<enum>I</enum><header>Research and Development</header> <section id="H8600DCB2C285497FA13700AFDFF2248C"><enum>101.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text> <paragraph id="HE577B9F0641944BC852DEA87C9C20603"><enum>(1)</enum><header>National coordination office</header><text>The term National Coordination Office means the National Coordination Office for the Networking and Information Technology Research and Development program.</text> </paragraph><paragraph id="HD04533F939AD445A96A444AE6B87B740"><enum>(2)</enum><header>Program</header><text>The term Program means the Networking and Information Technology Research and Development program which has been established under section 101 of the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511</external-xref>).</text> </paragraph></section><section id="HC749427869BF47E58E127F9E5028684C"><enum>102.</enum><header>Findings</header><text display-inline="no-display-inline">Section 2 of the Cyber Security Research and Development Act (15 U.S.C. 7401) is amended—</text> <paragraph id="HA0EC24A13B8C4D8BBB1D9580A41A1EE2"><enum>(1)</enum><text>by amending paragraph (1) to read as follows:</text> <quoted-block id="H5255A5856870484087B708AF99BB4237" style="OLC"> <paragraph id="H9C3D4273CBF347BBA2339EEA9FD3C3D4"><enum>(1)</enum><text>Advancements in information and communications technology have resulted in a globally interconnected network of government, commercial, scientific, and education infrastructures, including critical infrastructures for electric power, natural gas and petroleum production and distribution, telecommunications, transportation, water supply, banking and finance, and emergency and government services.</text> </paragraph><after-quoted-block>;</after-quoted-block></quoted-block> </paragraph><paragraph id="H60A6B293832F425596CD81F8786C1154"><enum>(2)</enum><text>in paragraph (2), by striking <quote>Exponential increases in interconnectivity have facilitated enhanced communications, economic growth,</quote> and inserting <quote>These advancements have significantly contributed to the growth of the United States economy,</quote>;</text> </paragraph><paragraph id="H74433A9EBEAF495E9A2313F424485224"><enum>(3)</enum><text>by amending paragraph (3) to read as follows:</text> <quoted-block id="HB62021928DF04920AB2CFEBE00431B0C" style="OLC"> <paragraph id="HCA67FBDF312846009C268E8F1430C03D"><enum>(3)</enum><text>The Cyberspace Policy Review published by the President in May, 2009, concluded that our information technology and communications infrastructure is vulnerable and has <quote>suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information</quote>.</text> </paragraph><after-quoted-block>; and</after-quoted-block></quoted-block> </paragraph><paragraph id="H2D300267A278418A9811F494675F1681"><enum>(4)</enum><text>by amending paragraph (6) to read as follows:</text> <quoted-block id="HF55D8E3A1AC34DE6A560E7044BB5014D" style="OLC"> <paragraph id="H3322CDAECACC4988AF907884F8ADCDA5"><enum>(6)</enum><text>While African-Americans, Hispanics, and Native Americans constitute 33 percent of the college-age population, members of these minorities comprise less than 20 percent of bachelor degree recipients in the field of computer sciences.</text> </paragraph><after-quoted-block>.</after-quoted-block></quoted-block> </paragraph></section><section id="H37AEABA46B654D848100BDD5332F83AF"><enum>103.</enum><header>Cybersecurity strategic research and development plan</header> <subsection id="H63D41785D8F44950B31CA6B443FEC830"><enum>(a)</enum><header>In general</header><text>Not later than 12 months after the date of enactment of this Act, the agencies identified in subsection 101(a)(3)(B)(i) through (x) of the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(a)(3)(B)(i)</external-xref> through (x)) or designated under section 101(a)(3)(B)(xi) of such Act, working through the National Science and Technology Council and with the assistance of the National Coordination Office, shall transmit to Congress a strategic plan based on an assessment of cybersecurity risk to guide the overall direction of Federal cybersecurity and information assurance research and development for information technology and networking systems. Once every 3 years after the initial strategic plan is transmitted to Congress under this section, such agencies shall prepare and transmit to Congress an update of such plan.</text> </subsection><subsection id="HDD4A4DBD9030424CAAF1E133E0928A5B"><enum>(b)</enum><header>Contents of plan</header><text>The strategic plan required under subsection (a) shall—</text> <paragraph id="HDD08D090BA6C4B009A44437784FD479A"><enum>(1)</enum><text>specify and prioritize near-term, mid-term and long-term research objectives, including objectives associated with the research areas identified in section 4(a)(1) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(1)</external-xref>) and how the near-term objectives complement research and development areas in which the private sector is actively engaged;</text> </paragraph><paragraph id="H2C6404A160424799B6ED39AD03B6660C"><enum>(2)</enum><text>describe how the Program will focus on innovative, transformational technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure, and to protect consumer privacy;</text> </paragraph><paragraph id="H4F9F41E7123D40AEBFAE430A8754FD7C"><enum>(3)</enum><text>describe how the Program will foster the rapid transfer of research and development results into new cybersecurity technologies and applications for the timely benefit of society and the national interest, including through the dissemination of best practices and other outreach activities;</text> </paragraph><paragraph id="H6939BB15DCB84864A1BD779052E7CD2C"><enum>(4)</enum><text>describe how the Program will establish and maintain a national research infrastructure for creating, testing, and evaluating the next generation of secure networking and information technology systems;</text> </paragraph><paragraph id="H971AD889DA964EA28554C99044380342"><enum>(5)</enum><text>describe how the Program will facilitate access by academic researchers to the infrastructure described in paragraph (4), as well as to relevant data, including event data;</text> </paragraph><paragraph id="HA8EC653CC8B148D1A1A3537129088428"><enum>(6)</enum><text>describe how the Program will engage females and individuals identified in section 33 or 34 of the Science and Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b) to foster a more diverse workforce in this area; and</text> </paragraph><paragraph id="H01470ECD23F8490BBE7F69FDC6869895"><enum>(7)</enum><text display-inline="yes-display-inline">describe how the Program will help to recruit and prepare veterans for the Federal cybersecurity workforce.</text> </paragraph></subsection><subsection id="H905DF18365A942A59076EF1132BEC714"><enum>(c)</enum><header>Development of roadmap</header><text>The agencies described in subsection (a) shall develop and annually update an implementation roadmap for the strategic plan required in this section. Such roadmap shall—</text> <paragraph id="H7C6F21E88510431291CBF263165D7C19"><enum>(1)</enum><text>specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated;</text> </paragraph><paragraph id="H0F2A6F103FE84C6995E5E52CC96838AC"><enum>(2)</enum><text>specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and</text> </paragraph><paragraph id="HFAF696193A3540B1965D0F89604D768E"><enum>(3)</enum><text>estimate the funding required for each major research objective of the strategic plan for the following 3 fiscal years.</text> </paragraph></subsection><subsection id="HFC7DCE46F0AD41B38320075998AF761F"><enum>(d)</enum><header>Recommendations</header><text>In developing and updating the strategic plan under subsection (a), the agencies involved shall solicit recommendations and advice from—</text> <paragraph id="H71DB4F0281ED4097A49E25FE97533E05"><enum>(1)</enum><text>the advisory committee established under section 101(b)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(b)(1)); and</text> </paragraph><paragraph id="H992A5B0E343644B7887414BF282535B2"><enum>(2)</enum><text>a wide range of stakeholders, including industry, academia, including representatives of minority serving institutions and community colleges, National Laboratories, and other relevant organizations and institutions.</text> </paragraph></subsection><subsection id="HAD4DC276C47E4BFBB884A7832FAAC237"><enum>(e)</enum><header>Appending to report</header><text>The implementation roadmap required under subsection (c), and its annual updates, shall be appended to the report required under section 101(a)(2)(D) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)(D)).</text> </subsection><subsection id="H3CCE644D698D4818A4D471864BC910EC"><enum>(f)</enum><header>Cybersecurity research database</header><text>The agencies involved in developing and updating the strategic plan under subsection (a) shall establish, in coordination with the Office of Management and Budget, a mechanism to track ongoing and completed Federal cybersecurity research and development projects and associated funding, and shall make such information publically available.</text> </subsection></section><section id="HF3083829349342119B8BF49014693332"><enum>104.</enum><header>Social and behavioral research in cybersecurity</header><text display-inline="no-display-inline">Section 4(a)(1) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(1)</external-xref>) is amended—</text> <paragraph id="H239A9133E6804AD88984EDD511A9F7BF"><enum>(1)</enum><text>by inserting <quote>and usability</quote> after <quote>to the structure</quote>;</text> </paragraph><paragraph id="H1CA25A8354994B3DB7FFFDA3D61876D2"><enum>(2)</enum><text>in subparagraph (H), by striking <quote>and</quote> after the semicolon;</text> </paragraph><paragraph id="H9A51DCE88F004E54BA3FBB38CF0C0EEE"><enum>(3)</enum><text>in subparagraph (I), by striking the period at the end and inserting <quote>; and</quote>; and</text> </paragraph><paragraph id="H189BEAADE104400E92F53EF9B4133A7E"><enum>(4)</enum><text>by adding at the end the following new subparagraph:</text> <quoted-block id="H9A5B0B29E2ED4B779D0377DB1DD320FF" style="OLC"> <subparagraph id="HDF9ACB4819CD4035ACDE7FB0C102327F"><enum>(J)</enum><text>social and behavioral factors, including human-computer interactions, usability, and user motivations.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </paragraph></section><section id="H72682DDFA1E944BE89BD79B506BC23B8"><enum>105.</enum><header>National Science Foundation cybersecurity research and development programs</header> <subsection id="H586D6BBD649C4805A7126B9FB79D11F8"><enum>(a)</enum><header>Computer and network security research areas</header><text>Section 4(a)(1) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(1)</external-xref>) is amended—</text> <paragraph id="H68DF824C223B43B38FA7D72E4D4E867D"><enum>(1)</enum><text>in subparagraph (A) by inserting <quote>identity management,</quote> after <quote>cryptography,</quote>; and</text> </paragraph><paragraph id="H8495AF8D27714BE88AEB8D28BE541C48"><enum>(2)</enum><text>in subparagraph (I), by inserting <quote>, crimes against children, and organized crime</quote> after <quote>intellectual property</quote>.