shall90 days after receipt of the information under subsection (b)(1). CommentsClose CommentsPermalink
(c) REGULATIONS- Not later than 180 days after the date of enactment of this Act, the Director of the Office of Personnel Management shall prescribe regulations establishing the methodology, timing, and reporting of the data described in subsection (a). CommentsClose CommentsPermalink
TITLE II--PLANS AND AUTHORITY
CommentsClose CommentsPermalink
TITLE II--PLANS AND AUTHORITY CommentsClose CommentsPermalink
SEC. 201. CYBERSECURITY RESPONSIBILITIES AND AUTHORITIES.
(a) In General- The President shall-- CommentsClose CommentsPermalink
(1) within 180 days after the date of enactment of this Act, after notice and opportunity for public comment, develop and implement a comprehensive national cybersecurity strategy, which shall include-- CommentsClose CommentsPermalink
(A) a long-term vision of the Nation’s cybersecurity future; and CommentsClose CommentsPermalink
(B) a plan that encompaaddresses all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers; (2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network; (3) shall designate an agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration under paragraph (2);
(2) in consultation with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations, review critical functions likely to be impacted by a cyber attack and develop a strategy for the acquisition, storage, and periodic replacement of such equipment; (5) shall direct the periodic mapping of Federal Government and United States critical infrastructure information systems or networks, and shall develop metrics to measure the effectiveness of the mapping process; (6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;
(3) through the Office of Science and Technology Policy, direct an annual review of all Federal cyber technology research and development investments; (8) may delegate original classification authority to the appropriate Federal official for the purposes of improving the Nation’s cybersecurity posture;
(4) through the Office of Personnel Management, promulgate rules for Federal professional responsibilities regarding cybersecurity, and shall provide to the Congress an annual report on Federal agency compliance with those rules; (10) shall withhold additional compensation, direct corrective action for Federal personnel, or terminate a Federal contract in violation of Federal rules, and shall report any such action to the Congress in an unclassified format within 48 hours after taking any such action; and
(b) Collaborative Emergency Response and Restoration- The President-- CommentsClose CommentsPermalink
(1) shall, in collaboration with owners and operators of United States critical infrastructure information systems, sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations, develop and rehearse detailed response and restoration plans that clarify specific roles, responsibilities, and authorities of government and private sector actors during cybersecurity emergencies, and that identify the types of events and incidents that would constitute a cybersecurity emergency; CommentsClose CommentsPermalink
(2) may, in the event of an immediate threat to strategic national interests involving compromised Federal Government or United States critical infrastructure information systems-- CommentsClose CommentsPermalink
(A) declare a cybersecurity emergency; and CommentsClose CommentsPermalink
(B) implement the collaborative emergency response and restoration plans developed under paragraph (1); CommentsClose CommentsPermalink
(3) shall, in the event of a declaration of a cybersecurity emergency-- CommentsClose CommentsPermalink
(A) within 48 hours after providing a cyber-related certification of legality to a United States personsubmit to Congress a report in writing setting forth-- CommentsClose CommentsPermalink
(i) the circumstances necessitating the emergency declaration; and CommentsClose CommentsPermalink
(ii) the estimated scope and duration of the emergency; and CommentsClose CommentsPermalink
(B) so long as the cybersecurity emergency declaration remains in effect, report to the Congress periodically, but in no event less frequently than once every 30 days, on the status of emergency as well as on the scope and duration of the emergency. CommentsClose CommentsPermalink
(c) Rule of Construction- This section does not authorize, and shall not be construed to authorize, an expansion of existing Presidential authorities. CommentsClose CommentsPermalink
SEC. 19. QUADR202. BIENNIAL CYBER REVIEW.
(a) IN GENERAL- Beginning with 20130 and in every fourthsecond year thereafter, the President, or the President’s designee, shall complete a review of the cyber posture of the United States, including an unclassified summary of roles, missions, accomplishments, plans, and programs. The review shall include a comprehensive examination of the cyber strategy, force structure, personnel, modernization plans, infrastructure, budget plan, the Nation’s ability to recover from a cyber emergency, and other elements of the cyber program and policies with a view toward determining and expressing the cyber strategy of the United States and establishing a revised cyber program for the next 42 years. CommentsClose CommentsPermalink
(b) INVOLVEMENT OF CYBERSECURITY ADVISORY PANEL- CommentsClose CommentsPermalink
(1) The President, or the President’s designee, shall apprise the Cybersecurity Advisory Panel established or designated under section 3401, on an ongoing basis, of the work undertaken in the conduct of the review. CommentsClose CommentsPermalink
(2) Not later than 1 year before the completion date for the review, the Chairman of the Advisory Panel shall submit to the President, or the President’s designee, the Panel’s assessment of work undertaken in the conduct of the review as of that date and shall include in the assessment the recommendations of the Panel for improvements to the review, including recommendations for additional matters to be covered in the review. CommentsClose CommentsPermalink
(c) ASSESSMENT OF REVIEW- Upon completion of the review, the Chairman of the Advisory Panel, on behalf of the Panel, shall prepare and submit to the President, or the President’s designee, an assessment of the review in time for the inclusion of the assessment in its entirety in the report under subsection (d). CommentsClose CommentsPermalink
(d) REPORT- Not later than September 30, 20130, and every 42 years thereafter, the President, or the President’s designee, shall submit to the relevant congressional Committees a comprehensive report on the review. The report shall include-- CommentsClose CommentsPermalink
(1) the results of the review, including a comprehensive discussion of the cyber strategy of the United States and the collaboration between the public and private sectors best suited to implement that strategy; CommentsClose CommentsPermalink
(2) the threats examined for purposes of the review and the scenarios developed in the examination of such threats; CommentsClose CommentsPermalink
(3) the assumptions used in the review, including assumptions relating to the cooperation of other countries and levels of acceptable risk; and CommentsClose CommentsPermalink
(4) the Advisory Panel’s assessment. CommentsClose CommentsPermalink
SEC. 203. CYBERSECURITY DASHBOARD PILOT PROJECT.
