113 S1353 ES: Cybersecurity Enhancement Act of 2014
U.S. Senate
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.Short title; table of
contents(a)This Act may be cited
as the Cybersecurity Enhancement Act of 2014
.(b)The table of
contents of this Act is as follows:Sec. 1. Short title; table of contents.Sec. 2. Definitions.Sec. 3. No regulatory authority.Sec. 4. No additional funds authorized.TITLE I—Public-private collaboration on cybersecuritySec. 101. Public-private collaboration on cybersecurity.TITLE II—Cybersecurity research and developmentSec. 201. Federal cybersecurity research and development.Sec. 202. Computer and network security research centers.Sec. 203. Cybersecurity automation and checklists for government systems.Sec. 204. National Institute of Standards and Technology cybersecurity research and development.TITLE III—Education and Workforce DevelopmentSec. 301. Cybersecurity competitions and challenges.Sec. 302. Federal cyber scholarship-for-service program.TITLE IV—Cybersecurity Awareness and PreparednessSec. 401. National cybersecurity awareness and education program.TITLE V—Advancement of cybersecurity technical standardsSec. 501. Definitions.Sec. 502. International cybersecurity technical standards.Sec. 503. Cloud computing strategy.Sec. 504. Identity management research and development.2.In this Act:(1)The term cybersecurity mission means
activities that encompass the full range of threat reduction,
vulnerability
reduction, deterrence, international engagement, incident response,
resiliency,
and recovery policies and activities, including computer network
operations,
information assurance, law enforcement, diplomacy, military, and
intelligence
missions as such activities relate to the security and stability of
cyberspace.(2)The term information system has the meaning
given that term in section 3502 of title 44, United States Code.3.Nothing in this Act
shall be construed to confer any regulatory authority on any Federal,
State,
tribal, or local department or agency.4.No additional funds authorizedNo additional funds are authorized to carry out this Act, and the amendments made by this Act. This
Act, and the amendments made by this Act, shall be carried out using
amounts otherwise authorized or appropriated.<enum>I</enum><header display-inline="yes-display-inline">Public-private
collaboration on cybersecurity</header><section commented="no" display-inline="no-display-inline" id="id9f26089b-43da-426b-9ce3-5978047ae9c1" section-type="subsequent-section"><enum>101.</enum><header display-inline="yes-display-inline">Public-private
collaboration on cybersecurity</header><subsection commented="no" display-inline="no-display-inline" id="ide25c2653-22f3-4021-b976-277fbdb5392d"><enum>(a)</enum><header display-inline="yes-display-inline">Cybersecurity</header><text display-inline="yes-display-inline">Section
2(c) of the National Institute of Standards and Technology Act (15 U.S.C.
272(c)) is amended—</text><paragraph commented="no" display-inline="no-display-inline" id="id42fa62f2-0876-4ccf-8c6b-a3b7be1653b4"><enum>(1)</enum><text display-inline="yes-display-inline">by redesignating
paragraphs (15) through (22) as paragraphs (16) through (23),
respectively;
and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idaba5db2b-b9a7-4990-98f0-b55ac8a1f7cf"><enum>(2)</enum><text display-inline="yes-display-inline">by inserting after
paragraph (14) the following:</text><quoted-block display-inline="no-display-inline" id="idb34de4be-a74f-43a2-ae17-0286ad8b4e21" style="OLC"><paragraph commented="no" display-inline="no-display-inline" id="idc65d7c94-0806-4ff8-b5db-a89672a6322c"><enum>(15)</enum><text display-inline="yes-display-inline">on an ongoing basis,
facilitate and support the development of a voluntary,
consensus-based, industry-led
set of
standards, guidelines, best practices, methodologies, procedures,
and processes
to cost-effectively reduce cyber risks to critical infrastructure
(as defined under
subsection
(e));</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id900f98ae-3dd4-4c23-badf-d1ae7d8c6f0f"><enum>(b)</enum><header display-inline="yes-display-inline">Scope and
limitations</header><text display-inline="yes-display-inline">Section 2 of the National Institute of Standards and
Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/272">15 U.S.C. 272</external-xref>) is amended by adding at the end the
following:</text><quoted-block display-inline="no-display-inline" id="idb2509bce-9ca6-4e13-8f43-243942cf8daf" style="OLC"><subsection commented="no" display-inline="no-display-inline" id="id44632d79-ea68-4b32-baa3-615e142d8345"><enum>(e)</enum><header display-inline="yes-display-inline">Cyber risks</header><paragraph commented="no" display-inline="no-display-inline" id="id7671f216-1b28-4a20-a251-dde45ba9aeb3"><enum>(1)</enum><header display-inline="yes-display-inline">In
general</header><text display-inline="yes-display-inline">In carrying out the activities under subsection (c)(15),
the Director—</text><subparagraph commented="no" display-inline="no-display-inline" id="idd2b87fe5-9e08-4a3e-8b9c-5e12d172c7db"><enum>(A)</enum><text display-inline="yes-display-inline">shall—</text><clause commented="no" display-inline="no-display-inline" id="id22fc08ae-30c3-460f-9cdd-44d5cdf91ec5"><enum>(i)</enum><text display-inline="yes-display-inline">coordinate closely and
regularly with relevant private sector personnel and entities,
critical
infrastructure owners and operators, and other relevant industry
organizations, including Sector Coordinating Councils and
Information
Sharing and Analysis Centers, and
incorporate industry expertise;</text></clause><clause commented="no" display-inline="no-display-inline" id="ide7b3b809-ef8d-4953-8d98-5a72fb8dc30f"><enum>(ii)</enum><text display-inline="yes-display-inline">consult with the heads
of agencies with national security responsibilities,
sector-specific agencies and other appropriate agencies,
State and local governments, the governments of other nations, and
international organizations;</text></clause><clause commented="no" display-inline="no-display-inline" id="idd0fa607f-cd82-4903-8bf3-7674502610d6"><enum>(iii)</enum><text display-inline="yes-display-inline">identify a prioritized,
flexible, repeatable, performance-based, and cost-effective
approach, including
information security measures and controls, that may be voluntarily
adopted by
owners and operators of critical infrastructure to help them
identify, assess,
and manage cyber risks;</text></clause><clause commented="no" display-inline="no-display-inline" id="ide80be39d-ef00-48f4-b1be-b986cd16e2bf"><enum>(iv)</enum><text display-inline="yes-display-inline">include
methodologies—</text><subclause commented="no" display-inline="no-display-inline" id="id799df944-0ef5-4644-bfb1-6482de21dd04"><enum>(I)</enum><text display-inline="yes-display-inline">to identify and mitigate
impacts of the cybersecurity measures or controls on business
confidentiality;
and</text></subclause><subclause commented="no" display-inline="no-display-inline" id="id9ec52daf-6b54-460d-aa10-df5d370729a4"><enum>(II)</enum><text display-inline="yes-display-inline">to protect individual
privacy and civil liberties;</text></subclause></clause><clause commented="no" display-inline="no-display-inline" id="id329966de-9d2b-4cf9-ae2c-90b723dd13c3"><enum>(v)</enum><text display-inline="yes-display-inline">incorporate voluntary
consensus standards and industry best practices;</text></clause><clause commented="no" display-inline="no-display-inline" id="id2ae674fb-5e91-41a7-98e0-3a3d355cdb9e"><enum>(vi)</enum><text display-inline="yes-display-inline">align with voluntary
international standards to the fullest extent possible;</text></clause><clause commented="no" display-inline="no-display-inline" id="id24b44200-25b2-4d5e-9f3d-8967adb35c11"><enum>(vii)</enum><text display-inline="yes-display-inline">prevent duplication of
regulatory processes and prevent conflict with or superseding of
regulatory
requirements, mandatory standards, and related processes; and</text></clause><clause commented="no" display-inline="no-display-inline" id="id2978dd80-a6ec-4b9a-a50a-e93d5a592f52"><enum>(viii)</enum><text display-inline="yes-display-inline">include such other
similar and consistent elements as the Director considers
necessary; and</text></clause></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id6ed77c71-2d4c-40d4-b609-b6cefdcd0003"><enum>(B)</enum><text display-inline="yes-display-inline">shall not prescribe or
otherwise require—</text><clause commented="no" display-inline="no-display-inline" id="ide6732d0d-a0c8-42bf-8055-71bc20d4c432"><enum>(i)</enum><text display-inline="yes-display-inline">the use of specific
solutions;</text></clause><clause commented="no" display-inline="no-display-inline" id="idc5ab9164-c0d0-4ab5-ae15-86e7fb04aa28"><enum>(ii)</enum><text display-inline="yes-display-inline">the use of specific
information or communications technology products or services; or</text></clause><clause commented="no" display-inline="no-display-inline" id="idb8fa428a-88bc-432b-801f-62e4871a2c86"><enum>(iii)</enum><text display-inline="yes-display-inline">that information or
communications technology products or services be designed,
developed, or
manufactured in a particular manner.</text></clause></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idd2cb1e6e-b427-432f-804b-cd55477ab380"><enum>(2)</enum><header display-inline="yes-display-inline">Limitation</header><text display-inline="yes-display-inline">Information
shared with or provided to the Institute for the purpose of the
activities
described under subsection (c)(15) shall not be used by any
Federal, State,
tribal, or local department or agency to regulate the activity of
any
entity. Nothing in this paragraph
shall be construed to modify any regulatory requirement to report or
submit information to a Federal, State, tribal, or local
department or agency.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idc1eaf5c4-2c51-4c2f-8810-d76e73ef1fda"><enum>(3)</enum><header display-inline="yes-display-inline">Definitions</header><text display-inline="yes-display-inline">In
this subsection:</text><subparagraph commented="no" display-inline="no-display-inline" id="id5486aa1d-1e51-4dfa-9df6-74ccfe1a272c"><enum>(A)</enum><header display-inline="yes-display-inline">Critical
infrastructure</header><text display-inline="yes-display-inline">The term <term>critical infrastructure</term> has
the meaning given the term in section 1016(e) of the USA PATRIOT
Act of 2001
(<external-xref legal-doc="usc" parsable-cite="usc/42/5195c">42 U.S.C. 5195c(e)</external-xref>).</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id5d182b1d-863c-4d88-abf5-c44f853bf5af"><enum>(B)</enum><header display-inline="yes-display-inline">Sector-specific
