[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 1901 Introduced in Senate (IS)]

107th CONGRESS
  2d Session
                                S. 1901

To authorize the National Science Foundation and the National Security 
   Agency to establish programs to increase the number of qualified 
faculty teaching advanced courses and conducting research in the field 
               of cybersecurity, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 28, 2002

  Mr. Edwards introduced the following bill; which was read twice and 
  referred to the Committee on Health, Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
To authorize the National Science Foundation and the National Security 
   Agency to establish programs to increase the number of qualified 
faculty teaching advanced courses and conducting research in the field 
               of cybersecurity, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cybersecurity Research and Education 
Act of 2002''.

SEC. 2. FINDINGS.

    Congress finds that--
            (1) critical elements of the Nation's basic economic and 
        physical infrastructure rely on information technology for 
        effective functioning;
            (2) increased reliance on technology has left our Nation 
        vulnerable to the threat of cyberterrorism;
            (3) long-term research on practices, methods, and 
        technologies that will help ensure the safety of our 
        information infrastructure remains woefully inadequate;
            (4) there is a critical shortage of faculty at institutions 
        of higher education who specialize in disciplines related to 
        cybersecurity;
            (5) a vigorous scholarly community in fields related to 
        cybersecurity is necessary to help conduct research and 
        disseminate knowledge about the practical application of the 
        community's findings; and
            (6) universities in the United States award the Ph.D. 
        degree in computer sciences to approximately 1,000 individuals 
        each year, but of those awarded this degree, less than 0.3 
        percent specialize in cybersecurity and still fewer become 
        employed in faculty positions at institutions of higher 
        education.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Cybersecurity.--The term ``cybersecurity'' means 
        information assurance, including scientific, technical, 
        management, or any other relevant disciplines required to 
        ensure computer and network security, including, but not 
        limited to, a discipline related to the following functions:
                    (A) Secure system and network administration and 
                operations.
                    (B) Systems security engineering.
                    (C) Information assurance systems and product 
                acquisition.
                    (D) Cryptography.
                    (E) Threat and vulnerability assessment, including 
                risk management.
                    (F) Web security.
                    (G) Operations of computer emergency response 
                teams.
                    (H) Cybersecurity training, education, and 
                management.
                    (I) Computer forensics.
                    (J) Defensive information operations.
            (2) Cybersecurity infrastructure.--The term ``cybersecurity 
        infrastructure'' includes--
                    (A) equipment that is integral to research and 
                education capabilities in cybersecurity, including, but 
                not limited to--
                            (i) encryption devices;
                            (ii) network switches;
                            (iii) routers;
                            (iv) firewalls;
                            (v) wireless networking gear;
                            (vi) protocol analyzers;
                            (vii) file servers;
                            (viii) workstations;
                            (ix) biometric tools; and
                            (x) computers; and
                    (B) technology support staff (including graduate 
                students) that is integral to research and education 
                capabilities in cybersecurity.
            (3) Director.--The term ``Director'' means the Director of 
        the National Science Foundation.
            (4) Institution of higher education.--The term 
        ``institution of higher education'' has the meaning given the 
        term in section 101(a) of the Higher Education Act of 1965 (20 
        U.S.C. 1001(a)).
            (5) Other relevant discipline.--The term ``other relevant 
        discipline'' includes, but is not limited to, the following 
        fields as the fields specifically relate to securing 
        information infrastructures:
                    (A) Biometrics.
                    (B) Software engineering.
                    (C) Computer science and engineering.
                    (D) Law.
                    (E) Business management or administration.
                    (F) Psychology.
                    (G) Mathematics.
                    (H) Sociology.
            (6) Qualified institution.--The term ``qualified 
        institution'' means an institution of higher education that, at 
        the time of submission of an application pursuant to any of the 
        programs authorized by this Act--
                    (A) has offered, for not less than 3 years prior to 
                the date the application is submitted under this Act, a 
                minimum of 2 graduate courses in cybersecurity (not 
                including short-term special seminars or 1-time classes 
                offered by visitors);
                    (B) has not less than 3 faculty members who teach 
                cybersecurity courses--
                            (i) each of whom has published not less 
                        than 1 refereed cybersecurity research article 
                        in a journal or through a conference during the 
                        2-year period preceding the date of enactment 
                        of this Act;
                            (ii) at least 1 of whom is tenured; and
                            (iii) each of whom has demonstrated active 
                        engagement in the cybersecurity scholarly 
                        community during the 2-year period preceding 
                        the date of enactment of this Act, such as 
                        serving as an editor of a cybersecurity journal 
                        or participating on a program committee for a 
                        cybersecurity conference or workshop;
                    (C) has graduated not less than 1 Ph.D. scholar in 
                cybersecurity during the 2-year period preceding the 
                date of enactment of this Act; and
                    (D) has not less than 3 graduate students enrolled 
                who are pursuing a Ph.D. in cybersecurity.

