[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3316 Introduced in House (IH)]

107th CONGRESS
  1st Session
                                H. R. 3316

  To amend the National Institute of Standards and Technology Act to 
   establish research programs to improve the security of networked 
 information systems, to enhance the ability of the National Institute 
of Standards and Technology to improve computer security, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           November 16, 2001

 Mr. Baird (for himself, Mr. Matheson, Mr. Udall of Colorado, and Mr. 
    Honda) introduced the following bill; which was referred to the 
                          Committee on Science

_______________________________________________________________________

                                 A BILL


 
  To amend the National Institute of Standards and Technology Act to 
   establish research programs to improve the security of networked 
 information systems, to enhance the ability of the National Institute 
of Standards and Technology to improve computer security, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Computer Security Enhancement and 
Research Act of 2001''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds the following:
            (1) The National Institute of Standards and Technology has 
        responsibility for developing standards and guidelines needed 
        to ensure the cost-effective security and privacy of sensitive 
        information in Federal computer systems.
            (2) The application of best security practices developed by 
        the National Institute of Standards and Technology is important 
        for protecting sensitive, but unclassified, information 
        controlled by Federal agencies.
            (3) The Federal Government has an important role in 
        supporting research and education activities needed to ensure 
        the security of future networked information systems in both 
        the public and private sectors.
            (4) Technology, including applications of cryptography, 
        exists that can be readily provided by private sector companies 
        to ensure the confidentiality, authenticity, and integrity of 
        information in electronic form associated with public and 
        private activities.
            (5) The development and use of encryption technologies by 
        industry should be driven by market forces rather than by 
        Government-imposed requirements.
    (b) Purposes.--The purposes of this Act are to--
            (1) establish research programs focused on improving the 
        security of networked information systems;
            (2) promote the development of a vigorous academic research 
        community engaged in leading edge research on computer and 
        communications security;
            (3) reinforce the role of the National Institute of 
        Standards and Technology in ensuring the security of 
        unclassified information in Federal computer systems; and
            (4) promote technology solutions based on private sector 
        offerings to protect the security of Federal computer systems.

SEC. 3. RESEARCH ON THE SECURITY OF NETWORKED INFORMATION SYSTEMS.

    The National Institute of Standards and Technology Act is amended--
            (1) by moving section 22 to the end of the Act and 
        redesignating it as section 32; and
            (2) by inserting after section 21 the following new 
        section:

