[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 2182 Reported in Senate (RS)]






                                                       Calendar No. 549
107th CONGRESS
  2d Session
                                S. 2182

                          [Report No. 107-239]

  To authorize funding for computer and network security research and 
 development and research fellowship programs, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 17, 2002

  Mr. Wyden (for himself, Mr. Allen, and Mrs. Clinton) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

                             August 1, 2002

              Reported by Mr. Hollings, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
  To authorize funding for computer and network security research and 
 development and research fellowship programs, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Cyber Security Research and 
Development Act''.</DELETED>

<DELETED>SEC. 2. FINDINGS.</DELETED>

<DELETED>    The Congress finds the following:</DELETED>
        <DELETED>    (1) Revolutionary advancements in computing and 
        communications technology have interconnected government, 
        commercial, scientific, and educational infrastructures--
        including critical infrastructures for electric power, natural 
        gas and petroleum production and distribution, 
        telecommunications, transportation, water supply, banking and 
        finance, and emergency and government services--in a vast, 
        interdependent physical and electronic network.</DELETED>
        <DELETED>    (2) Exponential increases in interconnectivity 
        have facilitated enhanced communications, economic growth, and 
        the delivery of services critical to the public welfare, but 
        have also increased the consequences of temporary or prolonged 
        failure.</DELETED>
        <DELETED>    (3) A Department of Defense Joint Task Force 
        concluded after a 1997 United States information warfare 
        exercise that the results ``clearly demonstrated our lack of 
        preparation for a coordinated cyber and physical attack on our 
        critical military and civilian infrastructure''.</DELETED>
        <DELETED>    (4) Computer security technology and systems 
        implementation lack--</DELETED>
                <DELETED>    (A) sufficient long term research 
                funding;</DELETED>
                <DELETED>    (B) adequate coordination across Federal 
                and State government agencies and among government, 
                academia, and industry; and</DELETED>
                <DELETED>    (C) sufficient numbers of outstanding 
                researchers in the field.</DELETED>
        <DELETED>    (5) Accordingly, Federal investment in computer 
        and network security research and development must be 
        significantly increased to--</DELETED>
                <DELETED>    (A) improve vulnerability assessment and 
                technological and systems solutions;</DELETED>
                <DELETED>    (B) expand and improve the pool of 
                information security professionals, including 
                researchers, in the United States workforce; 
                and</DELETED>
                <DELETED>    (C) better coordinate information sharing 
                and collaboration among industry, government, and 
                academic research projects.</DELETED>

<DELETED>SEC. 3. DEFINITIONS.</DELETED>

<DELETED>    For purposes of this Act--</DELETED>
        <DELETED>    (1) the term ``Director'' means the Director of 
        the National Science Foundation; and</DELETED>
        <DELETED>    (2) the term ``institution of higher education'' 
        has the meaning given that term in section 101 of the Higher 
        Education Act of 1965 (20 U.S.C. 1001).</DELETED>

<DELETED>SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.</DELETED>

<DELETED>    (a) Computer and Network Security Research Grants.--
</DELETED>
        <DELETED>    (1) In general.--The Director shall award grants 
        for basic research on innovative approaches to the structure of 
        computer and network hardware and software that are aimed at 
        enhancing computer security. Research areas may include--
        </DELETED>
                <DELETED>    (A) authentication and 
                cryptography;</DELETED>
                <DELETED>    (B) computer forensics and intrusion 
                detection;</DELETED>
                <DELETED>    (C) reliability of computer and network 
                applications, middleware, operating systems, and 
                communications infrastructure;</DELETED>
                <DELETED>    (D) privacy and confidentiality;</DELETED>
                <DELETED>    (E) firewall technology;</DELETED>
                <DELETED>    (F) emerging threats, including malicious 
                software such as viruses and worms;</DELETED>
                <DELETED>    (G) vulnerability assessments;</DELETED>
                <DELETED>    (H) operations and control systems 
                management; and</DELETED>
                <DELETED>    (I) management of interoperable digital 
                certificates or digital watermarking.</DELETED>
        <DELETED>    (2) Merit review; competition.--Grants shall be 
        awarded under this section on a merit-reviewed competitive 
        basis.</DELETED>
        <DELETED>    (3) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation to carry out this subsection--</DELETED>
                <DELETED>    (A) $35,000,000 for fiscal year 
                2003;</DELETED>
                <DELETED>    (B) $40,000,000 for fiscal year 
                2004;</DELETED>
                <DELETED>    (C) $46,000,000 for fiscal year 
                2005;</DELETED>
                <DELETED>    (D) $52,000,000 for fiscal year 2006; 
                and</DELETED>
                <DELETED>    (E) $60,000,000 for fiscal year 
                2007.</DELETED>
<DELETED>    (b) Computer and Network Security Research Centers.--
</DELETED>
        <DELETED>    (1) In general.--The Director shall award 
        multiyear grants, subject to the availability of 
        appropriations, to institutions of higher education (or 
        consortia thereof) to establish multidisciplinary Centers for 
        Computer and Network Security Research. Institutions of higher 
        education (or consortia thereof) receiving such grants may 
        partner with one or more government laboratories or for-profit 
        institutions.</DELETED>
        <DELETED>    (2) Merit review; competition.--Grants shall be 
        awarded under this subsection on a merit-reviewed competitive 
        basis.</DELETED>
        <DELETED>    (3) Purpose.--The purpose of the Centers shall be 
        to generate innovative approaches to computer and network 
        security by conducting cutting-edge, multidisciplinary research 
        in computer and network security, including the research areas 
        described in subsection (a)(1).</DELETED>
        <DELETED>    (4) Applications.--An institution of higher 
        education (or a consortium of such institutions) seeking 
        funding under this subsection shall submit an application to 
        the Director at such time, in such manner, and containing such 
        information as the Director may require. The application shall 
        include, at a minimum, a description of--</DELETED>
                <DELETED>    (A) the research projects that will be 
                undertaken by the Center and the contributions of each 
                of the participating entities;</DELETED>
                <DELETED>    (B) how the Center will promote active 
                collaboration among scientists and engineers from 
                different disciplines, such as computer scientists, 
                engineers, mathematicians, and social science 
                researchers;</DELETED>
                <DELETED>    (C) how the Center will contribute to 
                increasing the number of computer and network security 
                researchers and other professionals; and</DELETED>
                <DELETED>    (D) how the center will disseminate 
                research results quickly and widely to improve 
                cybersecurity in information technology networks, 
                products, and services.</DELETED>
        <DELETED>    (5) Criteria.--In evaluating the applications 
        submitted under paragraph (4), the Director shall consider, at 
        a minimum--</DELETED>
                <DELETED>    (A) the ability of the applicant to 
                generate innovative approaches to computer and network 
                security and effectively carry out the research 
                program;</DELETED>
                <DELETED>    (B) the experience of the applicant in 
                conducting research on computer and network security 
                and the capacity of the applicant to foster new 
                multidisciplinary collaborations;</DELETED>
                <DELETED>    (C) the capacity of the applicant to 
                attract and provide adequate support for undergraduate 
                and graduate students and postdoctoral fellows to 
                pursue computer and network security research; 
                and</DELETED>
                <DELETED>    (D) the extent to which the applicant will 
                partner with government laboratories or for-profit 
                entities, and the role the government laboratories or 
                for-profit entities will play in the research 
                undertaken by the Center.</DELETED>
        <DELETED>    (6) Annual meeting.--The Director shall convene an 
        annual meeting of the Centers in order to foster collaboration 
        and communication between Center participants.</DELETED>
        <DELETED>    (7) Authorization of appropriations.--There are 
        authorized to be appropriated for the National Science 
        Foundation to carry out this subsection--</DELETED>
                <DELETED>    (A) $12,000,000 for fiscal year 
                2003;</DELETED>
                <DELETED>    (B) $24,000,000 for fiscal year 
                2004;</DELETED>
                <DELETED>    (C) $36,000,000 for fiscal year 
                2005;</DELETED>
                <DELETED>    (D) $36,000,000 for fiscal year 2006; 
                and</DELETED>
                <DELETED>    (E) $36,000,000 for fiscal year 
                2007.</DELETED>