The Secretary of Commerce shall-- CommentsClose CommentsPermalink
(1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems managed by the Department of Commerce, including an inventory of such, vulnerabilities of such systems, and corrective action plans for those vulnerabilities; CommentsClose CommentsPermalink
(2) implement the plan within 1 year after the date of enactment of this Act; and CommentsClose CommentsPermalink
(3) submit a report to the Congress on the implementation of the plan. CommentsClose CommentsPermalink
SEC. 204. NIST CYBERSECURITY GUIDANCE.
(a) In General- Beginning no later than 1 year after the date of enactment of this Act, the National Institute of Standards and Technology, in close and regular consultation with sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations, shall-- CommentsClose CommentsPermalink
(1) recognize and promote auditable, private sector developed cybersecurity risk measurement techniques, risk management measures and best practices for all Federal Government and United States critical infrastructure information systems; and CommentsClose CommentsPermalink
(2) on an ongoing basis, but not less frequently than semi-annually, review and reconsider its recognitions under paragraph (1) in order to account for advances in cybersecurity risk measurement techniques, risk management measures, and best practices. CommentsClose CommentsPermalink
(b) Federal Information Systems- Within 1 year after the National Institute of Standards and Technology issues guidance under subsection (a)(1), the President shall require all Federal departments and agencies to measure their risk in each operating unit using the techniques recognized under subsection (a) and to comply with or exceed the cybersecurity risk management measures and best practices recognized under subsection (a). CommentsClose CommentsPermalink
(c) United States Critical Infrastructure Information Systems- CommentsClose CommentsPermalink
(1) In general- On the earlier of the date on which the final rule in the rulemaking required by section 4 is promulgated, or 1 year after the President first recognizes the cybersecurity risk measurement techniques, risk management measures and best practices under subsection (a), and on a semi-annual basis thereafter, the President shall require each owner or operator of a United States critical infrastructure information system to report the results of independent audits that evaluate compliance with cybersecurity risk measurement techniques, risk management measures, and best practices recognized under subsection (a). CommentsClose CommentsPermalink
(2) Positive recognition- The President, in consultation with sector coordinating councils, relevant governmental agencies, and regulatory entities, and with the consent of individual companies, may publicly recognize those owners and operators of United States critical infrastructure information systems whose independent audits demonstrate compliance with cybersecurity risk measurement techniques, risk management measures, and best practices recognized under subsection (a); CommentsClose CommentsPermalink
(3) Collaborative remediation- The President shall require owners or operators of United States critical infrastructure information systems that fail to demonstrate substantial compliance with cybersecurity risk measurement techniques, risk management measures, and best practices recognized under subsection (a) through 2 consecutive independent audits, in consultation with sector coordinating councils, relevant governmental agencies, and regulatory entities, to collaboratively develop and implement a remediation plan. CommentsClose CommentsPermalink
(d) International Standards Development- Within 1 year after the date of enactment of this Act, the Director, in coordination with the Department of State and other relevant governmental agencies and regulatory entities, and in consultation with sector coordinating councils and relevant nongovernmental organizations, shall-- CommentsClose CommentsPermalink
(1) direct United States cybersecurity efforts before all international standards development bodies related to cybersecurity; CommentsClose CommentsPermalink
(2) develop and implement a strategy to engage international standards bodies with respect to the development of technical standards related to cybersecurity; and CommentsClose CommentsPermalink
(3) submit the strategy to the Congress. CommentsClose CommentsPermalink
(e) Criteria for Federal Information Systems- Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline pertaining to the distinction between national security systems and civilian agency systems, the Institute shall adopt a risk-based approach in the development of Federal cybersecurity guidance for Federal information systems. CommentsClose CommentsPermalink
(f) FCC Broadband Cybersecurity Review- Within 1 year after the date of enactment of this Act, the Federal Communications Commission shall report to Congress on effective and efficient means to ensure the cybersecurity of commercial broadband networks as related to public safety, consumer welfare, healthcare, education, energy, government, security and other national purposes. This report should also consider consumer education and outreach programs to assist individuals in protecting their home and personal computers and other devices. CommentsClose CommentsPermalink
(g) Elimination of Duplicative Requirements- The President shall direct the National Institute of Standards and Technology and other appropriate Federal agencies to identify private sector entities already required to report their compliance with cybersecurity laws, directives, and regulations to streamline compliance with duplicative reporting requirements. CommentsClose CommentsPermalink
SEC. 205. LEGAL FRAMEWORK REVIEW AND REPORT.
