Public Law 113–274: To provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness, and for other purposes. Public Law274 Public Law 113–274128 Stat. 2971 2014-12-18 2014-12-18 United States Government Publishing OfficeNational Archives and Records AdministrationOffice of the Federal Registertext/xmlENPursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain. GPO Locator to USLM Converter 4.15.31;Stage2.202507022026-01-03 113public PUBLIC LAW 113–274—DEC. 18, 2014 128 STAT. 2971 Public Law113–274 113th Congress
An Act To provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness, and for other purposes.

Dec. 18, 2014

[S. 1353]

   Be it enacted by the Senate and House of Representa­tives of the United States of America in Congress assembled,

Cybersecurity Enhancement Act of 2014.
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.(a)

15 USC 7421 note.

Short Title.—This Act may be cited as the “Cybersecurity Enhancement Act of 2014”. (b) Table of Contents.—The table of contents of this Act is as follows: Sec. 1.  Sec. 2.  Sec. 3.  Sec. 4.  TITLE I— Sec. 101.  TITLE II— Sec. 201.  Sec. 202.  Sec. 203.  Sec. 204.  TITLE III— Sec. 301.  Sec. 302.  TITLE IV— Sec. 401.  TITLE V— Sec. 501.  Sec. 502.  Sec. 503.  Sec. 504. 
SEC. 2.

15 USC 7421.

DEFINITIONS.  In this Act:(1) Cybersecurity mission.—The term “cybersecurity mission” means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies 128 STAT. 2972 and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as such activities relate to the security and stability of cyberspace. (2) Information system.—The term “information system” has the meaning given that term in section 3502 of title 44, United States Code.
SEC. 3.

15 USC 7422.

NO REGULATORY AUTHORITY.  Nothing in this Act shall be construed to confer any regulatory authority on any Federal, State, tribal, or local department or agency.
SEC. 4.

15 USC 7423.

NO ADDITIONAL FUNDS AUTHORIZED.  No additional funds are authorized to carry out this Act, and the amendments made by this Act. This Act, and the amendments made by this Act, shall be carried out using amounts otherwise authorized or appropriated.
<num value="I">TITLE I—</num><heading>PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY</heading> <section id="d375367e295" identifier="/us/pl/113/274/tI/s101" style="-uslm-lc:I658143"><num class="fontsize12" value="101">SEC. 101. </num><heading>PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.</heading><subsection class="firstIndent0 fontsize10" id="y3cea2161-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/a" role="instruction" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="a">(a) </num><heading class="fontsize10"><inline class="smallCaps">Cybersecurity</inline>.—</heading><chapeau>Section 2(c) of the National Institute of Standards and Technology Act (<ref href="/us/usc/t15/s272/c">15 U.S.C. 272(c)</ref>) <amendingAction type="amend">is amended</amendingAction>—</chapeau><paragraph class="fontsize10" id="y3cea2162-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/a/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>by <amendingAction type="redesignate">redesignating</amendingAction> paragraphs (15) through (22) as paragraphs (16) through (23), respectively; and</content></paragraph> <paragraph class="fontsize10" id="y3cea2163-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/a/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>by <amendingAction type="insert">inserting</amendingAction> after paragraph (14) the following:<quotedContent><paragraph class="indentUp0 fontsize10" id="y3cea2164-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="15">“(15) </num><content>on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure (as defined under subsection (e));”</content></paragraph> </quotedContent>.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cea2165-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/b" role="instruction" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="b">(b) </num><heading class="fontsize10"><inline class="smallCaps">Scope and Limitations</inline>.—</heading><content>Section 2 of the National Institute of Standards and Technology Act (<ref href="/us/usc/t15/s272">15 U.S.C. 272</ref>) <amendingAction type="amend">is amended</amendingAction> by <amendingAction type="add">adding</amendingAction> at the end the following:<quotedContent><subsection class="firstIndent0 fontsize10" id="y3ceb0bc6-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="e">“(e) </num><heading class="fontsize10"><inline class="smallCaps">Cyber Risks</inline>.—</heading><paragraph class="fontsize10" id="y3ceb0bc7-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">“(1) </num><heading class="fontsize10"><inline class="smallCaps">In general</inline>.—</heading><chapeau>In carrying out the activities under subsection (c)(15), the Director—</chapeau><subparagraph class="fontsize10" id="y3ceb0bc8-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">“(A) </num><chapeau>shall—</chapeau><clause class="fontsize10" id="y3ceb0bc9-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="i">“(i) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3ceb0bca-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Coordination.</p></sidenote><content>coordinate closely and regularly with relevant private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations, including Sector Coordinating Councils and Information Sharing and Analysis Centers, and incorporate industry expertise;</content></clause> <clause class="fontsize10" id="y3ceb0bcb-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="ii">“(ii) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3ceb0bcc-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Consultation.</p></sidenote><content>consult with the heads of agencies with national security responsibilities, sector-specific agencies and other appropriate agencies, State and local governments, the governments of other nations, and international organizations;</content></clause> <clause class="fontsize10" id="y3ceb0bcd-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iii">“(iii) </num><content>identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, <page identifier="/us/stat/128/2973">128 STAT. 2973</page> that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks;</content></clause> <clause class="fontsize10" id="y3ceb0bce-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iv">“(iv) </num><chapeau>include methodologies—</chapeau><subclause class="fontsize10" id="y3ceb0bcf-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658128"><num class="fontsize10" style="-uslm-lc:emspace2" value="I">“(I) </num><content>to identify and mitigate impacts of the cybersecurity measures or controls on business confidentiality; and</content></subclause> <subclause class="fontsize10" id="y3ceb0bd0-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658128"><num class="fontsize10" style="-uslm-lc:emspace2" value="II">“(II) </num><content>to protect individual privacy and civil liberties;</content></subclause> </clause> <clause class="fontsize10" id="y3ceb0bd1-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="v">“(v) </num><content>incorporate voluntary consensus standards and industry best practices;</content></clause> <clause class="fontsize10" id="y3ceb0bd2-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="vi">“(vi) </num><content>align with voluntary international standards to the fullest extent possible;</content></clause> <clause class="fontsize10" id="y3ceb0bd3-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="vii">“(vii) </num><content>prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes; and</content></clause> <clause class="fontsize10" id="y3ceb0bd4-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="viii">“(viii) </num><content>include such other similar and consistent elements as the Director considers necessary; and</content></clause> </subparagraph> <subparagraph class="fontsize10" id="y3ceb0bd5-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">“(B) </num><chapeau>shall not prescribe or otherwise require—</chapeau><clause class="fontsize10" id="y3ceb0bd6-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="i">“(i) </num><content>the use of specific solutions;</content></clause> <clause class="fontsize10" id="y3ceb0bd7-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="ii">“(ii) </num><content>the use of specific information or communications technology products or services; or</content></clause> <clause class="fontsize10" id="y3ceb0bd8-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iii">“(iii) </num><content>that information or communications technology products or services be designed, developed, or manufactured in a particular manner.</content></clause> </subparagraph> </paragraph> <paragraph class="fontsize10" id="y3ceb32e9-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">“(2) </num><heading class="fontsize10"><inline class="smallCaps">Limitation</inline>.—</heading><content>Information shared with or provided to the Institute for the purpose of the activities described under subsection (c)(15) shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity. Nothing in this paragraph shall be construed to modify any regulatory requirement to report or submit information to a Federal, State, tribal, or local department or agency.</content></paragraph> <paragraph class="fontsize10" id="y3ceb32ea-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">“(3) </num><heading class="fontsize10"><inline class="smallCaps">Definitions</inline>.—</heading><chapeau>In this subsection:</chapeau><subparagraph class="fontsize10" id="y3ceb32eb-e880-11f0-bc57-ad3ac4b1618c" role="definitions" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">“(A) </num><heading class="fontsize10"><inline class="smallCaps">Critical infrastructure</inline>.—</heading><content>The term ‘<term>critical infrastructure</term>’ has the meaning given the term in section 1016(e) of the USA PATRIOT Act of 2001 (<ref href="/us/usc/t42/s5195c/e">42 U.S.C. 5195c(e)</ref>).</content></subparagraph> <subparagraph class="fontsize10" id="y3ceb32ec-e880-11f0-bc57-ad3ac4b1618c" role="definitions" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">“(B) </num><heading class="fontsize10"><inline class="smallCaps">Sector-specific agency</inline>.—</heading><content>The term ‘<term>sector-specific agency</term>’ means the Federal department or agency responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.”</content></subparagraph> </paragraph> </subsection> </quotedContent>.</content></subsection> <subsection class="firstIndent0 fontsize10" id="y3ceb32ed-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/c" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="c">(c) </num><heading class="fontsize10"><inline class="smallCaps">Study and Reports</inline>.—</heading><paragraph class="fontsize10" id="y3ceb32ee-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/c/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><heading class="fontsize10"><inline class="smallCaps">Study</inline>.—</heading><chapeau>The Comptroller General of the United States shall conduct a study that assesses—</chapeau><subparagraph class="fontsize10" id="y3ceb32ef-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/c/1/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>the progress made by the Director of the National Institute of Standards and Technology in facilitating the development of standards and procedures to reduce cyber risks to critical infrastructure in accordance with section 2(c)(15) of the National Institute of Standards and Technology Act, as added by this section;</content></subparagraph> <subparagraph class="fontsize10" id="y3ceb32f0-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/c/1/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>the extent to which the Director’s facilitation efforts are consistent with the directive in such section that the <page identifier="/us/stat/128/2974">128 STAT. 2974</page> development of such standards and procedures be voluntary and led by industry representatives;</content></subparagraph> <subparagraph class="fontsize10" id="y3ceb32f1-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/c/1/C" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">(C) </num><content>the extent to which other Federal agencies have promoted and sectors of critical infrastructure (as defined in section 1016(e) of the USA PATRIOT Act of 2001 (<ref href="/us/usc/t42/s5195c/e">42 U.S.C. 5195c(e)</ref>)) have adopted a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure in accordance with such section 2(c)(15);</content></subparagraph> <subparagraph class="fontsize10" id="y3ceb32f2-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/c/1/D" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="D">(D) </num><content>the reasons behind the decisions of sectors of critical infrastructure (as defined in subparagraph (C)) to adopt or to not adopt the voluntary standards described in subparagraph (C); and</content></subparagraph> <subparagraph class="fontsize10" id="y3ceb32f3-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/c/1/E" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="E">(E) </num><content>the extent to which such voluntary standards have proved successful in protecting critical infrastructure from cyber threats.