<DELETED>SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK 
              SECURITY PROGRAMS.</DELETED>

<DELETED>    (a) Computer and Network Security Capacity Building 
Grants.--</DELETED>
        <DELETED>    (1) In general.--The Director shall establish a 
        program to award grants to institutions of higher education (or 
        consortia thereof) to establish or improve undergraduate and 
        master's degree programs in computer and network security, to 
        increase the number of students who pursue undergraduate or 
        master's degrees in fields related to computer and network 
        security, and to provide students with experience in government 
        or industry related to their computer and network security 
        studies.</DELETED>
        <DELETED>    (2) Merit review.--Grants shall be awarded under 
        this subsection on a merit-reviewed competitive 
        basis.</DELETED>
        <DELETED>    (3) Use of funds.--Grants awarded under this 
        subsection shall be used for activities that enhance the 
        ability of an institution of higher education (or consortium 
        thereof) to provide high-quality undergraduate and master's 
        degree programs in computer and network security and to recruit 
        and retain increased numbers of students to such programs. 
        Activities may include--</DELETED>
                <DELETED>    (A) revising curriculum to better prepare 
                undergraduate and master's degree students for careers 
                in computer and network security;</DELETED>
                <DELETED>    (B) establishing degree and certificate 
                programs in computer and network security;</DELETED>
                <DELETED>    (C) creating opportunities for 
                undergraduate students to participate in computer and 
                network security research projects;</DELETED>
                <DELETED>    (D) acquiring equipment necessary for 
                student instruction in computer and network security, 
                including the installation of testbed networks for 
                student use;</DELETED>
                <DELETED>    (E) providing opportunities for faculty to 
                work with local or Federal Government agencies, private 
                industry, or other academic institutions to develop new 
                expertise or to formulate new research directions in 
                computer and network security;</DELETED>
                <DELETED>    (F) establishing collaborations with other 
                academic institutions or departments that seek to 
                establish, expand, or enhance programs in computer and 
                network security;</DELETED>
                <DELETED>    (G) establishing student internships in 
                computer and network security at government agencies or 
                in private industry;</DELETED>
                <DELETED>    (H) establishing or enhancing bridge 
                programs in computer and network security between 
                community colleges and universities; and</DELETED>
                <DELETED>    (I) any other activities the Director 
                determines will accomplish the goals of this 
                subsection.</DELETED>
        <DELETED>    (4) Selection process.--</DELETED>
                <DELETED>    (A) Application.--An institution of higher 
                education (or a consortium thereof) seeking funding 
                under this subsection shall submit an application to 
                the Director at such time, in such manner, and 
                containing such information as the Director may 
                require. The application shall include, at a minimum--
                </DELETED>
                        <DELETED>    (i) a description of the 
                        applicant's computer and network security 
                        research and instructional capacity, and in the 
                        case of an application from a consortium of 
                        institutions of higher education, a description 
                        of the role that each member will play in 
                        implementing the proposal;</DELETED>
                        <DELETED>    (ii) a comprehensive plan by which 
                        the institution or consortium will build 
                        instructional capacity in computer and 
                        information security;</DELETED>
                        <DELETED>    (iii) a description of relevant 
                        collaborations with government agencies or 
                        private industry that inform the instructional 
                        program in computer and network 
                        security;</DELETED>
                        <DELETED>    (iv) a survey of the applicant's 
                        historic student enrollment and placement data 
                        in fields related to computer and network 
                        security and a study of potential enrollment 
                        and placement for students enrolled in the 
                        proposed computer and network security program; 
                        and</DELETED>
                        <DELETED>    (v) a plan to evaluate the success 
                        of the proposed computer and network security 
                        program, including post-graduation assessment 
                        of graduate school and job placement and 
                        retention rates as well as the relevance of the 
                        instructional program to graduate study and to 
                        the workplace.</DELETED>
                <DELETED>    (B) Awards.--(i) The Director shall 
                ensure, to the extent practicable, that grants are 
                awarded under this subsection in a wide range of 
                geographic areas and categories of institutions of 
                higher education.</DELETED>
                <DELETED>    (ii) The Director shall award grants under 
                this subsection for a period not to exceed 5 
                years.</DELETED>
        <DELETED>    (5) Assessment required.--The Director shall 
        evaluate the program established under this subsection no later 
        than 6 years after the establishment of the program. At a 
        minimum, the Director shall evaluate the extent to which the 
        grants achieved their objectives of increasing the quality and 
        quantity of students pursuing undergraduate or master's degrees 
        in computer and network security.</DELETED>
        <DELETED>    (6) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation to carry out this subsection--</DELETED>
                <DELETED>    (A) $15,000,000 for fiscal year 
                2003;</DELETED>
                <DELETED>    (B) $20,000,000 for fiscal year 
                2004;</DELETED>
                <DELETED>    (C) $20,000,000 for fiscal year 
                2005;</DELETED>
                <DELETED>    (D) $20,000,000 for fiscal year 2006; 
                and</DELETED>
                <DELETED>    (E) $20,000,000 for fiscal year 
                2007.</DELETED>
<DELETED>    (b) Scientific and Advanced Technology Act of 1992.--
</DELETED>