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Comptroller General shall complete a comprehensive review of the Federal statutory and legal framework applicable to cybersecurity-related activities in the United States, including-- CommentsClose CommentsPermalink
(1) the Privacy Protection Act of 1980 (
(2) the Electronic Communications Privacy Act of 1986 (
(3) the Computer Security Act of 1987 (
(4) the Federal Information Security Management Act of 2002 (
(5) the E-Government Act of 2002 (
(6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.); CommentsClose CommentsPermalink
(7)
(8) the Federal Advisory Committee Act (5 U.S.C. App.); CommentsClose CommentsPermalink
(9) any other Federal law bearing upon cybersecurity-related activities; and CommentsClose CommentsPermalink
(10) any applicable Executive Order or agency rule, regulation, or guideline. CommentsClose CommentsPermalink
(b) REPORT- Upon completion of the review the Comptroller General shall submit a report to the Congress containing the Comptroller General’s, findings, conclusions, and recommendations regarding changes needed to advance cybersecurity and protect civil liberties in light of new cybersecurity measures. CommentsClose CommentsPermalink
SEC. 206. JOINT INTELLIGENCE THREAT AND VULNERABILITY ASSESSMENT.
The Director of National Intelligence and, the Secretary of Commerce shall submit to the Congress an annual, the Secretary of Homeland Security, the Attorney General, the Secretary of Defense, and the Secretary of State shall submit to the Congress a joint assessment of, and report on, cybersecurity threats to and vulnerabilities of critical national information, communication, and data network infrastructureFederal information systems and United States critical infrastructure information systems. CommentsClose CommentsPermalink
SEC. 2107. INTERNATIONAL NORMS AND CYBERSECURITY DETERRANCE MEASURES.
The President shall-- CommentsClose CommentsPermalink
(1) work with representatives of foreign governments, private sector entities, and nongovernmental organizations-- CommentsClose CommentsPermalink
(A) to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity; and CommentsClose CommentsPermalink
(B) to encourage international cooperation in improving cybersecurity on a global basis; and CommentsClose CommentsPermalink
(2) provide an annual report to the Congress on the progress of international initiatives undertaken pursuant to subparagraph (A). CommentsClose CommentsPermalink
SEC. 2208. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD.
(a) ESTABLISHMENT- There is established a Secure Products andAcquisition Requirements- The Administrator of the General Services Acquisitions Board. The Board shall be responsible for cybersecurity review and approval of high value products and services acquisition and, in coordination with the National Institute of Standards and Technology, for the establishment of appropriate standards for the validation of software to be acquired by the Federal Government. The Director of the National Institute of Standards and Technology shall develop the review process and provide guidance to the Board. In reviewing software under this subsection, the Board may consider independent secure software validation and verification as key factor for approval.(b) ACQUISITION STANDARDS- The Directordministration, in cooperation with the Office of Management and Budget and other appropriate Federal agencies, shall ensure that the Board approval is included as a prerequisite to the acquisition of any product or service-- (1) subject to review by the Board; and (2) subject to Federal acquisition standards.
(b) Acquisition Compliance- After the publication of the standards developed under subsection (a), any proposal submitted in response torequirements established by the Administrator under subsection (a), a Federal agency may not issue a request for proposals issued by a Federal agency shall demonstrate compliance with any such applicable standard in order to ensure that cybersecurityfor Federal information systems products and services are designed to be an integral part of the overall acquisitionthat does not comply with the requirements. CommentsClose CommentsPermalink
SEC. 23. DEFINITIONS.In this Act:
(1) ADVISORY PANEL- The term ‘Advisory Panel’ means the Cybersecurity Advisory Panel established or designated under section 309. PRIVATE SECTOR ACCESS TO CLASSIFIED INFORMATION.
(a) Evaluation- The President shall conduct an annual evaluation of the sufficiency of present access to classified information among owners and operators of United States critical infrastructure information systems and submit a report to the Congress on the evaluation. CommentsClose CommentsPermalink
(b) Security Clearances- To the extent determined by the President to be necessary to enhance public-private information sharing and cybersecurity collaboration, the President may-- CommentsClose CommentsPermalink
(1) grant additional security clearances to owners and operators of United States critical infrastructure information systems; and CommentsClose CommentsPermalink
(2) delegate original classification authority to appropriate Federal officials on matters related to cybersecurity. CommentsClose CommentsPermalink
SEC. 210. AUTHENTICATION AND CIVIL LIBERTIES REPORT.
Within 1 year after the date of enactment of this Act, the President, or the President’s designee, in consultation with sector coordinating councils, relevant governmental agencies, regulatory entities, and nongovernmental organizations, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for Federal government and United States critical infrastructure information systems. CommentsClose CommentsPermalink
SEC. 211. REPORT ON EVALUATION OF CERTAIN IDENTITY AUTHENTICATION FUNCTIONALITIES.