agency</header><text display-inline="yes-display-inline">The term <term>sector-specific agency</term> means the
Federal department or agency responsible for providing
institutional knowledge
and specialized expertise as well as leading, facilitating, or
supporting the
security and resilience programs and associated activities of its
designated
critical infrastructure sector in the all-hazards
environment.</text></subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection commented="no" display-inline="no-display-inline" id="id1BEB3A182E3A4ECA9036C4A1B3271FFC"><enum>(c)</enum><header display-inline="yes-display-inline">Study and
reports</header><paragraph commented="no" display-inline="no-display-inline" id="idE9B378749A26423EBEFDC93B0F63849C"><enum>(1)</enum><header display-inline="yes-display-inline">Study</header><text display-inline="yes-display-inline">The
Comptroller General of the United States shall conduct a study that
assesses—</text><subparagraph commented="no" display-inline="no-display-inline" id="id8EE36E5B03E8499993C8333D320BB818"><enum>(A)</enum><text display-inline="yes-display-inline">the progress made by the
Director of the National Institute of Standards and Technology in
facilitating
the development of standards and procedures to reduce cyber risks to
critical
infrastructure in accordance with section 2(c)(15) of the National
Institute of
Standards and Technology Act, as added by this section;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id4C453660C27A4588B932B813F72E18AA"><enum>(B)</enum><text display-inline="yes-display-inline">the extent to which the
Director's facilitation efforts are consistent with the directive in such
section that the development of such standards and procedures be voluntary
and
led by industry representatives;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idd4acd824cead48da9d7c68ec523bf1fd"><enum>(C)</enum><text display-inline="yes-display-inline">the extent to which
other Federal agencies have promoted and sectors of critical
infrastructure (as defined in section 1016(e) of the
USA
PATRIOT Act of 2001 (<external-xref legal-doc="usc" parsable-cite="usc/42/5195c">42 U.S.C. 5195c(e)</external-xref>)) have adopted a voluntary,
industry-led set of standards, guidelines, best practices, methodologies,
procedures, and processes to reduce cyber risks to critical infrastructure
in
accordance with such section 2(c)(15);</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="ide4b0796bf4184688a8079168502cb57e"><enum>(D)</enum><text display-inline="yes-display-inline">the reasons behind the
decisions of sectors of critical infrastructure (as defined in
subparagraph
(C)) to adopt or to not adopt the voluntary standards described in
subparagraph
(C); and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id94b88d4de6694cf3961823f815b4cebd"><enum>(E)</enum><text display-inline="yes-display-inline">the extent to which such
voluntary standards have proved successful in protecting critical
infrastructure from cyber threats.</text></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idD24CA89C12B34C1790DAE3FCD96911E3"><enum>(2)</enum><header display-inline="yes-display-inline">Reports</header><text display-inline="yes-display-inline">Not
later than 1 year after the date of the enactment of this Act, and every 2
years thereafter for the following 6 years, the Comptroller General shall
submit a report, which summarizes the findings of the study conducted
under
paragraph (1), to the
<committee-name committee-id="SSCM00">Committee on Commerce, Science, and
Transportation of the Senate</committee-name> and the
<committee-name committee-id="">Committee on Science, Space, and Technology of
the House of Representatives</committee-name>.</text></paragraph></subsection></section><enum>II</enum><header display-inline="yes-display-inline">Cybersecurity research
and development</header><section commented="no" display-inline="no-display-inline" id="id9752f956-c3f7-4328-97ca-1e858d7974ef" section-type="subsequent-section"><enum>201.</enum><header display-inline="yes-display-inline">Federal cybersecurity
research and development</header><subsection commented="no" display-inline="no-display-inline" id="id038b57f5-e122-4ce7-8081-0f5158127c28"><enum>(a)</enum><header display-inline="yes-display-inline">Fundamental
cybersecurity research</header><paragraph commented="no" display-inline="no-display-inline" id="idacea143b-545e-4a23-ae01-2ba4653b129d"><enum>(1)</enum><header display-inline="yes-display-inline">Federal cybersecurity research and development
strategic plan</header><text display-inline="yes-display-inline">The heads of the applicable agencies and departments,
working through the National Science and Technology
Council and the Networking and Information Technology Research and
Development Program, shall develop and update every 4 years a Federal
cybersecurity
research and development strategic plan (referred to in this subsection as
the <term>strategic plan</term>) based on
an assessment of cybersecurity risk to guide the overall direction of
Federal cybersecurity and information assurance research and development
for information technology and networking systems. The heads of the
applicable agencies and departments shall
build upon existing programs and
plans to develop the strategic plan to meet objectives in cybersecurity,
such as—</text><subparagraph commented="no" display-inline="no-display-inline" id="idd5f8a6bd-eda7-406a-a001-7c7f0e5fcaad"><enum>(A)</enum><text display-inline="yes-display-inline">how to design and build
complex software-intensive systems that are secure and reliable when first
deployed;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id7d676ef8-cd7f-4a07-8731-658d6b67c2d1"><enum>(B)</enum><text display-inline="yes-display-inline">how to test and verify
that software and hardware, whether developed locally or obtained from a
third
party, is free of significant known security flaws;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idcb642cbb-adea-441d-b3f6-7889c36d9557"><enum>(C)</enum><text display-inline="yes-display-inline">how to test and verify
that software and hardware obtained from a third party correctly
implements
stated functionality, and only that functionality;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id64b0755a-9ac3-4501-8824-b879779ad29f"><enum>(D)</enum><text display-inline="yes-display-inline">how to guarantee the
privacy of an individual, including that individual's identity,
information,
and lawful transactions when stored in distributed systems or transmitted
over
networks;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="ida14e1b47-784e-4ee4-af35-168b3e15bf1f"><enum>(E)</enum><text display-inline="yes-display-inline">how to build new
protocols to enable the Internet to have robust security as one of the key
capabilities of the Internet;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id90c4e69e-32e2-478c-97e8-f41f4fae5a07"><enum>(F)</enum><text display-inline="yes-display-inline">how to determine the
origin of a message transmitted over the Internet;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id0c9f7e7c-c213-4094-a3b7-71565a82ddd5"><enum>(G)</enum><text display-inline="yes-display-inline">how to support privacy in
conjunction with improved security;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idcfd8386e-f03a-49c7-bb39-826783ab14a8"><enum>(H)</enum><text display-inline="yes-display-inline">how to address the problem of insider threats;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="ided46a0a0-678d-4957-b69a-55122001f103"><enum>(I)</enum><text display-inline="yes-display-inline">how improved consumer
education and digital literacy initiatives can address human factors that
contribute to cybersecurity;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id6c6f06c3-2857-4070-9290-8879cff66ce6"><enum>(J)</enum><text display-inline="yes-display-inline">how to protect
information processed, transmitted, or stored using cloud computing or
transmitted through wireless services; and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id75ee5091-fc0a-40c3-b04a-507002ce0ae1"><enum>(K)</enum><text display-inline="yes-display-inline">any additional objectives
the heads of the applicable agencies and departments, in
coordination
with the head of any relevant Federal agency and with input from
stakeholders,
including appropriate national laboratories, industry, and academia,
determine
appropriate.</text></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id27B9A6582E0F4EF2952819E0B2316CAD"><enum>(2)</enum><header display-inline="yes-display-inline">Requirements</header><subparagraph commented="no" display-inline="no-display-inline" id="id8AA4F3989D9B4AFB92FBDE527E8C257A"><enum>(A)</enum><header display-inline="yes-display-inline">Contents of plan</header><text display-inline="yes-display-inline">The strategic plan shall—</text><clause commented="no" display-inline="no-display-inline" id="idEE15FB1E080F47FFAA44764A9583B110"><enum>(i)</enum><text display-inline="yes-display-inline">specify and prioritize near-term, mid-term, and long-term research
objectives, including objectives associated with the research identified
in section
4(a)(1) of
the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(1)</external-xref>);</text></clause><clause commented="no" display-inline="no-display-inline" id="id4AF79E34B2DF4A70B841FC4A5EA14264"><enum>(ii)</enum><text display-inline="yes-display-inline">specify how the near-term objectives described in clause (i) complement research and development
areas in which the private sector is actively engaged;</text></clause><clause commented="no" display-inline="no-display-inline" id="id76492C43F9DD4C988E28FCE9301DD32F"><enum>(iii)</enum><text display-inline="yes-display-inline">describe how the heads of the applicable agencies and departments will focus on innovative,
transformational technologies with the potential to enhance the
security, reliability, resilience, and trustworthiness of the digital
infrastructure, and to protect consumer privacy;</text></clause><clause commented="no" display-inline="no-display-inline" id="id05929F3D3557471BB91314FA535E8DC1"><enum>(iv)</enum><text display-inline="yes-display-inline">describe how the heads of the applicable agencies and departments will foster the rapid transfer of
research and development results into new cybersecurity
technologies and applications for the timely benefit of society and the
national interest, including through the dissemination of best practices
and other outreach activities;</text></clause><clause commented="no" display-inline="no-display-inline" id="id86C0E62B6B7C45B789337B357DA2B928"><enum>(v)</enum><text display-inline="yes-display-inline">describe how the heads of the applicable agencies and departments will establish and maintain a
national research infrastructure for creating, testing, and