        <DELETED>    (1) Grants.--The Director shall provide grants 
        under the Scientific and Advanced Technology Act of 1992 for 
        the purposes of section 3(a) and (b) of that Act, except that 
        the activities supported pursuant to this subsection shall be 
        limited to improving education in fields related to computer 
        and network security.</DELETED>
        <DELETED>    (2) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation to carry out this subsection--</DELETED>
                <DELETED>    (A) $1,000,000 for fiscal year 
                2003;</DELETED>
                <DELETED>    (B) $1,250,000 for fiscal year 
                2004;</DELETED>
                <DELETED>    (C) $1,250,000 for fiscal year 
                2005;</DELETED>
                <DELETED>    (D) $1,250,000 for fiscal year 2006; 
                and</DELETED>
                <DELETED>    (E) $1,250,000 for fiscal year 
                2007.</DELETED>
<DELETED>    (c) Graduate Traineeships in Computer and Network Security 
Research.--</DELETED>
        <DELETED>    (1) In general.--The Director shall establish a 
        program to award grants to institutions of higher education to 
        establish traineeship programs for graduate students who pursue 
        computer and network security research leading to a doctorate 
        degree by providing funding and other assistance, and by 
        providing graduate students with research experience in 
        government or industry related to the students' computer and 
        network security studies.</DELETED>
        <DELETED>    (2) Merit review.--Grants shall be provided under 
        this subsection on a merit-reviewed competitive 
        basis.</DELETED>
        <DELETED>    (3) Use of funds.--An institution of higher 
        education shall use grant funds for the purposes of--</DELETED>
                <DELETED>    (A) providing fellowships to students who 
                are citizens, nationals, or lawfully admitted permanent 
                resident aliens of the United States and are pursuing 
                research in computer or network security leading to a 
                doctorate degree;</DELETED>
                <DELETED>    (B) paying tuition and fees for students 
                receiving fellowships under subparagraph (A);</DELETED>
                <DELETED>    (C) establishing scientific internship 
                programs for students receiving fellowships under 
                subparagraph (A) in computer and network security at 
                for-profit institutions or government laboratories; 
                and</DELETED>
                <DELETED>    (D) other costs associated with the 
                administration of the program.</DELETED>
        <DELETED>    (4) Fellowship amount.--Fellowships provided under 
        paragraph (3)(A) shall be in the amount of $25,000 per year, or 
        the level of the National Science Foundation Graduate Research 
        Fellowships, whichever is greater, for up to 3 years.</DELETED>
        <DELETED>    (5) Selection process.--An institution of higher 
        education seeking funding under this subsection shall submit an 
        application to the Director at such time, in such manner, and 
        containing such information as the Director may require. The 
        application shall include, at a minimum, a description of--
        </DELETED>
                <DELETED>    (A) the instructional program and research 
                opportunities in computer and network security 
                available to graduate students at the applicant's 
                institution; and</DELETED>
                <DELETED>    (B) the internship program to be 
                established, including the opportunities that will be 
                made available to students for internships at for-
                profit institutions and government 
                laboratories.</DELETED>
        <DELETED>    (6) Review of applications.--In evaluating the 
        applications submitted under paragraph (5), the Director shall 
        consider--</DELETED>
                <DELETED>    (A) the ability of the applicant to 
                effectively carry out the proposed program;</DELETED>
                <DELETED>    (B) the quality of the applicant's 
                existing research and education programs;</DELETED>
                <DELETED>    (C) the likelihood that the program will 
                recruit increased numbers of students to pursue and 
                earn doctorate degrees in computer and network 
                security;</DELETED>
                <DELETED>    (D) the nature and quality of the 
                internship program established through collaborations 
                with government laboratories and for-profit 
                institutions;</DELETED>
                <DELETED>    (E) the integration of internship 
                opportunities into graduate students' research; 
                and</DELETED>
                <DELETED>    (F) the relevance of the proposed program 
                to current and future computer and network security 
                needs.</DELETED>
        <DELETED>    (7) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation to carry out this subsection--</DELETED>
                <DELETED>    (A) $10,000,000 for fiscal year 
                2003;</DELETED>
                <DELETED>    (B) $20,000,000 for fiscal year 
                2004;</DELETED>
                <DELETED>    (C) $20,000,000 for fiscal year 
                2005;</DELETED>
                <DELETED>    (D) $20,000,000 for fiscal year 2006; 
                and</DELETED>
                <DELETED>    (E) $20,000,000 for fiscal year 
                2007.</DELETED>
<DELETED>    (d) Graduate Research Fellowships Program Support.--
Computer and network security shall be included among the fields of 
specialization supported by the National Science Foundation's Graduate 
Research Fellowships program under section 10 of the National Science 
Foundation Act of 1950 (42 U.S.C. 1869).</DELETED>

<DELETED>SEC. 6. CONSULTATION.</DELETED>

<DELETED>    In carrying out sections 4 and 5, the Director shall 
consult with other Federal agencies.</DELETED>

<DELETED>SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND 
              NETWORK SECURITY.</DELETED>

<DELETED>    Section 3(a) of the National Science Foundation Act of 
1950 (42 U.S.C. 1862(a)) is amended--</DELETED>
        <DELETED>    (1) by striking ``and'' at the end of paragraph 
        (6);</DELETED>
        <DELETED>    (2) by striking the period at the end of paragraph 
        (7) and inserting ``; and''; and</DELETED>
        <DELETED>    (3) by adding at the end the following new 
        paragraph:</DELETED>
        <DELETED>    ``(8) to take a leading role in fostering and 
        supporting research and education activities to improve the 
        security of networked information systems.''.</DELETED>

<DELETED>SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 
              RESEARCH PROGRAM.</DELETED>

<DELETED>    The National Institute of Standards and Technology Act is 
amended--</DELETED>
        <DELETED>    (1) by moving section 22 to the end of the Act and 
        redesignating it as section 32;</DELETED>
        <DELETED>    (2) by inserting after section 21 the following 
        new section:</DELETED>