(a) In General- Not later than 90 days after the date of enactment of this Act, the National Institute of Standards and Technology shall issue a public report evaluating identity authentication solutions to determine the necessary level of functionality and privacy protection, based on risk, commensurate with the level of data assurance and sensitivity, as defined by OMB e-Authentication Guidance Memorandum 04-04 (OMB 04-04). CommentsClose CommentsPermalink
(b) Contents- The report shall-- CommentsClose CommentsPermalink
(1) assess strategies and best practices for mapping the 4 authentication levels with authentication functionalities appropriate for each level; and CommentsClose CommentsPermalink
(2) address specifically authentication levels and appropriate functionalities necessary and available for the protection of electronic medical records and health information. CommentsClose CommentsPermalink
TITLE III--CYBERSECURITY KNOWLEDGE DEVELOPMENT
CommentsClose CommentsPermalink
TITLE III--CYBERSECURITY KNOWLEDGE DEVELOPMENT CommentsClose CommentsPermalink
SEC. 301. PROMOTING CYBERSECURITY AWARENESS AND EDUCATION.
(a) IN GENERAL- The Secretary of Commerce, in consultation with sector coordinating councils, relevant governmental agencies, regulatory entities, and nongovernmental organizations, shall develop and implement a national cybersecurity awareness campaign that-- CommentsClose CommentsPermalink
(1) calls a new generation of Americans to service in the field of cybersecurity; CommentsClose CommentsPermalink
(2) heightens public awareness of cybersecurity issues and concerns; CommentsClose CommentsPermalink
(3) communicates the Federal Government’s role in securing the Internet and protecting privacy and civil liberties with respect to Internet-related activities; and CommentsClose CommentsPermalink
(4) utilizes public and private sector means of providing information to the public, including public service announcements. CommentsClose CommentsPermalink
(b) EDUCATIONAL PROGRAMS- The Secretary of Education, in consultation with State school superintendents, relevant Federal agencies, industry sectors, and nongovernmental organizations, shall identify and promote age appropriate information and programs for grades K-12 regarding cyber safety, cybersecurity, and cyber ethics. CommentsClose CommentsPermalink
SEC. 302. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) FUNDAMENTAL CYBERSECURITY RESEARCH- The Director of the National Science Foundation, in coordination with the Office of Science and Technology Policy, and drawing on the recommendations of the Office of Science and Technology Policy’s annual review of all Federal cyber technology research and development investments required by section 201(a)(3), shall develop a national cybersecurity research and development plan. The plan shall encourage computer and information science and engineering research to meet the following challenges in cybersecurity: CommentsClose CommentsPermalink
(1) How to design and build complex software-intensive systems that are secure and reliable when first deployed. CommentsClose CommentsPermalink
(2) CYBER- The term ‘cyber’ means--(A) any process, program, or protocol relating to the use of the Internet or an intranet, automaticHow to test and verify that software, whether developed locally or obtained from a third party, is free of significant known security flaws. CommentsClose CommentsPermalink
(3) How to test and verify that software obtained from a third party correctly implements stated functionality, and only that functionality. CommentsClose CommentsPermalink
(4) How to guarantee the privacy of an individual’s identity, information, or lawful transactions when stored in distributed systems or transmitted over networks. CommentsClose CommentsPermalink
(5) How to build new protocols to enable the Internet to have robust security as one of its key capabilities. CommentsClose CommentsPermalink
(6) How to determine the origin of a message transmitted over the Internet. CommentsClose CommentsPermalink
(7) How to support privacy in conjunction with improved security. CommentsClose CommentsPermalink
(8) How to address the growing problem of insider threat. CommentsClose CommentsPermalink
(9) How improved consumer education and digital literacy initiatives can address human factors that contribute to cybersecurity. CommentsClose CommentsPermalink
(b) SECURE CODING RESEARCH- The Director shall support research that evaluates selected secure coding education and improvement programs. The Director shall also support research on new methods of integrating secure coding improvement into the core curriculum of computer science programs and of other programs where graduates have a substantial probability of developing software after graduation. CommentsClose CommentsPermalink
(c) ASSESSMENT OF SECURE CODING EDUCATION IN COLLEGES AND UNIVERSITIES- Within 1 year after the date of enactment of this Act, the Director shall submit to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology a report on the state of secure coding education in America’s colleges and universities for each school that received National Science Foundation funding in excess of $1,000,000 during fiscal year 2008. The report shall include-- CommentsClose CommentsPermalink
(1) the number of students who earned undergraduate degrees in computer science or in each other program where graduates have a substantial probability of being engaged in software design or development after graduation; CommentsClose CommentsPermalink
(2) the percentage of those students who completed substantive secure coding education or improvement programs during their undergraduate experience; and CommentsClose CommentsPermalink
(3) descriptions of the length and content of the education and improvement programs and an evaluation of the effectiveness of those programs based on the students’ scores on standard tests of secure coding and design skills. CommentsClose CommentsPermalink
(d) CYBERSECURITY MODELING AND TESTBEDS- Within 1 year after the date of enactment of this Act, the Director shall conduct a review of existing cybersecurity testbeds. Based on the results of that review, the Director shall establish a program to award grants to institutions of higher education to establish cybersecurity testbeds capable of realistic modeling of real-time cyber attacks and defenses. The purpose of this program is to support the rapid development of new cybersecurity defenses, techniques, and processes by improving understanding and assessing the latest technologies in a real-world environment. The testbeds shall be sufficiently large in order to model the scale and complexity of real world networks and environments. CommentsClose CommentsPermalink
(e) NSF COMPUTER AND NETWORK SECURITY RESEARCH GRANT AREAS- Section 4(a)(1) of the Cybersecurity Research and Development Act (
(1) by striking ‘and’ after the semicolon in subparagraph (H); CommentsClose CommentsPermalink
(2) by striking ‘property.’ in subparagraph (I) and inserting ‘property;’; and CommentsClose CommentsPermalink
(3) by adding at the end the following: CommentsClose CommentsPermalink
‘(J) secure fundamental protocols that are at the heart of inter-network communications and data processing or transmission, or telecommunication via the Internet or an intranet; and
(B) any matter relating to, or involving the use of, computers or computer networks.