</text> </paragraph></subsection><subsection id="H270BDDCEB5D04F14AFC58DFE055F2884"><enum>(b)</enum><header>Computer and network security research grants</header><text>Section 4(a)(3) of such Act (15 U.S.C. 7403(a)(3)) is amended by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="HB1C11E39A0744C48A1599905EDF23EB6" style="OLC"> <subparagraph id="H628020FF08BB4E11ACFF2B690A246365"><enum>(A)</enum><text>$119,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H035E3CD29D0B4A7B8D0E76E5ECB6A639"><enum>(B)</enum><text>$119,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="HCF911D86DD1746A9942D9F623F3973E8"><enum>(C)</enum><text>$119,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </subsection><subsection id="H5FA9D02615D64F17BBA2E28DE26A0BB5"><enum>(c)</enum><header>Computer and network security research centers</header><text>Section 4(b) of such Act (15 U.S.C. 7403(b)) is amended—</text> <paragraph id="HDAE21DE407CB40C18CFEB9012374C44E"><enum>(1)</enum><text>in paragraph (4)—</text> <subparagraph id="H50E49ACAE4954008893BD0DC5BD606A0"><enum>(A)</enum><text>in subparagraph (C), by striking <quote>and</quote> after the semicolon;</text> </subparagraph><subparagraph id="HC52D183BF69D444CB95A60A79E5049C1"><enum>(B)</enum><text>in subparagraph (D), by striking the period and inserting <quote>; and</quote>; and</text> </subparagraph><subparagraph id="H31F911A6325842D3A71227245F922111"><enum>(C)</enum><text>by adding at the end the following new subparagraph:</text> <quoted-block id="H00903893879347BCBEA466142531C462" style="OLC"> <subparagraph id="H36CE5DCEF2AA4518BB68A0BB3A15DD6D"><enum>(E)</enum><text>how the center will partner with government laboratories, for-profit entities, other institutions of higher education, or nonprofit research institutions.</text> </subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block> </subparagraph></paragraph><paragraph id="H7BEAA51A768B49D49F6369CF1B9665FE"><enum>(2)</enum><text>in paragraph (7) by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="H5E4C0009FBC34030922088EA0DE4BA91" style="OLC"> <subparagraph id="H7F24CFFD345643FDB94EFF3C4DEC6CA3"><enum>(A)</enum><text>$5,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H492880D631C6403998CF268C07A41B31"><enum>(B)</enum><text>$5,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="H1193BF0E287A40C6A7C1520447EB525F"><enum>(C)</enum><text>$5,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </paragraph></subsection><subsection id="HA2C8A2F5CB73469DB78DDDD270224AD8"><enum>(d)</enum><header>Computer and network security capacity building grants</header><text>Section 5(a)(6) of such Act (15 U.S.C. 7404(a)(6)) is amended by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="HBA25804B1C2D4E519ABD93F4FCF2BA43" style="OLC"> <subparagraph id="H16846C18A5EA4C3281E414FC58EABA8A"><enum>(A)</enum><text>$25,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H5DA6830F4C534A838FF818D8F034FD0D"><enum>(B)</enum><text>$25,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="HA048E327833947A29F24402A43B4D363"><enum>(C)</enum><text>$25,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </subsection><subsection id="HC808AEB734E444BC80EA8A4B79080CC9"><enum>(e)</enum><header>Scientific and advanced technology act grants</header><text>Section 5(b)(2) of such Act (15 U.S.C. 7404(b)(2)) is amended by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="H4DE072F3E0F545A2BFE29470BBC129FD" style="OLC"> <subparagraph id="H92CE933430754E66ABB76E8CCBC92DAD"><enum>(A)</enum><text>$4,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H2D929909B97C41B29C359C64259CD893"><enum>(B)</enum><text>$4,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="H27B13673D99C48E08903EB5E1A325618"><enum>(C)</enum><text>$4,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </subsection><subsection id="HAD95F2B4BC7B4ECFB7794A42BBB87F1F"><enum>(f)</enum><header>Graduate traineeships in computer and network security</header><text>Section 5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is amended by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="H40C7BC09FCE84592BA250ECDFBF475D9" style="OLC"> <subparagraph id="HA4437E98A42C41DE973EA9377CC5AF6A"><enum>(A)</enum><text>$32,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H32B5B59918534C3F9061888CF3C24902"><enum>(B)</enum><text>$32,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="HB6BBD50D503E4793BC8DBD7BED4CBA73"><enum>(C)</enum><text>$32,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </subsection><subsection id="H0A332349B959469196B2316C3D355EC3"><enum>(g)</enum><header>Cyber security faculty development traineeship program</header><text>Section 5(e) of such Act (15 U.S.C. 7404(e)) is repealed.</text> </subsection></section><section id="H739788EEAE714CFA88337EF02A685DB4"><enum>106.</enum><header>Federal cyber scholarship for service program</header> <subsection id="H5D442CC6D15E41A7AF6FDDDFCD387A5D"><enum>(a)</enum><header>In general</header><text>The Director of the National Science Foundation shall continue a Scholarship for Service program under section 5(a) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7404">15 U.S.C. 7404(a)</external-xref>) to recruit and train the next generation of Federal cybersecurity professionals and to increase the capacity of the higher education system to produce an information technology workforce with the skills necessary to enhance the security of the Nation’s communications and information infrastructure.</text> </subsection><subsection id="HA5A0D6EED864439D8F392D1EF317378E"><enum>(b)</enum><header>Characteristics of program</header><text>The program under this section shall—</text> <paragraph id="HFC99A082C11B4AD985D0F009E741AD17"><enum>(1)</enum><text>provide, through qualified institutions of higher education, including community colleges, scholarships that provide tuition, fees, and a competitive stipend for up to 2 years to students pursing a bachelor’s or master’s degree and up to 3 years to students pursuing a doctoral degree in a cybersecurity field;</text> </paragraph><paragraph id="H87228222016B4E01936BCAF6FB3FEA13"><enum>(2)</enum><text>provide the scholarship recipients with summer internship opportunities or other meaningful temporary appointments in the Federal information technology workforce; and</text> </paragraph><paragraph id="H1CA950A9C9FB485EBBAD804ABBEDBDCF"><enum>(3)</enum><text>increase the capacity of institutions of higher education throughout all regions of the United States to produce highly qualified cybersecurity professionals, through the award of competitive, merit-reviewed grants that support such activities as—</text> <subparagraph id="H65DD188EFEA944068D7335A4584871F1"><enum>(A)</enum><text>faculty professional development, including technical, hands-on experiences in the private sector or government, workshops, seminars, conferences, and other professional development opportunities that will result in improved instructional capabilities;</text> </subparagraph><subparagraph id="HD44D230BEF284C2D9D9E036E951724AA"><enum>(B)</enum><text>institutional partnerships, including minority serving institutions and community colleges;</text> </subparagraph><subparagraph id="H634DC95FC1A44670A7954D5E6D8FAD85"><enum>(C)</enum><text>development and evaluation of cybersecurity-related courses and curricula; and</text> </subparagraph><subparagraph id="H20FD78649E7D46F1BCF37E5D045CF644"><enum>(D)</enum><text display-inline="yes-display-inline">public-private partnerships that will integrate research experiences and hands-on learning into cybersecurity degree programs.</text> </subparagraph></paragraph></subsection><subsection id="HB8C64C543110477C91226D46359D7DE0"><enum>(c)</enum><header>Scholarship requirements</header> <paragraph id="H3367AD44F8E14094A32E067A0647418B"><enum>(1)</enum><header>Eligibility</header><text>Scholarships under this section shall be available only to students who—</text> <subparagraph id="HE9A345D4019E4D8A91A7F688B2CB1063"><enum>(A)</enum><text>are citizens or permanent residents of the United States;</text> </subparagraph><subparagraph id="H6CB4CE3388F942448858A4DCFE4C89BF"><enum>(B)</enum><text>are full-time students in an eligible degree program, as determined by the Director, that is focused on computer security or information assurance at an awardee institution; and</text> </subparagraph><subparagraph id="H3396D31103D94F76AD0320B26E7455DD"><enum>(C)</enum><text>accept the terms of a scholarship pursuant to this section.</text> </subparagraph></paragraph><paragraph id="HF73F6BEF00A54EA986CD531013FF0CF6"><enum>(2)</enum><header>Selection</header><text>Individuals shall be selected to receive scholarships primarily on the basis of academic merit, with consideration given to financial need, to the goal of promoting the participation of females and individuals identified in section 33 or 34 of the Science and Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b), and to veterans. For purposes of this paragraph, the term <quote>veteran</quote> means a person who—</text> <subparagraph id="HD1A39C8D8F2948369C02DF9D522FE2BB"><enum>(A)</enum><text>served on active duty (other than active duty for training) in the Armed Forces of the United States for a period of more than 180 consecutive days, and who was discharged or released therefrom under conditions other than dishonorable; or</text> </subparagraph><subparagraph id="H83F0F81F00F345B38B10BBAA395AFC0E"><enum>(B)</enum><text>served on active duty (other than active duty for training) in the Armed Forces of the United States and was discharged or released from such service for a service-connected disability before serving 180 consecutive days.</text> </subparagraph><continuation-text continuation-text-level="paragraph">For purposes of subparagraph (B), the term <quote>service-connected</quote> has the meaning given such term under <external-xref legal-doc="usc" parsable-cite="usc/38/101">section 101</external-xref> of title 38, United States Code.</continuation-text></paragraph><paragraph id="H188D97BC840E4EBEB5EBC4390D675D92"><enum>(3)</enum><header>Service obligation</header><text>If an individual receives a scholarship under this section, as a condition of receiving such scholarship, the individual upon completion of their degree must serve as a cybersecurity professional within the Federal workforce for a period of time as provided in paragraph (5). If a scholarship recipient is not offered employment by a Federal agency or a federally funded research and development center, the service requirement can be satisfied at the Director’s discretion by—</text> <subparagraph id="HF0ED2FFE90A34E36ABE17F26B04C8FEF"><enum>(A)</enum><text>serving as a cybersecurity professional in a State, local, or tribal government agency; or</text> </subparagraph><subparagraph id="H4C138EE8CA1A4A02ADD48AD02AA7D3FB"><enum>(B)</enum><text>teaching cybersecurity courses at an institution of higher education.</text> </subparagraph></paragraph><paragraph id="H55EA15CCBBA948928332977929C6060D"><enum>(4)</enum><header>Conditions of support</header><text>As a condition of acceptance of a scholarship under this section, a recipient shall agree to provide the awardee institution with annual verifiable documentation of employment and up-to-date contact information.</text> </paragraph><paragraph id="HF970C2E074C2444B96C94735C6AD060E"><enum>(5)</enum><header>Length of service</header><text>The length of service required in exchange for a scholarship under this subsection shall be 1 year more than the number of years for which the scholarship was received.</text> </paragraph></subsection><subsection id="H1960FDDA997E4EF6A52071B6C1CE3628"><enum>(d)</enum><header>Failure To complete service obligation</header> <paragraph id="HBB5D04C2C68C4F1FBD9EC8A6394E2898"><enum>(1)</enum><header>General rule</header><text>If an individual who has received a scholarship under this section—</text> <subparagraph id="H68418421188449159FA4F844F96785CB"><enum>(A)</enum><text>fails to maintain an acceptable level of academic standing in the educational institution in which the individual is enrolled, as determined by the Director;</text> </subparagraph><subparagraph id="H7778F5DBEDAE4C83BB3323D2171BCB30"><enum>(B)</enum><text>is dismissed from such educational institution for disciplinary reasons;</text> </subparagraph><subparagraph id="H3FAD99AB880243C690B645C2CA7851FF"><enum>(C)</enum><text>withdraws from the program for which the award was made before the completion of such program;</text> </subparagraph><subparagraph id="H4300FB0906ED4621B11A52DA8B40C698"><enum>(D)</enum><text>declares that the individual does not intend to fulfill the service obligation under this section; or</text> </subparagraph><subparagraph id="H477B25D91B9645EEBF5A8FC8716F09A8"><enum>(E)</enum><text>fails to fulfill the service obligation of the individual under this section,</text> </subparagraph><continuation-text continuation-text-level="paragraph">such individual shall be liable to the United States as provided in paragraph (3).