 <DELETED>``research program on security of computer systems</DELETED>

<DELETED>    ``Sec. 22. (a) Establishment.--The Director shall 
establish a program of assistance to institutions of higher education 
that enter into partnerships with for-profit entities to support 
research to improve the security of computer systems. The partnerships 
may also include government laboratories. The program shall--</DELETED>
        <DELETED>    ``(1) include multidisciplinary, long-term, high-
        risk research;</DELETED>
        <DELETED>    ``(2) include research directed toward addressing 
        needs identified through the activities of the Computer System 
        Security and Privacy Advisory Board under section 20(f); 
        and</DELETED>
        <DELETED>    ``(3) promote the development of a robust research 
        community working at the leading edge of knowledge in subject 
        areas relevant to the security of computer systems by providing 
        support for graduate students, post-doctoral researchers, and 
        senior researchers.</DELETED>
<DELETED>    ``(b) Fellowships.--(1) The Director is authorized to 
establish a program to award post-doctoral research fellowships to 
individuals who are citizens, nationals, or lawfully admitted permanent 
resident aliens of the United States and are seeking research positions 
at institutions, including the Institute, engaged in research 
activities related to the security of computer systems, including the 
research areas described in section 4(a)(1) of the Cyber Security 
Research and Development Act.</DELETED>
<DELETED>    ``(2) The Director is authorized to establish a program to 
award senior research fellowships to individuals seeking research 
positions at institutions, including the Institute, engaged in research 
activities related to the security of computer systems, including the 
research areas described in section 4(a)(1) of the Cyber Security 
Research and Development Act. Senior research fellowships shall be made 
available for established researchers at institutions of higher 
education who seek to change research fields and pursue studies related 
to the security of computer systems.</DELETED>
<DELETED>    ``(3)(A) To be eligible for an award under this 
subsection, an individual shall submit an application to the Director 
at such time, in such manner, and containing such information as the 
Director may require.</DELETED>
<DELETED>    ``(B) Under this subsection, the Director is authorized to 
provide stipends for post-doctoral research fellowships at the level of 
the Institute's Post Doctoral Research Fellowship Program and senior 
research fellowships at levels consistent with support for a faculty 
member in a sabbatical position.</DELETED>
<DELETED>    ``(c) Awards; Applications.--The Director is authorized to 
award grants or cooperative agreements to institutions of higher 
education to carry out the program established under subsection (a). To 
be eligible for an award under this section, an institution of higher 
education shall submit an application to the Director at such time, in 
such manner, and containing such information as the Director may 
require. The application shall include, at a minimum, a description 
of--</DELETED>
        <DELETED>    ``(1) the number of graduate students anticipated 
        to participate in the research project and the level of support 
        to be provided to each;</DELETED>
        <DELETED>    ``(2) the number of post-doctoral research 
        positions included under the research project and the level of 
        support to be provided to each;</DELETED>
        <DELETED>    ``(3) the number of individuals, if any, intending 
        to change research fields and pursue studies related to the 
        security of computer systems to be included under the research 
        project and the level of support to be provided to each; 
        and</DELETED>
        <DELETED>    ``(4) how the for-profit entities and any other 
        partners will participate in developing and carrying out the 
        research and education agenda of the partnership.</DELETED>
<DELETED>    ``(d) Program Operation.--(1) The program established 
under subsection (a) shall be managed by individuals who shall have 
both expertise in research related to the security of computer systems 
and knowledge of the vulnerabilities of existing computer systems. The 
Director shall designate such individuals as program 
managers.</DELETED>
<DELETED>    ``(2) Program managers designated under paragraph (1) may 
be new or existing employees of the Institute or individuals on 
assignment at the Institute under the Intergovernmental Personnel Act 
of 1970.</DELETED>
<DELETED>    ``(3) Program managers designated under paragraph (1) 
shall be responsible for--</DELETED>
        <DELETED>    ``(A) establishing and publicizing the broad 
        research goals for the program;</DELETED>
        <DELETED>    ``(B) soliciting applications for specific 
        research projects to address the goals developed under 
        subparagraph (A);</DELETED>
        <DELETED>    ``(C) selecting research projects for support 
        under the program from among applications submitted to the 
        Institute, following consideration of--</DELETED>
                <DELETED>    ``(i) the novelty and scientific and 
                technical merit of the proposed projects;</DELETED>
                <DELETED>    ``(ii) the demonstrated capabilities of 
                the individual or individuals submitting the 
                applications to successfully carry out the proposed 
                research;</DELETED>
                <DELETED>    ``(iii) the impact the proposed projects 
                will have on increasing the number of computer security 
                researchers;</DELETED>
                <DELETED>    ``(iv) the nature of the participation by 
                for-profit entities and the extent to which the 
                proposed projects address the concerns of industry; 
                and</DELETED>
                <DELETED>    ``(v) other criteria determined by the 
                Director, based on information specified for inclusion 
                in applications under subsection (c); and</DELETED>
        <DELETED>    ``(D) monitoring the progress of research projects 
        supported under the program.</DELETED>
<DELETED>    ``(e) Review of Program.--(1) The Director shall 
periodically review the portfolio of research awards monitored by each 
program manager designated in accordance with subsection (d). In 
conducting those reviews, the Director shall seek the advice of the 
Computer System Security and Privacy Advisory Board, established under 
section 21, on the appropriateness of the research goals and on the 
quality and utility of research projects managed by program managers in 
accordance with subsection (d).</DELETED>
<DELETED>    ``(2) The Director shall also contract with the National 
Research Council for a comprehensive review of the program established 
under subsection (a) during the 5th year of the program. Such review 
shall include an assessment of the scientific quality of the research 
conducted, the relevance of the research results obtained to the goals 
of the program established under subsection (d)(3)(A), and the progress 
of the program in promoting the development of a substantial academic 
research community working at the leading edge of knowledge in the 
field. The Director shall submit to Congress a report on the results of 
the review under this paragraph no later than six years after the 
initiation of the program.</DELETED>
<DELETED>    ``(f) Definitions.--For purposes of this section--</DELETED>
        <DELETED>    ``(1) the term `computer system' has the meaning 
        given that term in section 20(d)(1); and</DELETED>
        <DELETED>    ``(2) the term `institution of higher education' 
        has the meaning given that term in section 101 of the Higher 
        Education Act of 1965 (20 U.S.C. 1001).''; and</DELETED>
        <DELETED>    (3) in section 20(d)(1)(B)(i) (15 U.S.C. 
        278g-3(d)(1)(B)(i)), by inserting ``and computer networks'' after 
        ``computers''.</DELETED>

<DELETED>SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND 
              INFORMATION.</DELETED>