SEC. 4. CYBERSECURITY GRADUATE FELLOWSHIP PROGRAM.

    (a) Purpose.--The purpose of this section is--
            (1) to encourage individuals to pursue academic careers in 
        cybersecurity upon the completion of doctoral degrees; and
            (2) to stimulate advanced study and research, at the 
        doctoral level, in complex, relevant, and important issues in 
        cybersecurity.
    (b) Establishment.--The Director is authorized to establish a 
Cybersecurity Fellowship Program (referred to in this section as the 
``fellowship program'') to annually award 3 to 5-year graduate 
fellowships to individuals for studies and research at the doctoral 
level in cybersecurity.
    (c) Cybersecurity Fellowship Program Advisory Board.--
            (1) Establishment.--There is established a Cybersecurity 
        Fellowship Program Advisory Board (referred to in this section 
        as the ``Board'').
            (2) Membership.--The Director shall appoint members of the 
        Board who shall include--
                    (A) not fewer than 3 full-time faculty members--
                            (i) each of whom teaches at an institution 
                        of higher education; and
                            (ii) each of whom has a specialty in 
                        cybersecurity; and
                    (B) not fewer than 2 research scientists employed 
                by a Federal agency with duties that include 
                cybersecurity activities.
            (3) Terms.--Members of the Board shall be appointed for 
        renewable 2-year terms.
    (d) Application.--Each individual desiring to receive a graduate 
fellowship under this section shall submit an application to the 
Director at such time, in such manner, and containing such information 
as the Director, in consultation with the Board, shall require.
    (e) Award.--The Director is authorized to award graduate 
fellowships under the fellowship program that shall--
            (1) be made available to individuals, through a competitive 
        selection process, for study at a qualified institution and in 
        accordance with the procedures established in subsection (h);
            (2) be in an amount that is sufficient to cover annual 
        tuition and fees for doctoral study at a qualified institution 
        for the duration of the graduate fellowship, and shall include, 
        in addition, an annual living stipend of $20,000; and
            (3) be for a duration of 3 to 5 years, the specific 
        duration of each graduate fellowship to be determined by the 
        Director in consultation with the Board on a case-by-case 
        basis.
    (f) Repayment.--Each graduate fellowship shall--
            (1) subject to paragraph (f)(2), be subject to full 
        repayment upon completion of the doctoral degree according to a 
        repayment schedule established and administered by the 
        Director;
            (2) be forgiven at the rate of 20 percent of the total 
        amount of graduate fellowship assistance received under this 
        section for each academic year that a recipient is employed as 
        a full-time faculty member at an institution of higher 
        education for a period not to exceed 5 years; and
            (3) be monitored by the Director to ensure compliance with 
        this section.
    (g) Eligibility.--To be eligible to receive a graduate fellowship 
under this section, an individual shall--
            (1) be a citizen of the United States;
            (2) be matriculated or eligible to be matriculated for 
        doctoral studies at a qualified institution; and
            (3) demonstrate a commitment to a career in higher 
        education.
    (h) Selection.--
            (1) In general.--The Director, in consultation with the 
        Board, shall select recipients for graduate fellowships.
            (2) Duties.--The Director, in consultation with the Board, 
        shall--
                    (A) establish criteria for a competitive selection 
                process for recipients of graduate fellowships;
                    (B) establish and promulgate an application process 
                for the fellowship program;
                    (C) receive applications for graduate fellowships;
                    (D) annually review applications and select 
                recipients of graduate fellowships; and
                    (E) establish and administer a repayment schedule 
                for recipients of graduate fellowships.
            (3) Consideration.--In making selections for graduate 
        fellowships, the Director, to the extent possible and in 
        consultation with the Board, shall consider applicants whose 
        interests are of an interdisciplinary nature, encompassing the 
        social scientific as well as technical dimensions of 
        cybersecurity.
    (i) Authorization of Appropriations.--There are authorized to be 
appropriated to carry out this section $5,000,000 for each of fiscal 
years 2003 through 2005, and such sums as may be necessary for each 
succeeding fiscal year.

SEC. 5. SABBATICAL FOR DISTINGUISHED FACULTY IN CYBERSECURITY.