(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTUREexchange; CommentsClose CommentsPermalink‘(K) secure software engineering and software assurance, including-- CommentsClose CommentsPermalink
‘(i) programming languages and systems that include fundamental security features; CommentsClose CommentsPermalink
‘(ii) portable or reusable code that remains secure when deployed in various environments; CommentsClose CommentsPermalink
‘(iii) verification and validation technologies to ensure that requirements and specifications have been implemented; and CommentsClose CommentsPermalink
‘(iv) models for comparison and metrics to assure that required standards have been met; CommentsClose CommentsPermalink
‘(L) holistic system security that-- CommentsClose CommentsPermalink
‘(i) addresses the building of secure systems from trusted and untrusted components; CommentsClose CommentsPermalink
‘(ii) proactively reduces vulnerabilities; CommentsClose CommentsPermalink
‘(iii) addresses insider threats; and CommentsClose CommentsPermalink
‘(iv) supports privacy in conjunction with improved security; CommentsClose CommentsPermalink
‘(M) monitoring and detection; and CommentsClose CommentsPermalink
‘(N) mitigation and rapid recovery methods.’. CommentsClose CommentsPermalink
(f) NSF COMPUTER AND NETWORK SECURITY GRANTS- Section 4(a)(3) of the Cybersecurity Research and Development Act (
(1) by striking ‘and’ in subparagraph (D); CommentsClose CommentsPermalink
(2) by striking ‘2007.’ in subparagraph (E) and inserting ‘2007;’; and CommentsClose CommentsPermalink
(3) by adding at the end of the following: CommentsClose CommentsPermalink
‘(F) $150,000,000 for fiscal year 2010; CommentsClose CommentsPermalink
‘(G) $155,000,000 for fiscal year 2011; CommentsClose CommentsPermalink
‘(H) $160,000,000 for fiscal year 2012; CommentsClose CommentsPermalink
‘(I) $165,000,000 for fiscal year 2013; and CommentsClose CommentsPermalink
‘(J) $170,000,000 for fiscal year 2014.’. CommentsClose CommentsPermalink
(g) COMPUTER AND NETWORK SECURITY CENTERS- Section 4(b)(7) of such Act (
(1) by striking ‘and’ in subparagraph (D); CommentsClose CommentsPermalink
(2) by striking ‘2007.’ in subparagraph (E) and inserting ‘2007;’; and CommentsClose CommentsPermalink
(3) by adding at the end of the following: CommentsClose CommentsPermalink
‘(F) $50,000,000 for fiscal year 2010; CommentsClose CommentsPermalink
‘(G) $52,000,000 for fiscal year 2011; CommentsClose CommentsPermalink
‘(H) $54,000,000 for fiscal year 2012; CommentsClose CommentsPermalink
‘(I) $56,000,000 for fiscal year 2013; and CommentsClose CommentsPermalink
‘(J) $58,000,000 for fiscal year 2014.’. CommentsClose CommentsPermalink
(h) COMPUTER AND NETWORK SECURITY CAPACITY BUILDING GRANTS- Section 5(a)(6) of such Act (
(1) by striking ‘and’ in subparagraph (D); CommentsClose CommentsPermalink
(2) by striking ‘2007.’ in subparagraph (E) and inserting ‘2007;’; and CommentsClose CommentsPermalink
(3) by adding at the end of the following: CommentsClose CommentsPermalink
‘(F) $40,000,000 for fiscal year 2010; CommentsClose CommentsPermalink
‘(G) $42,000,000 for fiscal year 2011; CommentsClose CommentsPermalink
‘(H) $44,000,000 for fiscal year 2012; CommentsClose CommentsPermalink
‘(I) $46,000,000 for fiscal year 2013; and CommentsClose CommentsPermalink
‘(J) $48,000,000 for fiscal year 2014.’. CommentsClose CommentsPermalink
(i) SCIENTIFIC AND ADVANCED TECHNOLOGY ACT GRANTS- Section 5(b)(2) of such Act (
(1) by striking ‘and’ in subparagraph (D); CommentsClose CommentsPermalink
(2) by striking ‘2007.’ in subparagraph (E) and inserting ‘2007;’; and CommentsClose CommentsPermalink
(3) by adding at the end of the following: CommentsClose CommentsPermalink
‘(F) $5,000,000 for fiscal year 2010; CommentsClose CommentsPermalink
‘(G) $6,000,000 for fiscal year 2011; CommentsClose CommentsPermalink
‘(H) $7,000,000 for fiscal year 2012; CommentsClose CommentsPermalink
‘(I) $8,000,000 for fiscal year 2013; and CommentsClose CommentsPermalink
‘(J) $9,000,000 for fiscal year 2014.’. CommentsClose CommentsPermalink
(j) GRADUATE TRAINEESHIPS IN COMPUTER AND NETWORK SECURITY RESEARCH- Section 5(c)(7) of such Act (
(1) by striking ‘and’ in subparagraph (D); CommentsClose CommentsPermalink
(2) by striking ‘2007.’ in subparagraph (E) and inserting ‘2007;’; and CommentsClose CommentsPermalink
(3) by adding at the end of the following: CommentsClose CommentsPermalink
‘(F) $20,000,000 for fiscal year 2010; CommentsClose CommentsPermalink
‘(G) $22,000,000 for fiscal year 2011; CommentsClose CommentsPermalink
‘(H) $24,000,000 for fiscal year 2012; CommentsClose CommentsPermalink
‘(I) $26,000,000 for fiscal year 2013; and CommentsClose CommentsPermalink