</continuation-text></paragraph><paragraph id="H0BB77B5FE71A434F82811CAC09F567A6"><enum>(2)</enum><header>Monitoring compliance</header><text>As a condition of participating in the program, a qualified institution of higher education receiving a grant under this section shall—</text> <subparagraph id="HD316DE7C40BF4B35B065CD1EAA71FFD8"><enum>(A)</enum><text>enter into an agreement with the Director of the National Science Foundation to monitor the compliance of scholarship recipients with respect to their service obligation; and</text> </subparagraph><subparagraph id="HC53CE5D0886C46FCA26B3702BE457AAF"><enum>(B)</enum><text>provide to the Director, on an annual basis, post-award employment information required under subsection (c)(4) for scholarship recipients through the completion of their service obligation.</text> </subparagraph></paragraph><paragraph id="HF16D0789A651479190B68FD543A41D23"><enum>(3)</enum><header>Amount of repayment</header> <subparagraph id="H618EBE5F236B4556B42D7E18FFEB81CE"><enum>(A)</enum><header>Less than one year of service</header><text>If a circumstance described in paragraph (1) occurs before the completion of 1 year of a service obligation under this section, the total amount of awards received by the individual under this section shall be repaid or such amount shall be treated as a loan to be repaid in accordance with subparagraph (C).</text> </subparagraph><subparagraph id="H1488B06425CE42BABE8F4C41BC84B1E3"><enum>(B)</enum><header>More than one year of service</header><text>If a circumstance described in subparagraph (D) or (E) of paragraph (1) occurs after the completion of 1 year of a service obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall be repaid or such amount shall be treated as a loan to be repaid in accordance with subparagraph (C).</text> </subparagraph><subparagraph id="HC06F6E057896404DA62162B4F1E47FCB"><enum>(C)</enum><header>Repayments</header><text>A loan described in subparagraph (A) or (B) shall be treated as a Federal Direct Unsubsidized Stafford Loan under part D of title IV of the Higher Education Act of 1965 (20 U.S.C. 1087a and following), and shall be subject to repayment, together with interest thereon accruing from the date of the scholarship award, in accordance with terms and conditions specified by the Director (in consultation with the Secretary of Education) in regulations promulgated to carry out this paragraph.</text> </subparagraph></paragraph><paragraph id="H0E2278B59E464C338730D006B4254160"><enum>(4)</enum><header>Collection of repayment</header> <subparagraph id="H43C46C1232D1446FAABA90656E04677B"><enum>(A)</enum><header>In general</header><text>In the event that a scholarship recipient is required to repay the scholarship under this subsection, the institution providing the scholarship shall—</text> <clause id="H63B20147A7874FE9BCA14FAF8B1C3161"><enum>(i)</enum><text>be responsible for determining the repayment amounts and for notifying the recipient and the Director of the amount owed; and</text> </clause><clause id="HF9963590AC4F4EE9A5597E0498BD1C30"><enum>(ii)</enum><text>collect such repayment amount within a period of time as determined under the agreement described in paragraph (2), or the repayment amount shall be treated as a loan in accordance with paragraph (3)(C).</text> </clause></subparagraph><subparagraph id="HABBB3A9C9E134BFD87DB29E4511C6458"><enum>(B)</enum><header>Returned to treasury</header><text>Except as provided in subparagraph (C) of this paragraph, any such repayment shall be returned to the Treasury of the United States.</text> </subparagraph><subparagraph id="HE22902DD359A4C218290F50EF2B870E9"><enum>(C)</enum><header>Retain percentage</header><text>An institution of higher education may retain a percentage of any repayment the institution collects under this paragraph to defray administrative costs associated with the collection. The Director shall establish a single, fixed percentage that will apply to all eligible entities.</text> </subparagraph></paragraph><paragraph id="HCBD53AAD325344368E84B2C68F364DC0"><enum>(5)</enum><header>Exceptions</header><text>The Director may provide for the partial or total waiver or suspension of any service or payment obligation by an individual under this section whenever compliance by the individual with the obligation is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable.</text> </paragraph></subsection><subsection display-inline="no-display-inline" id="H22C232921C884945A1C8D2541B97BDCF"><enum>(e)</enum><header>Hiring Authority</header> <paragraph id="HA760DE9478194F9B8C893D8FB06A529B"><enum>(1)</enum><header>Appointment in excepted service</header><text display-inline="yes-display-inline">Notwithstanding any provision of chapter 33 of title 5, United States Code, governing appointments in the competitive service, an agency shall appoint in the excepted service an individual who has completed the academic program for which a scholarship was awarded.</text> </paragraph><paragraph id="HDF52E54C5D9D4BB994C050D871126806"><enum>(2)</enum><header>Noncompetitive conversion</header><text>Except as provided in paragraph (4), upon fulfillment of the service term, an employee appointed under paragraph (1) may be converted noncompetitively to term, career-conditional or career appointment.</text> </paragraph><paragraph id="H83CE29ABB2164EA19E64DF3A2B83571E"><enum>(3)</enum><header>Timing of conversion</header><text>An agency may noncompetitively convert a term employee appointed under paragraph (2) to a career-conditional or career appointment before the term appointment expires.</text> </paragraph><paragraph id="H8B12FD81750D4574914C78B0B5F576C9"><enum>(4)</enum><header>Authority to decline conversion</header><text>An agency may decline to make the noncompetitive conversion or appointment under paragraph (2) for cause.</text> </paragraph></subsection></section><section id="H9448FC91A9C54F2283C1041892C43839"><enum>107.</enum><header>Cybersecurity workforce assessment</header><text display-inline="no-display-inline">Not later than 180 days after the date of enactment of this Act the President shall transmit to the Congress a report addressing the cybersecurity workforce needs of the Federal Government. The report shall include—</text> <paragraph id="HACF8C0A7C1424F909136AC06B3DB0D8B"><enum>(1)</enum><text>an examination of the current state of and the projected needs of the Federal cybersecurity workforce, including a comparison of the different agencies and departments, and an analysis of the capacity of such agencies and departments to meet those needs;</text> </paragraph><paragraph id="H64BDDD2620354453860BE82E101B7EA0"><enum>(2)</enum><text>an analysis of the sources and availability of cybersecurity talent, a comparison of the skills and expertise sought by the Federal Government and the private sector, an examination of the current and future capacity of United States institutions of higher education, including community colleges, to provide current and future cybersecurity professionals, through education and training activities, with those skills sought by the Federal Government, State and local entities, and the private sector, and a description of how successful programs are engaging the talents of females and individuals identified in section 33 or 34 of the Science and Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b);</text> </paragraph><paragraph id="H5B234DE12E904F22A69A2831A43E63FE"><enum>(3)</enum><text>an examination of the effectiveness of the National Centers of Academic Excellence in Information Assurance Education, the Centers of Academic Excellence in Research, and the Federal Cyber Scholarship for Service programs in promoting higher education and research in cybersecurity and information assurance and in producing a growing number of professionals with the necessary cybersecurity and information assurance expertise, including individuals from States or regions in which the unemployment rate exceeds the national average;</text> </paragraph><paragraph id="HA8DA9C9455024481B6DFDAC2CA7DE8AE"><enum>(4)</enum><text>an analysis of any barriers to the Federal Government recruiting and hiring cybersecurity talent, including barriers relating to compensation, the hiring process, job classification, and hiring flexibilities; and</text> </paragraph><paragraph id="HBAA5E972C9CF470DACE00B7A9B8ECCDF"><enum>(5)</enum><text>recommendations for Federal policies to ensure an adequate, well-trained Federal cybersecurity workforce.</text> </paragraph></section><section id="H0C9F14A9E195422783823800F67792C7"><enum>108.</enum><header>Cybersecurity university-industry task force</header> <subsection id="HB0DE61D6117443D4B9672EBA0DC5B48F"><enum>(a)</enum><header>Establishment of university-Industry task force</header><text>Not later than 180 days after the date of enactment of this Act, the Director of the Office of Science and Technology Policy shall convene a task force to explore mechanisms for carrying out collaborative research, development, education, and training activities for cybersecurity through a consortium or other appropriate entity with participants from institutions of higher education and industry.</text> </subsection><subsection id="H9341B76E828641B6B6846D1F661666AF"><enum>(b)</enum><header>Functions</header><text>The task force shall—</text> <paragraph id="HAFC0C81B9C24441A9F26CEA94B8E5977"><enum>(1)</enum><text>develop options for a collaborative model and an organizational structure for such entity under which the joint research and development activities could be planned, managed, and conducted effectively, including mechanisms for the allocation of resources among the participants in such entity for support of such activities;</text> </paragraph><paragraph display-inline="no-display-inline" id="H64B0D9DE894944219B5AE4DB1F34D141"><enum>(2)</enum><text>identify and prioritize at least three cybersecurity grand challenges, focused on nationally significant problems requiring collaborative and interdisciplinary solutions;</text> </paragraph><paragraph id="H840FC507F14E42F89B59F8B968E458C3"><enum>(3)</enum><text display-inline="yes-display-inline">propose a process for developing a research and development agenda for such entity to address the grand challenges identified under paragraph (2);</text> </paragraph><paragraph id="H1D02BAB1FC064D4CADC207848CAFC909"><enum>(4)</enum><text>define the roles and responsibilities for the participants from institutions of higher education and industry in such entity;</text> </paragraph><paragraph id="HD3C17C26735143D5BD6FC28D4BF11EB6"><enum>(5)</enum><text>propose guidelines for assigning intellectual property rights and for the transfer of research and development results to the private sector; and</text> </paragraph><paragraph id="HC72338ED7C6347A9A90655E7D236438C"><enum>(6)</enum><text>make recommendations for how such entity could be funded from Federal, State, and nongovernmental sources.</text> </paragraph></subsection><subsection id="H081B6C5C429C4FFAACB70D5BEA8F4D4A"><enum>(c)</enum><header>Composition</header><text>In establishing the task force under subsection (a), the Director of the Office of Science and Technology Policy shall appoint an equal number of individuals from institutions of higher education, including minority-serving institutions and community colleges, and from industry with knowledge and expertise in cybersecurity.</text> </subsection><subsection id="HCB6EA00A76874B4F8E74423D0E046CC1"><enum>(d)</enum><header>Report</header><text>Not later than 12 months after the date of enactment of this Act, the Director of the Office of Science and Technology Policy shall transmit to the Congress a report describing the findings and recommendations of the task force.</text> </subsection><subsection id="H78AAA64F42044A3EA8503D8A3F0C46BD"><enum>(e)</enum><header>Termination</header><text>The task force shall terminate upon transmittal of the report required under subsection (d).