</content></subparagraph> </paragraph> <paragraph class="fontsize10" id="y3ceb32f4-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tI/s101/c/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><heading class="fontsize10"><inline class="smallCaps">Reports</inline>.—</heading><content>Not later than 1 year after the date of the enactment of this Act, and every 2 years thereafter for the following 6 years, the Comptroller General shall submit a report, which summarizes the findings of the study conducted under paragraph (1), to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.</content></paragraph> </subsection> </section> <num value="II">TITLE II—</num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3ceb32f5-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">15 USC</p><p class="leftAlign firstIndent0 fontsize8" id="x3ceb32f6-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">prec. 7431.</p></sidenote><heading>CYBERSECURITY RESEARCH AND DEVELOPMENT</heading> <section id="d375367e576" identifier="/us/pl/113/274/tII/s201" style="-uslm-lc:I658143"><num class="fontsize12" value="201">SEC. 201. </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3ceb32f7-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180"><ref href="/us/usc/t15/s7431">15 USC 7431</ref>.</p></sidenote><heading>FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.</heading><subsection class="firstIndent0 fontsize10" id="y3cef50a8-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="a">(a) </num><heading class="fontsize10"><inline class="smallCaps">Fundamental Cybersecurity Research</inline>.—</heading><paragraph class="fontsize10" id="y3cef50a9-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><heading class="fontsize10"><inline class="smallCaps">Federal cybersecurity research and development strategic plan</inline>.—</heading><chapeau>The heads<sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cef50aa-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Deadline.</p></sidenote> of the applicable agencies and departments, working through the National Science and Technology Council and the Networking and Information Technology Research and Development Program, shall develop and update every 4 years a Federal cybersecurity research and development strategic plan (referred to in this subsection as the “strategic plan”) based on an assessment of cybersecurity risk to guide the overall direction of Federal cybersecurity and information assurance research and development for information technology and networking systems. The heads of the applicable agencies and departments shall build upon existing programs and plans to develop the strategic plan to meet objectives in cybersecurity, such as—</chapeau><subparagraph class="fontsize10" id="y3cef50ab-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>how to design and build complex software-intensive systems that are secure and reliable when first deployed;</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50ac-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>how to test and verify that software and hardware, whether developed locally or obtained from a third party, is free of significant known security flaws;</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50ad-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/C" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">(C) </num><content>how to test and verify that software and hardware obtained from a third party correctly implements stated functionality, and only that functionality;</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50ae-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/D" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="D">(D) </num><content>how to guarantee the privacy of an individual, including that individual’s identity, information, and lawful transactions when stored in distributed systems or transmitted over networks;<page identifier="/us/stat/128/2975">128 STAT. 2975</page></content></subparagraph> <subparagraph class="fontsize10" id="y3cef50af-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/E" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="E">(E) </num><content>how to build new protocols to enable the Internet to have robust security as one of the key capabilities of the Internet;</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50b0-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/F" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="F">(F) </num><content>how to determine the origin of a message transmitted over the Internet;</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50b1-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/G" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="G">(G) </num><content>how to support privacy in conjunction with improved security;</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50b2-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/H" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="H">(H) </num><content>how to address the problem of insider threats;</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50b3-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/I" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="I">(I) </num><content>how improved consumer education and digital literacy initiatives can address human factors that contribute to cybersecurity;</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50b4-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/J" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="J">(J) </num><content>how to protect information processed, transmitted, or stored using cloud computing or transmitted through wireless services; and</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50b5-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/1/K" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="K">(K) </num><content>any additional objectives the heads of the applicable agencies and departments, in coordination with the head of any relevant Federal agency and with input from stakeholders, including appropriate national laboratories, industry, and academia, determine appropriate.</content></subparagraph> </paragraph> <paragraph class="fontsize10" id="y3cef50b6-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><heading class="fontsize10"><inline class="smallCaps">Requirements</inline>.—</heading><subparagraph class="fontsize10" id="y3cef50b7-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><heading class="fontsize10"><inline class="smallCaps">Contents of plan</inline>.—</heading><chapeau>The strategic plan shall—</chapeau><clause class="fontsize10" id="y3cef50b8-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/A/i" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="i">(i) </num><content>specify and prioritize near-term, mid-term, and long-term research objectives, including objectives associated with the research identified in section 4(a)(1) of the Cyber Security Research and Development Act (<ref href="/us/usc/t15/s7403/a/1">15 U.S.C. 7403(a)(1)</ref>);</content></clause> <clause class="fontsize10" id="y3cef50b9-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/A/ii" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="ii">(ii) </num><content>specify how the near-term objectives described in clause (i) complement research and development areas in which the private sector is actively engaged;</content></clause> <clause class="fontsize10" id="y3cef50ba-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/A/iii" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iii">(iii) </num><content>describe how the heads of the applicable agencies and departments will focus on innovative, transformational technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure, and to protect consumer privacy;</content></clause> <clause class="fontsize10" id="y3cef50bb-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/A/iv" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iv">(iv) </num><content>describe how the heads of the applicable agencies and departments will foster the rapid transfer of research and development results into new cybersecurity technologies and applications for the timely benefit of society and the national interest, including through the dissemination of best practices and other outreach activities;</content></clause> <clause class="fontsize10" id="y3cef50bc-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/A/v" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="v">(v) </num><content>describe how the heads of the applicable agencies and departments will establish and maintain a national research infrastructure for creating, testing, and evaluating the next generation of secure networking and information technology systems; and</content></clause> <clause class="fontsize10" id="y3cef50bd-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/A/vi" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="vi">(vi) </num><content>describe how the heads of the applicable agencies and departments will facilitate access by academic researchers to the infrastructure described in clause (v), as well as to relevant data, including event data.</content></clause> </subparagraph> <subparagraph class="fontsize10" id="y3cef50be-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><heading class="fontsize10"><inline class="smallCaps">Private sector efforts</inline>.—</heading><content>In developing, implementing, and updating the strategic plan, the heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall work in close cooperation with <page identifier="/us/stat/128/2976">128 STAT. 2976</page> industry, academia, and other interested stakeholders to ensure, to the extent possible, that Federal cybersecurity research and development is not duplicative of private sector efforts.</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50bf-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/C" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">(C) </num><heading class="fontsize10"><inline class="smallCaps">Recommendations</inline>.—</heading><chapeau>In developing and updating the strategic plan the heads of the applicable agencies and departments shall solicit recommendations and advice from—</chapeau><clause class="fontsize10" id="y3cef50c0-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/C/i" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="i">(i) </num><content>the advisory committee established under section 101(b)(1) of the High-Performance Computing Act of 1991 (<ref href="/us/usc/t15/s5511/b/1">15 U.S.C. 5511(b)(1)</ref>); and</content></clause> <clause class="fontsize10" id="y3cef50c1-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/C/ii" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="ii">(ii) </num><content>a wide range of stakeholders, including industry, academia, including representatives of minority serving institutions and community colleges, National Laboratories, and other relevant organizations and institutions.</content></clause> </subparagraph> <subparagraph class="fontsize10" id="y3cef50c2-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/D" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="D">(D) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cef50c3-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Deadline.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">Implementation roadmap</inline>.—</heading><chapeau>The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall develop and annually update an implementation roadmap for the strategic plan. The implementation roadmap shall—</chapeau><clause class="fontsize10" id="y3cef50c4-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/D/i" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="i">(i) </num><content>specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated;</content></clause> <clause class="fontsize10" id="y3cef50c5-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/D/ii" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="ii">(ii) </num><content>specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year;</content></clause> <clause class="fontsize10" id="y3cef50c6-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/D/iii" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iii">(iii) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cef50c7-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Time period.