‘(J) $28,000,000 for fiscal year 2014.’. CommentsClose CommentsPermalink
(k) CYBERSECURITY FACULTY DEVELOPMENT TRAINEESHIP PROGRAM- Section 5(e)(9) of such Act (
(l) NETWORKING AND INFORMATION SYSTEMS AND NETWORKS- The term ‘Federal Government and United States critical infrastructure information systems and networks’ includes-- (A) Federal Government information systems and networks; and (B) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.
(1) by striking ‘and’ after the semicolon in subparagraph (B); and CommentsClose CommentsPermalink
(2) by inserting after subparagraph (C) the following: CommentsClose CommentsPermalink
‘(D) develop and propose standards and guidelines, and develop measurement techniques and test methods, for enhanced cybersecurity for computer networks and common user interfaces to systems; and’. CommentsClose CommentsPermalink
SEC. 303. DEVELOPMENT OF CURRICULA FOR INCORPORATING CYBERSECURITY INTO EDUCATIONAL PROGRAMS FOR FUTURE INDUSTRIAL CONTROL SYSTEM DESIGNERS.
(a) In General- The Director of the National Science Foundation shall establish a grant program to fund public and private educational institutions to develop graduate and undergraduate level curricula that address cybersecurity in modern industrial control systems. In administering the program, the Director-- CommentsClose CommentsPermalink
(1) shall establish such requirements for the submission of applications containing such information, commitments, and assurances as the Director finds necessary and appropriate; CommentsClose CommentsPermalink
(2) shall award the grants on a competitive basis; CommentsClose CommentsPermalink
(3) shall require grant recipients to make the developed curricula and related materials to other public and private educational institutions; and CommentsClose CommentsPermalink
(4) may make up to 3 grants per year. CommentsClose CommentsPermalink
(b) Authorization of Appropriations- There are authorized to be appropriated to the Director to carry out the grant program under this section $2,000,000 for each of fiscal years 2011 and 2012. CommentsClose CommentsPermalink
TITLE IV--PUBLIC-PRIVATE COLLABORATION
CommentsClose CommentsPermalink
TITLE IV--PUBLIC-PRIVATE COLLABORATION CommentsClose CommentsPermalink
SEC. 401. CYBERSECURITY ADVISORY PANEL.
(a) IN GENERAL- The President shall establish or designate a Cybersecurity Advisory Panel. CommentsClose CommentsPermalink
(b) QUALIFICATIONS- The President-- CommentsClose CommentsPermalink
(1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, personnel, technology transfer, commercial application, or societal and civil liberty concerns; and CommentsClose CommentsPermalink
(2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations. CommentsClose CommentsPermalink
(c) DUTIES- The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess-- CommentsClose CommentsPermalink
(1) trends and developments in cybersecurity science research and development; CommentsClose CommentsPermalink
(2) progress made in implementing the strategy; CommentsClose CommentsPermalink
(3) the need to revise the strategy; CommentsClose CommentsPermalink
(4) the readiness and capacity of the Federal and national workforces to implement the national cybersecurity program and strategy, and the steps necessary to improve workforce readiness and capacity; CommentsClose CommentsPermalink
(5) the balance among the components of the national strategy, including funding for program components; CommentsClose CommentsPermalink
(6) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity; CommentsClose CommentsPermalink
(7) the management, coordination, implementation, and activities of the strategy; CommentsClose CommentsPermalink
(8) whether the concerns of Federal, State, and local law enforcement entities are adequately addressed; and CommentsClose CommentsPermalink
(9) whether societal and civil liberty concerns are adequately addressed. CommentsClose CommentsPermalink
(d) REPORTS- The panel shall report, not less frequently than once every 2 years, to the President on its assessments under subsection (c) and its recommendations for ways to improve the strategy. CommentsClose CommentsPermalink
(e) TRAVEL EXPENSES OF NON-FEDERAL MEMBERS- Non-Federal members of the panel, while attending meetings of the panel or while otherwise serving at the request of the head of the panel while away from their homes or regular places of business, may be allowed travel expenses, including per diem in lieu of subsistence, as authorized by
(f) EXEMPTION FROM FACA SUNSET- Section 14 of the Federal Advisory Committee Act (5 U.S.C. 5503(5)).App.) shall not apply to the Advisory Panel. CommentsClose CommentsPermalink
SEC. 402. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAM.