</text> </subsection><subsection id="HABCB9FE0A8C146A6A31F2D8011BEAE60"><enum>(f)</enum><header>Compensation and expenses</header><text>Members of the task force shall serve without compensation.</text> </subsection></section><section id="HDA846F59332A4E2BBD2938449027142D"><enum>109.</enum><header>Cybersecurity automation and checklists for government systems</header><text display-inline="no-display-inline">Section 8(c) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7406">15 U.S.C. 7406(c)</external-xref>) is amended to read as follows:</text> <quoted-block id="HB02BB198C6E04C58A4D994F9B5BE2E28" style="OLC"> <subsection id="HAFA1FADD69124BC88D2E1CDEBBBE9004"><enum>(c)</enum><header>Security automation and checklists for government systems</header> <paragraph id="H5A853DC966464E2D823CA0604E0A7817"><enum>(1)</enum><header>In general</header><text>The Director of the National Institute of Standards and Technology shall develop, and revise as necessary, security automation standards, associated reference materials (including protocols), and checklists providing settings and option selections that minimize the security risks associated with each information technology hardware or software system and security tool that is, or is likely to become, widely used within the Federal Government in order to enable standardized and interoperable technologies, architectures, and frameworks for continuous monitoring of information security within the Federal Government.</text> </paragraph><paragraph id="H7FC189CF9884467DACAA77EA6EE4F84D"><enum>(2)</enum><header>Priorities for development</header><text>The Director of the National Institute of Standards and Technology shall establish priorities for the development of standards, reference materials, and checklists under this subsection on the basis of—</text> <subparagraph id="H68529D5064D844D29BDD6CFB4E0F942C"><enum>(A)</enum><text>the security risks associated with the use of the system;</text> </subparagraph><subparagraph id="H95A9AB156F3E4E758CE93B328FBADBF5"><enum>(B)</enum><text>the number of agencies that use a particular system or security tool;</text> </subparagraph><subparagraph id="H1BE27A9512534F0C8BFB63651E7A3304"><enum>(C)</enum><text>the usefulness of the standards, reference materials, or checklists to Federal agencies that are users or potential users of the system;</text> </subparagraph><subparagraph id="H37386569BD9B4D42BFD794B66807D3FA"><enum>(D)</enum><text>the effectiveness of the associated standard, reference material, or checklist in creating or enabling continuous monitoring of information security; or</text> </subparagraph><subparagraph id="HBAE8EBB1BFDF41C685E92B7F050EAB79"><enum>(E)</enum><text>such other factors as the Director of the National Institute of Standards and Technology determines to be appropriate.</text> </subparagraph></paragraph><paragraph id="H178C670B0EED46F296233DFDC55F92B5"><enum>(3)</enum><header>Excluded systems</header><text>The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any information technology hardware or software system or security tool for which such Director determines that the development of a standard, reference material, or checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the inutility or impracticability of developing a standard, reference material, or checklist for the system.</text> </paragraph><paragraph id="HAF11921F1E7B49119633ABC4287B0807"><enum>(4)</enum><header>Dissemination of standards and related materials</header><text>The Director of the National Institute of Standards and Technology shall ensure that Federal agencies are informed of the availability of any standard, reference material, checklist, or other item developed under this subsection.</text> </paragraph><paragraph id="H1692C0FD11D546B7B5D2017C6934AD76"><enum>(5)</enum><header>Agency use requirements</header><text>The development of standards, reference materials, and checklists under paragraph (1) for an information technology hardware or software system or tool does not—</text> <subparagraph id="H1FA143A192454A2CA118BAC0FBB96D28"><enum>(A)</enum><text>require any Federal agency to select the specific settings or options recommended by the standard, reference material, or checklist for the system;</text> </subparagraph><subparagraph id="H5F018FF01EBF4587A44F8C9B86086E1B"><enum>(B)</enum><text>establish conditions or prerequisites for Federal agency procurement or deployment of any such system;</text> </subparagraph><subparagraph id="HFE1571BE7CB54A5DA66AC837222EF0AC"><enum>(C)</enum><text>imply an endorsement of any such system by the Director of the National Institute of Standards and Technology; or</text> </subparagraph><subparagraph id="H88275C34329D4288944F6BB78E7FB3A5"><enum>(D)</enum><text>preclude any Federal agency from procuring or deploying other information technology hardware or software systems for which no such standard, reference material, or checklist has been developed or identified under paragraph (1).</text> </subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block> </section><section id="H566F40613376496394A36DCAD64BE541"><enum>110.</enum><header>National Institute of Standards and Technology cybersecurity research and development</header><text display-inline="no-display-inline">Section 20 of the National Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3</external-xref>) is amended by redesignating subsection (e) as subsection (f), and by inserting after subsection (d) the following:</text> <quoted-block id="HB4522E9E7A204CD8BDBE3FBC66235CBC" style="OLC"> <subsection id="HAD6B80E5038B4E73A2369F68E926E6BF"><enum>(e)</enum><header>Intramural security research</header><text>As part of the research activities conducted in accordance with subsection (d)(3), the Institute shall—</text> <paragraph id="HF0B72FE372074B699C6B68DCE2A64B03"><enum>(1)</enum><text>conduct a research program to develop a unifying and standardized identity, privilege, and access control management framework for the execution of a wide variety of resource protection policies and that is amenable to implementation within a wide variety of existing and emerging computing environments;</text> </paragraph><paragraph id="H88751BEE8AA14516BD1254F093362E85"><enum>(2)</enum><text>carry out research associated with improving the security of information systems and networks;</text> </paragraph><paragraph id="H3456D8C5CD574813B9C2D08AB90F0B2D"><enum>(3)</enum><text>carry out research associated with improving the testing, measurement, usability, and assurance of information systems and networks;</text> </paragraph><paragraph id="H55913544653E451093C360D1FB85E208"><enum>(4)</enum><text>carry out research associated with improving security of industrial control systems; and</text> </paragraph><paragraph id="H09F2979034954FFBADD3C050276F8ED5"><enum>(5)</enum><text display-inline="yes-display-inline">carry out research associated with improving the security and integrity of the information technology supply chain.</text> </paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block> </section><section id="HE30AEFD30FE842D79E48CE8D0F51EE90"><enum>111.</enum><header>Research on the science of cybersecurity</header><text display-inline="no-display-inline">The Director of the National Science Foundation and the Director of the National Institute of Standards and Technology shall, through existing programs and activities, support research that will lead to the development of a scientific foundation for the field of cybersecurity, including research that increases understanding of the underlying principles of securing complex networked systems, enables repeatable experimentation, and creates quantifiable security metrics.</text> </section>

113 HR 756 : Cybersecurity Enhancement Act of 2013 U.S. House of Representatives 2013-04-17 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

Short title

This Act may be cited as the

Cybersecurity Enhancement Act of 2013

<enum>I</enum><header>Research and Development</header> <section id="H8600DCB2C285497FA13700AFDFF2248C"><enum>101.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text> <paragraph id="HE577B9F0641944BC852DEA87C9C20603"><enum>(1)</enum><header>National coordination office</header><text>The term National Coordination Office means the National Coordination Office for the Networking and Information Technology Research and Development program.</text> </paragraph><paragraph id="HD04533F939AD445A96A444AE6B87B740"><enum>(2)</enum><header>Program</header><text>The term Program means the Networking and Information Technology Research and Development program which has been established under section 101 of the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511</external-xref>).</text> </paragraph></section><section id="HC749427869BF47E58E127F9E5028684C"><enum>102.</enum><header>Findings</header><text display-inline="no-display-inline">Section 2 of the Cyber Security Research and Development Act (15 U.S.C. 7401) is amended—</text> <paragraph id="HA0EC24A13B8C4D8BBB1D9580A41A1EE2"><enum>(1)</enum><text>by amending paragraph (1) to read as follows:</text> <quoted-block id="H5255A5856870484087B708AF99BB4237" style="OLC"> <paragraph id="H9C3D4273CBF347BBA2339EEA9FD3C3D4"><enum>(1)</enum><text>Advancements in information and communications technology have resulted in a globally interconnected network of government, commercial, scientific, and education infrastructures, including critical infrastructures for electric power, natural gas and petroleum production and distribution, telecommunications, transportation, water supply, banking and finance, and emergency and government services.</text> </paragraph><after-quoted-block>;</after-quoted-block></quoted-block> </paragraph><paragraph id="H60A6B293832F425596CD81F8786C1154"><enum>(2)</enum><text>in paragraph (2), by striking <quote>Exponential increases in interconnectivity have facilitated enhanced communications, economic growth,</quote> and inserting <quote>These advancements have significantly contributed to the growth of the United States economy,</quote>;</text> </paragraph><paragraph id="H74433A9EBEAF495E9A2313F424485224"><enum>(3)</enum><text>by amending paragraph (3) to read as follows:</text> <quoted-block id="HB62021928DF04920AB2CFEBE00431B0C" style="OLC"> <paragraph id="HCA67FBDF312846009C268E8F1430C03D"><enum>(3)</enum><text>The Cyberspace Policy Review published by the President in May, 2009, concluded that our information technology and communications infrastructure is vulnerable and has <quote>suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information</quote>.</text> </paragraph><after-quoted-block>; and</after-quoted-block></quoted-block> </paragraph><paragraph id="H2D300267A278418A9811F494675F1681"><enum>(4)</enum><text>by amending paragraph (6) to read as follows:</text> <quoted-block id="HF55D8E3A1AC34DE6A560E7044BB5014D" style="OLC"> <paragraph id="H3322CDAECACC4988AF907884F8ADCDA5"><enum>(6)</enum><text>While African-Americans, Hispanics, and Native Americans constitute 33 percent of the college-age population, members of these minorities comprise less than 20 percent of bachelor degree recipients in the field of computer sciences.</text> </paragraph><after-quoted-block>.</after-quoted-block></quoted-block> </paragraph></section><section id="H37AEABA46B654D848100BDD5332F83AF"><enum>103.</enum><header>Cybersecurity strategic research and development plan</header> <subsection id="H63D41785D8F44950B31CA6B443FEC830"><enum>(a)</enum><header>In general</header><text>Not later than 12 months after the date of enactment of this Act, the agencies identified in subsection 101(a)(3)(B)(i) through (x) of the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(a)(3)(B)(i)</external-xref> through (x)) or designated under section 101(a)(3)(B)(xi) of such Act, working through the National Science and Technology Council and with the assistance of the National Coordination Office, shall transmit to Congress a strategic plan based on an assessment of cybersecurity risk to guide the overall direction of Federal cybersecurity and information assurance research and development for information technology and networking systems. Once every 3 years after the initial strategic plan is transmitted to Congress under this section, such agencies shall prepare and transmit to Congress an update of such plan.