evaluating the next generation of secure networking and information
technology systems; and</text></clause><clause commented="no" display-inline="no-display-inline" id="idCE78B382C4C74B45ADD2974BBA516882"><enum>(vi)</enum><text display-inline="yes-display-inline">describe how the heads of the applicable agencies and departments will facilitate access by
academic researchers to the infrastructure described in clause (v), as
well as to relevant data, including event data.</text></clause></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idB8E465E435834E1DA434E0C81BA687A9"><enum>(B)</enum><header display-inline="yes-display-inline">Private sector
efforts</header><text display-inline="yes-display-inline">In developing, implementing, and updating the strategic plan, the heads of the applicable agencies
and departments, working through the National Science
and Technology Council and Networking and Information Technology Research
and Development Program, shall work in close cooperation with
industry,
academia, and other interested stakeholders to ensure, to the extent
possible,
that Federal cybersecurity research and development is not duplicative of
private sector efforts.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id2AC084FB23D74C538507996655273EC3"><enum>(C)</enum><header display-inline="yes-display-inline">Recommendations</header><text display-inline="yes-display-inline">In developing and updating the strategic plan the heads of the applicable agencies and departments
shall solicit recommendations and advice from—</text><clause commented="no" display-inline="no-display-inline" id="id2BC9FE29BE3D4833B7B6074BA2A57D75"><enum>(i)</enum><text display-inline="yes-display-inline">the advisory committee established under section 101(b)(1) of the High-Performance Computing Act of
1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(b)(1)</external-xref>); and</text></clause><clause commented="no" display-inline="no-display-inline" id="id188E4CF202CD4FB783F66C1A18476F1A"><enum>(ii)</enum><text display-inline="yes-display-inline">a wide range of stakeholders, including industry, academia, including representatives of minority
serving institutions and community colleges, National Laboratories, and
other relevant organizations and institutions.</text></clause></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idE4FC43181F3A4C9B932528180769B3B9"><enum>(D)</enum><header display-inline="yes-display-inline">Implementation roadmap</header><text display-inline="yes-display-inline">The heads of the applicable agencies and departments, working through the National Science
and Technology Council and Networking and Information Technology Research
and Development Program, shall develop and annually update an
implementation roadmap for the strategic plan. The implementation roadmap
shall—</text><clause commented="no" display-inline="no-display-inline" id="id3960A632EF6C4A6DBCF536C707083166"><enum>(i)</enum><text display-inline="yes-display-inline">specify the role of each Federal agency in carrying out or sponsoring research and development to
meet the research objectives of the strategic plan, including a
description of how progress toward the research objectives will be
evaluated;</text></clause><clause commented="no" display-inline="no-display-inline" id="id15A261AB202E4562B40C33D7B8079864"><enum>(ii)</enum><text display-inline="yes-display-inline">specify the funding allocated to each major research objective of the strategic plan and the source
of funding by agency for the current fiscal year;</text></clause><clause commented="no" display-inline="no-display-inline" id="idE44F120CB9D745CEB0326E0004976E21"><enum>(iii)</enum><text display-inline="yes-display-inline">estimate the funding required for each major research objective of the strategic plan for the
following 3 fiscal years; and</text></clause><clause commented="no" display-inline="no-display-inline" id="idF3072A73E0B0498AB122419A0733ACEF"><enum>(iv)</enum><text display-inline="yes-display-inline">track ongoing and completed Federal cybersecurity research and development projects.</text></clause></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id44B0A9AB5CB24F81BDEFFE2F52167DA1"><enum>(3)</enum><header display-inline="yes-display-inline">Reports to Congress</header><text display-inline="yes-display-inline">The heads of the applicable agencies and departments, working through the National Science and
Technology Council and Networking and Information Technology Research and
Development Program, shall submit to the Committee on Commerce, Science,
and Transportation of the Senate and the Committee on Science, Space, and
Technology of the House of Representatives—</text><subparagraph commented="no" display-inline="no-display-inline" id="idFFBD10D1F3494743A80C8CF8A1747B31"><enum>(A)</enum><text display-inline="yes-display-inline">the strategic plan not later than 1 year after the date of enactment of this Act;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id09D022FF821943859EB7480D6C1E3D9B"><enum>(B)</enum><text display-inline="yes-display-inline">each quadrennial update to the strategic plan; and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id37A0E843F5654AC1A3F2E439DE35ADFF"><enum>(C)</enum><text display-inline="yes-display-inline">the implementation roadmap under subparagraph (D), and its annual updates, which shall be appended
to the
annual report required under section 101(a)(2)(D) of the High-Performance
Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(a)(2)(D)</external-xref>).</text></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id00066C1458E14FF5A121A1D89C4B27C2"><enum>(4)</enum><header display-inline="yes-display-inline">Definition of applicable agencies and departments</header><text display-inline="yes-display-inline">In this subsection, the term <term>applicable agencies and departments</term> means the agencies and departments identified in clauses (i) through (x) of section 101(a)(3)(B)
of the High-Performance
Computing
Act of
1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(a)(3)(B)</external-xref>) or designated under clause (xi) of that
section.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id914976b6-0218-4094-acfa-6f0f139b758e"><enum>(b)</enum><header display-inline="yes-display-inline">Cybersecurity practices
research</header><text display-inline="yes-display-inline">The Director of the National Science Foundation shall
support research that—</text><paragraph commented="no" display-inline="no-display-inline" id="idd2d331a2-c485-488c-8ec0-0a0f93116a8a"><enum>(1)</enum><text display-inline="yes-display-inline">develops, evaluates,
disseminates, and integrates new cybersecurity practices and concepts into
the
core curriculum of computer science programs and of other programs where
graduates of such programs have a substantial probability of developing
software after graduation, including new practices and concepts relating
to
secure coding education and improvement programs; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id81d303e3-84fb-42df-bb32-74395210a275"><enum>(2)</enum><text display-inline="yes-display-inline">develops new models for
professional development of faculty in cybersecurity education, including
secure coding development.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id0664672f-2223-4032-8b88-2294fb5ed5ee"><enum>(c)</enum><header display-inline="yes-display-inline">Cybersecurity modeling
and test beds</header><paragraph commented="no" display-inline="no-display-inline" id="id2f715961-7d3b-4f9e-8659-727c801c8a3b"><enum>(1)</enum><header display-inline="yes-display-inline">Review</header><text display-inline="yes-display-inline">Not
later than 1 year after the date of enactment of this Act, the Director
of the
National Science Foundation, in coordination with the Director of the
Office of
Science and Technology Policy, shall conduct a review of cybersecurity
test
beds in existence on the date of enactment of this Act to inform the
grants
under paragraph (2). The review shall include an assessment of whether a
sufficient number of cybersecurity test beds are available to meet the
research
needs under the Federal cybersecurity research and development strategic
plan. Upon
completion, the Director shall submit the review to the Committee on
Commerce, Science, and Transportation of the Senate and the Committee on
Science, Space, and Technology of the House of Representatives.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id3d718ebb-0882-480a-980f-63ea8de200cb"><enum>(2)</enum><header display-inline="yes-display-inline">Additional
cybersecurity modeling and test beds</header><subparagraph commented="no" display-inline="no-display-inline" id="id4fd42826-b84a-4c3c-9a51-164e7c09e160"><enum>(A)</enum><header display-inline="yes-display-inline">In
general</header><text display-inline="yes-display-inline">If the Director of the National Science Foundation, after
the review under paragraph (1), determines that the research needs under
the
Federal cybersecurity research and development strategic plan require the
establishment
of additional cybersecurity test beds, the Director of the National
Science
Foundation, in coordination with the Secretary of Commerce and the
Secretary of
Homeland Security, may award grants to institutions of higher education or
research and development non-profit institutions to establish
cybersecurity
test beds.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idd808d3ad-6042-4473-b9f8-7e8233916119"><enum>(B)</enum><header display-inline="yes-display-inline">Requirement</header><text display-inline="yes-display-inline">The
cybersecurity test beds under subparagraph (A) shall be sufficiently
robust
in
order to model the scale and complexity of real-time cyber attacks and
defenses
on real world networks and environments.</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id7a794473-5d55-44aa-9857-26f86709d63e"><enum>(C)</enum><header display-inline="yes-display-inline">Assessment
required</header><text display-inline="yes-display-inline">The Director of the National Science Foundation, in
coordination with the Secretary of Commerce and the Secretary of Homeland
Security, shall evaluate the effectiveness of any grants awarded under
this
subsection in meeting the objectives of the Federal cybersecurity research
and
development strategic plan not later than 2 years after the
review
under paragraph (1) of this subsection, and periodically thereafter.</text></subparagraph></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="ideb57e5b2-26d0-4fe2-adb0-3eb2c77d43a1"><enum>(d)</enum><header display-inline="yes-display-inline">Coordination With Other
Research Initiatives</header><text display-inline="yes-display-inline">In accordance with the responsibilities
under section 101 of the High-Performance Computing Act of 1991 (15 U.S.C.