(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion of private sector developed cybersecurity risk measurement techniques, risk management measures, and best practices. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section. CommentsClose CommentsPermalink
(b) PURPOSE- The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in the United States through-- CommentsClose CommentsPermalink
(1) the promotion of private sector developed cybersecurity risk measurement techniques, risk management measures, and best practices to small- and medium-sized companies throughout the United States; CommentsClose CommentsPermalink
(2) the voluntary participation of individuals from industry, universities, State governments, other Federal agencies, and, when appropriate, the Institute in cooperative technology transfer activities in accordance with existing technology transfer rules and intellectual property protection measures; CommentsClose CommentsPermalink
(3) efforts to make new cybersecurity technology, standards, and processes usable by United States-based small- and medium-sized companies; CommentsClose CommentsPermalink
(4) the active dissemination of scientific, engineering, technical, and management information about cybersecurity to industrial firms, including small- and medium-sized companies; CommentsClose CommentsPermalink
(5) the utilization, when appropriate, of the expertise and capability that exists in Federal laboratories other than the Institute; and CommentsClose CommentsPermalink
(6) the performance of these and related activities in a manner that supplements or coordinates with, and does not compete with or duplicate, private sector activities. CommentsClose CommentsPermalink
(c) ACTIVITIES- The Centers shall-- CommentsClose CommentsPermalink
(1) disseminate cybersecurity technologies, standards, and processes based on research by the Institute for the purpose of demonstrations and technology transfer; CommentsClose CommentsPermalink
(2) actively transfer and disseminate private sector developed cybersecurity risk measurement techniques, risk management measures, and best practices to protect against and mitigate the risk of cyber attacks to a wide range of companies and enterprises, particularly small- and medium-sized businesses; and CommentsClose CommentsPermalink
(3) make loans, on a selective, short-term basis, of items of advanced protective cybersecurity measures to small businesses with less than 100 employees. CommentsClose CommentsPermalink
(c) Duration and Amount of Support; Program Descriptions; Applications; Merit Review; Evaluations of Assistance- CommentsClose CommentsPermalink
(1) FINANCIAL SUPPORT- The Secretary may provide financial support, not to exceed 50 percent of the Center’s annual operating and maintenance costs, to any Center for a period not to exceed 6 years (except as provided in paragraph (5)(D)). CommentsClose CommentsPermalink
(2) PROGRAM DESCRIPTION- Within 90 days after the date of enactment of this Act, the Secretary shall publish in the Federal Register a draft description of a program for establishing Centers and, after a 30-day comment period, shall publish a final description of the program. The description shall include-- CommentsClose CommentsPermalink
(A) a description of the program; CommentsClose CommentsPermalink
(B) procedures to be followed by applicants; CommentsClose CommentsPermalink
(C) criteria for determining qualified applicants; CommentsClose CommentsPermalink
(D) criteria, including those described in paragraph (4), for choosing recipients of financial assistance under this section from among the qualified applicants; and CommentsClose CommentsPermalink
(E) maximum support levels expected to be available to Centers under the program in the fourth through sixth years of assistance under this section. CommentsClose CommentsPermalink
(3) APPLICATIONS; SUPPORT COMMITMENT- Any nonprofit institution, or consortia of nonprofit institutions, may submit to the Secretary an application for financial support under this section, in accordance with the procedures established by the Secretary. In order to receive assistance under this section, an applicant shall provide adequate assurances that it will contribute 50 percent or more of the proposed Center’s annual operating and maintenance costs for the first 3 years and an increasing share for each of the next 3 years. CommentsClose CommentsPermalink
(4) AWARD CRITERIA- Awards shall be made on a competitive, merit-based review. In making a decision whether to approve an application and provide financial support under this section, the Secretary shall consider, at a minimum-- CommentsClose CommentsPermalink
(A) the merits of the application, particularly those portions of the application regarding technology transfer, training and education, and adaptation of cybersecurity technologies to the needs of particular industrial sectors; CommentsClose CommentsPermalink
(B) the quality of service to be provided; CommentsClose CommentsPermalink
(C) geographical diversity and extent of service area; and CommentsClose CommentsPermalink
(D) the percentage of funding and amount of in-kind commitment from other sources. CommentsClose CommentsPermalink
(5) Third year evaluation- CommentsClose CommentsPermalink
(A) IN GENERAL- Each Center which receives financial assistance under this section shall be evaluated during its third year of operation by an evaluation panel appointed by the Secretary. CommentsClose CommentsPermalink
(B) EVALUATION PANEL- Each evaluation panel shall be composed of private experts and Federal officials, none of whom shall be connected with the involved Center. Each evaluation panel shall measure the Center’s performance against the objectives specified in this section and ensure that the Center is not competing with, or duplicating, private sector activities. CommentsClose CommentsPermalink