</text> </subsection><subsection id="HDD4A4DBD9030424CAAF1E133E0928A5B"><enum>(b)</enum><header>Contents of plan</header><text>The strategic plan required under subsection (a) shall—</text> <paragraph id="HDD08D090BA6C4B009A44437784FD479A"><enum>(1)</enum><text>specify and prioritize near-term, mid-term and long-term research objectives, including objectives associated with the research areas identified in section 4(a)(1) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(1)</external-xref>) and how the near-term objectives complement research and development areas in which the private sector is actively engaged;</text> </paragraph><paragraph id="H2C6404A160424799B6ED39AD03B6660C"><enum>(2)</enum><text>describe how the Program will focus on innovative, transformational technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure, and to protect consumer privacy;</text> </paragraph><paragraph id="H4F9F41E7123D40AEBFAE430A8754FD7C"><enum>(3)</enum><text>describe how the Program will foster the rapid transfer of research and development results into new cybersecurity technologies and applications for the timely benefit of society and the national interest, including through the dissemination of best practices and other outreach activities;</text> </paragraph><paragraph id="H6939BB15DCB84864A1BD779052E7CD2C"><enum>(4)</enum><text>describe how the Program will establish and maintain a national research infrastructure for creating, testing, and evaluating the next generation of secure networking and information technology systems;</text> </paragraph><paragraph id="H971AD889DA964EA28554C99044380342"><enum>(5)</enum><text>describe how the Program will facilitate access by academic researchers to the infrastructure described in paragraph (4), as well as to relevant data, including event data;</text> </paragraph><paragraph id="HA8EC653CC8B148D1A1A3537129088428"><enum>(6)</enum><text>describe how the Program will engage females and individuals identified in section 33 or 34 of the Science and Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b) to foster a more diverse workforce in this area; and</text> </paragraph><paragraph id="H01470ECD23F8490BBE7F69FDC6869895"><enum>(7)</enum><text display-inline="yes-display-inline">describe how the Program will help to recruit and prepare veterans for the Federal cybersecurity workforce.</text> </paragraph></subsection><subsection id="H905DF18365A942A59076EF1132BEC714"><enum>(c)</enum><header>Development of roadmap</header><text>The agencies described in subsection (a) shall develop and annually update an implementation roadmap for the strategic plan required in this section. Such roadmap shall—</text> <paragraph id="H7C6F21E88510431291CBF263165D7C19"><enum>(1)</enum><text>specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated;</text> </paragraph><paragraph id="H0F2A6F103FE84C6995E5E52CC96838AC"><enum>(2)</enum><text>specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year; and</text> </paragraph><paragraph id="HFAF696193A3540B1965D0F89604D768E"><enum>(3)</enum><text>estimate the funding required for each major research objective of the strategic plan for the following 3 fiscal years.</text> </paragraph></subsection><subsection id="HFC7DCE46F0AD41B38320075998AF761F"><enum>(d)</enum><header>Recommendations</header><text>In developing and updating the strategic plan under subsection (a), the agencies involved shall solicit recommendations and advice from—</text> <paragraph id="H71DB4F0281ED4097A49E25FE97533E05"><enum>(1)</enum><text>the advisory committee established under section 101(b)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(b)(1)); and</text> </paragraph><paragraph id="H992A5B0E343644B7887414BF282535B2"><enum>(2)</enum><text>a wide range of stakeholders, including industry, academia, including representatives of minority serving institutions and community colleges, National Laboratories, and other relevant organizations and institutions.</text> </paragraph></subsection><subsection id="HAD4DC276C47E4BFBB884A7832FAAC237"><enum>(e)</enum><header>Appending to report</header><text>The implementation roadmap required under subsection (c), and its annual updates, shall be appended to the report required under section 101(a)(2)(D) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)(D)).</text> </subsection><subsection id="H3CCE644D698D4818A4D471864BC910EC"><enum>(f)</enum><header>Cybersecurity research database</header><text>The agencies involved in developing and updating the strategic plan under subsection (a) shall establish, in coordination with the Office of Management and Budget, a mechanism to track ongoing and completed Federal cybersecurity research and development projects and associated funding, and shall make such information publically available.</text> </subsection></section><section id="HF3083829349342119B8BF49014693332"><enum>104.</enum><header>Social and behavioral research in cybersecurity</header><text display-inline="no-display-inline">Section 4(a)(1) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(1)</external-xref>) is amended—</text> <paragraph id="H239A9133E6804AD88984EDD511A9F7BF"><enum>(1)</enum><text>by inserting <quote>and usability</quote> after <quote>to the structure</quote>;</text> </paragraph><paragraph id="H1CA25A8354994B3DB7FFFDA3D61876D2"><enum>(2)</enum><text>in subparagraph (H), by striking <quote>and</quote> after the semicolon;</text> </paragraph><paragraph id="H9A51DCE88F004E54BA3FBB38CF0C0EEE"><enum>(3)</enum><text>in subparagraph (I), by striking the period at the end and inserting <quote>; and</quote>; and</text> </paragraph><paragraph id="H189BEAADE104400E92F53EF9B4133A7E"><enum>(4)</enum><text>by adding at the end the following new subparagraph:</text> <quoted-block id="H9A5B0B29E2ED4B779D0377DB1DD320FF" style="OLC"> <subparagraph id="HDF9ACB4819CD4035ACDE7FB0C102327F"><enum>(J)</enum><text>social and behavioral factors, including human-computer interactions, usability, and user motivations.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </paragraph></section><section id="H72682DDFA1E944BE89BD79B506BC23B8"><enum>105.</enum><header>National Science Foundation cybersecurity research and development programs</header> <subsection id="H586D6BBD649C4805A7126B9FB79D11F8"><enum>(a)</enum><header>Computer and network security research areas</header><text>Section 4(a)(1) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(1)</external-xref>) is amended—</text> <paragraph id="H68DF824C223B43B38FA7D72E4D4E867D"><enum>(1)</enum><text>in subparagraph (A) by inserting <quote>identity management,</quote> after <quote>cryptography,</quote>; and</text> </paragraph><paragraph id="H8495AF8D27714BE88AEB8D28BE541C48"><enum>(2)</enum><text>in subparagraph (I), by inserting <quote>, crimes against children, and organized crime</quote> after <quote>intellectual property</quote>.</text> </paragraph></subsection><subsection id="H270BDDCEB5D04F14AFC58DFE055F2884"><enum>(b)</enum><header>Computer and network security research grants</header><text>Section 4(a)(3) of such Act (15 U.S.C. 7403(a)(3)) is amended by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="HB1C11E39A0744C48A1599905EDF23EB6" style="OLC"> <subparagraph id="H628020FF08BB4E11ACFF2B690A246365"><enum>(A)</enum><text>$119,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H035E3CD29D0B4A7B8D0E76E5ECB6A639"><enum>(B)</enum><text>$119,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="HCF911D86DD1746A9942D9F623F3973E8"><enum>(C)</enum><text>$119,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </subsection><subsection id="H5FA9D02615D64F17BBA2E28DE26A0BB5"><enum>(c)</enum><header>Computer and network security research centers</header><text>Section 4(b) of such Act (15 U.S.C. 7403(b)) is amended—</text> <paragraph id="HDAE21DE407CB40C18CFEB9012374C44E"><enum>(1)</enum><text>in paragraph (4)—</text> <subparagraph id="H50E49ACAE4954008893BD0DC5BD606A0"><enum>(A)</enum><text>in subparagraph (C), by striking <quote>and</quote> after the semicolon;</text> </subparagraph><subparagraph id="HC52D183BF69D444CB95A60A79E5049C1"><enum>(B)</enum><text>in subparagraph (D), by striking the period and inserting <quote>; and</quote>; and</text> </subparagraph><subparagraph id="H31F911A6325842D3A71227245F922111"><enum>(C)</enum><text>by adding at the end the following new subparagraph:</text> <quoted-block id="H00903893879347BCBEA466142531C462" style="OLC"> <subparagraph id="H36CE5DCEF2AA4518BB68A0BB3A15DD6D"><enum>(E)</enum><text>how the center will partner with government laboratories, for-profit entities, other institutions of higher education, or nonprofit research institutions.</text> </subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block> </subparagraph></paragraph><paragraph id="H7BEAA51A768B49D49F6369CF1B9665FE"><enum>(2)</enum><text>in paragraph (7) by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="H5E4C0009FBC34030922088EA0DE4BA91" style="OLC"> <subparagraph id="H7F24CFFD345643FDB94EFF3C4DEC6CA3"><enum>(A)</enum><text>$5,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H492880D631C6403998CF268C07A41B31"><enum>(B)</enum><text>$5,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="H1193BF0E287A40C6A7C1520447EB525F"><enum>(C)</enum><text>$5,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </paragraph></subsection><subsection id="HA2C8A2F5CB73469DB78DDDD270224AD8"><enum>(d)</enum><header>Computer and network security capacity building grants</header><text>Section 5(a)(6) of such Act (15 U.S.C. 7404(a)(6)) is amended by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="HBA25804B1C2D4E519ABD93F4FCF2BA43" style="OLC"> <subparagraph id="H16846C18A5EA4C3281E414FC58EABA8A"><enum>(A)</enum><text>$25,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H5DA6830F4C534A838FF818D8F034FD0D"><enum>(B)</enum><text>$25,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="HA048E327833947A29F24402A43B4D363"><enum>(C)</enum><text>$25,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </subsection><subsection id="HC808AEB734E444BC80EA8A4B79080CC9"><enum>(e)</enum><header>Scientific and advanced technology act grants</header><text>Section 5(b)(2) of such Act (15 U.S.C. 7404(b)(2)) is amended by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="H4DE072F3E0F545A2BFE29470BBC129FD" style="OLC"> <subparagraph id="H92CE933430754E66ABB76E8CCBC92DAD"><enum>(A)</enum><text>$4,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H2D929909B97C41B29C359C64259CD893"><enum>(B)</enum><text>$4,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="H27B13673D99C48E08903EB5E1A325618"><enum>(C)</enum><text>$4,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </subsection><subsection id="HAD95F2B4BC7B4ECFB7794A42BBB87F1F"><enum>(f)</enum><header>Graduate traineeships in computer and network security</header><text>Section 5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is amended by striking subparagraphs (A) through (E) and inserting the following new subparagraphs:</text> <quoted-block id="H40C7BC09FCE84592BA250ECDFBF475D9" style="OLC"> <subparagraph id="HA4437E98A42C41DE973EA9377CC5AF6A"><enum>(A)</enum><text>$32,000,000 for fiscal year 2014;</text> </subparagraph><subparagraph id="H32B5B59918534C3F9061888CF3C24902"><enum>(B)</enum><text>$32,000,000 for fiscal year 2015; and</text> </subparagraph><subparagraph id="HB6BBD50D503E4793BC8DBD7BED4CBA73"><enum>(C)</enum><text>$32,000,000 for fiscal year 2016.</text> </subparagraph><after-quoted-block>.</after-quoted-block></quoted-block> </subsection><subsection id="H0A332349B959469196B2316C3D355EC3"><enum>(g)</enum><header>Cyber security faculty development traineeship program</header><text>Section 5(e) of such Act (15 U.S.C. 7404(e)) is repealed.