    (a) Establishment.--The Director is authorized to award grants to 
institutions of higher education to enable faculty members who are 
teaching cybersecurity subjects to spend a sabbatical from teaching 
working at--
            (1) the National Security Agency;
            (2) the Department of Defense;
            (3) the National Institute of Standards and Technology;
            (4) a research laboratory supported by the Department of 
        Energy; or
            (5) a qualified institution.
    (b) Application.--Each institution of higher education desiring to 
receive a grant under this section shall submit an application to the 
Director at such time, in such manner, and containing such information 
as the Director shall require.
    (c) Grant Awards.--
            (1) In general.--The Director shall award a grant under 
        this section only if the National Science Foundation and the 
        agency or institution where the faculty member will spend the 
        sabbatical approve the sabbatical placement.
            (2) Number and duration.--For each fiscal year, the 
        Director shall award grants for not more than 25 sabbatical 
        positions that will each be for a 1-year period.
            (3) Amount of award.--
                    (A) In general.--Each institution of higher 
                education that is awarded a grant under this section 
                shall receive $250,000 for each faculty member who will 
                spend a sabbatical pursuant to the grant.
                    (B) Use of award.--The Director shall award a grant 
                under this section in 2 disbursements in the following 
                manner:
                            (i) First disbursement.--The first 
                        disbursement shall be made upon selection of a 
                        grant recipient and shall consist of the 
                        following:
                                    (I) $20,000 to provide a stipend 
                                for living expenses to each faculty 
                                member awarded a sabbatical under this 
                                section.
                                    (II) An amount sufficient for the 
                                grant recipient to hire a qualified 
                                replacement for the faculty member 
                                awarded a sabbatical under this section 
                                for the term of the sabbatical, if such 
                                a replacement is possible.
                            (ii) Second disbursement.--The second 
                        disbursement shall be made at the conclusion of 
                        the sabbatical, only if the faculty member 
                        completes the sabbatical in its entirety, and 
                        shall be used for the grant recipient's 
                        cybersecurity infrastructure needs, including--
                                    (I) acquiring equipment or 
                                technology;
                                    (II) hiring graduate students; or
                                    (III) supporting any other activity 
                                that will enhance the grant recipient's 
                                course offerings and research in 
                                cybersecurity.
    (d) Eligibility.--To be eligible to receive a grant under this 
section, an institution of higher education shall submit an application 
under subsection (b) that--
            (1) identifies the faculty member to whom the institution 
        of higher education will provide a sabbatical and ensures that 
        the faculty member is a citizen of the United States;
            (2) ensures that the faculty member to whom the institution 
        of higher education will provide a sabbatical is tenured at 
        that institution of higher education and meets general 
        standards of excellence in research or teaching; and
            (3) explains how the faculty member to whom the institution 
        of higher education will provide a sabbatical will--
                    (A) integrate into the faculty member's course 
                offerings knowledge related to cybersecurity that is 
                gained during the sabbatical; and
                    (B) in conjunction with the institution of higher 
                education, use the second disbursement of funds 
                available under subsection (c)(3)(B)(ii).
    (e) Authorization of Appropriations.--There is authorized to be 
appropriated to carry out this section $8,000,000 for each of fiscal 
years 2003 through 2005.

SEC. 6. ENHANCING CYBERSECURITY INFRASTRUCTURE.

    (a) Establishment.--The Director is authorized to award grants to 
qualified institutions to fund activities that provide, enhance, and 
facilitate acquisition of cybersecurity infrastructure at qualified 
institutions.
    (b) Use of Grant Award.--Each qualified institution that receives a 
grant under this section shall use the grant funds for needs 
specifically related to--
            (1) cybersecurity education and research; and
            (2) development efforts related to cybersecurity.
    (c) Matching Funds.--Each qualified institution that receives a 
grant under this section shall contribute to the activities assisted 
under this section non-Federal matching funds equal to not less than 25 
percent of the amount of the grant.
    (d) Authorization of Appropriations.--There is authorized to be 
appropriated to carry out this section $10,000,000 for each of fiscal 
years 2003 through 2005.

SEC. 7. CYBERSECURITY AWARENESS, TRAINING, AND EDUCATION PROGRAM.