</p></sidenote><content>estimate the funding required for each major research objective of the strategic plan for the following 3 fiscal years; and</content></clause> <clause class="fontsize10" id="y3cef50c8-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/2/D/iv" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iv">(iv) </num><content>track ongoing and completed Federal cybersecurity research and development projects.</content></clause> </subparagraph> </paragraph> <paragraph class="fontsize10" id="y3cef50c9-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><heading class="fontsize10"><inline class="smallCaps">Reports to congress</inline>.—</heading><chapeau>The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives—</chapeau><subparagraph class="fontsize10" id="y3cef50ca-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/3/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>the strategic plan not later than 1 year after the date of enactment of this Act;</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50cb-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/3/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>each quadrennial update to the strategic plan; and</content></subparagraph> <subparagraph class="fontsize10" id="y3cef50cc-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/3/C" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">(C) </num><content>the implementation roadmap under subparagraph (D), and its annual updates, which shall be appended to the annual report required under section 101(a)(2)(D) of the High-Performance Computing Act of 1991 (<ref href="/us/usc/t15/s5511/a/2/D">15 U.S.C. 5511(a)(2)(D)</ref>).</content></subparagraph> </paragraph> <paragraph class="fontsize10" id="y3cef50cd-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/a/4" role="definitions" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">(4) </num><heading class="fontsize10"><inline class="smallCaps">Definition of applicable agencies and departments</inline>.—</heading><content>In this subsection, the term “<term>applicable agencies and departments</term>” means the agencies and departments identified in clauses (i) through (x) of section 101(a)(3)(B) of the High-Performance Computing Act of 1991 (<ref href="/us/usc/t15/s5511/a/3/B">15 U.S.C. 5511(a)(3)(B)</ref>) or designated under clause (xi) of that section.<page identifier="/us/stat/128/2977">128 STAT. 2977</page></content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cef50ce-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/b" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="b">(b) </num><heading class="fontsize10"><inline class="smallCaps">Cybersecurity Practices Research</inline>.—</heading><chapeau>The Director of the National Science Foundation shall support research that—</chapeau><paragraph class="fontsize10" id="y3cef50cf-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/b/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>develops, evaluates, disseminates, and integrates new cybersecurity practices and concepts into the core curriculum of computer science programs and of other programs where graduates of such programs have a substantial probability of developing software after graduation, including new practices and concepts relating to secure coding education and improvement programs; and</content></paragraph> <paragraph class="fontsize10" id="y3cef50d0-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/b/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>develops new models for professional development of faculty in cybersecurity education, including secure coding development.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cef77e1-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/c" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="c">(c) </num><heading class="fontsize10"><inline class="smallCaps">Cybersecurity Modeling and Test Beds</inline>.—</heading><paragraph class="fontsize10" id="y3cef77e2-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/c/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cef77e3-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Deadline.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">Review</inline>.—</heading><content>Not later than 1 year after the date of enactment of this Act, the Director of the National Science Foundation, in coordination with the Director of the Office of Science and Technology Policy, shall conduct a review of cybersecurity test beds in existence on the date of enactment of this Act to inform the grants under paragraph (2). The<sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cef77e4-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Assessment.</p></sidenote> review shall include an assessment of whether a sufficient number of cybersecurity test beds are available to meet the research needs under the Federal cybersecurity research and development strategic plan. Upon completion, the Director shall submit the review to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.</content></paragraph> <paragraph class="fontsize10" id="y3cef77e5-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/c/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cef77e6-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Grants.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">Additional cybersecurity modeling and test beds</inline>.—</heading><subparagraph class="fontsize10" id="y3cef77e7-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/c/2/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cef77e8-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Determination.</p><p class="leftAlign firstIndent0 fontsize8" id="x3cef77e9-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Coordination.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">In general</inline>.—</heading><content>If the Director of the National Science Foundation, after the review under paragraph (1), determines that the research needs under the Federal cybersecurity research and development strategic plan require the establishment of additional cybersecurity test beds, the Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, may award grants to institutions of higher education or research and development non-profit institutions to establish cybersecurity test beds.</content></subparagraph> <subparagraph class="fontsize10" id="y3cef77ea-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/c/2/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><heading class="fontsize10"><inline class="smallCaps">Requirement</inline>.—</heading><content>The cybersecurity test beds under subparagraph (A) shall be sufficiently robust in order to model the scale and complexity of real-time cyber attacks and defenses on real world networks and environments.</content></subparagraph> <subparagraph class="fontsize10" id="y3cef77eb-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/c/2/C" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">(C) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cef77ec-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Coordination.</p><p class="leftAlign firstIndent0 fontsize8" id="x3cef77ed-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Evaluation.</p><p class="leftAlign firstIndent0 fontsize8" id="x3cef77ee-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Deadlines.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">Assessment required</inline>.—</heading><content>The Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, shall evaluate the effectiveness of any grants awarded under this subsection in meeting the objectives of the Federal cybersecurity research and development strategic plan not later than 2 years after the review under paragraph (1) of this subsection, and periodically thereafter.</content></subparagraph> </paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cef77ef-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/d" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="d">(d) </num><heading class="fontsize10"><inline class="smallCaps">Coordination With Other Research Initiatives</inline>.—</heading><chapeau>In accordance with the responsibilities under section 101 of the High-Performance Computing Act of 1991 (<ref href="/us/usc/t15/s5511">15 U.S.C. 5511</ref>), the Director of the Office of Science and Technology Policy shall coordinate, to the extent practicable, Federal research and development activities under this section with other ongoing research and development security-related initiatives, including research being conducted by—<page identifier="/us/stat/128/2978">128 STAT. 2978</page></chapeau><paragraph class="fontsize10" id="y3cef77f0-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/d/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>the National Science Foundation;</content></paragraph> <paragraph class="fontsize10" id="y3cef77f1-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/d/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>the National Institute of Standards and Technology;</content></paragraph> <paragraph class="fontsize10" id="y3cef77f2-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/d/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><content>the Department of Homeland Security;</content></paragraph> <paragraph class="fontsize10" id="y3cef77f3-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/d/4" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">(4) </num><content>other Federal agencies;</content></paragraph> <paragraph class="fontsize10" id="y3cef77f4-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/d/5" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="5">(5) </num><content>other Federal and private research laboratories, research entities, and universities;</content></paragraph> <paragraph class="fontsize10" id="y3cef77f5-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/d/6" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="6">(6) </num><content>institutions of higher education;</content></paragraph> <paragraph class="fontsize10" id="y3cef77f6-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/d/7" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="7">(7) </num><content>relevant nonprofit organizations; and</content></paragraph> <paragraph class="fontsize10" id="y3cef77f7-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/d/8" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="8">(8) </num><content>international partners of the United States.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cef77f8-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/e" role="instruction" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="e">(e) </num><heading class="fontsize10"><inline class="smallCaps">National Science Foundation Computer and Network Security Research Grant Areas</inline>.