<DELETED>    Section 20 of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3) is amended by adding at the end the 
following new subsection:</DELETED>
<DELETED>    ``(f) There are authorized to be appropriated to the 
Secretary $1,060,000 for fiscal year 2003 and $1,090,000 for fiscal 
year 2004 to enable the Computer System Security and Privacy Advisory 
Board, established by section 21, to identify emerging issues, 
including research needs, related to computer security, privacy, and 
cryptography and, as appropriate, to convene public meetings on those 
subjects, receive presentations, and publish reports, digests, and 
summaries for public distribution on those subjects.''.</DELETED>

<DELETED>SEC. 10. INTRAMURAL SECURITY RESEARCH.</DELETED>

<DELETED>    Section 20 of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3) is further amended--</DELETED>
        <DELETED>    (1) by redesignating subsection (d) as subsection 
        (e); and</DELETED>
        <DELETED>    (2) by inserting after subsection (c) the 
        following new subsection:</DELETED>
<DELETED>    ``(d) As part of the research activities conducted in 
accordance with subsection (b)(4), the Institute shall--</DELETED>
        <DELETED>    ``(1) conduct a research program to address 
        emerging technologies associated with assembling a networked 
        computer system from components while ensuring it maintains 
        desired security properties;</DELETED>
        <DELETED>    ``(2) carry out research associated with improving 
        the security of real-time computing and communications systems 
        for use in process control; and</DELETED>
        <DELETED>    ``(3) carry out multidisciplinary, long-term, 
        high-risk research on ways to improve the security of computer 
        systems.''.</DELETED>

<DELETED>SEC. 11. AUTHORIZATION OF APPROPRIATIONS.</DELETED>

<DELETED>    There are authorized to be appropriated to the Secretary 
of Commerce for the National Institute of Standards and Technology--</DELETED>
        <DELETED>    (1) for activities under section 22 of the 
        National Institute of Standards and Technology Act, as added by 
        section 8 of this Act--</DELETED>
                <DELETED>    (A) $25,000,000 for fiscal year 
                2003;</DELETED>
                <DELETED>    (B) $40,000,000 for fiscal year 
                2004;</DELETED>
                <DELETED>    (C) $55,000,000 for fiscal year 
                2005;</DELETED>
                <DELETED>    (D) $70,000,000 for fiscal year 
                2006;</DELETED>
                <DELETED>    (E) $85,000,000 for fiscal year 2007; 
                and</DELETED>
                <DELETED>    (F) such sums as may be necessary for 
                fiscal years 2008 through 2012; and</DELETED>
        <DELETED>    (2) for activities under section 20(d) of the 
        National Institute of Standards and Technology Act, as added by 
        section 10 of this Act--</DELETED>
                <DELETED>    (A) $6,000,000 for fiscal year 
                2003;</DELETED>
                <DELETED>    (B) $6,200,000 for fiscal year 
                2004;</DELETED>
                <DELETED>    (C) $6,400,000 for fiscal year 
                2005;</DELETED>
                <DELETED>    (D) $6,600,000 for fiscal year 2006; 
                and</DELETED>
                <DELETED>    (E) $6,800,000 for fiscal year 
                2007.</DELETED>

<DELETED>SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND 
              NETWORK SECURITY IN CRITICAL INFRASTRUCTURES.</DELETED>

<DELETED>    (a) Study.--Not later than 3 months after the date of the 
enactment of this Act, the Director of the National Institute of 
Standards and Technology shall enter into an arrangement with the 
National Research Council of the National Academy of Sciences to 
conduct a study of the vulnerabilities of the Nation's network 
infrastructure and make recommendations for appropriate improvements. 
The National Research Council shall--</DELETED>
        <DELETED>    (1) review existing studies and associated data on 
        the architectural, hardware, and software vulnerabilities and 
        interdependencies in United States critical infrastructure 
        networks;</DELETED>
        <DELETED>    (2) identify and assess gaps in technical 
        capability for robust critical infrastructure network security, 
        and make recommendations for research priorities and resource 
        requirements; and</DELETED>
        <DELETED>    (3) review any and all other essential elements of 
        computer and network security, including security of industrial 
        process controls, to be determined in the conduct of the 
        study.</DELETED>
<DELETED>    (b) Report.--The Director of the National Institute of 
Standards and Technology shall transmit a report containing the results 
of the study and recommendations required by subsection (a) to the 
Congress not later than 21 months after the date of enactment of this 
Act.</DELETED>
<DELETED>    (c) Security.--The Director of the National Institute of 
Standards and Technology shall ensure that no information that is 
classified is included in any publicly released version of the report 
required by this section.</DELETED>
<DELETED>    (d) Authorization of Appropriations.--There are authorized 
to be appropriated to the Secretary of Commerce for the National 
Institute of Standards and Technology for the purposes of carrying out 
this section, $700,000.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Security Research and 
Development Act''.

SEC. 2. FINDINGS.

    The Congress finds the following:
            (1) Revolutionary advancements in computing and 
        communications technology have interconnected government, 
        commercial, scientific, and educational infrastructures--
        including critical infrastructures for electric power, natural 
        gas and petroleum production and distribution, 
        telecommunications, transportation, water supply, banking and 
        finance, and emergency and government services--in a vast, 
        interdependent physical and electronic network.
            (2) Exponential increases in interconnectivity have 
        facilitated enhanced communications, economic growth, and the 
        delivery of services critical to the public welfare, but have 
        also increased the consequences of temporary or prolonged 
        failure.
            (3) A Department of Defense Joint Task Force concluded 
        after a 1997 United States information warfare exercise that 
        the results ``clearly demonstrated our lack of preparation for 
        a coordinated cyber and physical attack on our critical 
        military and civilian infrastructure''.
            (4) Computer security technology and systems implementation 
        lack--
                    (A) sufficient long term research funding;
                    (B) adequate coordination across Federal and State 
                government agencies and among government, academia, and 
                industry; and
                    (C) sufficient numbers of outstanding researchers 
                in the field.
            (5) Accordingly, Federal investment in computer and network 
        security research and development must be significantly 
        increased to--
                    (A) improve vulnerability assessment and 
                technological and systems solutions;
                    (B) expand and improve the pool of information 
                security professionals, including researchers, in the 
                United States workforce; and
                    (C) better coordinate information sharing and 
                collaboration among industry, government, and academic 
                research projects.
            (6) While African-Americans, Hispanics, and Native 
        Americans constitute 25 percent of the total United States 
        workforce and 30 percent of the college-age population, members 
        of these minorities comprise less than 7 percent of the United 
        States computer and information science workforce.

SEC. 3. DEFINITIONS.

