[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3316 Introduced in House (IH)]
107th CONGRESS
1st Session
H. R. 3316
To amend the National Institute of Standards and Technology Act to
establish research programs to improve the security of networked
information systems, to enhance the ability of the National Institute
of Standards and Technology to improve computer security, and for other
purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
November 16, 2001
Mr. Baird (for himself, Mr. Matheson, Mr. Udall of Colorado, and Mr.
Honda) introduced the following bill; which was referred to the
Committee on Science
_______________________________________________________________________
A BILL
To amend the National Institute of Standards and Technology Act to
establish research programs to improve the security of networked
information systems, to enhance the ability of the National Institute
of Standards and Technology to improve computer security, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Computer Security Enhancement and
Research Act of 2001''.
SEC. 2. FINDINGS AND PURPOSES.
(a) Findings.--The Congress finds the following:
(1) The National Institute of Standards and Technology has
responsibility for developing standards and guidelines needed
to ensure the cost-effective security and privacy of sensitive
information in Federal computer systems.
(2) The application of best security practices developed by
the National Institute of Standards and Technology is important
for protecting sensitive, but unclassified, information
controlled by Federal agencies.
(3) The Federal Government has an important role in
supporting research and education activities needed to ensure
the security of future networked information systems in both
the public and private sectors.
(4) Technology, including applications of cryptography,
exists that can be readily provided by private sector companies
to ensure the confidentiality, authenticity, and integrity of
information in electronic form associated with public and
private activities.
(5) The development and use of encryption technologies by
industry should be driven by market forces rather than by
Government-imposed requirements.
(b) Purposes.--The purposes of this Act are to--
(1) establish research programs focused on improving the
security of networked information systems;
(2) promote the development of a vigorous academic research
community engaged in leading edge research on computer and
communications security;
(3) reinforce the role of the National Institute of
Standards and Technology in ensuring the security of
unclassified information in Federal computer systems; and
(4) promote technology solutions based on private sector
offerings to protect the security of Federal computer systems.
SEC. 3. RESEARCH ON THE SECURITY OF NETWORKED INFORMATION SYSTEMS.
The National Institute of Standards and Technology Act is amended--
(1) by moving section 22 to the end of the Act and
redesignating it as section 32; and
(2) by inserting after section 21 the following new
section:
``research program
``Sec. 22. (a) Establishment.--The Director shall establish a
program to support research at institutions of higher education (where
the term ``institution of higher education'' has the meaning given such
term in section 101 of the Higher Education Act of 1965 (20 U.S.C.
1001)), for-profit research organizations, or consortia of such
institutions, to improve the security of networked information systems.
The program shall--
``(1) include multidisciplinary, long-term, high-risk
research;
``(2) include directed research to address needs identified
through the activities of the Computer System Security and
Privacy Advisory Board under section 20(e)(2) of this Act; and
``(3) promote the development of a substantial academic
research community working at the leading edge of knowledge in
subject areas relevant to the security of networked information
systems.
``(b) Fellowships.--(1) In order to help meet the requirement of
subsection (a)(3), the Director shall provide support for post-doctoral
research fellowships and for senior research fellowships. Support for
such fellowships shall be made available through research projects
funded under the program established by subsection (a) and through a
separate fellowship program described in paragraph (2) of this
subsection. Senior fellowships shall be made available for established
researchers who seek to change research fields and pursue studies
related to the security of networked information systems.
``(2) The Director is authorized to establish a program to award
post-doctoral research fellowships and senior research fellowships to
individuals seeking research positions at institutions, including the
Institute, engaged in research activities related to the security of
networked information systems. To be eligible for an award under this
paragraph, an individual shall submit an application to the Director at
such time, in such manner, and containing such information as the
Director may require.
``(3) Under this subsection, the Director is authorized to provide
stipends for senior research fellowships at levels consistent with
support for a faculty member in a sabbatical position and post-doctoral
research fellowships at the level of the Institute's Post Doctoral
Research Fellowship Program.