—</heading><chapeau>Section 4(a)(1) of the Cyber Security Research and Development Act (<ref href="/us/usc/t15/s7403/a/1">15 U.S.C. 7403(a)(1)</ref>) <amendingAction type="amend">is amended</amendingAction>—</chapeau><paragraph class="fontsize10" id="y3cef77f9-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/e/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>in subparagraph (H), by <amendingAction type="delete">striking</amendingAction> “<quotedText>and</quotedText>” at the end;</content></paragraph> <paragraph class="fontsize10" id="y3cef77fa-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/e/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>in subparagraph (I), by <amendingAction type="delete">striking</amendingAction> the period at the end and <amendingAction type="insert">inserting</amendingAction> a semicolon; and</content></paragraph> <paragraph class="fontsize10" id="y3cef77fb-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/e/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><content>by <amendingAction type="add">adding</amendingAction> at the end the following:<quotedContent><subparagraph class="fontsize10" id="y3cf0143c-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="J">“(J) </num><content>secure fundamental protocols that are integral to inter-network communications and data exchange;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf0143d-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="K">“(K) </num><chapeau>secure software engineering and software assurance, including—</chapeau><clause class="fontsize10" id="y3cf0143e-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="i">“(i) </num><content>programming languages and systems that include fundamental security features;</content></clause> <clause class="fontsize10" id="y3cf0143f-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="ii">“(ii) </num><content>portable or reusable code that remains secure when deployed in various environments;</content></clause> <clause class="fontsize10" id="y3cf01440-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iii">“(iii) </num><content>verification and validation technologies to ensure that requirements and specifications have been implemented; and</content></clause> <clause class="fontsize10" id="y3cf01441-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iv">“(iv) </num><content>models for comparison and metrics to assure that required standards have been met;</content></clause> </subparagraph> <subparagraph class="fontsize10" id="y3cf01442-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="L">“(L) </num><chapeau>holistic system security that—</chapeau><clause class="fontsize10" id="y3cf01443-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="i">“(i) </num><content>addresses the building of secure systems from trusted and untrusted components;</content></clause> <clause class="fontsize10" id="y3cf01444-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="ii">“(ii) </num><content>proactively reduces vulnerabilities;</content></clause> <clause class="fontsize10" id="y3cf01445-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iii">“(iii) </num><content>addresses insider threats; and</content></clause> <clause class="fontsize10" id="y3cf01446-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658126"><num class="fontsize10" style="-uslm-lc:emspace2" value="iv">“(iv) </num><content>supports privacy in conjunction with improved security;</content></clause> </subparagraph> <subparagraph class="fontsize10" id="y3cf01447-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="M">“(M) </num><content>monitoring and detection;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf01448-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="N">“(N) </num><content>mitigation and rapid recovery methods;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf01449-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="O">“(O) </num><content>security of wireless networks and mobile devices; and</content></subparagraph> <subparagraph class="fontsize10" id="y3cf0144a-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="P">“(P) </num><content>security of cloud infrastructure and services.”</content></subparagraph> </quotedContent>.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf0144b-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s201/f" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="f">(f) </num><heading class="fontsize10"><inline class="smallCaps">Research on the Science of Cybersecurity</inline>.—</heading><content>The head of each agency and department identified under section 101(a)(3)(B) of the High-Performance Computing Act of 1991 (<ref href="/us/usc/t15/s5511/a/3/B">15 U.S.C. 5511(a)(3)(B)</ref>), through existing programs and activities, shall support research that will lead to the development of a scientific foundation for the field of cybersecurity, including research that increases understanding of the underlying principles of securing complex networked systems, enables repeatable experimentation, and creates quantifiable security metrics.</content></subsection> </section> <section id="d375367e1122" identifier="/us/pl/113/274/tII/s202" role="instruction" style="-uslm-lc:I658143"><num class="fontsize12" value="202">SEC. 202. </num><heading>COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.</heading><chapeau class="indentUp0 firstIndent0 fontsize10" id="x3cf0897c-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658120">  Section 4(b) of the Cyber Security Research and Development Act (<ref href="/us/usc/t15/s7403/b">15 U.S.C. 7403(b)</ref>) <amendingAction type="amend">is amended</amendingAction>—</chapeau><paragraph class="fontsize10" id="y3cf0897d-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s202/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>in paragraph (3), by <amendingAction type="delete">striking</amendingAction> “<quotedText>the research areas</quotedText>” and <amendingAction type="insert">inserting</amendingAction> the following: “<quotedText>improving the security and resiliency <page identifier="/us/stat/128/2979">128 STAT. 2979</page> of information technology, reducing cyber vulnerabilities, and anticipating and mitigating consequences of cyber attacks on critical infrastructure, by conducting research in the areas</quotedText>”;</content></paragraph> <paragraph class="fontsize10" id="y3cf0897e-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s202/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>by <amendingAction type="delete">striking</amendingAction> “<quotedText>the center</quotedText>” in paragraph (4)(D) and <amendingAction type="insert">inserting</amendingAction> “<quotedText>the Center</quotedText>”; and</content></paragraph> <paragraph class="fontsize10" id="y3cf0897f-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s202/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><chapeau>in paragraph (5)—</chapeau><subparagraph class="fontsize10" id="y3cf08980-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s202/3/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>by <amendingAction type="delete">striking</amendingAction> “<quotedText>and</quotedText>” at the end of subparagraph (C);</content></subparagraph> <subparagraph class="fontsize10" id="y3cf08981-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s202/3/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>by <amendingAction type="delete">striking</amendingAction> the period at the end of subparagraph (D) and <amendingAction type="insert">inserting</amendingAction> a semicolon; and</content></subparagraph> <subparagraph class="fontsize10" id="y3cf08982-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s202/3/C" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">(C) </num><content>by <amendingAction type="add">adding</amendingAction> at the end the following:<quotedContent><subparagraph class="indentUp0 fontsize10" id="y3cf0d7a3-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="E">“(E) </num><content>the demonstrated capability of the applicant to conduct high performance computation integral to complex computer and network security research, through on-site or off-site computing;</content></subparagraph> <subparagraph class="indentUp0 fontsize10" id="y3cf0d7a4-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="F">“(F) </num><content>the applicant’s affiliation with private sector entities involved with industrial research described in subsection (a)(1);</content></subparagraph> <subparagraph class="indentUp0 fontsize10" id="y3cf0d7a5-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="G">“(G) </num><content>the capability of the applicant to conduct research in a secure environment;</content></subparagraph> <subparagraph class="indentUp0 fontsize10" id="y3cf0d7a6-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="H">“(H) </num><content>the applicant’s affiliation with existing research programs of the Federal Government;</content></subparagraph> <subparagraph class="indentUp0 fontsize10" id="y3cf0d7a7-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="I">“(I) </num><content>the applicant’s experience managing public-private partnerships to transition new technologies into a commercial setting or the government user community;</content></subparagraph> <subparagraph class="indentUp0 fontsize10" id="y3cf0d7a8-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="J">“(J) </num><content>the capability of the applicant to conduct interdisciplinary cybersecurity research, basic and applied, such as in law, economics, or behavioral sciences; and</content></subparagraph> <subparagraph class="indentUp0 fontsize10" id="y3cf0d7a9-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="K">“(K) </num><content>the capability of the applicant to conduct research in areas such as systems security, wireless security, networking and protocols, formal methods and high-performance computing, nanotechnology, or industrial control systems.”</content></subparagraph> </quotedContent>.</content></subparagraph> </paragraph> </section> <section id="d375367e1235" identifier="/us/pl/113/274/tII/s203" role="instruction" style="-uslm-lc:I658143"><num class="fontsize12" value="203">SEC. 203. </num><heading>CYBERSECURITY AUTOMATION AND CHECKLISTS FOR GOVERNMENT SYSTEMS.</heading><content class="firstIndent0 fontsize10" id="x3cf125ca-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658120">  Section 8(c) of the Cyber Security Research and Development Act (<ref href="/us/usc/t15/s7406/c">15 U.S.C. 7406(c)</ref>) <amendingAction type="amend">is amended</amendingAction> to read as follows:<quotedContent><subsection class="firstIndent0 fontsize10" id="y3cf1e91b-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="c">“(c) </num><heading class="fontsize10"><inline class="smallCaps">Security Automation and Checklists for Government Systems</inline>.—</heading><paragraph class="fontsize10" id="y3cf1e91c-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">“(1) </num><heading class="fontsize10"><inline class="smallCaps">In general</inline>.—</heading><content>The Director of the National Institute of Standards and Technology shall, as necessary, develop and revise security automation standards, associated reference materials (including protocols), and checklists providing settings and option selections that minimize the security risks associated with each information technology hardware or software system and security tool that is, or is likely to become, widely used within the Federal Government, thereby enabling standardized and interoperable technologies, architectures, and frameworks for continuous monitoring of information security within the Federal Government.</content></paragraph> <paragraph class="fontsize10" id="y3cf1e91d-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">“(2) </num><heading class="fontsize10"><inline class="smallCaps">Priorities for development</inline>.—</heading><chapeau>The Director of the National Institute of Standards and Technology shall establish priorities for the development of standards, reference materials, and checklists under this subsection on the basis of—</chapeau><subparagraph class="fontsize10" id="y3cf1e91e-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">“(A) </num><content>the security risks associated with the use of the system;<page identifier="/us/stat/128/2980">128 STAT. 2980</page></content></subparagraph> <subparagraph class="fontsize10" id="y3cf1e91f-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">“(B) </num><content>the number of agencies that use a particular system or security tool;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf1e920-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">“(C) </num><content>the usefulness of the standards, reference materials, or checklists to Federal agencies that are users or potential users of the system;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf1e921-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="D">“(D) </num><content>the effectiveness of the associated standard, reference material, or checklist in creating or enabling continuous monitoring of information security; or</content></subparagraph> <subparagraph class="fontsize10" id="y3cf1e922-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="E">“(E) </num><content>such other factors as the Director of the National Institute of Standards and Technology determines to be appropriate.</content></subparagraph> </paragraph> <paragraph class="fontsize10" id="y3cf1e923-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">“(3) </num><heading class="fontsize10"><inline class="smallCaps">Excluded systems</inline>.—</heading><content>The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any information technology hardware or software system or security tool for which such Director determines that the development of a standard, reference material, or checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the lack of utility or impracticability of developing a standard, reference material, or checklist for the system.</content></paragraph> <paragraph class="fontsize10" id="y3cf1e924-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">“(4) </num><heading class="fontsize10"><inline class="smallCaps">Dissemination of standards and related materials</inline>.