    For purposes of this Act--
            (1) the term ``Director'' means the Director of the 
        National Science Foundation;
            (2) the term ``institution of higher education'' has the 
        meaning given that term in section 101 of the Higher Education 
        Act of 1965 (20 U.S.C. 1001); and
            (3) ``Federal agency benchmark security standards'' means a 
        baseline minimum security configuration for specific computer 
        hardware or software components, an operational procedure or 
        practice, or organizational structure that increases the 
        security of the information technology assets of a department 
        or agency of the Federal Government.

SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.

    (a) Computer and Network Security Research Grants.--
            (1) In general.--The Director shall award grants for basic 
        research on innovative approaches to the structure of computer 
        and network hardware and software that are aimed at enhancing 
        computer security. Research areas may include--
                    (A) authentication and cryptography;
                    (B) computer forensics and intrusion detection;
                    (C) reliability of computer and network 
                applications, middleware, operating systems, and 
                communications infrastructure;
                    (D) privacy and confidentiality;
                    (E) network security architecture, including tools 
                for security administration and analysis such as 
                firewall technology;
                    (F) emerging threats, including malicious software 
                such as viruses and worms;
                    (G) vulnerability assessments and techniques for 
                quantifying risk;
                    (H) operations and control systems management;
                    (I) management of interoperable digital 
                certificates or digital watermarking; and
                    (J) remote access and wireless security.
            (2) Merit review; competition.--Grants shall be awarded 
        under this section on a merit-reviewed competitive basis.
            (3) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $35,000,000 for fiscal year 2003;
                    (B) $40,000,000 for fiscal year 2004;
                    (C) $46,000,000 for fiscal year 2005;
                    (D) $52,000,000 for fiscal year 2006; and
                    (E) $60,000,000 for fiscal year 2007.
    (b) Computer and Network Security Research Centers.--
            (1) In general.--The Director shall award multiyear grants, 
        subject to the availability of appropriations, to institutions 
        of higher education (or consortia thereof) to establish 
        multidisciplinary Centers for Computer and Network Security 
        Research. Institutions of higher education (or consortia 
        thereof) receiving such grants may partner with one or more 
        government laboratories or for-profit institutions.
            (2) Merit review; competition.--Grants shall be awarded 
        under this subsection on a merit-reviewed competitive basis.
            (3) Purpose.--The purpose of the Centers shall be to 
        generate innovative approaches to computer and network security 
        by conducting cutting-edge, multidisciplinary research in 
        computer and network security, including the research areas 
        described in subsection (a)(1).
            (4) Applications.--An institution of higher education (or a 
        consortium of such institutions) seeking funding under this 
        subsection shall submit an application to the Director at such 
        time, in such manner, and containing such information as the 
        Director may require. The application shall include, at a 
        minimum, a description of--
                    (A) the research projects that will be undertaken 
                by the Center and the contributions of each of the 
                participating entities;
                    (B) how the Center will promote active 
                collaboration among scientists and engineers from 
                different disciplines, such as computer scientists, 
                engineers, mathematicians, and social science 
                researchers;
                    (C) how the Center will contribute to increasing 
                the number of computer and network security researchers 
                and other professionals among all cultures; and
                    (D) how the center will disseminate research 
                results quickly and widely to improve cyber security in 
                information technology networks, products, and 
                services.
            (5) Criteria.--In evaluating the applications submitted 
        under paragraph (4), the Director shall consider, at a 
        minimum--
                    (A) the ability of the applicant to generate 
                innovative approaches to computer and network security 
                and effectively carry out the research program;
                    (B) the experience of the applicant in conducting 
                research on computer and network security and the 
                capacity of the applicant to foster new 
                multidisciplinary collaborations;
                    (C) the capacity of the applicant to attract and 
                provide adequate support for a diverse group of 
                undergraduate and graduate students and postdoctoral 
                fellows to pursue computer and network security 
                research; and
                    (D) the extent to which the applicant will partner 
                with government laboratories or for-profit entities, 
                and the role the government laboratories or for-profit 
                entities will play in the research undertaken by the 
                Center.
            (6) Annual meeting.--The Director shall convene an annual 
        meeting of the Centers in order to foster collaboration and 
        communication between Center participants.
            (7) Authorization of appropriations.--There are authorized 
        to be appropriated for the National Science Foundation to carry 
        out this subsection--
                    (A) $12,000,000 for fiscal year 2003;
                    (B) $24,000,000 for fiscal year 2004;
                    (C) $36,000,000 for fiscal year 2005;
                    (D) $36,000,000 for fiscal year 2006; and
                    (E) $36,000,000 for fiscal year 2007.

SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK SECURITY 
              PROGRAMS.