5511), the Director of the Office of Science and Technology Policy shall
coordinate, to the extent practicable, Federal research and development
activities under this section with other ongoing research and development
security-related initiatives, including research being conducted by—</text><paragraph commented="no" display-inline="no-display-inline" id="idd5a105b0-8782-44a7-84f6-91e49c88f492"><enum>(1)</enum><text display-inline="yes-display-inline">the National Science
Foundation;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id60fb31f9-4a37-423c-bf1a-48f079c6bd78"><enum>(2)</enum><text display-inline="yes-display-inline">the National Institute of
Standards and Technology;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id38ba754a-dd00-404a-a84f-c8a7b777d6ba"><enum>(3)</enum><text display-inline="yes-display-inline">the Department of
Homeland Security;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id44298192-9c4f-46ed-8b27-e5f90c1eefe7"><enum>(4)</enum><text display-inline="yes-display-inline">other Federal
agencies;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id1ce39aa4-eea9-4c0a-b746-74746b0bc596"><enum>(5)</enum><text display-inline="yes-display-inline">other Federal and private
research laboratories, research entities, and universities;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id77f406f5-77d2-48f9-98b1-4036d853fc92"><enum>(6)</enum><text display-inline="yes-display-inline">institutions of higher
education;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id4cbf65c9-75a0-4e29-8d46-dd9c486c8d54"><enum>(7)</enum><text display-inline="yes-display-inline">relevant nonprofit
organizations; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id055299c6-05a2-4986-9174-1752b07226a9"><enum>(8)</enum><text display-inline="yes-display-inline">international partners of
the United States.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id5927279d-53b5-4dc5-94b4-534d9d9c068e"><enum>(e)</enum><header display-inline="yes-display-inline">National Science
Foundation Computer and Network Security Research Grant
Areas</header><text display-inline="yes-display-inline">Section 4(a)(1) of the Cyber Security Research and
Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(a)(1)</external-xref>) is amended—</text><paragraph commented="no" display-inline="no-display-inline" id="idecd86481-58a2-4235-b2d1-d87eb9ecfcb9"><enum>(1)</enum><text display-inline="yes-display-inline">in subparagraph (H), by
striking <quote>and</quote> at the end;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idb370e754-df27-4eec-a130-119a1f5afd78"><enum>(2)</enum><text display-inline="yes-display-inline">in subparagraph (I), by
striking the period at the end and inserting a semicolon; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id2dd0df8f-d718-45e9-b88a-eb38670d7fb5"><enum>(3)</enum><text display-inline="yes-display-inline">by adding at the end the
following:</text><quoted-block display-inline="no-display-inline" id="id148fd838-63ee-4b36-921d-ab0aa30efb93" style="OLC"><subparagraph commented="no" display-inline="no-display-inline" id="idcaaf4525-e12b-46ae-82ec-0a6ad148f2db"><enum>(J)</enum><text display-inline="yes-display-inline">secure fundamental
protocols that are integral to inter-network communications and
data
exchange;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idb92da513-c2be-4632-b37e-8d91d9a6414c"><enum>(K)</enum><text display-inline="yes-display-inline">secure software
engineering and software assurance, including—</text><clause commented="no" display-inline="no-display-inline" id="id0063a42d-c2f1-485b-be54-704bd6f24b0a"><enum>(i)</enum><text display-inline="yes-display-inline">programming languages and
systems that include fundamental security features;</text></clause><clause commented="no" display-inline="no-display-inline" id="id5913b700-a4cd-43dd-b949-d2561a0ec43b"><enum>(ii)</enum><text display-inline="yes-display-inline">portable or reusable
code that remains secure when deployed in various environments;</text></clause><clause commented="no" display-inline="no-display-inline" id="id753d6f98-e3e5-49c3-95eb-72a1f5ca9b8a"><enum>(iii)</enum><text display-inline="yes-display-inline">verification and
validation technologies to ensure that requirements and
specifications have
been implemented; and</text></clause><clause commented="no" display-inline="no-display-inline" id="id50ccddf4-a414-44e6-bca9-d0a38c8b27b7"><enum>(iv)</enum><text display-inline="yes-display-inline">models for comparison
and metrics to assure that required standards have been met;</text></clause></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id2d9d68ab-b65a-484a-8500-ff56d32eb9fb"><enum>(L)</enum><text display-inline="yes-display-inline">holistic system security
that—</text><clause commented="no" display-inline="no-display-inline" id="id451a2b46-97e4-4679-975f-05342e639308"><enum>(i)</enum><text display-inline="yes-display-inline">addresses the building of
secure systems from trusted and untrusted components;</text></clause><clause commented="no" display-inline="no-display-inline" id="idaafbe4d8-ceda-4b41-8526-1134e2140329"><enum>(ii)</enum><text display-inline="yes-display-inline">proactively reduces
vulnerabilities;</text></clause><clause commented="no" display-inline="no-display-inline" id="id524a376a-d9b8-44fb-a572-02587183fecd"><enum>(iii)</enum><text display-inline="yes-display-inline">addresses insider
threats; and</text></clause><clause commented="no" display-inline="no-display-inline" id="idcd232550-de7e-4d6e-8f64-593eb77fff24"><enum>(iv)</enum><text display-inline="yes-display-inline">supports privacy in
conjunction with improved security;</text></clause></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id11778980-740a-4dad-abd6-17ca179634a8"><enum>(M)</enum><text display-inline="yes-display-inline">monitoring and
detection;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id85fadbae-8158-4b64-81ca-f35b97953a2c"><enum>(N)</enum><text display-inline="yes-display-inline">mitigation and rapid
recovery methods;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idf5253d67-7103-4891-ab40-dc88b59c9839"><enum>(O)</enum><text display-inline="yes-display-inline">security of wireless
networks and mobile devices; and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idb0abe4e3-607d-4861-93d5-2d388a41f6f7"><enum>(P)</enum><text display-inline="yes-display-inline">security of cloud
infrastructure and
services.</text></subparagraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="idc00712df-9f11-4539-bca8-c60504cc5b7e"><enum>(f)</enum><header display-inline="yes-display-inline">Research on the science
of cybersecurity</header><text display-inline="yes-display-inline">The head of each agency and department
identified under section 101(a)(3)(B) of the High-Performance Computing
Act of
1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5511">15 U.S.C. 5511(a)(3)(B)</external-xref>), through existing programs and activities,
shall
support research that will lead to the development of a scientific
foundation
for the field of cybersecurity, including research that increases
understanding
of the underlying principles of securing complex networked systems,
enables
repeatable experimentation, and creates quantifiable security metrics.</text></subsection></section><section commented="no" display-inline="no-display-inline" id="idd5c74d86-baee-4975-89eb-daef0435349c" section-type="subsequent-section"><enum>202.</enum><header display-inline="yes-display-inline">Computer and network
security research centers</header><text display-inline="no-display-inline">Section 4(b) of the Cyber Security Research
and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7403">15 U.S.C. 7403(b)</external-xref>) is amended—</text><paragraph commented="no" display-inline="no-display-inline" id="id1E5DD0ACB8A9485DB1E20198E0004EE4"><enum>(1)</enum><text display-inline="yes-display-inline">in paragraph (3), by
striking <quote>the research areas</quote> and inserting the following:
<quote>improving the security and resiliency of information technology,
reducing cyber vulnerabilities, and anticipating and mitigating
consequences of
cyber attacks on critical infrastructure, by conducting research in the
areas</quote>;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idA4F2A951B50F447D88B4812A8E73D5AB"><enum>(2)</enum><text display-inline="yes-display-inline">by striking <quote>the
center</quote> in paragraph (4)(D) and inserting <quote>the Center</quote>;
and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id3CA8DB88F3E440F586F83F0298F6A4EB"><enum>(3)</enum><text display-inline="yes-display-inline">in paragraph (5)—</text><subparagraph commented="no" display-inline="no-display-inline" id="iddcc83de1-6b84-4e49-a1e8-bea47caf498f"><enum>(A)</enum><text display-inline="yes-display-inline">by striking
<quote>and</quote> at the end of subparagraph (C);</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idaa02a122-69a0-45f0-b7ee-3e1ff4819227"><enum>(B)</enum><text display-inline="yes-display-inline">by striking the period at
the end of subparagraph (D) and inserting a semicolon; and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id0be7a80f-dfc1-4389-bc4a-1015e34a69d4"><enum>(C)</enum><text display-inline="yes-display-inline">by adding at the end the
following:</text><quoted-block display-inline="no-display-inline" id="id4DE24E285CF74C0A8325A956200A99C1" style="OLC"><subparagraph commented="no" display-inline="no-display-inline" id="id93ccf816-ff06-464a-8e69-cb01235d7e98"><enum>(E)</enum><text display-inline="yes-display-inline">the demonstrated
capability of the applicant to conduct high performance computation
integral to
complex computer and network security research, through on-site or
off-site
computing;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id3bb9f000-f809-430e-a499-d83825ac7fae"><enum>(F)</enum><text display-inline="yes-display-inline">the applicant's
affiliation with private sector entities involved with industrial
research
described in subsection (a)(1);</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="ide174f673-c943-425b-93da-69cfadd378f4"><enum>(G)</enum><text display-inline="yes-display-inline">the capability of the
applicant to conduct research in a secure environment;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="ide3f3ce61-193c-4212-81e6-3f7cfea4968a"><enum>(H)</enum><text display-inline="yes-display-inline">the applicant's
affiliation with existing research programs of the Federal
Government;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id8dde5e6e-385c-4a3a-9a34-c6d621396d46"><enum>(I)</enum><text display-inline="yes-display-inline">the applicant's
experience managing public-private partnerships to transition new
technologies
into a commercial setting or the government user community;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idC8CE05598AF44C9290CC9CE447F73056"><enum>(J)</enum><text display-inline="yes-display-inline">the capability of the
applicant to conduct interdisciplinary cybersecurity research,
basic and
applied, such as in law, economics, or behavioral sciences; and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id6CFD03E49ED74626977E6FF134F34DC5"><enum>(K)</enum><text display-inline="yes-display-inline">the capability of the
applicant to conduct research in areas such as systems security,
wireless
security, networking and protocols, formal methods and
high-performance
computing, nanotechnology, or industrial control