—</heading><content>The Director of the National Institute of Standards and Technology shall ensure that Federal agencies are informed of the availability of any standard, reference material, checklist, or other item developed under this subsection.</content></paragraph> <paragraph class="fontsize10" id="y3cf1e925-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="5">“(5) </num><heading class="fontsize10"><inline class="smallCaps">Agency use requirements</inline>.—</heading><chapeau>The development of standards, reference materials, and checklists under paragraph (1) for an information technology hardware or software system or tool does not—</chapeau><subparagraph class="fontsize10" id="y3cf1e926-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">“(A) </num><content>require any Federal agency to select the specific settings or options recommended by the standard, reference material, or checklist for the system;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf1e927-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">“(B) </num><content>establish conditions or prerequisites for Federal agency procurement or deployment of any such system;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf1e928-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">“(C) </num><content>imply an endorsement of any such system by the Director of the National Institute of Standards and Technology; or</content></subparagraph> <subparagraph class="fontsize10" id="y3cf1e929-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="D">“(D) </num><content>preclude any Federal agency from procuring or deploying other information technology hardware or software systems for which no such standard, reference material, or checklist has been developed or identified under paragraph (1).”</content></subparagraph> </paragraph> </subsection> </quotedContent>.</content></section> <section id="d375367e1353" identifier="/us/pl/113/274/tII/s204" role="instruction" style="-uslm-lc:I658143"><num class="fontsize12" value="204">SEC. 204. </num><heading>NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY RESEARCH AND DEVELOPMENT.</heading><chapeau class="indentUp0 firstIndent0 fontsize10" id="x3cf2374a-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658120">  Section 20 of the National Institute of Standards and Technology Act (<ref href="/us/usc/t15/s278g–3">15 U.S.C. 278g–3</ref>) <amendingAction type="amend">is amended</amendingAction>—</chapeau><paragraph class="fontsize10" id="y3cf2374b-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s204/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>by <amendingAction type="redesignate">redesignating</amendingAction> subsection (e) as subsection (f); and</content></paragraph> <paragraph class="fontsize10" id="y3cf2374c-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tII/s204/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>by <amendingAction type="insert">inserting</amendingAction> after subsection (d) the following:<quotedContent><subsection class="indentDown1 firstIndent0 fontsize10" id="y3cf2856d-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="e">“(e) </num><heading class="fontsize10"><inline class="smallCaps">Intramural Security Research</inline>.—</heading><chapeau>As part of the research activities conducted in accordance with subsection (d)(3), the Institute shall, to the extent practicable and appropriate—</chapeau><paragraph class="fontsize10" id="y3cf2856e-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">“(1) </num><content>conduct a research program to develop a unifying and standardized identity, privilege, and access control management framework for the execution of a wide variety of resource protection policies and that is amenable to implementation within <page identifier="/us/stat/128/2981">128 STAT. 2981</page> a wide variety of existing and emerging computing environments;</content></paragraph> <paragraph class="fontsize10" id="y3cf2856f-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">“(2) </num><content>carry out research associated with improving the security of information systems and networks;</content></paragraph> <paragraph class="fontsize10" id="y3cf28570-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">“(3) </num><content>carry out research associated with improving the testing, measurement, usability, and assurance of information systems and networks;</content></paragraph> <paragraph class="fontsize10" id="y3cf28571-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">“(4) </num><content>carry out research associated with improving security of industrial control systems;</content></paragraph> <paragraph class="fontsize10" id="y3cf28572-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="5">“(5) </num><content>carry out research associated with improving the security and integrity of the information technology supply chain; and</content></paragraph> <paragraph class="fontsize10" id="y3cf28573-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="6">“(6) </num><content>carry out any additional research the Institute determines appropriate.”</content></paragraph> </subsection> </quotedContent>.</content></paragraph> </section> <num value="III">TITLE III—</num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf28574-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">15 USC</p><p class="leftAlign firstIndent0 fontsize8" id="x3cf28575-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">prec. 7441.</p></sidenote><heading>EDUCATION AND WORKFORCE DEVELOPMENT</heading> <section id="d375367e1441" identifier="/us/pl/113/274/tIII/s301" style="-uslm-lc:I658143"><num class="fontsize12" value="301">SEC. 301. </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf28576-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180"><ref href="/us/usc/t15/s7441">15 USC 7441</ref>.</p></sidenote><heading>CYBERSECURITY COMPETITIONS AND CHALLENGES.</heading><subsection class="firstIndent0 fontsize10" id="y3cf43327-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/a" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="a">(a) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf43328-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Consultation.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">In General</inline>.—</heading><chapeau>The Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security, in consultation with the Director of the Office of Personnel Management, shall—</chapeau><paragraph class="fontsize10" id="y3cf43329-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/a/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><chapeau>support competitions and challenges under section 24 of the Stevenson-Wydler Technology Innovation Act of 1980 (<ref href="/us/usc/t15/s3719">15 U.S.C. 3719</ref>) (as amended by section 105 of the America COMPETES Reauthorization Act of 2010 (<ref href="/us/stat/124/3989">124 Stat. 3989</ref>)) or any other provision of law, as appropriate—</chapeau><subparagraph class="fontsize10" id="y3cf4332a-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/a/1/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>to identify, develop, and recruit talented individuals to perform duties relating to the security of information technology in Federal, State, local, and tribal government agencies, and the private sector; or</content></subparagraph> <subparagraph class="fontsize10" id="y3cf4332b-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/a/1/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>to stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that has the potential for application to the information technology activities of the Federal Government; and</content></subparagraph> </paragraph> <paragraph class="fontsize10" id="y3cf4332c-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/a/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>ensure the effective operation of the competitions and challenges under this section.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf4332d-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/b" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="b">(b) </num><heading class="fontsize10"><inline class="smallCaps">Participation</inline>.—</heading><chapeau>Participants in the competitions and challenges under subsection (a)(1) may include—</chapeau><paragraph class="fontsize10" id="y3cf4332e-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/b/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>students enrolled in grades 9 through 12;</content></paragraph> <paragraph class="fontsize10" id="y3cf4332f-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/b/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>students enrolled in a postsecondary program of study leading to a baccalaureate degree at an institution of higher education;</content></paragraph> <paragraph class="fontsize10" id="y3cf43330-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/b/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><content>students enrolled in a postbaccalaureate program of study at an institution of higher education;</content></paragraph> <paragraph class="fontsize10" id="y3cf43331-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/b/4" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">(4) </num><content>institutions of higher education and research institutions;</content></paragraph> <paragraph class="fontsize10" id="y3cf43332-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/b/5" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="5">(5) </num><content>veterans; and</content></paragraph> <paragraph class="fontsize10" id="y3cf43333-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/b/6" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="6">(6) </num><content>other groups or individuals that the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security determine appropriate.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf43334-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/c" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="c">(c) </num><heading class="fontsize10"><inline class="smallCaps">Affiliation and Cooperative Agreements</inline>.—</heading><chapeau>Competitions and challenges under this section may be carried out through affiliation and cooperative agreements with—<page identifier="/us/stat/128/2982">128 STAT. 2982</page></chapeau><paragraph class="fontsize10" id="y3cf43335-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/c/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>Federal agencies;</content></paragraph> <paragraph class="fontsize10" id="y3cf43336-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/c/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>regional, State, or school programs supporting the development of cyber professionals;</content></paragraph> <paragraph class="fontsize10" id="y3cf43337-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/c/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><content>State, local, and tribal governments; or</content></paragraph> <paragraph class="fontsize10" id="y3cf43338-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/c/4" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">(4) </num><content>other private sector organizations.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf43339-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/d" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="d">(d) </num><heading class="fontsize10"><inline class="smallCaps">Areas of Skill</inline>.—</heading><chapeau>Competitions and challenges under subsection (a)(1)(A) shall be designed to identify, develop, and recruit exceptional talent relating to—</chapeau><paragraph class="fontsize10" id="y3cf4333a-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/d/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>ethical hacking;</content></paragraph> <paragraph class="fontsize10" id="y3cf4333b-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/d/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>penetration testing;</content></paragraph> <paragraph class="fontsize10" id="y3cf4333c-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/d/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><content>vulnerability assessment;</content></paragraph> <paragraph class="fontsize10" id="y3cf4333d-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/d/4" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">(4) </num><content>continuity of system operations;</content></paragraph> <paragraph class="fontsize10" id="y3cf4333e-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/d/5" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="5">(5) </num><content>security in design;</content></paragraph> <paragraph class="fontsize10" id="y3cf4333f-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/d/6" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="6">(6) </num><content>cyber forensics;</content></paragraph> <paragraph class="fontsize10" id="y3cf43340-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/d/7" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="7">(7) </num><content>offensive and defensive cyber operations; and</content></paragraph> <paragraph class="fontsize10" id="y3cf43341-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/d/8" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="8">(8) </num><content>other areas the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security consider necessary to fulfill the cybersecurity mission.