    (a) Computer and Network Security Capacity Building Grants.--
            (1) In general.--The Director shall establish a program to 
        award grants to institutions of higher education (or consortia 
        thereof) to establish or improve undergraduate and master's 
        degree programs in computer and network security, to increase 
        the number and diversity of students who pursue undergraduate 
        or master's degrees in fields related to computer and network 
        security, and to provide students with experience in government 
        or industry related to their computer and network security 
        studies.
            (2) Merit review.--Grants shall be awarded under this 
        subsection on a merit-reviewed competitive basis.
            (3) Use of funds.--Grants awarded under this subsection 
        shall be used for activities that enhance the ability of an 
        institution of higher education (or consortium thereof) to 
        provide high-quality undergraduate and master's degree programs 
        in computer and network security and to recruit and retain 
        increased numbers of students to such programs. Activities may 
        include--
                    (A) revising curriculum to better prepare 
                undergraduate and master's degree students for careers 
                in computer and network security;
                    (B) establishing degree and certificate programs in 
                computer and network security;
                    (C) creating opportunities for undergraduate 
                students to participate in computer and network 
                security research projects;
                    (D) acquiring equipment necessary for student 
                instruction in computer and network security, including 
                the installation of testbed networks for student use;
                    (E) providing opportunities for faculty to work 
                with local or Federal Government agencies, private 
                industry, or other academic institutions to develop new 
                expertise or to formulate new research directions in 
                computer and network security;
                    (F) establishing collaborations with other academic 
                institutions or departments that seek to establish, 
                expand, or enhance programs in computer and network 
                security;
                    (G) establishing student internships in computer 
                and network security at government agencies or in 
                private industry;
                    (H) establishing collaborations with other academic 
                institutions to establish or enhance a web-based 
                collection of computer and network security courseware 
                and laboratory exercises for sharing with other 
                institutions of higher education and community 
                colleges;
                    (I) providing outreach to teachers in kindergarten 
                through grade 12 to increase their awareness, and the 
                awareness of their students, of computer security 
                careers and practices;
                    (J) establishing or enhancing bridge programs in 
                computer and network security between community 
                colleges and universities; and
                    (K) any other activities the Director determines 
                will accomplish the goals of this subsection.
            (4) Selection process.--
                    (A) Application.--An institution of higher 
                education (or a consortium thereof) seeking funding 
                under this subsection shall submit an application to 
                the Director at such time, in such manner, and 
                containing such information as the Director may 
                require. The application shall include, at a minimum--
                            (i) a description of the applicant's 
                        computer and network security research and 
                        instructional capacity, and in the case of an 
                        application from a consortium of institutions 
                        of higher education, a description of the role 
                        that each member will play in implementing the 
                        proposal;
                            (ii) a comprehensive plan by which the 
                        institution or consortium will build 
                        instructional capacity in computer and 
                        information security;
                            (iii) a description of relevant 
                        collaborations with government agencies or 
                        private industry that inform the instructional 
                        program in computer and network security;
                            (iv) a survey of the applicant's historic 
                        student enrollment and placement data in fields 
                        related to computer and network security and a 
                        study of potential enrollment and placement for 
                        students enrolled in the proposed computer and 
                        network security program; and
                            (v) a plan to evaluate the success of the 
                        proposed computer and network security program, 
                        including post-graduation assessment of 
                        graduate school and job placement and retention 
                        rates as well as the relevance of the 
                        instructional program to graduate study and to 
                        the workplace.
                    (B) Awards.--(i) The Director shall ensure, to the 
                extent practicable, that grants are awarded under this 
                subsection in a wide range of geographic areas and 
                categories of institutions of higher education, 
                including minority serving institutions.
                    (ii) The Director shall award grants under this 
                subsection for a period not to exceed 5 years.
            (5) Assessment required.--The Director shall evaluate the 
        program established under this subsection no later than 6 years 
        after the establishment of the program. At a minimum, the 
        Director shall evaluate the extent to which the grants achieved 
        their objectives of increasing the quality, quantity, and 
        diversity of students pursuing undergraduate or master's 
        degrees in computer and network security.
            (6) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $15,000,000 for fiscal year 2003;
                    (B) $20,000,000 for fiscal year 2004;
                    (C) $20,000,000 for fiscal year 2005;
                    (D) $20,000,000 for fiscal year 2006; and
                    (E) $20,000,000 for fiscal year 2007.
    (b) Scientific and Advanced Technology Act of 1992.--
            (1) Grants.--The Director shall provide grants under the 
        Scientific and Advanced Technology Act of 1992 (42 U.S.C. 
        1862i) for the purposes of section 3(a) and (b) of that Act, 
        except that the activities supported pursuant to this 
        subsection shall be limited to improving education in fields 
        related to computer and network security.
            (2) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $1,000,000 for fiscal year 2003;
                    (B) $1,250,000 for fiscal year 2004;
                    (C) $1,250,000 for fiscal year 2005;
                    (D) $1,250,000 for fiscal year 2006; and
                    (E) $1,250,000 for fiscal year 2007.
    (c) Graduate Traineeships in Computer and Network Security 
Research.--
            (1) In general.--The Director shall establish a program to 
        award grants to institutions of higher education to establish 
        traineeship programs for graduate students who pursue computer 
        and network security research leading to a doctorate degree by 
        providing funding and other assistance, and by providing 
        graduate students with research experience in government or 
        industry related to the students' computer and network security 
        studies.
            (2) Merit review.--Grants shall be provided under this 
        subsection on a merit-reviewed competitive basis.
            (3) Use of funds.--An institution of higher education shall 
        use grant funds for the purposes of--
                    (A) providing fellowships to students who are 
                citizens, nationals, or lawfully admitted permanent 
                resident aliens of the United States and are pursuing 
                research in computer or network security leading to a 
                doctorate degree;
                    (B) paying tuition and fees for students receiving 
                fellowships under subparagraph (A);
                    (C) establishing scientific internship programs for 
                students receiving fellowships under subparagraph (A) 
                in computer and network security at for-profit 
                institutions or government laboratories; and
                    (D) other costs associated with the administration 
                of the program.
            (4) Fellowship amount.--Fellowships provided under 
        paragraph (3)(A) shall be in the amount of $25,000 per year, or 
        the level of the National Science Foundation Graduate Research 
        Fellowships, whichever is greater, for up to 3 years.
            (5) Selection process.--An institution of higher education 
        seeking funding under this subsection shall submit an 
        application to the Director at such time, in such manner, and 
        containing such information as the Director may require. The 
        application shall include, at a minimum, a description of--
                    (A) the instructional program and research 
                opportunities in computer and network security 
                available to graduate students at the applicant's 
                institution; and
                    (B) the internship program to be established, 
                including the opportunities that will be made available 
                to students for internships at for-profit institutions 
                and government laboratories.
            (6) Review of applications.--In evaluating the applications 
        submitted under paragraph (5), the Director shall consider--
                    (A) the ability of the applicant to effectively 
                carry out the proposed program;
                    (B) the quality of the applicant's existing 
                research and education programs;
                    (C) the likelihood that the program will recruit 
                increased numbers and a more diverse population of 
                students to pursue and earn doctorate degrees in 
                computer and network security;
                    (D) the nature and quality of the internship 
                program established through collaborations with 
                government laboratories and for-profit institutions;
                    (E) the integration of internship opportunities 
                into graduate students' research; and
                    (F) the relevance of the proposed program to 
                current and future computer and network security needs.
            (7) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $10,000,000 for fiscal year 2003;
                    (B) $20,000,000 for fiscal year 2004;
                    (C) $20,000,000 for fiscal year 2005;
                    (D) $20,000,000 for fiscal year 2006; and
                    (E) $20,000,000 for fiscal year 2007.
    (d) Graduate Research Fellowships Program Support.--Computer and 
network security shall be included among the fields of specialization 
supported by the National Science Foundation's Graduate Research 
Fellowships program under section 10 of the National Science Foundation 
Act of 1950 (42 U.S.C. 1869).
    (e) Cyber Security Faculty Development Fellowship Program.--
            (1) In general.--The Director shall establish a program to 
        award grants to institutions of higher education to establish 
        traineeship programs to enable graduate students to pursue 
        academic careers in cyber security upon completion of doctoral 
        degrees.
            (2) Application.--Each institution of higher education 
        desiring to receive a grant under this subsection shall submit 
        an application to the Director at such time, in such manner, 
        and containing such information as the Director shall require.
            (3) Use of funds.--Funds received by an institution of 
        higher education under this paragraph shall--
                    (A) be made available to individuals on a merit-
                reviewed competitive basis and in accordance with the 
                procedures established in paragraph (5);
                    (B) be in an amount that is sufficient to cover 
                annual tuition and fees for doctoral study at an 
                institution of higher education for the duration of the 
                graduate fellowship, and shall include, in addition, an 
                annual living stipend of $25,000; and
                    (C) be provided to individuals for a duration of no 
                more than 5 years, the specific duration of each 
                graduate fellowship to be determined by the institution 
                of higher education, on a case-by-case basis.
            (4) Repayment.--Each graduate fellowship shall--
                    (A) subject to subparagraph (B), be subject to 
                full repayment upon completion of the doctoral degree 
                according to a repayment schedule established and 
                administered by the institution of higher education;
                    (B) be forgiven at the rate of 20 percent of the 
                total amount of the graduate fellowship assistance 
                received under this section for each academic year that 
                a recipient is employed as a full-time faculty member 
                at an institution of higher education for a period not 
                to exceed 5 years; and
                    (C) be monitored by the institution of higher 
                education to ensure compliance with this subsection.
            (5) Eligibility.--To be eligible to receive a graduate 
        fellowship under this section, an individual shall--
                    (A) be a citizen, national, or lawfully admitted 
                permanent resident alien of the United States; and
                    (B) demonstrate a commitment to a career in higher 
                education.
            (6) Consideration.--In making selections for graduate 
        fellowships under this subsection, the Director, to the extent 
        possible and in consultation with institutions of higher 
        education, shall consider a diverse pool of applicants whose 
        interests are of an interdisciplinary nature, encompassing the 
        social scientific as well as the technical dimensions of cyber 
        security.
            (7) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection $5,000,000 for each of fiscal years 2003 
        through 2007.