</text> </subsection></section><section id="H739788EEAE714CFA88337EF02A685DB4"><enum>106.</enum><header>Federal cyber scholarship for service program</header> <subsection id="H5D442CC6D15E41A7AF6FDDDFCD387A5D"><enum>(a)</enum><header>In general</header><text>The Director of the National Science Foundation shall continue a Scholarship for Service program under section 5(a) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7404">15 U.S.C. 7404(a)</external-xref>) to recruit and train the next generation of Federal cybersecurity professionals and to increase the capacity of the higher education system to produce an information technology workforce with the skills necessary to enhance the security of the Nation’s communications and information infrastructure.</text> </subsection><subsection id="HA5A0D6EED864439D8F392D1EF317378E"><enum>(b)</enum><header>Characteristics of program</header><text>The program under this section shall—</text> <paragraph id="HFC99A082C11B4AD985D0F009E741AD17"><enum>(1)</enum><text>provide, through qualified institutions of higher education, including community colleges, scholarships that provide tuition, fees, and a competitive stipend for up to 2 years to students pursing a bachelor’s or master’s degree and up to 3 years to students pursuing a doctoral degree in a cybersecurity field;</text> </paragraph><paragraph id="H87228222016B4E01936BCAF6FB3FEA13"><enum>(2)</enum><text>provide the scholarship recipients with summer internship opportunities or other meaningful temporary appointments in the Federal information technology workforce; and</text> </paragraph><paragraph id="H1CA950A9C9FB485EBBAD804ABBEDBDCF"><enum>(3)</enum><text>increase the capacity of institutions of higher education throughout all regions of the United States to produce highly qualified cybersecurity professionals, through the award of competitive, merit-reviewed grants that support such activities as—</text> <subparagraph id="H65DD188EFEA944068D7335A4584871F1"><enum>(A)</enum><text>faculty professional development, including technical, hands-on experiences in the private sector or government, workshops, seminars, conferences, and other professional development opportunities that will result in improved instructional capabilities;</text> </subparagraph><subparagraph id="HD44D230BEF284C2D9D9E036E951724AA"><enum>(B)</enum><text>institutional partnerships, including minority serving institutions and community colleges;</text> </subparagraph><subparagraph id="H634DC95FC1A44670A7954D5E6D8FAD85"><enum>(C)</enum><text>development and evaluation of cybersecurity-related courses and curricula; and</text> </subparagraph><subparagraph id="H20FD78649E7D46F1BCF37E5D045CF644"><enum>(D)</enum><text display-inline="yes-display-inline">public-private partnerships that will integrate research experiences and hands-on learning into cybersecurity degree programs.</text> </subparagraph></paragraph></subsection><subsection id="HB8C64C543110477C91226D46359D7DE0"><enum>(c)</enum><header>Scholarship requirements</header> <paragraph id="H3367AD44F8E14094A32E067A0647418B"><enum>(1)</enum><header>Eligibility</header><text>Scholarships under this section shall be available only to students who—</text> <subparagraph id="HE9A345D4019E4D8A91A7F688B2CB1063"><enum>(A)</enum><text>are citizens or permanent residents of the United States;</text> </subparagraph><subparagraph id="H6CB4CE3388F942448858A4DCFE4C89BF"><enum>(B)</enum><text>are full-time students in an eligible degree program, as determined by the Director, that is focused on computer security or information assurance at an awardee institution; and</text> </subparagraph><subparagraph id="H3396D31103D94F76AD0320B26E7455DD"><enum>(C)</enum><text>accept the terms of a scholarship pursuant to this section.</text> </subparagraph></paragraph><paragraph id="HF73F6BEF00A54EA986CD531013FF0CF6"><enum>(2)</enum><header>Selection</header><text>Individuals shall be selected to receive scholarships primarily on the basis of academic merit, with consideration given to financial need, to the goal of promoting the participation of females and individuals identified in section 33 or 34 of the Science and Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b), and to veterans. For purposes of this paragraph, the term <quote>veteran</quote> means a person who—</text> <subparagraph id="HD1A39C8D8F2948369C02DF9D522FE2BB"><enum>(A)</enum><text>served on active duty (other than active duty for training) in the Armed Forces of the United States for a period of more than 180 consecutive days, and who was discharged or released therefrom under conditions other than dishonorable; or</text> </subparagraph><subparagraph id="H83F0F81F00F345B38B10BBAA395AFC0E"><enum>(B)</enum><text>served on active duty (other than active duty for training) in the Armed Forces of the United States and was discharged or released from such service for a service-connected disability before serving 180 consecutive days.</text> </subparagraph><continuation-text continuation-text-level="paragraph">For purposes of subparagraph (B), the term <quote>service-connected</quote> has the meaning given such term under <external-xref legal-doc="usc" parsable-cite="usc/38/101">section 101</external-xref> of title 38, United States Code.</continuation-text></paragraph><paragraph id="H188D97BC840E4EBEB5EBC4390D675D92"><enum>(3)</enum><header>Service obligation</header><text>If an individual receives a scholarship under this section, as a condition of receiving such scholarship, the individual upon completion of their degree must serve as a cybersecurity professional within the Federal workforce for a period of time as provided in paragraph (5). If a scholarship recipient is not offered employment by a Federal agency or a federally funded research and development center, the service requirement can be satisfied at the Director’s discretion by—</text> <subparagraph id="HF0ED2FFE90A34E36ABE17F26B04C8FEF"><enum>(A)</enum><text>serving as a cybersecurity professional in a State, local, or tribal government agency; or</text> </subparagraph><subparagraph id="H4C138EE8CA1A4A02ADD48AD02AA7D3FB"><enum>(B)</enum><text>teaching cybersecurity courses at an institution of higher education.</text> </subparagraph></paragraph><paragraph id="H55EA15CCBBA948928332977929C6060D"><enum>(4)</enum><header>Conditions of support</header><text>As a condition of acceptance of a scholarship under this section, a recipient shall agree to provide the awardee institution with annual verifiable documentation of employment and up-to-date contact information.</text> </paragraph><paragraph id="HF970C2E074C2444B96C94735C6AD060E"><enum>(5)</enum><header>Length of service</header><text>The length of service required in exchange for a scholarship under this subsection shall be 1 year more than the number of years for which the scholarship was received.</text> </paragraph></subsection><subsection id="H1960FDDA997E4EF6A52071B6C1CE3628"><enum>(d)</enum><header>Failure To complete service obligation</header> <paragraph id="HBB5D04C2C68C4F1FBD9EC8A6394E2898"><enum>(1)</enum><header>General rule</header><text>If an individual who has received a scholarship under this section—</text> <subparagraph id="H68418421188449159FA4F844F96785CB"><enum>(A)</enum><text>fails to maintain an acceptable level of academic standing in the educational institution in which the individual is enrolled, as determined by the Director;</text> </subparagraph><subparagraph id="H7778F5DBEDAE4C83BB3323D2171BCB30"><enum>(B)</enum><text>is dismissed from such educational institution for disciplinary reasons;</text> </subparagraph><subparagraph id="H3FAD99AB880243C690B645C2CA7851FF"><enum>(C)</enum><text>withdraws from the program for which the award was made before the completion of such program;</text> </subparagraph><subparagraph id="H4300FB0906ED4621B11A52DA8B40C698"><enum>(D)</enum><text>declares that the individual does not intend to fulfill the service obligation under this section; or</text> </subparagraph><subparagraph id="H477B25D91B9645EEBF5A8FC8716F09A8"><enum>(E)</enum><text>fails to fulfill the service obligation of the individual under this section,</text> </subparagraph><continuation-text continuation-text-level="paragraph">such individual shall be liable to the United States as provided in paragraph (3).</continuation-text></paragraph><paragraph id="H0BB77B5FE71A434F82811CAC09F567A6"><enum>(2)</enum><header>Monitoring compliance</header><text>As a condition of participating in the program, a qualified institution of higher education receiving a grant under this section shall—</text> <subparagraph id="HD316DE7C40BF4B35B065CD1EAA71FFD8"><enum>(A)</enum><text>enter into an agreement with the Director of the National Science Foundation to monitor the compliance of scholarship recipients with respect to their service obligation; and</text> </subparagraph><subparagraph id="HC53CE5D0886C46FCA26B3702BE457AAF"><enum>(B)</enum><text>provide to the Director, on an annual basis, post-award employment information required under subsection (c)(4) for scholarship recipients through the completion of their service obligation.</text> </subparagraph></paragraph><paragraph id="HF16D0789A651479190B68FD543A41D23"><enum>(3)</enum><header>Amount of repayment</header> <subparagraph id="H618EBE5F236B4556B42D7E18FFEB81CE"><enum>(A)</enum><header>Less than one year of service</header><text>If a circumstance described in paragraph (1) occurs before the completion of 1 year of a service obligation under this section, the total amount of awards received by the individual under this section shall be repaid or such amount shall be treated as a loan to be repaid in accordance with subparagraph (C).</text> </subparagraph><subparagraph id="H1488B06425CE42BABE8F4C41BC84B1E3"><enum>(B)</enum><header>More than one year of service</header><text>If a circumstance described in subparagraph (D) or (E) of paragraph (1) occurs after the completion of 1 year of a service obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall be repaid or such amount shall be treated as a loan to be repaid in accordance with subparagraph (C).</text> </subparagraph><subparagraph id="HC06F6E057896404DA62162B4F1E47FCB"><enum>(C)</enum><header>Repayments</header><text>A loan described in subparagraph (A) or (B) shall be treated as a Federal Direct Unsubsidized Stafford Loan under part D of title IV of the Higher Education Act of 1965 (20 U.S.C. 1087a and following), and shall be subject to repayment, together with interest thereon accruing from the date of the scholarship award, in accordance with terms and conditions specified by the Director (in consultation with the Secretary of Education) in regulations promulgated to carry out this paragraph.</text> </subparagraph></paragraph><paragraph id="H0E2278B59E464C338730D006B4254160"><enum>(4)</enum><header>Collection of repayment</header> <subparagraph id="H43C46C1232D1446FAABA90656E04677B"><enum>(A)</enum><header>In general</header><text>In the event that a scholarship recipient is required to repay the scholarship under this subsection, the institution providing the scholarship shall—</text> <clause id="H63B20147A7874FE9BCA14FAF8B1C3161"><enum>(i)</enum><text>be responsible for determining the repayment amounts and for notifying the recipient and the Director of the amount owed; and</text> </clause><clause id="HF9963590AC4F4EE9A5597E0498BD1C30"><enum>(ii)</enum><text>collect such repayment amount within a period of time as determined under the agreement described in paragraph (2), or the repayment amount shall be treated as a loan in accordance with paragraph (3)(C).</text> </clause></subparagraph><subparagraph id="HABBB3A9C9E134BFD87DB29E4511C6458"><enum>(B)</enum><header>Returned to treasury</header><text>Except as provided in subparagraph (C) of this paragraph, any such repayment shall be returned to the Treasury of the United States.