systems.</text></subparagraph><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph></section><section commented="no" display-inline="no-display-inline" id="id8775B5FC7B2F4C238FE3A4064A49F53F" section-type="subsequent-section"><enum>203.</enum><header display-inline="yes-display-inline">Cybersecurity automation and checklists for government systems</header><text display-inline="no-display-inline">Section 8(c) of the Cyber Security Research and Development Act (<external-xref legal-doc="usc" parsable-cite="usc/15/7406">15 U.S.C. 7406(c)</external-xref>) is amended to
read as follows:</text><quoted-block display-inline="no-display-inline" id="id90653E2CEFD34151A29925CF01E73222" style="OLC"><subsection commented="no" display-inline="no-display-inline" id="idB90A3759EF4244A0838A8DF3A8122C65"><enum>(c)</enum><header display-inline="yes-display-inline">Security automation and checklists for government systems</header><paragraph commented="no" display-inline="no-display-inline" id="idC9D0CFEDAD0E41C6AC5C5F6932FF28E1"><enum>(1)</enum><header display-inline="yes-display-inline">In general</header><text display-inline="yes-display-inline">The Director of the National Institute of Standards and Technology shall, as necessary, develop and
revise security automation standards, associated reference materials
(including protocols), and checklists providing settings and option
selections that minimize the security risks associated with each
information technology hardware or software system and security tool that
is, or is likely to become, widely used within the Federal Government,
thereby enabling standardized and interoperable technologies,
architectures, and frameworks for continuous monitoring of information
security within the Federal Government.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id6F8432B0877842D98CD168202E009A12"><enum>(2)</enum><header display-inline="yes-display-inline">Priorities for development</header><text display-inline="yes-display-inline">The Director of the National Institute of Standards and Technology shall establish priorities for
the development of standards, reference materials, and checklists under
this subsection on the basis of—</text><subparagraph commented="no" display-inline="no-display-inline" id="idE7363978F0FB4AEC94ACB154FBFF7FAF"><enum>(A)</enum><text display-inline="yes-display-inline">the security risks associated with the use of the system;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id6394C218C110432C9DE0B6C1DEAA3243"><enum>(B)</enum><text display-inline="yes-display-inline">the number of agencies that use a particular system or security tool;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idF2131A5ED8B84CE396673CB69BC94F78"><enum>(C)</enum><text display-inline="yes-display-inline">the usefulness of the standards, reference materials, or checklists to Federal agencies that are
users or potential users of the system;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id174073A1C2334AD888FACDD7731A6CD4"><enum>(D)</enum><text display-inline="yes-display-inline">the effectiveness of the associated standard, reference material, or checklist in creating or
enabling continuous monitoring of information security; or</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id6D5315C70A2A49C99D89F90DBDCA8751"><enum>(E)</enum><text display-inline="yes-display-inline">such other factors as the Director of the National Institute of Standards and Technology determines
to be appropriate.</text></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id48C3875E96DA471DB9515B187EF00B14"><enum>(3)</enum><header display-inline="yes-display-inline">Excluded systems</header><text display-inline="yes-display-inline">The Director of the National Institute of Standards and Technology may exclude from the application
of paragraph (1) any information technology hardware or software system or
security tool for which such Director determines that the development of a
standard, reference material, or checklist is inappropriate because of the
infrequency of use of the system, the obsolescence of the system, or the
lack of utility or impracticability of developing a standard, reference
material, or checklist for the system.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id9D92F94E03A8443E98C3D23D87B8B82E"><enum>(4)</enum><header display-inline="yes-display-inline">Dissemination of standards and related materials</header><text display-inline="yes-display-inline">The Director of the National Institute of Standards and Technology shall ensure that Federal
agencies are informed of the availability of any standard, reference
material, checklist, or other item developed under this subsection.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idCA7207F620B9454C830B77757969BDB6"><enum>(5)</enum><header display-inline="yes-display-inline">Agency use requirements</header><text display-inline="yes-display-inline">The development of standards, reference materials, and checklists under paragraph (1) for an
information technology hardware or software system or tool does not—</text><subparagraph commented="no" display-inline="no-display-inline" id="idE977BB153F884AD0995854AE35AF418D"><enum>(A)</enum><text display-inline="yes-display-inline">require any Federal agency to select the specific settings or options recommended by the standard,
reference material, or checklist for the system;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id78F51BB992C5405DA4660303E3CC9C16"><enum>(B)</enum><text display-inline="yes-display-inline">establish conditions or prerequisites for Federal agency procurement or deployment of any such
system;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idF0459212FA9B4D3EA2CD725687B7945A"><enum>(C)</enum><text display-inline="yes-display-inline">imply an endorsement of any such system by the Director of the National Institute of Standards and
Technology; or</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id4AC374A82E4145F9A833572AA132DED6"><enum>(D)</enum><text display-inline="yes-display-inline">preclude any Federal agency from procuring or deploying other information technology hardware or
software systems for which no such standard, reference material, or
checklist has been developed or identified under paragraph (1).</text></subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></section><section commented="no" display-inline="no-display-inline" id="idDC9374414B6A4DD1910D910133F9A91D" section-type="subsequent-section"><enum>204.</enum><header display-inline="yes-display-inline">National Institute of Standards and Technology cybersecurity research and development</header><text display-inline="no-display-inline">Section 20 of the National Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3</external-xref>) is amended—</text><paragraph commented="no" display-inline="no-display-inline" id="id112364BC955E4A738874BA1B18CDE904"><enum>(1)</enum><text display-inline="yes-display-inline">by redesignating subsection (e) as subsection (f); and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id98D5F24D6A0B448AB5CFE6E1CB05EBC3"><enum>(2)</enum><text display-inline="yes-display-inline">by inserting after subsection (d) the following:</text><quoted-block display-inline="no-display-inline" id="id42BF77D0237644AC90A1DE97DDFDA02A" style="OLC"><subsection commented="no" display-inline="no-display-inline" id="idACED525C90AB438D88C75D41F98AC7D3"><enum>(e)</enum><header display-inline="yes-display-inline">Intramural Security Research</header><text display-inline="yes-display-inline">As part of the research activities conducted in accordance with subsection (d)(3), the Institute
shall, to the extent practicable and appropriate—</text><paragraph commented="no" display-inline="no-display-inline" id="id6D8422DBD79A44709452C850D347EDCA"><enum>(1)</enum><text display-inline="yes-display-inline">conduct a research program to develop a unifying and standardized identity, privilege, and access
control management framework for the execution of a wide variety of
resource protection policies and that is amenable to implementation within
a wide variety of existing and emerging computing environments;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idE50FB82A0DD943348902C9DD3CBFD337"><enum>(2)</enum><text display-inline="yes-display-inline">carry out research associated with improving the security of information systems and networks;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id6314CEA3D7904B168EF1C24BC7C34867"><enum>(3)</enum><text display-inline="yes-display-inline">carry out research associated with improving the testing, measurement, usability, and assurance of
information systems and networks;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id603648AC619A410BAC0390ED5BAFEABA"><enum>(4)</enum><text display-inline="yes-display-inline">carry out research associated with improving security of industrial control systems;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idDEA332D812FF49A98A6787F7BFA40374"><enum>(5)</enum><text display-inline="yes-display-inline">carry out research associated with improving the security and integrity of the information
technology supply chain; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id0FAC7F89730F474D8021BA0ACA921E4D"><enum>(6)</enum><text display-inline="yes-display-inline">carry out any additional research the Institute determines appropriate.</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></section><enum>III</enum><header display-inline="yes-display-inline">Education and Workforce
Development</header><section commented="no" display-inline="no-display-inline" id="id903fd649-950b-4aa9-9afc-35d2ae804318" section-type="subsequent-section"><enum>301.</enum><header display-inline="yes-display-inline"> Cybersecurity
competitions and challenges</header><subsection commented="no" display-inline="no-display-inline" id="id067acd21-a3ee-4e60-8f30-93de47876e50"><enum>(a)</enum><header display-inline="yes-display-inline">In
general</header><text display-inline="yes-display-inline">The Secretary of Commerce, Director of the National
Science Foundation, and Secretary of Homeland Security, in consultation
with
the Director of the Office of Personnel Management, shall—</text><paragraph commented="no" display-inline="no-display-inline" id="id88e4f562-02f3-4086-90d3-e1ee021a7c10"><enum>(1)</enum><text display-inline="yes-display-inline">support competitions and
challenges under section 24 of the Stevenson-Wydler Technology Innovation
Act of 1980 (<external-xref legal-doc="usc" parsable-cite="usc/15/3719">15 U.S.C. 3719</external-xref>) (as amended by section 105 of the America
COMPETES Reauthorization Act
of
2010 (124 Stat. 3989)) or any other provision of law, as appropriate—</text><subparagraph commented="no" display-inline="no-display-inline" id="id0f3964aa-e308-4437-8d57-4da654b0bb3f"><enum>(A)</enum><text display-inline="yes-display-inline">to identify, develop, and
recruit talented individuals to perform duties relating to the security of
information technology in Federal, State, local, and tribal government
agencies,
and the private sector; or</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id5875ee86-84c7-4e84-ab50-3f03a5ef9f26"><enum>(B)</enum><text display-inline="yes-display-inline">to stimulate innovation
in basic and applied cybersecurity research, technology development, and
prototype demonstration that has the potential for application to the
information technology activities of the Federal Government; and</text></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="ida7a00f15-2763-43cb-ac35-cc344d645948"><enum>(2)</enum><text display-inline="yes-display-inline">ensure the effective
operation of the competitions and challenges under this section.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="idff1719dc-2369-4cf9-8068-a946012a19a6"><enum>(b)</enum><header display-inline="yes-display-inline">Participation</header><text display-inline="yes-display-inline">Participants