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf43342-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/e" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="e">(e) </num><heading class="fontsize10"><inline class="smallCaps">Topics</inline>.—</heading><chapeau>In selecting topics for competitions and challenges under subsection (a)(1), the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security—</chapeau><paragraph class="fontsize10" id="y3cf43343-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/e/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf43344-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Consultation.</p></sidenote><content>shall consult widely both within and outside the Federal Government; and</content></paragraph> <paragraph class="fontsize10" id="y3cf43345-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/e/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>may empanel advisory committees.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf43346-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s301/f" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="f">(f) </num><heading class="fontsize10"><inline class="smallCaps">Internships</inline>.—</heading><content>The Director of the Office of Personnel Management may support, as appropriate, internships or other work experience in the Federal Government to the winners of the competitions and challenges under this section.</content></subsection> </section> <section id="d375367e1644" identifier="/us/pl/113/274/tIII/s302" style="-uslm-lc:I658143"><num class="fontsize12" value="302">SEC. 302. </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf43347-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180"><ref href="/us/usc/t15/s7442">15 USC 7442</ref>.</p></sidenote><heading>FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.</heading><subsection class="firstIndent0 fontsize10" id="y3cf5e0f8-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/a" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="a">(a) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf5e0f9-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Coordination.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">In General</inline>.—</heading><content>The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management and Secretary of Homeland Security, shall continue a Federal cyber scholarship-for-service program to recruit and train the next generation of information technology professionals, industrial control system security professionals, and security managers to meet the needs of the cybersecurity mission for Federal, State, local, and tribal governments.</content></subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e0fa-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/b" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="b">(b) </num><heading class="fontsize10"><inline class="smallCaps">Program Description and Components</inline>.—</heading><chapeau>The Federal Cyber Scholarship-for-Service Program shall—</chapeau><paragraph class="fontsize10" id="y3cf5e0fb-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/b/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>provide scholarships through qualified institutions of higher education, including community colleges, to students who are enrolled in programs of study at institutions of higher education leading to degrees or specialized program certifications in the cybersecurity field;</content></paragraph> <paragraph class="fontsize10" id="y3cf5e0fc-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/b/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>provide the scholarship recipients with summer internship opportunities or other meaningful temporary appointments in the Federal information technology workforce; and</content></paragraph> <paragraph class="fontsize10" id="y3cf5e0fd-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/b/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><content>prioritize the employment placement of scholarship recipients in the Federal Government.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e0fe-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/c" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="c">(c) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf5e0ff-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Time period.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">Scholarship Amounts</inline>.—</heading><content>Each scholarship under subsection (b) shall be in an amount that covers the student’s tuition and fees at the institution under subsection (b)(1) for not more than 3 years and provides the student with an additional stipend.<page identifier="/us/stat/128/2983">128 STAT. 2983</page></content></subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e100-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/d" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="d">(d) </num><heading class="fontsize10"><inline class="smallCaps">Post-award Employment Obligations</inline>.—</heading><content>Each scholarship recipient, as a condition of receiving a scholarship under the program, shall enter into an agreement under which the recipient agrees to work in the cybersecurity mission of a Federal, State, local, or tribal agency for a period equal to the length of the scholarship following receipt of the student’s degree.</content></subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e101-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/e" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="e">(e) </num><heading class="fontsize10"><inline class="smallCaps">Hiring Authority</inline>.—</heading><paragraph class="fontsize10" id="y3cf5e102-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/e/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><heading class="fontsize10"><inline class="smallCaps">Appointment in excepted service</inline>.—</heading><content>Notwithstanding any provision of <ref href="/us/usc/t5/ch33">chapter 33 of title 5, United States Code</ref>, governing appointments in the competitive service, an agency shall appoint in the excepted service an individual who has completed the eligible degree program for which a scholarship was awarded.</content></paragraph> <paragraph class="fontsize10" id="y3cf5e103-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/e/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><heading class="fontsize10"><inline class="smallCaps">Noncompetitive conversion</inline>.—</heading><content>Except as provided in paragraph (4), upon fulfillment of the service term, an employee appointed under paragraph (1) may be converted noncompetitively to term, career-conditional or career appointment.</content></paragraph> <paragraph class="fontsize10" id="y3cf5e104-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/e/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><heading class="fontsize10"><inline class="smallCaps">Timing of conversion</inline>.—</heading><content>An agency may noncompetitively convert a term employee appointed under paragraph (2) to a career-conditional or career appointment before the term appointment expires.</content></paragraph> <paragraph class="fontsize10" id="y3cf5e105-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/e/4" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">(4) </num><heading class="fontsize10"><inline class="smallCaps">Authority to decline conversion</inline>.—</heading><content>An agency may decline to make the noncompetitive conversion or appointment under paragraph (2) for cause.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e106-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/f" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="f">(f) </num><heading class="fontsize10"><inline class="smallCaps">Eligibility</inline>.—</heading><chapeau>To be eligible to receive a scholarship under this section, an individual shall—</chapeau><paragraph class="fontsize10" id="y3cf5e107-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/f/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>be a citizen or lawful permanent resident of the United States;</content></paragraph> <paragraph class="fontsize10" id="y3cf5e108-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/f/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>demonstrate a commitment to a career in improving the security of information technology;</content></paragraph> <paragraph class="fontsize10" id="y3cf5e109-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/f/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><content>have demonstrated a high level of proficiency in mathematics, engineering, or computer sciences;</content></paragraph> <paragraph class="fontsize10" id="y3cf5e10a-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/f/4" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">(4) </num><content>be a full-time student in an eligible degree program at a qualified institution of higher education, as determined by the Director of the National Science Foundation; and</content></paragraph> <paragraph class="fontsize10" id="y3cf5e10b-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/f/5" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="5">(5) </num><content>accept the terms of a scholarship under this section.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e10c-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/g" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="g">(g) </num><heading class="fontsize10"><inline class="smallCaps">Conditions of Support</inline>.—</heading><paragraph class="fontsize10" id="y3cf5e10d-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/g/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><heading class="fontsize10"><inline class="smallCaps">In general</inline>.—</heading><content>As a condition of receiving a scholarship under this section, a recipient shall agree to provide the qualified institution of higher education with annual verifiable documentation of post-award employment and up-to-date contact information.</content></paragraph> <paragraph class="fontsize10" id="y3cf5e10e-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/g/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><heading class="fontsize10"><inline class="smallCaps">Terms</inline>.—</heading><chapeau>A scholarship recipient under this section shall be liable to the United States as provided in subsection (i) if the individual—</chapeau><subparagraph class="fontsize10" id="y3cf5e10f-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/g/2/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>fails to maintain an acceptable level of academic standing at the applicable institution of higher education, as determined by the Director of the National Science Foundation;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf5e110-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/g/2/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>is dismissed from the applicable institution of higher education for disciplinary reasons;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf5e111-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/g/2/C" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">(C) </num><content>withdraws from the eligible degree program before completing the program;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf5e112-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/g/2/D" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="D">(D) </num><content>declares that the individual does not intend to fulfill the post-award employment obligation under this section; or<page identifier="/us/stat/128/2984">128 STAT. 2984</page></content></subparagraph> <subparagraph class="fontsize10" id="y3cf5e113-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/g/2/E" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="E">(E) </num><content>fails to fulfill the post-award employment obligation of the individual under this section.