</text> </subparagraph><subparagraph id="HE22902DD359A4C218290F50EF2B870E9"><enum>(C)</enum><header>Retain percentage</header><text>An institution of higher education may retain a percentage of any repayment the institution collects under this paragraph to defray administrative costs associated with the collection. The Director shall establish a single, fixed percentage that will apply to all eligible entities.</text> </subparagraph></paragraph><paragraph id="HCBD53AAD325344368E84B2C68F364DC0"><enum>(5)</enum><header>Exceptions</header><text>The Director may provide for the partial or total waiver or suspension of any service or payment obligation by an individual under this section whenever compliance by the individual with the obligation is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable.</text> </paragraph></subsection><subsection display-inline="no-display-inline" id="H22C232921C884945A1C8D2541B97BDCF"><enum>(e)</enum><header>Hiring Authority</header> <paragraph id="HA760DE9478194F9B8C893D8FB06A529B"><enum>(1)</enum><header>Appointment in excepted service</header><text display-inline="yes-display-inline">Notwithstanding any provision of chapter 33 of title 5, United States Code, governing appointments in the competitive service, an agency shall appoint in the excepted service an individual who has completed the academic program for which a scholarship was awarded.</text> </paragraph><paragraph id="HDF52E54C5D9D4BB994C050D871126806"><enum>(2)</enum><header>Noncompetitive conversion</header><text>Except as provided in paragraph (4), upon fulfillment of the service term, an employee appointed under paragraph (1) may be converted noncompetitively to term, career-conditional or career appointment.</text> </paragraph><paragraph id="H83CE29ABB2164EA19E64DF3A2B83571E"><enum>(3)</enum><header>Timing of conversion</header><text>An agency may noncompetitively convert a term employee appointed under paragraph (2) to a career-conditional or career appointment before the term appointment expires.</text> </paragraph><paragraph id="H8B12FD81750D4574914C78B0B5F576C9"><enum>(4)</enum><header>Authority to decline conversion</header><text>An agency may decline to make the noncompetitive conversion or appointment under paragraph (2) for cause.</text> </paragraph></subsection></section><section id="H9448FC91A9C54F2283C1041892C43839"><enum>107.</enum><header>Cybersecurity workforce assessment</header><text display-inline="no-display-inline">Not later than 180 days after the date of enactment of this Act the President shall transmit to the Congress a report addressing the cybersecurity workforce needs of the Federal Government. The report shall include—</text> <paragraph id="HACF8C0A7C1424F909136AC06B3DB0D8B"><enum>(1)</enum><text>an examination of the current state of and the projected needs of the Federal cybersecurity workforce, including a comparison of the different agencies and departments, and an analysis of the capacity of such agencies and departments to meet those needs;</text> </paragraph><paragraph id="H64BDDD2620354453860BE82E101B7EA0"><enum>(2)</enum><text>an analysis of the sources and availability of cybersecurity talent, a comparison of the skills and expertise sought by the Federal Government and the private sector, an examination of the current and future capacity of United States institutions of higher education, including community colleges, to provide current and future cybersecurity professionals, through education and training activities, with those skills sought by the Federal Government, State and local entities, and the private sector, and a description of how successful programs are engaging the talents of females and individuals identified in section 33 or 34 of the Science and Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b);</text> </paragraph><paragraph id="H5B234DE12E904F22A69A2831A43E63FE"><enum>(3)</enum><text>an examination of the effectiveness of the National Centers of Academic Excellence in Information Assurance Education, the Centers of Academic Excellence in Research, and the Federal Cyber Scholarship for Service programs in promoting higher education and research in cybersecurity and information assurance and in producing a growing number of professionals with the necessary cybersecurity and information assurance expertise, including individuals from States or regions in which the unemployment rate exceeds the national average;</text> </paragraph><paragraph id="HA8DA9C9455024481B6DFDAC2CA7DE8AE"><enum>(4)</enum><text>an analysis of any barriers to the Federal Government recruiting and hiring cybersecurity talent, including barriers relating to compensation, the hiring process, job classification, and hiring flexibilities; and</text> </paragraph><paragraph id="HBAA5E972C9CF470DACE00B7A9B8ECCDF"><enum>(5)</enum><text>recommendations for Federal policies to ensure an adequate, well-trained Federal cybersecurity workforce.</text> </paragraph></section><section id="H0C9F14A9E195422783823800F67792C7"><enum>108.</enum><header>Cybersecurity university-industry task force</header> <subsection id="HB0DE61D6117443D4B9672EBA0DC5B48F"><enum>(a)</enum><header>Establishment of university-Industry task force</header><text>Not later than 180 days after the date of enactment of this Act, the Director of the Office of Science and Technology Policy shall convene a task force to explore mechanisms for carrying out collaborative research, development, education, and training activities for cybersecurity through a consortium or other appropriate entity with participants from institutions of higher education and industry.</text> </subsection><subsection id="H9341B76E828641B6B6846D1F661666AF"><enum>(b)</enum><header>Functions</header><text>The task force shall—</text> <paragraph id="HAFC0C81B9C24441A9F26CEA94B8E5977"><enum>(1)</enum><text>develop options for a collaborative model and an organizational structure for such entity under which the joint research and development activities could be planned, managed, and conducted effectively, including mechanisms for the allocation of resources among the participants in such entity for support of such activities;</text> </paragraph><paragraph display-inline="no-display-inline" id="H64B0D9DE894944219B5AE4DB1F34D141"><enum>(2)</enum><text>identify and prioritize at least three cybersecurity grand challenges, focused on nationally significant problems requiring collaborative and interdisciplinary solutions;</text> </paragraph><paragraph id="H840FC507F14E42F89B59F8B968E458C3"><enum>(3)</enum><text display-inline="yes-display-inline">propose a process for developing a research and development agenda for such entity to address the grand challenges identified under paragraph (2);</text> </paragraph><paragraph id="H1D02BAB1FC064D4CADC207848CAFC909"><enum>(4)</enum><text>define the roles and responsibilities for the participants from institutions of higher education and industry in such entity;</text> </paragraph><paragraph id="HD3C17C26735143D5BD6FC28D4BF11EB6"><enum>(5)</enum><text>propose guidelines for assigning intellectual property rights and for the transfer of research and development results to the private sector; and</text> </paragraph><paragraph id="HC72338ED7C6347A9A90655E7D236438C"><enum>(6)</enum><text>make recommendations for how such entity could be funded from Federal, State, and nongovernmental sources.</text> </paragraph></subsection><subsection id="H081B6C5C429C4FFAACB70D5BEA8F4D4A"><enum>(c)</enum><header>Composition</header><text>In establishing the task force under subsection (a), the Director of the Office of Science and Technology Policy shall appoint an equal number of individuals from institutions of higher education, including minority-serving institutions and community colleges, and from industry with knowledge and expertise in cybersecurity.</text> </subsection><subsection id="HCB6EA00A76874B4F8E74423D0E046CC1"><enum>(d)</enum><header>Report</header><text>Not later than 12 months after the date of enactment of this Act, the Director of the Office of Science and Technology Policy shall transmit to the Congress a report describing the findings and recommendations of the task force.</text> </subsection><subsection id="H78AAA64F42044A3EA8503D8A3F0C46BD"><enum>(e)</enum><header>Termination</header><text>The task force shall terminate upon transmittal of the report required under subsection (d).</text> </subsection><subsection id="HABCB9FE0A8C146A6A31F2D8011BEAE60"><enum>(f)</enum><header>Compensation and expenses</header><text>Members of the task force shall serve without compensation.</text> </subsection></section><section id="HDA846F59332A4E2BBD2938449027142D"><enum>109.</enum><header>Cybersecurity automation and checklists for government systems</header><text display-inline="no-display-inline">Section 8(c) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7406">15 U.S.C. 7406(c)</external-xref>) is amended to read as follows:</text> <quoted-block id="HB02BB198C6E04C58A4D994F9B5BE2E28" style="OLC"> <subsection id="HAFA1FADD69124BC88D2E1CDEBBBE9004"><enum>(c)</enum><header>Security automation and checklists for government systems</header> <paragraph id="H5A853DC966464E2D823CA0604E0A7817"><enum>(1)</enum><header>In general</header><text>The Director of the National Institute of Standards and Technology shall develop, and revise as necessary, security automation standards, associated reference materials (including protocols), and checklists providing settings and option selections that minimize the security risks associated with each information technology hardware or software system and security tool that is, or is likely to become, widely used within the Federal Government in order to enable standardized and interoperable technologies, architectures, and frameworks for continuous monitoring of information security within the Federal Government.</text> </paragraph><paragraph id="H7FC189CF9884467DACAA77EA6EE4F84D"><enum>(2)</enum><header>Priorities for development</header><text>The Director of the National Institute of Standards and Technology shall establish priorities for the development of standards, reference materials, and checklists under this subsection on the basis of—</text> <subparagraph id="H68529D5064D844D29BDD6CFB4E0F942C"><enum>(A)</enum><text>the security risks associated with the use of the system;</text> </subparagraph><subparagraph id="H95A9AB156F3E4E758CE93B328FBADBF5"><enum>(B)</enum><text>the number of agencies that use a particular system or security tool;</text> </subparagraph><subparagraph id="H1BE27A9512534F0C8BFB63651E7A3304"><enum>(C)</enum><text>the usefulness of the standards, reference materials, or checklists to Federal agencies that are users or potential users of the system;</text> </subparagraph><subparagraph id="H37386569BD9B4D42BFD794B66807D3FA"><enum>(D)</enum><text>the effectiveness of the associated standard, reference material, or checklist in creating or enabling continuous monitoring of information security; or</text> </subparagraph><subparagraph id="HBAE8EBB1BFDF41C685E92B7F050EAB79"><enum>(E)</enum><text>such other factors as the Director of the National Institute of Standards and Technology determines to be appropriate.</text> </subparagraph></paragraph><paragraph id="H178C670B0EED46F296233DFDC55F92B5"><enum>(3)</enum><header>Excluded systems</header><text>The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any information technology hardware or software system or security tool for which such Director determines that the development of a standard, reference material, or checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the inutility or impracticability of developing a standard, reference material, or checklist for the system.</text> </paragraph><paragraph id="HAF11921F1E7B49119633ABC4287B0807"><enum>(4)</enum><header>Dissemination of standards and related materials</header><text>The Director of the National Institute of Standards and Technology shall ensure that Federal agencies are informed of the availability of any standard, reference material, checklist, or other item developed under this subsection.