in the competitions and challenges under subsection (a)(1) may include—</text><paragraph commented="no" display-inline="no-display-inline" id="id1aee8955-47da-452b-bb63-745ce46fbd7a"><enum>(1)</enum><text display-inline="yes-display-inline">students enrolled in
grades 9 through 12;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id1a51b06b-fcc1-4c62-8eb8-e8beb2e42085"><enum>(2)</enum><text display-inline="yes-display-inline">students enrolled in a
postsecondary program of study leading to a baccalaureate degree at an
institution of higher education;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id91c1b541-aeb6-4231-824a-8589962cc962"><enum>(3)</enum><text display-inline="yes-display-inline">students enrolled in a
postbaccalaureate program of study at an institution of higher
education;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id49de017f-94ae-4e66-bf8f-f0cbb50f5459"><enum>(4)</enum><text display-inline="yes-display-inline">institutions of higher
education and research institutions;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id259dd04f-9456-4652-9954-e02400351fd8"><enum>(5)</enum><text display-inline="yes-display-inline">veterans; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idb5210d03-8c7b-4c1c-b424-1e626cbe930e"><enum>(6)</enum><text display-inline="yes-display-inline">other groups or
individuals that the Secretary of Commerce, Director of the National
Science
Foundation, and Secretary of Homeland Security determine appropriate.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id95239c71-e79d-49cb-a9b8-10a56539de48"><enum>(c)</enum><header display-inline="yes-display-inline">Affiliation and
cooperative agreements</header><text display-inline="yes-display-inline">Competitions and challenges under this
section may be carried out through affiliation and cooperative agreements
with—</text><paragraph commented="no" display-inline="no-display-inline" id="idbae23af8-4aa7-4f9b-95a2-f12fbef7be97"><enum>(1)</enum><text display-inline="yes-display-inline">Federal agencies;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="ida6c4cc47-79cd-4537-bc2b-97542018698e"><enum>(2)</enum><text display-inline="yes-display-inline">regional, State, or
school programs supporting the development of cyber professionals;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idb5e670b1-ff8f-41bc-9dbb-37493ecddc69"><enum>(3)</enum><text display-inline="yes-display-inline">State, local, and tribal
governments; or</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id20a01513-72f6-4200-8eb6-93e98789db53"><enum>(4)</enum><text display-inline="yes-display-inline">other private sector
organizations.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id1bca636b-4a42-4270-9147-1d9aaff050c6"><enum>(d)</enum><header display-inline="yes-display-inline">Areas of
skill</header><text display-inline="yes-display-inline">Competitions and challenges under subsection (a)(1)(A)
shall be designed to identify, develop, and recruit exceptional talent
relating
to—</text><paragraph commented="no" display-inline="no-display-inline" id="id6efbab11-1f16-4c5e-884f-bde39a9c5dda"><enum>(1)</enum><text display-inline="yes-display-inline">ethical hacking;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id6926225c-40fe-4c04-985c-3dc2a454bf0b"><enum>(2)</enum><text display-inline="yes-display-inline">penetration
testing;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idaf24dda6-ec07-46e2-aacd-9a65deec0b13"><enum>(3)</enum><text display-inline="yes-display-inline">vulnerability
assessment;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idcdba0e51-1ef6-4103-93b2-f01a366b548b"><enum>(4)</enum><text display-inline="yes-display-inline">continuity of system
operations;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id21378cf1-0045-4e55-a8b2-6ad32f599656"><enum>(5)</enum><text display-inline="yes-display-inline">security in
design;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id0129966f-005a-4ffa-a48a-9291d24806c8"><enum>(6)</enum><text display-inline="yes-display-inline">cyber forensics;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id92306664-9c62-45c1-9934-09f3ec1d0787"><enum>(7)</enum><text display-inline="yes-display-inline">offensive and defensive
cyber operations; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id093fd900-a959-44bc-8a78-b1a539a8390b"><enum>(8)</enum><text display-inline="yes-display-inline">other areas the Secretary
of Commerce, Director of the National Science Foundation, and Secretary of
Homeland Security consider necessary to fulfill the cybersecurity
mission.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id116329b0-eb08-454a-83e3-627e5744e6b6"><enum>(e)</enum><header display-inline="yes-display-inline">Topics</header><text display-inline="yes-display-inline">In
selecting topics for competitions and challenges under subsection (a)(1),
the
Secretary of Commerce, Director of the National Science Foundation, and
Secretary of Homeland Security—</text><paragraph commented="no" display-inline="no-display-inline" id="id3db23b3b-4c84-48cb-b7dc-9eb608ba3b4b"><enum>(1)</enum><text display-inline="yes-display-inline">shall consult widely both
within and outside the Federal Government; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id8c9a94b6-46cb-4934-880a-2407c4228598"><enum>(2)</enum><text display-inline="yes-display-inline">may empanel advisory
committees.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="idbb5d0dd5-5c9d-453b-b583-bcc38be8b612"><enum>(f)</enum><header display-inline="yes-display-inline">Internships</header><text display-inline="yes-display-inline">The
Director of the Office of Personnel Management may support, as
appropriate,
internships or other work experience in the Federal Government to the
winners
of the competitions and challenges under this section.</text></subsection></section><section commented="no" display-inline="no-display-inline" id="idb36aedb6-92d2-4753-811f-ae7c5825f473" section-type="subsequent-section"><enum>302.</enum><header display-inline="yes-display-inline">Federal cyber
scholarship-for-service program</header><subsection commented="no" display-inline="no-display-inline" id="idab86d04b-6ecb-4964-a07d-c600ff05e16f"><enum>(a)</enum><header display-inline="yes-display-inline">In
general</header><text display-inline="yes-display-inline">The Director of the National Science Foundation, in
coordination with the Director of the Office of Personnel Management and
Secretary of Homeland Security, shall continue a Federal cyber
scholarship-for-service program to recruit and train the next generation
of
information technology professionals, industrial control system security
professionals, and security managers to meet the needs of the
cybersecurity
mission for Federal, State, local, and tribal governments.</text></subsection><subsection commented="no" display-inline="no-display-inline" id="id940f95af-be2a-40a5-a1d7-adcece269070"><enum>(b)</enum><header display-inline="yes-display-inline">Program description and
components</header><text display-inline="yes-display-inline">The Federal Cyber Scholarship-for-Service Program
shall—</text><paragraph commented="no" display-inline="no-display-inline" id="id83cfb53f-7f87-4167-bd43-bb6cabca8920"><enum>(1)</enum><text display-inline="yes-display-inline">provide scholarships through qualified institutions of higher education, including community
colleges, to
students who are enrolled in programs of study at institutions of higher
education leading to degrees or specialized program certifications in the
cybersecurity field;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idf82ca9c9-8784-449d-ba1b-9b1b6f1a9641"><enum>(2)</enum><text display-inline="yes-display-inline">provide the scholarship
recipients with summer internship opportunities or other meaningful
temporary
appointments in the Federal information technology workforce; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idf8eea3a8-1f46-466d-a2cb-3b37aee71cda"><enum>(3)</enum><text display-inline="yes-display-inline">prioritize the employment placement of scholarship recipients in the Federal Government.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="idb7db691a-672e-4a86-b096-b772e2e60155"><enum>(c)</enum><header display-inline="yes-display-inline">Scholarship
amounts</header><text display-inline="yes-display-inline">Each scholarship under subsection (b) shall be in an
amount that covers the student's tuition and fees at the institution under
subsection (b)(1) for not more than 3 years and provides the student with
an additional stipend.</text></subsection><subsection commented="no" display-inline="no-display-inline" id="idc55c4c88-14ca-4900-a9b5-cfd129d3474e"><enum>(d)</enum><header display-inline="yes-display-inline">Post-award employment obligations</header><text display-inline="yes-display-inline">Each scholarship recipient, as a condition of
receiving a scholarship under the program, shall enter into an agreement
under
which the recipient agrees to work in the cybersecurity mission of a
Federal,
State, local, or tribal agency for a period equal to the length of the
scholarship following receipt of the student's degree.</text></subsection><subsection commented="no" display-inline="no-display-inline" id="id1f153832-f830-4069-8c4a-c9c5c4d1b6ff"><enum>(e)</enum><header display-inline="yes-display-inline">Hiring
authority</header><paragraph commented="no" display-inline="no-display-inline" id="id3c043b60-0ca7-4ba2-8b87-d434f026c1bb"><enum>(1)</enum><header display-inline="yes-display-inline">Appointment in excepted
service</header><text display-inline="yes-display-inline">Notwithstanding any provision of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/5/33">chapter 33</external-xref> of title 5,
United States Code, governing appointments in the competitive service, an
agency shall appoint in the excepted service an individual who has
completed
the eligible degree program for which a scholarship was awarded.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id9951860b-974f-4bfe-9b44-ea8e7fcf2408"><enum>(2)</enum><header display-inline="yes-display-inline">Noncompetitive
conversion</header><text display-inline="yes-display-inline">Except as provided in paragraph (4), upon fulfillment
of the service term, an employee appointed under paragraph (1) may be
converted
noncompetitively to term, career-conditional or career appointment.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id71b148e6-2f9b-440c-bc47-19f539adde5f"><enum>(3)</enum><header display-inline="yes-display-inline">Timing of
conversion</header><text display-inline="yes-display-inline">An agency may noncompetitively convert a term employee
appointed under paragraph (2) to a career-conditional or career
appointment
before the term appointment expires.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id3f9691a5-4497-41c1-8216-e015f136f3ed"><enum>(4)</enum><header display-inline="yes-display-inline">Authority to decline
conversion</header><text display-inline="yes-display-inline">An agency may decline to make the noncompetitive
conversion or appointment under paragraph (2) for cause.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id65de700f-379c-48a8-838a-edf383c5671c"><enum>(f)</enum><header display-inline="yes-display-inline">Eligibility</header><text display-inline="yes-display-inline">To
be eligible to receive a scholarship under this section, an individual
shall—</text><paragraph commented="no" display-inline="no-display-inline" id="ida5db3f63-2fbc-4d34-808c-61eb10e7c66a"><enum>(1)</enum><text display-inline="yes-display-inline">be a citizen or lawful
permanent resident of the United States;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id684f7698-8ac6-4280-908f-30ba571d0e77"><enum>(2)</enum><text display-inline="yes-display-inline">demonstrate a commitment