                           ``research program

    ``Sec. 22. (a) Establishment.--The Director shall establish a 
program to support research at institutions of higher education (where 
the term ``institution of higher education'' has the meaning given such 
term in section 101 of the Higher Education Act of 1965 (20 U.S.C. 
1001)), for-profit research organizations, or consortia of such 
institutions, to improve the security of networked information systems. 
The program shall--
            ``(1) include multidisciplinary, long-term, high-risk 
        research;
            ``(2) include directed research to address needs identified 
        through the activities of the Computer System Security and 
        Privacy Advisory Board under section 20(e)(2) of this Act; and
            ``(3) promote the development of a substantial academic 
        research community working at the leading edge of knowledge in 
        subject areas relevant to the security of networked information 
        systems.
    ``(b) Fellowships.--(1) In order to help meet the requirement of 
subsection (a)(3), the Director shall provide support for post-doctoral 
research fellowships and for senior research fellowships. Support for 
such fellowships shall be made available through research projects 
funded under the program established by subsection (a) and through a 
separate fellowship program described in paragraph (2) of this 
subsection. Senior fellowships shall be made available for established 
researchers who seek to change research fields and pursue studies 
related to the security of networked information systems.
    ``(2) The Director is authorized to establish a program to award 
post-doctoral research fellowships and senior research fellowships to 
individuals seeking research positions at institutions, including the 
Institute, engaged in research activities related to the security of 
networked information systems. To be eligible for an award under this 
paragraph, an individual shall submit an application to the Director at 
such time, in such manner, and containing such information as the 
Director may require.
    ``(3) Under this subsection, the Director is authorized to provide 
stipends for senior research fellowships at levels consistent with 
support for a faculty member in a sabbatical position and post-doctoral 
research fellowships at the level of the Institute's Post Doctoral 
Research Fellowship Program.
    ``(c) Awards; Applications.--The Director is authorized to award 
grants or cooperative agreements to institutions of higher education to 
carry out the program established under subsection (a). To be eligible 
for such an award, an institution of higher education shall submit an 
application to the Director at such time, in such manner, and 
containing such information as the Director may require. The 
application shall include a description of--
            ``(1) the number of graduate students anticipated to 
        participate in the research project and the level of support to 
        be provided to each;
            ``(2) the number of post-doctoral research fellowships 
        included under the project and the level of support to be 
        provided to each; and
            ``(3) the number of senior research fellows anticipated to 
        participate in the research project and the level of support to 
        be provided to each.
The Director shall ensure that a major consideration for making such 
awards shall be the emphasis and commitment demonstrated by the 
application to meeting the program requirement specified by subsection 
(a)(3).
    ``(d) Program Managers.--The Director shall designate employees of 
the Institute to serve as program managers for the program established 
under subsection (a). Program managers so designated shall be 
responsible for--
            ``(1) establishing broad research goals for the program and 
        publicizing the goals to the academic research community;
            ``(2) soliciting applications for specific research 
        projects to address the goals developed under paragraph (1);
            ``(3) selecting research projects for support under the 
        program from among applications submitted to the Institute, 
        following consideration of--
                    ``(A) the novelty and scientific and technical 
                merit of the proposed projects;
                    ``(B) the demonstrated capabilities of the 
                individual or individuals submitting the applications 
                to successfully carry out the proposed research; and
                    ``(C) other criteria determined by the Director, 
                based on information specified for inclusion in 
                applications under subsection (c); and
            ``(4) monitoring the progress of research projects 
        supported under the program.
    ``(e) Review of Program.--(1) The Director shall--
            ``(A) provide for periodic reviews by the senior staff of 
        the Institute of the portfolio of research awards monitored by 
        each program manager designated in accordance with subsection 
        (d); and
            ``(B) seek the advice of the Computer System Security and 
        Privacy Advisory Board, established under section 21, on the 
        appropriateness of the research goals and on the quality and 
        relevance of research projects managed by program managers in 
        accordance with subsection (d).
    ``(2) The Director shall also contract with the National Research 
Council for a comprehensive review of the program established under 
subsection (a) during the 5th year of the program. Such review shall 
include an assessment of the scientific quality of the research 
conducted, the relevance of the research results obtained to the goals 
of the program, and the progress of the program in promoting the 
development of a substantial academic research community working at the 
leading edge of knowledge in the field. The Director shall submit to 
Congress a report on the results of the review under this paragraph no 
later than six years after the initiation of the program.''.

SEC. 4. INTRAMURAL SECURITY RESEARCH.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is amended--
            (1) by redesignating subsection (d) as subsection (f); and
            (2) by inserting after subsection (c) the following new 
        subsection:
    ``(d) As part of the research activities conducted in accordance 
with subsection (b)(4), the Institute shall--
            ``(1) conduct research to address emerging technologies 
        associated with composing a networked computer system from 
        components while ensuring it maintains desired security 
        properties; and
            ``(2) carry out multidisciplinary, long-term, high-risk 
        research on ways to improve the security of networked 
        information systems.''.

SEC. 5. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to the Secretary of 
Commerce for the National Institute of Standards and Technology--
            (1) for activities under section 22 of the National 
        Institute of Standards and Technology Act, as added by section 
        3 of this Act, $25,000,000 for fiscal year 2003, $40,000,000 
        for fiscal year 2004, $55,000,000 for fiscal year 2005, 
        $70,000,000 for fiscal year 2006, $85,000,000 for fiscal year 
        2007, and such sums as may be necessary for fiscal years 2008 
        through 2012; and
            (2) for activities under section 20(d) of the National 
        Institute of Standards and Technology Act, as added by section 
        4 of this Act, $5,000,000 for fiscal year 2003, $5,200,000 for 
        fiscal year 2004, $5,400,000 for fiscal year 2005, $5,600,000 
        for fiscal year 2006, and $5,800,000 for fiscal year 2007.

SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
inserting after subsection (d), as added by section 4 of this Act, the 
following new subsection:
    ``(e)(1) The Institute shall solicit the recommendations of the 
Computer System Security and Privacy Advisory Board, established by 
section 21, regarding standards and guidelines that are being 
considered for submittal to the Secretary in accordance with subsection 
(a)(4). The recommendations of the Board shall accompany standards and 
guidelines submitted to the Secretary.
    ``(2) There are authorized to be appropriated to the Secretary 
$1,030,000 for fiscal year 2002 and $1,060,000 for fiscal year 2003 to 
enable the Computer System Security and Privacy Advisory Board, 
established by section 21, to identify emerging issues, including 
research needs, related to computer security, privacy, and cryptography 
and to convene public meetings on those subjects, receive 
presentations, and publish reports, digests, and summaries for public 
distribution on those subjects.''.