</text> </paragraph><paragraph id="H1692C0FD11D546B7B5D2017C6934AD76"><enum>(5)</enum><header>Agency use requirements</header><text>The development of standards, reference materials, and checklists under paragraph (1) for an information technology hardware or software system or tool does not—</text> <subparagraph id="H1FA143A192454A2CA118BAC0FBB96D28"><enum>(A)</enum><text>require any Federal agency to select the specific settings or options recommended by the standard, reference material, or checklist for the system;</text> </subparagraph><subparagraph id="H5F018FF01EBF4587A44F8C9B86086E1B"><enum>(B)</enum><text>establish conditions or prerequisites for Federal agency procurement or deployment of any such system;</text> </subparagraph><subparagraph id="HFE1571BE7CB54A5DA66AC837222EF0AC"><enum>(C)</enum><text>imply an endorsement of any such system by the Director of the National Institute of Standards and Technology; or</text> </subparagraph><subparagraph id="H88275C34329D4288944F6BB78E7FB3A5"><enum>(D)</enum><text>preclude any Federal agency from procuring or deploying other information technology hardware or software systems for which no such standard, reference material, or checklist has been developed or identified under paragraph (1).</text> </subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block> </section><section id="H566F40613376496394A36DCAD64BE541"><enum>110.</enum><header>National Institute of Standards and Technology cybersecurity research and development</header><text display-inline="no-display-inline">Section 20 of the National Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3</external-xref>) is amended by redesignating subsection (e) as subsection (f), and by inserting after subsection (d) the following:</text> <quoted-block id="HB4522E9E7A204CD8BDBE3FBC66235CBC" style="OLC"> <subsection id="HAD6B80E5038B4E73A2369F68E926E6BF"><enum>(e)</enum><header>Intramural security research</header><text>As part of the research activities conducted in accordance with subsection (d)(3), the Institute shall—</text> <paragraph id="HF0B72FE372074B699C6B68DCE2A64B03"><enum>(1)</enum><text>conduct a research program to develop a unifying and standardized identity, privilege, and access control management framework for the execution of a wide variety of resource protection policies and that is amenable to implementation within a wide variety of existing and emerging computing environments;</text> </paragraph><paragraph id="H88751BEE8AA14516BD1254F093362E85"><enum>(2)</enum><text>carry out research associated with improving the security of information systems and networks;</text> </paragraph><paragraph id="H3456D8C5CD574813B9C2D08AB90F0B2D"><enum>(3)</enum><text>carry out research associated with improving the testing, measurement, usability, and assurance of information systems and networks;</text> </paragraph><paragraph id="H55913544653E451093C360D1FB85E208"><enum>(4)</enum><text>carry out research associated with improving security of industrial control systems; and</text> </paragraph><paragraph id="H09F2979034954FFBADD3C050276F8ED5"><enum>(5)</enum><text display-inline="yes-display-inline">carry out research associated with improving the security and integrity of the information technology supply chain.</text> </paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block> </section><section id="HE30AEFD30FE842D79E48CE8D0F51EE90"><enum>111.</enum><header>Research on the science of cybersecurity</header><text display-inline="no-display-inline">The Director of the National Science Foundation and the Director of the National Institute of Standards and Technology shall, through existing programs and activities, support research that will lead to the development of a scientific foundation for the field of cybersecurity, including research that increases understanding of the underlying principles of securing complex networked systems, enables repeatable experimentation, and creates quantifiable security metrics.</text> </section><enum>II</enum><header>Advancement of Cybersecurity Technical Standards</header> <section id="HA207BFE87AFE49E89F13087ED001B105"><enum>201.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text> <paragraph id="H8AC2180539CF4DE5B8852FEA654E793C"><enum>(1)</enum><header>Director</header><text>The term <quote>Director</quote> means the Director of the National Institute of Standards and Technology.</text> </paragraph><paragraph id="H700E284451A7445B975CE2406FB83B50"><enum>(2)</enum><header>Institute</header><text>The term <quote>Institute</quote> means the National Institute of Standards and Technology.</text> </paragraph></section><section id="HA0282896015C43469922B9344F15BCE6"><enum>202.</enum><header>International cybersecurity technical standards</header> <subsection id="H398A6E2CA9D44D95AA35001EB13A3E59"><enum>(a)</enum><header>In general</header><text>The Director, in coordination with appropriate Federal authorities, shall—</text> <paragraph id="H462232E08105424C82C10E0C6FFBDE54"><enum>(1)</enum><text>as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and</text> </paragraph><paragraph id="H027B531478CE4FC29F48D02D080F75D0"><enum>(2)</enum><text>not later than 1 year after the date of enactment of this Act, develop and transmit to the Congress a plan for ensuring such Federal agency coordination.</text> </paragraph></subsection><subsection id="H724FDC112ECD401697D1AADAED9CCE48"><enum>(b)</enum><header>Consultation with the private sector</header><text>In carrying out the activities specified in subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders.</text> </subsection></section><section id="HAEBC510CBF8E47D8A72552BF11A0E1E9"><enum>203.</enum><header>Cloud computing strategy</header> <subsection id="HCF208D57810A4DDB82E15121F95F8D99"><enum>(a)</enum><header>In general</header><text>The Director, in collaboration with the Federal CIO Council, and in consultation with other relevant Federal agencies and stakeholders from the private sector, shall continue to develop and encourage the implementation of a comprehensive strategy for the use and adoption of cloud computing services by the Federal Government.</text> </subsection><subsection id="H4F61AB4F73B146B2B92C5752454DBE47"><enum>(b)</enum><header>Activities</header><text>In carrying out the strategy developed under subsection (a), the Director shall give consideration to activities that—</text> <paragraph id="H7AF0E37851494AE3A1F84A58A434EF00"><enum>(1)</enum><text>accelerate the development, in collaboration with the private sector, of standards that address interoperability and portability of cloud computing services;</text> </paragraph><paragraph id="HD1D1CFCAC3C543DA8A37294452C4C9A7"><enum>(2)</enum><text>advance the development of conformance testing performed by the private sector in support of cloud computing standardization; and</text> </paragraph><paragraph id="H3F97CE52ACCE411EB12D2B111BBA25ED"><enum>(3)</enum><text>support, in consultation with the private sector, the development of appropriate security frameworks and reference materials, and the identification of best practices, for use by Federal agencies to address security and privacy requirements to enable the use and adoption of cloud computing services, including activities—</text> <subparagraph id="HF9517C13C8ED4C9F8BAD65C252EDB554"><enum>(A)</enum><text>to ensure the physical security of cloud computing data centers and the data stored in such centers;</text> </subparagraph><subparagraph id="H4ED537279E8045C3925E576DE67DB3EC"><enum>(B)</enum><text>to ensure secure access to the data stored in cloud computing data centers;</text> </subparagraph><subparagraph id="H00FCE71F12534BF0B44019B48FCA6FD5"><enum>(C)</enum><text>to develop security standards as required under section 20 of the National Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3</external-xref>); and</text> </subparagraph><subparagraph id="H37BCAD8C081E4A4982FBDB19859A1141"><enum>(D)</enum><text>to support the development of the automation of continuous monitoring systems.</text> </subparagraph></paragraph></subsection></section><section id="HA9973D003AE74FA29AC43893AC686D2D"><enum>204.</enum><header>Promoting cybersecurity awareness and education</header> <subsection id="H9748A934C2F14EE59E9D536E625F7275"><enum>(a)</enum><header>Program</header><text>The Director, in collaboration with relevant Federal agencies, industry, educational institutions, National Laboratories, the National Coordination Office of the Networking and Information Technology Research and Development program, and other organizations, shall continue to coordinate a cybersecurity awareness and education program to increase knowledge, skills, and awareness of cybersecurity risks, consequences, and best practices through—</text> <paragraph id="H3E1451AA3B3E42C7A4A7A85348CE10DA"><enum>(1)</enum><text>the widespread dissemination of cybersecurity technical standards and best practices identified by the Institute;</text> </paragraph><paragraph id="H426F9AE7FD4F4E80AE21E4457FFAB3D1"><enum>(2)</enum><text>efforts to make cybersecurity best practices usable by individuals, small to medium-sized businesses, State, local, and tribal governments, and educational institutions;</text> </paragraph><paragraph display-inline="no-display-inline" id="H6374967A7AF84B6A914CE41E054D1F70"><enum>(3)</enum><text display-inline="yes-display-inline">improving the state of cybersecurity education at all educational levels;</text> </paragraph><paragraph id="H2644D7DE7E7F44BAB517E7404DE3094E"><enum>(4)</enum><text>efforts to attract, recruit, and retain qualified professionals to the Federal cybersecurity workforce; and</text> </paragraph><paragraph id="HA7E5CC9B79BF41D0947A756B54E6AB48"><enum>(5)</enum><text>improving the skills, training, and professional development of the Federal cybersecurity workforce.</text> </paragraph></subsection><subsection id="H5E3E69D4269B460989E53950FF236BA0"><enum>(b)</enum><header>Strategic plan</header><text>The Director shall, in cooperation with relevant Federal agencies and other stakeholders, develop and implement a strategic plan to guide Federal programs and activities in support of a comprehensive cybersecurity awareness and education program as described under subsection (a).</text> </subsection><subsection id="H52FB74C22311448F97459FDCB146E847"><enum>(c)</enum><header>Report to congress</header><text>Not later than 1 year after the date of enactment of this Act and every 5 years thereafter, the Director shall transmit the strategic plan required under subsection (b) to the Committee on Science, Space, and Technology of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate.</text> </subsection></section><section id="HC6BDCF9DF3034ED3B9FF7FA4C7818304"><enum>205.</enum><header>Identity management research and development</header><text display-inline="no-display-inline">The Director shall continue a program to support the development of technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns, to—</text> <paragraph id="H761BEC12C1BC4BA1BA68342416002719"><enum>(1)</enum><text>improve interoperability among identity management technologies;</text> </paragraph><paragraph id="HB2719E13BC2A403F9398FD2060B8F7A1"><enum>(2)</enum><text>strengthen authentication methods of identity management systems;</text> </paragraph><paragraph id="H1A8FA061B8F34566B9D2B0CE0ECEF840"><enum>(3)</enum><text>improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and</text> </paragraph><paragraph id="H4CC549D814F1430BA88B703D458A0A94"><enum>(4)</enum><text>improve the usability of identity management systems.</text> </paragraph></section><section display-inline="no-display-inline" id="H64568F5783F446088A96C2C27712DAF2" section-type="subsequent-section"><enum>206.</enum><header>Authorizations</header><text display-inline="no-display-inline">No additional funds are authorized to carry out this Act, and the amendments made by this Act. This Act, and the amendments made by this Act, shall be carried out using amounts otherwise authorized or appropriated.</text> </section>

Passed the House of Representatives April 16, 2013.

Karen L. Haas, Clerk