</content></subparagraph> </paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e114-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/h" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="h">(h) </num><heading class="fontsize10"><inline class="smallCaps">Monitoring Compliance</inline>.—</heading><chapeau>As a condition of participating in the program, a qualified institution of higher education shall—</chapeau><paragraph class="fontsize10" id="y3cf5e115-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/h/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf5e116-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Contracts.</p></sidenote><content>enter into an agreement with the Director of the National Science Foundation, to monitor the compliance of scholarship recipients with respect to their post-award employment obligations; and</content></paragraph> <paragraph class="fontsize10" id="y3cf5e117-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/h/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>provide to the Director of the National Science Foundation, on an annual basis, the post-award employment documentation required under subsection (g)(1) for scholarship recipients through the completion of their post-award employment obligations.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e118-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/i" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="i">(i) </num><heading class="fontsize10"><inline class="smallCaps">Amount of Repayment</inline>.—</heading><paragraph class="fontsize10" id="y3cf5e119-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/i/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><heading class="fontsize10"><inline class="smallCaps">Less than 1 year of service</inline>.—</heading><chapeau>If a circumstance described in subsection (g)(2) occurs before the completion of 1 year of a post-award employment obligation under this section, the total amount of scholarship awards received by the individual under this section shall—</chapeau><subparagraph class="fontsize10" id="y3cf5e11a-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/i/1/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>be repaid; or</content></subparagraph> <subparagraph class="fontsize10" id="y3cf5e11b-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/i/1/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>be treated as a loan to be repaid in accordance with subsection (j).</content></subparagraph> </paragraph> <paragraph class="fontsize10" id="y3cf5e11c-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/i/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><heading class="fontsize10 smallCaps">1 or more years of service<inline class="noSmallCaps">.—</inline></heading><chapeau>If a circumstance described in subparagraph (D) or (E) of subsection (g)(2) occurs after the completion of 1 or more years of a post-award employment obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall—</chapeau><subparagraph class="fontsize10" id="y3cf5e11d-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/i/2/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>be repaid; or</content></subparagraph> <subparagraph class="fontsize10" id="y3cf5e11e-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/i/2/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>be treated as a loan to be repaid in accordance with subsection (j).</content></subparagraph> </paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e11f-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/j" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="j">(j) </num><heading class="fontsize10"><inline class="smallCaps">Repayments</inline>.—</heading><chapeau>A loan described subsection (i) shall—</chapeau><paragraph class="fontsize10" id="y3cf5e120-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/j/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>be treated as a Federal Direct Unsubsidized Stafford Loan under part D of title IV of the Higher Education Act of 1965 (<ref href="/us/usc/t20/s1087a/etseq">20 U.S.C. 1087a et seq.</ref>); and</content></paragraph> <paragraph class="fontsize10" id="y3cf5e121-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/j/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>be subject to repayment, together with interest thereon accruing from the date of the scholarship award, in accordance with terms and conditions specified by the Director of the National Science Foundation (in consultation with the Secretary of Education) in regulations promulgated to carry out this subsection.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e122-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/k" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="k">(k) </num><heading class="fontsize10"><inline class="smallCaps">Collection of Repayment</inline>.—</heading><paragraph class="fontsize10" id="y3cf5e123-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/k/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf5e124-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Determinations.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">In general</inline>.—</heading><chapeau>In the event that a scholarship recipient is required to repay the scholarship award under this section, the qualified institution of higher education providing the scholarship shall—</chapeau><subparagraph class="fontsize10" id="y3cf5e125-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/k/1/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf5e126-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Notification.</p></sidenote><content>determine the repayment amounts and notify the recipient and the Director of the National Science Foundation of the amounts owed; and</content></subparagraph> <subparagraph class="fontsize10" id="y3cf5e127-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/k/1/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf5e128-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Time period.</p></sidenote><content>collect the repayment amounts within a period of time as determined by the Director of the National Science Foundation, or the repayment amounts shall be treated as a loan in accordance with subsection (j).</content></subparagraph> </paragraph> <paragraph class="fontsize10" id="y3cf5e129-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/k/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><heading class="fontsize10"><inline class="smallCaps">Returned to treasury</inline>.—</heading><content>Except as provided in paragraph (3), any repayment under this subsection shall be returned to the Treasury of the United States.<page identifier="/us/stat/128/2985">128 STAT. 2985</page></content></paragraph> <paragraph class="fontsize10" id="y3cf5e12a-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/k/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><heading class="fontsize10"><inline class="smallCaps">Retain percentage</inline>.—</heading><content>A qualified institution of higher education may retain a percentage of any repayment the institution collects under this subsection to defray administrative costs associated with the collection.<sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf5e12b-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Applicability.</p></sidenote> The Director of the National Science Foundation shall establish a single, fixed percentage that will apply to all eligible entities.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e12c-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/l" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="l">(l) </num><heading class="fontsize10"><inline class="smallCaps">Exceptions</inline>.—</heading><content>The Director of the National Science Foundation may provide for the partial or total waiver or suspension of any service or payment obligation by an individual under this section whenever compliance by the individual with the obligation is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable.</content></subsection> <subsection class="firstIndent0 fontsize10" id="y3cf5e12d-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIII/s302/m" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="m">(m) </num><heading class="fontsize10"><inline class="smallCaps">Evaluation and Report</inline>.—</heading><content>The Director of the National Science Foundation shall evaluate and report periodically to Congress on the success of recruiting individuals for scholarships under this section and on hiring and retaining those individuals in the public sector workforce.</content></subsection> </section> <num value="IV">TITLE IV—</num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf6083e-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">15 USC</p><p class="leftAlign firstIndent0 fontsize8" id="x3cf6083f-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">prec. 7451.</p></sidenote><heading>CYBERSECURITY AWARENESS AND PREPAREDNESS</heading> <section id="d375367e2036" identifier="/us/pl/113/274/tIV/s401" style="-uslm-lc:I658143"><num class="fontsize12" value="401">SEC. 401. </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf60840-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180"><ref href="/us/usc/t15/s7451">15 USC 7451</ref>.</p></sidenote><heading>NATIONAL CYBERSECURITY AWARENESS AND EDUCATION PROGRAM.</heading><subsection class="firstIndent0 fontsize10" id="y3cf67d71-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/a" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="a">(a) </num><heading class="fontsize10"><inline class="smallCaps">National Cybersecurity Awareness and Education Program</inline>.—</heading><chapeau>The Director<sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf67d72-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Consultation.</p></sidenote> of the National Institute of Standards and Technology (referred to in this section as the “Director”), in consultation with appropriate Federal agencies, industry, educational institutions, National Laboratories, the Networking and Information Technology Research and Development program, and other organizations shall continue to coordinate a national cybersecurity awareness and education program, that includes activities such as—</chapeau><paragraph class="fontsize10" id="y3cf67d73-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/a/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>the widespread dissemination of cybersecurity technical standards and best practices identified by the Director;</content></paragraph> <paragraph class="fontsize10" id="y3cf67d74-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/a/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>efforts to make cybersecurity best practices usable by individuals, small to medium-sized businesses, educational institutions, and State, local, and tribal governments;</content></paragraph> <paragraph class="fontsize10" id="y3cf67d75-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/a/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><content>increasing public awareness of cybersecurity, cyber safety, and cyber ethics;</content></paragraph> <paragraph class="fontsize10" id="y3cf67d76-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/a/4" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">(4) </num><chapeau>increasing the understanding of State, local, and tribal governments, institutions of higher education, and private sector entities of—</chapeau><subparagraph class="fontsize10" id="y3cf67d77-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/a/4/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>the benefits of ensuring effective risk management of information technology versus the costs of failure to do so; and</content></subparagraph> <subparagraph class="fontsize10" id="y3cf67d78-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/a/4/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>the methods to mitigate and remediate vulnerabilities;</content></subparagraph> </paragraph> <paragraph class="fontsize10" id="y3cf67d79-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/a/5" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="5">(5) </num><content>supporting formal cybersecurity education programs at all education levels to prepare and improve a skilled cybersecurity and computer science workforce for the private sector and Federal, State, local, and tribal government; and</content></paragraph> <paragraph class="fontsize10" id="y3cf67d7a-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/a/6" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="6">(6) </num><content>promoting initiatives to evaluate and forecast future cybersecurity workforce needs of the Federal Government and develop strategies for recruitment, training, and retention.