(C) POSITIVE EVALUATION REQUIRED FOR CONTINUED FUNDING- The Secretary may not provide funding for the fourth through the sixth years of a Center’s operation unless the evaluation by the evaluation panel is positive. If the evaluation is positive, the Secretary may provide continued funding through the sixth year at declining levels. CommentsClose CommentsPermalink
(D) FUNDING AFTER SIXTH YEAR- After the sixth year, the Secretary may provide additional financial support to a Center if it has received a positive evaluation through an independent review, under procedures established by the Institute. An additional independent review shall be required at least every 2 years after the sixth year of operation. Funding received for a fiscal year under this section after the sixth year of operation may not exceed one third of the annual operating and maintenance costs of the Center. CommentsClose CommentsPermalink
(6) PATENT RIGHTS TO INVENTIONS- The provisions of chapter 18 of title 35, United States Code, shall (to the extent not inconsistent with this section) apply to the promotion of technology from research by Centers under this section except for contracts for such specific technology extension or transfer services as may be specified by statute or by the President, or the President’s designee. CommentsClose CommentsPermalink
(d) ACCEPTANCE OF FUNDS FROM OTHER FEDERAL DEPARTMENTS AND AGENCIES- In addition to such sums as may be authorized and appropriated to the Secretary and President, or the President’s designee, to operate the Centers program, the Secretary and the President, or the President’s designee, also may accept funds from other Federal departments and agencies for the purpose of providing Federal funds to support Centers. Any Center which is supported with funds which originally came from other Federal departments and agencies shall be selected and operated according to the provisions of this section. CommentsClose CommentsPermalink
SEC. 403. PUBLIC-PRIVATE CLEARINGHOUSE.
(a) SURVEY OF EXISTING MODELS OF INTERAGENCY AND PUBLIC-PRIVATE INFORMATION SHARING- Within 180 days after the date of enactment of this Act, the President, or the President’s designee, in consultation with sector coordinating councils, relevant governmental agencies and regulatory entities, and nongovernmental organizations, shall conduct a review and assessment of existing information sharing models used by Federal agencies. CommentsClose CommentsPermalink
(b) DESIGNATION- Pursuant to the results of the review and assessment required by subsection (a), the President shall establish or designate a facility to serve as the central cybersecurity threat and vulnerability information clearinghouse for the Federal Government and United States critical infrastructure information systems. The facility shall incorporate the best practices and concepts of operations of existing information sharing models in order to effectively promote the sharing of public-private cybersecurity threat and vulnerability information. CommentsClose CommentsPermalink
(c) INFORMATION SHARING RULES AND PROCEDURES- The President, or the President’s designee, in consultation with sector coordinating councils, relevant governmental agencies and regulatory entities, and nongovernmental organizations, shall promulgate rules and procedures regarding cybersecurity threat and vulnerability information sharing, that-- CommentsClose CommentsPermalink
(1) expand the Federal Government’s sharing of cybersecurity threat and vulnerability information with owners and operators of United States critical infrastructure information systems; CommentsClose CommentsPermalink
(2) ensure confidentiality and privacy protections for individuals and personally identifiable information; CommentsClose CommentsPermalink
(3) ensure confidentiality and privacy protections for private sector-owned intellectual property and proprietary information; CommentsClose CommentsPermalink
(4) establish criteria under which owners or operators of United States critical infrastructure information systems share actionable cybersecurity threat and vulnerability information and relevant data with the Federal Government; CommentsClose CommentsPermalink
(5) protect against, or mitigate, civil and criminal liability implicated by information shared; and CommentsClose CommentsPermalink
(6) otherwise will enhance the sharing of cybersecurity threat and vulnerability information between owners or operators of United States critical infrastructure information systems and the Federal Government. CommentsClose CommentsPermalink
SEC. 404. CYBERSECURITY RISK MANAGEMENT REPORT.
Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall report to the Congress on the feasibility of creating a market for cybersecurity risk management. CommentsClose CommentsPermalink
Calendar No. 707CommentsClose CommentsPermalink
111th CONGRESSCommentsClose CommentsPermalink
2d SessionCommentsClose CommentsPermalink
S. 773CommentsClose CommentsPermalink
A BILLCommentsClose CommentsPermalink
To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.CommentsClose CommentsPermalink
December 17, 2010CommentsClose CommentsPermalink
December 17, 2010CommentsClose CommentsPermalink
Reported with an amendmentCommentsClose CommentsPermalink
Vote on This Bill
-
Share This Bill
More Share via Email
Top-Rated Comments
- “I've been looking for this one. Where in the constitution is the congres...” Ocyris
- “Enough is enough. What is it going to take for you people to get off yo...” rmcc4444
OC Blog Articles Related To This Bill
- Videos from Personal Democracy Forum Conference 2012 Jun 13, 2012
- With SOPA Shelved, Congress Readies its Next Attack on the Internet Feb 13, 2012
- Anti-Web Censorship Bill Protest from Our Perspective at OC Feb 08, 2012
- Join the Public Mark-up of SOPA Nov 19, 2011
- Good luck with that pivot Aug 05, 2011