``(c) Awards; Applications.--The Director is authorized to award
grants or cooperative agreements to institutions of higher education to
carry out the program established under subsection (a). To be eligible
for such an award, an institution of higher education shall submit an
application to the Director at such time, in such manner, and
containing such information as the Director may require. The
application shall include a description of--
``(1) the number of graduate students anticipated to
participate in the research project and the level of support to
be provided to each;
``(2) the number of post-doctoral research fellowships
included under the project and the level of support to be
provided to each; and
``(3) the number of senior research fellows anticipated to
participate in the research project and the level of support to
be provided to each.
The Director shall ensure that a major consideration for making such
awards shall be the emphasis and commitment demonstrated by the
application to meeting the program requirement specified by subsection
(a)(3).
``(d) Program Managers.--The Director shall designate employees of
the Institute to serve as program managers for the program established
under subsection (a). Program managers so designated shall be
responsible for--
``(1) establishing broad research goals for the program and
publicizing the goals to the academic research community;
``(2) soliciting applications for specific research
projects to address the goals developed under paragraph (1);
``(3) selecting research projects for support under the
program from among applications submitted to the Institute,
following consideration of--
``(A) the novelty and scientific and technical
merit of the proposed projects;
``(B) the demonstrated capabilities of the
individual or individuals submitting the applications
to successfully carry out the proposed research; and
``(C) other criteria determined by the Director,
based on information specified for inclusion in
applications under subsection (c); and
``(4) monitoring the progress of research projects
supported under the program.
``(e) Review of Program.--(1) The Director shall--
``(A) provide for periodic reviews by the senior staff of
the Institute of the portfolio of research awards monitored by
each program manager designated in accordance with subsection
(d); and
``(B) seek the advice of the Computer System Security and
Privacy Advisory Board, established under section 21, on the
appropriateness of the research goals and on the quality and
relevance of research projects managed by program managers in
accordance with subsection (d).
``(2) The Director shall also contract with the National Research
Council for a comprehensive review of the program established under
subsection (a) during the 5th year of the program. Such review shall
include an assessment of the scientific quality of the research
conducted, the relevance of the research results obtained to the goals
of the program, and the progress of the program in promoting the
development of a substantial academic research community working at the
leading edge of knowledge in the field. The Director shall submit to
Congress a report on the results of the review under this paragraph no
later than six years after the initiation of the program.''.
SEC. 4. INTRAMURAL SECURITY RESEARCH.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3) is amended--
(1) by redesignating subsection (d) as subsection (f); and
(2) by inserting after subsection (c) the following new
subsection:
``(d) As part of the research activities conducted in accordance
with subsection (b)(4), the Institute shall--
``(1) conduct research to address emerging technologies
associated with composing a networked computer system from
components while ensuring it maintains desired security
properties; and
``(2) carry out multidisciplinary, long-term, high-risk
research on ways to improve the security of networked
information systems.''.
SEC. 5. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Secretary of
Commerce for the National Institute of Standards and Technology--
(1) for activities under section 22 of the National
Institute of Standards and Technology Act, as added by section
3 of this Act, $25,000,000 for fiscal year 2003, $40,000,000
for fiscal year 2004, $55,000,000 for fiscal year 2005,
$70,000,000 for fiscal year 2006, $85,000,000 for fiscal year
2007, and such sums as may be necessary for fiscal years 2008
through 2012; and
(2) for activities under section 20(d) of the National
Institute of Standards and Technology Act, as added by section
4 of this Act, $5,000,000 for fiscal year 2003, $5,200,000 for
fiscal year 2004, $5,400,000 for fiscal year 2005, $5,600,000
for fiscal year 2006, and $5,800,000 for fiscal year 2007.
SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by
inserting after subsection (d), as added by section 4 of this Act, the
following new subsection:
``(e)(1) The Institute shall solicit the recommendations of the
Computer System Security and Privacy Advisory Board, established by
section 21, regarding standards and guidelines that are being
considered for submittal to the Secretary in accordance with subsection
(a)(4). The recommendations of the Board shall accompany standards and
guidelines submitted to the Secretary.
``(2) There are authorized to be appropriated to the Secretary
$1,030,000 for fiscal year 2002 and $1,060,000 for fiscal year 2003 to
enable the Computer System Security and Privacy Advisory Board,
established by section 21, to identify emerging issues, including
research needs, related to computer security, privacy, and cryptography
and to convene public meetings on those subjects, receive
presentations, and publish reports, digests, and summaries for public
distribution on those subjects.''.