<page identifier="/us/stat/128/2986">128 STAT. 2986</page></content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf67d7b-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/b" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="b">(b) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf67d7c-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Consultation.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">Considerations</inline>.—</heading><content>In carrying out the authority described in subsection (a), the Director, in consultation with appropriate Federal agencies, shall leverage existing programs designed to inform the public of safety and security of products or services, including self-certifications and independently verified assessments regarding the quantification and valuation of information security risk.</content></subsection> <subsection class="firstIndent0 fontsize10" id="y3cf67d7d-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/c" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="c">(c) </num><heading class="fontsize10"><inline class="smallCaps">Strategic Plan</inline>.—</heading><content>The Director, in cooperation with relevant Federal agencies and other stakeholders, shall build upon programs and plans in effect as of the date of enactment of this Act to develop and implement a strategic plan to guide Federal programs and activities in support of the national cybersecurity awareness and education program under subsection (a).</content></subsection> <subsection class="firstIndent0 fontsize10" id="y3cf67d7e-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tIV/s401/d" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="d">(d) </num><heading class="fontsize10"><inline class="smallCaps">Report</inline>.—</heading><content>Not later than 1 year after the date of enactment of this Act, and every 5 years thereafter, the Director shall transmit the strategic plan under subsection (c) to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.</content></subsection> </section> <num value="V">TITLE V—</num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf67d7f-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">15 USC</p><p class="leftAlign firstIndent0 fontsize8" id="x3cf67d80-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">prec. 7461.</p></sidenote><heading>ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS</heading> <section id="d375367e2145" identifier="/us/pl/113/274/tV/s501" style="-uslm-lc:I658143"><num class="fontsize12" value="501">SEC. 501. </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf67d81-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180"><ref href="/us/usc/t15/s7461">15 USC 7461</ref>.</p></sidenote><heading>DEFINITIONS.</heading><chapeau class="indentUp0 firstIndent0 fontsize10" id="x3cf6a492-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658120">  In this title:</chapeau><paragraph class="fontsize10" id="y3cf6a493-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s501/1" role="definitions" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><heading class="fontsize10"><inline class="smallCaps">Director</inline>.—</heading><content>The term “<term>Director</term>” means the Director of the National Institute of Standards and Technology.</content></paragraph> <paragraph class="fontsize10" id="y3cf6a494-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s501/2" role="definitions" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><heading class="fontsize10"><inline class="smallCaps">Institute</inline>.—</heading><content>The term “<term>Institute</term>” means the National Institute of Standards and Technology.</content></paragraph> </section> <section id="d375367e2175" identifier="/us/pl/113/274/tV/s502" style="-uslm-lc:I658143"><num class="fontsize12" value="502">SEC. 502. </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf6a495-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180"><ref href="/us/usc/t15/s7462">15 USC 7462</ref>.</p></sidenote><heading>INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.</heading><subsection class="firstIndent0 fontsize10" id="y3cf6cba6-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s502/a" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="a">(a) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf6cba7-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Coordination.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">In General</inline>.—</heading><chapeau>The Director, in coordination with appropriate Federal authorities, shall—</chapeau><paragraph class="fontsize10" id="y3cf6cba8-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s502/a/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and</content></paragraph> <paragraph class="fontsize10" id="y3cf6cba9-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s502/a/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf6cbaa-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Deadline.</p><p class="leftAlign firstIndent0 fontsize8" id="x3cf6cbab-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Plans.</p></sidenote><content>not later than 1 year after the date of enactment of this Act, develop and transmit to Congress a plan for ensuring such Federal agency coordination.</content></paragraph> </subsection> <subsection class="firstIndent0 fontsize10" id="y3cf6cbac-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s502/b" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="b">(b) </num><heading class="fontsize10"><inline class="smallCaps">Consultation With the Private Sector</inline>.—</heading><content>In carrying out the activities specified in subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders.</content></subsection> </section> <section id="d375367e2221" identifier="/us/pl/113/274/tV/s503" style="-uslm-lc:I658143"><num class="fontsize12" value="503">SEC. 503. </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf6cbad-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180"><ref href="/us/usc/t15/s7463">15 USC 7463</ref>.</p></sidenote><heading>CLOUD COMPUTING STRATEGY.</heading><subsection class="firstIndent0 fontsize10" id="y3cf719ce-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s503/a" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="a">(a) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf719cf-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Coordination.</p><p class="leftAlign firstIndent0 fontsize8" id="x3cf719d0-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Collaboration.</p><p class="leftAlign firstIndent0 fontsize8" id="x3cf719d1-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Consultation.</p></sidenote><heading class="fontsize10"><inline class="smallCaps">In General</inline>.—</heading><content>The Director, in coordination with the Office of Management and Budget, in collaboration with the Federal Chief Information Officers Council, and in consultation with other relevant Federal agencies and stakeholders from the private sector, shall continue to develop and encourage the implementation of a comprehensive strategy for the use and adoption of cloud computing services by the Federal Government.</content></subsection> <subsection class="firstIndent0 fontsize10" id="y3cf719d2-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s503/b" style="-uslm-lc:I658120"><num class="fontsize10" style="-uslm-lc:emspace2" value="b">(b) </num><heading class="fontsize10"><inline class="smallCaps">Activities</inline>.—</heading><chapeau>In carrying out the strategy described under subsection (a), the Director shall give consideration to activities that—<page identifier="/us/stat/128/2987">128 STAT. 2987</page></chapeau><paragraph class="fontsize10" id="y3cf719d3-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s503/b/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>accelerate the development, in collaboration with the private sector, of standards that address interoperability and portability of cloud computing services;</content></paragraph> <paragraph class="fontsize10" id="y3cf719d4-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s503/b/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>advance the development of conformance testing performed by the private sector in support of cloud computing standardization; and</content></paragraph> <paragraph class="fontsize10" id="y3cf719d5-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s503/b/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf719d6-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Coordination.</p><p class="leftAlign firstIndent0 fontsize8" id="x3cf719d7-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180">Consultation.</p></sidenote><chapeau>support, in coordination with the Office of Management and Budget, and in consultation with the private sector, the development of appropriate security frameworks and reference materials, and the identification of best practices, for use by Federal agencies to address security and privacy requirements to enable the use and adoption of cloud computing services, including activities—</chapeau><subparagraph class="fontsize10" id="y3cf719d8-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s503/b/3/A" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="A">(A) </num><content>to ensure the physical security of cloud computing data centers and the data stored in such centers;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf719d9-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s503/b/3/B" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="B">(B) </num><content>to ensure secure access to the data stored in cloud computing data centers;</content></subparagraph> <subparagraph class="fontsize10" id="y3cf719da-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s503/b/3/C" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="C">(C) </num><content>to develop security standards as required under section 20 of the National Institute of Standards and Technology Act (<ref href="/us/usc/t15/s278g–3">15 U.S.C. 278g–3</ref>); and</content></subparagraph> <subparagraph class="fontsize10" id="y3cf719db-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s503/b/3/D" style="-uslm-lc:I658124"><num class="fontsize10" style="-uslm-lc:emspace2" value="D">(D) </num><content>to support the development of the automation of continuous monitoring systems.</content></subparagraph> </paragraph> </subsection> </section> <section id="d375367e2303" identifier="/us/pl/113/274/tV/s504" style="-uslm-lc:I658143"><num class="fontsize12" value="504">SEC. 504. </num><sidenote><p class="leftAlign firstIndent0 fontsize8" id="x3cf719dc-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658180"><ref href="/us/usc/t15/s7464">15 USC 7464</ref>.</p></sidenote><heading>IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.</heading><chapeau class="indentUp0 firstIndent0 fontsize10" id="x3cf73fed-e880-11f0-bc57-ad3ac4b1618c" style="-uslm-lc:I658120">  The Director shall continue a program to support the development of voluntary and cost-effective technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns—</chapeau><paragraph class="fontsize10" id="y3cf73fee-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s504/1" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="1">(1) </num><content>to improve interoperability among identity management technologies;</content></paragraph> <paragraph class="fontsize10" id="y3cf73fef-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s504/2" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="2">(2) </num><content>to strengthen authentication methods of identity management systems;</content></paragraph> <paragraph class="fontsize10" id="y3cf73ff0-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s504/3" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="3">(3) </num><content>to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and</content></paragraph> <paragraph class="fontsize10" id="y3cf73ff1-e880-11f0-bc57-ad3ac4b1618c" identifier="/us/pl/113/274/tV/s504/4" style="-uslm-lc:I658122"><num class="fontsize10" style="-uslm-lc:emspace2" value="4">(4) </num><content>to improve the usability of identity management systems.</content></paragraph> </section> Approved December 18, 2014.
LEGISLATIVE HISTORYS. 1353: SENATE REPORTS: ┐No. 113–270 (Comm. on Commerce, Science, and Transpor-
            tation). CONGRESSIONAL RECORD, Vol. 160 (2014):

Dec. 11, considered and passed Senate and House.