to a career in improving the security of information technology;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idfd5843ef-b895-4c7e-86e9-5a3822ab7642"><enum>(3)</enum><text display-inline="yes-display-inline">have demonstrated a high
level of proficiency in mathematics, engineering, or computer sciences;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id1910C0A0082C45E0BBEC19AA51D12E71"><enum>(4)</enum><text display-inline="yes-display-inline">be a full-time student in an eligible degree
program at a qualified institution of higher education, as determined by
the Director of the National
Science Foundation; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id85E16D375589431990BEC6D54FB6A698"><enum>(5)</enum><text display-inline="yes-display-inline">accept the terms of a scholarship under this section.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id5429178e-d5c9-49c5-9817-2e51aa6aa81f"><enum>(g)</enum><header display-inline="yes-display-inline">Conditions of support</header><paragraph commented="no" display-inline="no-display-inline" id="id3C6D8AE1F9334432BF8962BE7BBA3FC0"><enum>(1)</enum><header display-inline="yes-display-inline">In general</header><text display-inline="yes-display-inline">As a condition of receiving a scholarship under this section, a recipient shall agree to
provide the qualified institution of higher education
with annual verifiable documentation of post-award employment and
up-to-date contact information.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id61641BBC80E941CA81C27AED8FE817E6"><enum>(2)</enum><header display-inline="yes-display-inline">Terms</header><text display-inline="yes-display-inline">A scholarship recipient under this
section shall be liable to the United States as provided in subsection (i)
if the individual—</text><subparagraph commented="no" display-inline="no-display-inline" id="id9910D7F28024452C915A9101201F4C2F"><enum>(A)</enum><text display-inline="yes-display-inline">fails to maintain an acceptable level of academic standing at the applicable institution of
higher
education, as determined by the Director of the National Science
Foundation;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idF0D0A4A58D364B9BB69631786084D8C2"><enum>(B)</enum><text display-inline="yes-display-inline">is dismissed from the applicable institution of higher education for disciplinary reasons;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id80A9BAA8C3D64881B84C5B3088E08D7A"><enum>(C)</enum><text display-inline="yes-display-inline">withdraws from the eligible degree program before completing the program;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id16FC09FCD4134B9499C62CF0D817D04E"><enum>(D)</enum><text display-inline="yes-display-inline">declares that the individual does not intend to fulfill the post-award employment obligation under
this section;
or</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idA8449BFF22A0436588258394F08CA6EC"><enum>(E)</enum><text display-inline="yes-display-inline">fails to fulfill the post-award employment obligation of the individual under this section.</text></subparagraph></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id1A5670BE3AE448C1A934F2333780A2DF"><enum>(h)</enum><header display-inline="yes-display-inline">Monitoring compliance</header><text display-inline="yes-display-inline">As a condition of participating in the program, a qualified institution of higher education
shall—</text><paragraph commented="no" display-inline="no-display-inline" id="idB3E0A4D56E944FE696F06C7B93E9670E"><enum>(1)</enum><text display-inline="yes-display-inline">enter into an agreement with the Director of the National Science Foundation, to monitor the
compliance of scholarship recipients with respect to their post-award
employment obligations; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id4E999C0663F54B26B90AEF013C187815"><enum>(2)</enum><text display-inline="yes-display-inline">provide to the Director of the National Science Foundation, on an annual basis, the post-award
employment documentation required under subsection (g)(1) for scholarship
recipients through the completion of their post-award employment
obligations.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id622FCB3867244FC0A219B0DF4D615B19"><enum>(i)</enum><header display-inline="yes-display-inline">Amount of repayment</header><paragraph commented="no" display-inline="no-display-inline" id="id48A132CE933C48618EAEC9953EEE3809"><enum>(1)</enum><header display-inline="yes-display-inline">Less than 1 year of service</header><text display-inline="yes-display-inline">If a circumstance described in subsection (g)(2) occurs before the completion of 1 year of a
post-award employment obligation under this section, the total amount
of scholarship awards received by the individual under this section shall—</text><subparagraph commented="no" display-inline="no-display-inline" id="id17C99C6E96994118AAFEC32E0FF7DA80"><enum>(A)</enum><text display-inline="yes-display-inline">be repaid; or</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id444C1A2D1BE64A488A23F99E194B79F9"><enum>(B)</enum><text display-inline="yes-display-inline">be treated
as a loan to be repaid in accordance with subsection (j).</text></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id4F5CFE0655304792902DCDCBD1901F7D"><enum>(2)</enum><header display-inline="yes-display-inline">1 or more years of service</header><text display-inline="yes-display-inline">If a circumstance described in subparagraph (D) or (E) of subsection (g)(2) occurs after the
completion of 1 or more years of
a
post-award employment obligation under this section, the total amount of
scholarship
awards received by the
individual under this section, reduced by the ratio of the number of years
of service completed divided by the number of years of service required,
shall—</text><subparagraph commented="no" display-inline="no-display-inline" id="idFF1E63F406FF4FA6B3D19CB358479057"><enum>(A)</enum><text display-inline="yes-display-inline">be repaid; or</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idFEF8FB550A324B56BA522F2DE859E92E"><enum>(B)</enum><text display-inline="yes-display-inline">be treated
as a loan to be repaid in accordance with subsection (j).</text></subparagraph></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id013A6E1F53064CDFB0C83E8655E09D09"><enum>(j)</enum><header display-inline="yes-display-inline">Repayments</header><text display-inline="yes-display-inline">A loan described subsection (i) shall—</text><paragraph commented="no" display-inline="no-display-inline" id="idDC066C016C9A4EF4A8DFD40964F75A84"><enum>(1)</enum><text display-inline="yes-display-inline">be treated as a Federal Direct Unsubsidized Stafford Loan under part D of title IV of the Higher
Education Act of 1965 (<external-xref legal-doc="usc" parsable-cite="usc/20/1087a">20 U.S.C. 1087a et seq.</external-xref>); and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id3DF6B0925E9344B0BAF85FFA38F1B1AE"><enum>(2)</enum><text display-inline="yes-display-inline">be subject to repayment, together with interest thereon accruing from the date of the scholarship
award, in accordance with terms and conditions specified by the Director
of the National Science Foundation (in consultation with the Secretary of
Education) in regulations promulgated to carry out this subsection.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id72FAADF8357144928C694B8CFF501823"><enum>(k)</enum><header display-inline="yes-display-inline">Collection of repayment</header><paragraph commented="no" display-inline="no-display-inline" id="idF066483383E34EB887588EE8E3EF16A7"><enum>(1)</enum><header display-inline="yes-display-inline">In general</header><text display-inline="yes-display-inline">In the event that a scholarship recipient is required to repay the scholarship award under this
section,
the qualified institution of higher education providing the scholarship
shall—</text><subparagraph commented="no" display-inline="no-display-inline" id="id5ED1E87DE76A4299A49970AA15D5D9FF"><enum>(A)</enum><text display-inline="yes-display-inline">determine the repayment
amounts and notify the recipient and the Director of the National Science
Foundation of the amounts owed; and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id6F7299A4E0944BD1B6072E3CC39FE10F"><enum>(B)</enum><text display-inline="yes-display-inline">collect the repayment amounts within a period of time as determined by the Director of the National
Science Foundation, or the repayment amounts shall be treated as a loan in
accordance with subsection (j).</text></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idD5380027ADB449C68D4F40C16F07A788"><enum>(2)</enum><header display-inline="yes-display-inline">Returned to Treasury</header><text display-inline="yes-display-inline">Except as provided in paragraph (3), any repayment under this subsection shall be returned to the
Treasury of the
United States.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idE74EC69AB10C41848092A106845ACB3E"><enum>(3)</enum><header display-inline="yes-display-inline">Retain percentage</header><text display-inline="yes-display-inline">A qualified institution of higher education may retain a percentage of any repayment the
institution
collects under this subsection to defray administrative costs associated
with the collection. The Director of the National Science Foundation shall
establish a single, fixed percentage that will apply to all eligible
entities.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id19AC9CE1BF4647BF8F69147B9AD6AE80"><enum>(l)</enum><header display-inline="yes-display-inline">Exceptions</header><text display-inline="yes-display-inline">The Director of the National Science Foundation may provide for the partial or total waiver or
suspension of any service or payment obligation by
an individual under this section whenever compliance by the individual
with the obligation is impossible or would involve extreme hardship to the
individual, or if enforcement of such obligation with respect to the
individual would be unconscionable.</text></subsection><subsection commented="no" display-inline="no-display-inline" id="id5b0eafb9-eb19-430b-9020-93877ab2dcc0"><enum>(m)</enum><header display-inline="yes-display-inline">Evaluation and
report</header><text display-inline="yes-display-inline">The Director of the National Science Foundation shall
evaluate and report periodically to Congress on the success of recruiting
individuals for scholarships under this section and on hiring and
retaining
those individuals in the public sector workforce.</text></subsection></section><enum>IV</enum><header display-inline="yes-display-inline">Cybersecurity Awareness
and Preparedness</header><section commented="no" display-inline="no-display-inline" id="idf4a02230-50b0-4996-858e-b1d8f2f3b714" section-type="subsequent-section"><enum>401.</enum><header display-inline="yes-display-inline">National cybersecurity
awareness and education program</header><subsection commented="no" display-inline="no-display-inline" id="id21f9c915-aff3-4cd6-90cc-bb51b734dac1"><enum>(a)</enum><header display-inline="yes-display-inline">National cybersecurity
awareness and education program</header><text display-inline="yes-display-inline">The Director of the National
Institute of Standards and Technology (referred to in this section as the
<quote>Director</quote>), in consultation with appropriate Federal agencies,
industry, educational institutions, National Laboratories, the Networking
and Information Technology
Research and Development program, and other organizations shall continue
to coordinate a national cybersecurity awareness and education program,
that includes activities such