    (a) Purpose.--The purpose of this section is to increase the 
quality of education and training in cybersecurity, thereby increasing 
the number of qualified students entering the field of cybersecurity to 
adequately address the Nation's increasing dependence on information 
technology and to defend the Nation's increasingly vulnerable 
information infrastructure.
    (b) Establishment.--The Director of the National Security Agency is 
authorized to award grants, on a competitive basis, to qualified 
institutions to establish Cybersecurity Awareness, Training, and 
Education Programs (referred to in this section as ``information 
programs'').
    (c) Application.--
            (1) In general.--Each qualified institution desiring to 
        receive a grant under this section shall submit an application 
        to the Director of the National Security Agency at such time, 
        in such manner, and accompanied by such information as the 
        Director of the National Security Agency shall require.
            (2) Plans.--Each application submitted pursuant to 
        paragraph (1) shall include a plan for establishing and 
        maintaining an information program under this section, 
        including a description of--
                    (A) the design, structure, and scope of the 
                proposed information program, including unique 
                qualities that may distinguish the proposed information 
                program from possible approaches of other qualified 
                institutions;
                    (B) research being conducted in the disciplines 
                encompassed by the plan;
                    (C) any integration of the information program with 
                other federally funded programs related to 
                cybersecurity education, such as the National Science 
                Foundation Scholarship for Service Program, the 
                Department of Defense Multidisciplinary Research 
                Program of the University Research Initiative, and the 
                Department of Defense Information Assurance Scholarship 
                Program;
                    (D) necessary costs for information infrastructure 
                to support the information program;
                    (E) how the qualified institution will protect the 
                integrity and security of the information 
                infrastructure and any student testing mechanisms; and
                    (F) other relevant information.
            (3) Collaboration.--A qualified institution desiring to 
        receive a grant under this section may propose collaboration 
        with other qualified institutions.
    (d) Grant Awards.--Each qualified institution that receives a grant 
under this section shall use the grant funds to--
            (1) establish or enhance a Center for Studies in 
        Cybersecurity Awareness, Training, and Education that shall--
                    (A) establish a professionally produced, web-based 
                collection of cybersecurity programs of instruction 
                that have been approved for general public 
                dissemination by the authors and owners of the 
                programs;
                    (B) maintain a web-based directory of cybersecurity 
                education and training related conferences and 
                symposia;
                    (C) sponsor the development of specific 
                instructional materials in cybersecurity and other 
                relevant disciplines, including--
                            (i) intrusion detection;
                            (ii) overview of information assurance;
                            (iii) ethical use of computing systems;
                            (iv) network security;
                            (v) cryptography;
                            (vi) risk management;
                            (vii) malicious logic; and
                            (viii) system security engineering;
                    (D) sponsor cybersecurity education symposia;
                    (E) collaborate with the National Colloquium for 
                Information Assurance Education;
                    (F) create a ``Virtual Academy'' for sharing 
                courseware and laboratory exercises in cybersecurity; 
                and
                    (G) review and participate in integrating various 
                cybersecurity education and training standards into 
                unified curricula; and
            (2) establish or enhance a Center for the Development of 
        Faculty in Cybersecurity that shall--
                    (A) establish criteria for recognition and 
                certification of cybersecurity trainers and educators;
                    (B) establish faculty training outreach to teachers 
                in kindergarten through grade 12 and to faculty of part 
                B institutions (as defined in section 322 of the Higher 
                Education Act of 1965 (20 U.S.C. 1061));
                    (C) build, test, and evaluate laboratory exercises 
                that represent use of model practices in cybersecurity 
                for use in training and education programs; and
                    (D) establish an integrated program to include the 
                programs described in this paragraph and paragraph (1).
    (e) Authorization of Appropriations.--There are authorized to be 
appropriated to carry out this section--
            (1) $1,500,000 for fiscal year 2003;
            (2) $2,000,000 for fiscal year 2004;
            (3) $3,000,000 for fiscal year 2005; and
            (4) $4,500,000 for fiscal year 2006.

SEC. 8. CYBERSECURITY WORKFORCE AND FACILITIES STUDY.

    (a) Study.--The Comptroller General shall conduct a study and 
collect data on the following:
            (1) The cybersecurity workforce, including--
                    (A) the size and nature of the cybersecurity 
                workforce by occupation category (including academic 
                faculty at institutions of higher education), level of 
                education and training, personnel demographics, and 
                industry characteristics; and
                    (B) the role of foreign workers in the 
                cybersecurity workforce.
            (2) Academic cybersecurity research facilities, including--
                    (A) total academic research space available or 
                utilized for research relating to cybersecurity;
                    (B) academic research space relating to 
                cybersecurity that is in need of major repair or 
                renovation;
                    (C) new or ongoing projects at institutions of 
                higher education expected to produce new or renovated 
                research space to be used for research relating to 
                cybersecurity; and
                    (D) any research space needs related to 
                cybersecurity and based on projections of growth in 
                educational programs and research, including costs and 
                initiatives required to meet such needs and possible 
                consequences of failure to meet such needs.
            (3) Other information that the Comptroller General 
        determines appropriate.
    (b) Report.--Not later than 6 months after the date of enactment of 
this Act, and biennially thereafter, the Comptroller General shall 
prepare and submit a report on the study conducted pursuant to 
subsection (a) to the--
            (1) Committee on Health, Education, Labor and Pensions of 
        the Senate; and
            (2) Committee on Education and the Workforce of the House 
        of Representatives.