as—</text><paragraph commented="no" display-inline="no-display-inline" id="idF8B6ABAF29AB47E594C41287A96DEA53"><enum>(1)</enum><text display-inline="yes-display-inline">the widespread dissemination of cybersecurity technical standards and best practices identified by
the Director;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idE6F728ECFA2547279D9AADC14117E437"><enum>(2)</enum><text display-inline="yes-display-inline">efforts to make cybersecurity best practices usable by individuals, small to medium-sized
businesses, educational institutions, and
State, local, and tribal governments;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idbe3e5684-e43c-4f14-bef7-1bf21c34eeb3"><enum>(3)</enum><text display-inline="yes-display-inline">increasing
public awareness of cybersecurity, cyber safety, and cyber ethics;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id3cdf3215-7803-4fbd-89d7-06c18224bb5b"><enum>(4)</enum><text display-inline="yes-display-inline">increasing
the understanding of State, local, and tribal governments, institutions of
higher
education, and private sector entities of—</text><subparagraph commented="no" display-inline="no-display-inline" id="id778e5597-6cfa-4771-820a-9592a77d4167"><enum>(A)</enum><text display-inline="yes-display-inline">the benefits of ensuring
effective risk management of information technology versus the
costs of
failure to do so; and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id99395195-7861-4dac-85ac-a0389999979d"><enum>(B)</enum><text display-inline="yes-display-inline">the methods to mitigate
and remediate vulnerabilities;</text></subparagraph></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idb4d0b32b-72ce-40b5-8d14-e97a84964fbf"><enum>(5)</enum><text display-inline="yes-display-inline">supporting formal
cybersecurity education programs at all education levels to prepare
and improve a skilled
cybersecurity and computer science workforce for the private sector and
Federal,
State, local, and tribal government; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idb45140ba-28a0-4f9f-8777-e64c4b9d1473"><enum>(6)</enum><text display-inline="yes-display-inline">promoting initiatives to evaluate
and forecast future cybersecurity workforce needs of the Federal
Government and
develop strategies for recruitment, training, and retention.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id525fcfad-2f9e-4110-81a0-29d67e2970a8"><enum>(b)</enum><header display-inline="yes-display-inline">Considerations</header><text display-inline="yes-display-inline">In
carrying out the authority described in subsection (a), the Director, in
consultation with appropriate Federal agencies, shall leverage existing
programs designed to inform the public of safety and security of products
or
services, including self-certifications and independently verified
assessments
regarding the quantification and valuation of information security risk.</text></subsection><subsection commented="no" display-inline="no-display-inline" id="id79e063a1-4f80-4aef-98de-f78e423ac9fb"><enum>(c)</enum><header display-inline="yes-display-inline">Strategic
plan</header><text display-inline="yes-display-inline">The Director, in cooperation with relevant Federal agencies
and other stakeholders, shall build upon programs and plans in effect as
of the
date of enactment of this Act to develop and implement a strategic plan to
guide Federal programs and activities in support of the national
cybersecurity
awareness and education program under subsection (a).</text></subsection><subsection commented="no" display-inline="no-display-inline" id="id8a106b8c-ac97-4781-87a8-6773261fe4d2"><enum>(d)</enum><header display-inline="yes-display-inline">Report</header><text display-inline="yes-display-inline">Not
later than 1 year after the date of enactment of this Act, and every 5
years
thereafter, the Director shall transmit the strategic plan under
subsection (c)
to the Committee on Commerce, Science, and Transportation of the Senate
and the
Committee on Science, Space, and Technology of the House of
Representatives.</text></subsection></section><enum>V</enum><header display-inline="yes-display-inline">Advancement of cybersecurity technical standards</header><section commented="no" display-inline="no-display-inline" id="idEA6FDDB7C3CF4B6689DCCCB57C61B1CA" section-type="subsequent-section"><enum>501.</enum><header display-inline="yes-display-inline">Definitions</header><text display-inline="no-display-inline">In this title:</text><paragraph commented="no" display-inline="no-display-inline" id="idC6741D766C6C41C0941C75EB9BF00927"><enum>(1)</enum><header display-inline="yes-display-inline">Director</header><text display-inline="yes-display-inline">The term <term>Director</term> means the Director of the National Institute of Standards and Technology.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id36B9289ACFCA4529A929DA7A2D12134D"><enum>(2)</enum><header display-inline="yes-display-inline">Institute</header><text display-inline="yes-display-inline">The term <term>Institute</term> means the National Institute of Standards and Technology.</text></paragraph></section><section commented="no" display-inline="no-display-inline" id="idCBA697BDBECC4F43AA09667B261D5A53" section-type="subsequent-section"><enum>502.</enum><header display-inline="yes-display-inline">International cybersecurity technical standards</header><subsection commented="no" display-inline="no-display-inline" id="id61209B28A89C421AA64CDA27EEABAB41"><enum>(a)</enum><header display-inline="yes-display-inline">In general</header><text display-inline="yes-display-inline">The Director, in coordination with appropriate Federal authorities, shall—</text><paragraph commented="no" display-inline="no-display-inline" id="id7257F8AC43094975B36509241CB6814F"><enum>(1)</enum><text display-inline="yes-display-inline">as appropriate, ensure coordination of Federal agencies engaged in the development of international
technical standards related to information system security; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id7E50A4CE0E3E405889682842B008EAE7"><enum>(2)</enum><text display-inline="yes-display-inline">not later than 1 year after the date of enactment of this Act, develop and transmit to Congress
a plan for ensuring such Federal agency coordination.</text></paragraph></subsection><subsection commented="no" display-inline="no-display-inline" id="id8470544057334FE2A4904C8183214148"><enum>(b)</enum><header display-inline="yes-display-inline">Consultation with the private sector</header><text display-inline="yes-display-inline">In carrying out the activities specified in subsection (a)(1), the Director shall ensure
consultation with
appropriate private sector stakeholders.</text></subsection></section><section commented="no" display-inline="no-display-inline" id="id90B2F5062768455789F4826772B6F3BC" section-type="subsequent-section"><enum>503.</enum><header display-inline="yes-display-inline">Cloud computing strategy</header><subsection commented="no" display-inline="no-display-inline" id="id08CC0CC98F5344599F4CC0CCD3124C2C"><enum>(a)</enum><header display-inline="yes-display-inline">In general</header><text display-inline="yes-display-inline">The Director, in coordination with the Office of Management and Budget, in collaboration with the
Federal Chief Information Officers Council, and in
consultation with other relevant Federal agencies and stakeholders from
the
private sector, shall continue to develop and encourage the implementation
of a comprehensive strategy for the use and adoption of cloud computing
services by the Federal Government.</text></subsection><subsection commented="no" display-inline="no-display-inline" id="id1189174DB1834522AF669276DAE4D07A"><enum>(b)</enum><header display-inline="yes-display-inline">Activities</header><text display-inline="yes-display-inline">In carrying out the strategy described under subsection (a), the Director shall give consideration
to activities that—</text><paragraph commented="no" display-inline="no-display-inline" id="id01EDA1A77C694259B9080E453A24D0C7"><enum>(1)</enum><text display-inline="yes-display-inline">accelerate the development, in collaboration with the private sector, of standards that address
interoperability and portability of cloud computing services;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id34A4613F58F24051A4EAFCF1F9C078F2"><enum>(2)</enum><text display-inline="yes-display-inline">advance the development of conformance testing performed by the private sector in support of cloud
computing standardization; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idCEE6268A60244985B860D31DB1A4C325"><enum>(3)</enum><text display-inline="yes-display-inline">support, in coordination with the Office of Management and Budget, and in consultation with the
private sector, the development of appropriate security
frameworks and reference materials, and the identification of best
practices, for use by Federal agencies to address security and privacy
requirements to enable the use and adoption of cloud computing services,
including activities—</text><subparagraph commented="no" display-inline="no-display-inline" id="id3B65D222F1634E8A848C45B49F035312"><enum>(A)</enum><text display-inline="yes-display-inline">to ensure the physical security of cloud computing data centers and the data stored in such
centers;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idF98C4B8899F545F486463D790712AE1F"><enum>(B)</enum><text display-inline="yes-display-inline">to ensure secure access to the data stored in cloud computing data centers;</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="idA9603E4A3C79419DAC5953B1C5B37F8B"><enum>(C)</enum><text display-inline="yes-display-inline">to develop security standards as required under section 20 of the National Institute of Standards
and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3</external-xref>); and</text></subparagraph><subparagraph commented="no" display-inline="no-display-inline" id="id41D521B335B5400E820FC22E65C1A93D"><enum>(D)</enum><text display-inline="yes-display-inline">to support the development of the automation of continuous monitoring systems.</text></subparagraph></paragraph></subsection></section><section commented="no" display-inline="no-display-inline" id="id6A740D43C99A454E88C816CC902A7060" section-type="subsequent-section"><enum>504.</enum><header display-inline="yes-display-inline">Identity management research and development</header><text display-inline="no-display-inline">The Director shall continue a program to support the development of voluntary and cost-effective
technical standards, metrology, testbeds, and conformance criteria, taking
into account appropriate user concerns—</text><paragraph commented="no" display-inline="no-display-inline" id="id88031E8CFE7E4EB789C4DC7B59A3CC2F"><enum>(1)</enum><text display-inline="yes-display-inline">to improve interoperability among identity management technologies;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id95AA4101103A4527BFC00762B5A66DA9"><enum>(2)</enum><text display-inline="yes-display-inline">to strengthen authentication methods of identity management systems;</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id5AFCD06659C74E29B2403E10629A5DD7"><enum>(3)</enum><text display-inline="yes-display-inline">to improve privacy protection in identity management systems, including health information
technology systems, through authentication and security protocols; and</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="id66B9631FF3D94DDE8799F97F41EA3245"><enum>(4)</enum><text display-inline="yes-display-inline">to improve the usability of identity management systems.</text></paragraph></section>Passed the Senate December 11, 2014.Secretary