SEC. 6. CONSULTATION.

    In carrying out sections 4 and 5, the Director shall consult with 
other Federal agencies.

SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND NETWORK 
              SECURITY.

    Section 3(a) of the National Science Foundation Act of 1950 (42 
U.S.C. 1862(a)) is amended--
            (1) by striking ``and'' at the end of paragraph (6);
            (2) by striking ``Congress.'' in paragraph (7) and 
        inserting ``Congress; and''; and
            (3) by adding at the end the following:
            ``(8) to take a leading role in fostering and supporting 
        research and education activities to improve the security of 
        networked information systems.''.

SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PROGRAMS.

    (a) Research Program.--The National Institute of Standards and 
Technology Act (15 U.S.C. 271 et seq.) is amended--
            (1) by moving section 22 to the end of the Act and 
        redesignating it as section 32;
            (2) by inserting after section 21 the following new 
        section:

           ``research program on security of computer systems

    ``Sec. 22. (a) Establishment.--The Director, through the Director 
of the Office for Information Security Programs, shall establish a 
program of assistance to institutions of higher education that enter 
into partnerships with for-profit entities to support research to 
improve the security of computer systems. The partnerships may also 
include government laboratories. The program shall--
            ``(1) include multidisciplinary, long-term research;
            ``(2) include research directed toward addressing needs 
        identified through the activities of the Computer System 
        Security and Privacy Advisory Board under section 20(f); and
            ``(3) promote the development of a robust research 
        community working at the leading edge of knowledge in subject 
        areas relevant to the security of computer systems by providing 
        support for graduate students, post-doctoral researchers, and 
        senior researchers.
    ``(b) Fellowships.--
            ``(1) In general.--The Director is authorized to establish 
        a program to award post-doctoral research fellowships to 
        individuals who are citizens, nationals, or lawfully admitted 
        permanent resident aliens of the United States and are seeking 
        research positions at institutions, including the Institute, 
        engaged in research activities related to the security of 
        computer systems, including the research areas described in 
        section 4(a)(1) of the Cyber Security Research and Development 
        Act.
            ``(2) Senior research fellowships.--The Director is 
        authorized to establish a program to award senior research 
        fellowships to individuals seeking research positions at 
        institutions, including the Institute, engaged in research 
        activities related to the security of computer systems, 
        including the research areas described in section 4(a)(1) of 
        the Cyber Security Research and Development Act. Senior 
        research fellowships shall be made available for established 
        researchers at institutions of higher education who seek to 
        change research fields and pursue studies related to the 
        security of computer systems.
            ``(3) Eligibility.--
                    ``(A) In general.--To be eligible for an award 
                under this subsection, an individual shall submit an 
                application to the Director at such time, in such 
                manner, and containing such information as the Director 
                may require.
                    ``(B) Stipends.--Under this subsection, the 
                Director is authorized to provide stipends for post-
                doctoral research fellowships at the level of the 
                Institute's Post Doctoral Research Fellowship Program 
                and senior research fellowships at levels consistent 
                with support for a faculty member in a sabbatical 
                position.
    ``(c) Awards; Applications.--
            ``(1) In general.--The Director is authorized to award 
        grants or cooperative agreements to institutions of higher 
        education to carry out the program established under subsection 
        (a).
            ``(2) Eligibility.--To be eligible for an award under this 
        section, an institution of higher education shall submit an 
        application to the Director at such time, in such manner, and 
        containing such information as the Director may require. The 
        application shall include, at a minimum, a description of--
                    ``(A) the number of graduate students anticipated 
                to participate in the research project and the level of 
                support to be provided to each;
                    ``(B) the number of post-doctoral research 
                positions included under the research project and the 
                level of support to be provided to each;
                    ``(C) the number of individuals, if any, intending 
                to change research fields and pursue studies related to 
                the security of computer systems to be included under 
                the research project and the level of support to be 
                provided to each; and
                    ``(D) how the for-profit entities and any other 
                partners will participate in developing and carrying 
                out the research and education agenda of the 
                partnership.
    ``(d) Sliding Scale Cost-Sharing.--In awarding a grant under this 
section, the Director shall require up to 50 percent of the costs of 
the project funded by the grant to be met by the for-profit entity or 
entities in the partnership. The Director shall base the percentage of 
cost-sharing required under this subsection on a sliding scale 
reflecting the degree to which the results of the research undertaken 
by a partnership may reasonably be expected to be applied and shared, 
with--
            ``(1) the smallest percentage of cost-sharing required for 
        projects the anticipated results of which are reasonably 
        expected to be of broadest potential application and broadly 
        shared; and
            ``(2) the greatest percentage of cost-sharing required for 
        projects the anticipated results of which are reasonably 
        expected--
                    ``(A) to be of narrow or proprietary application; 
                or
                    ``(B) not to be broadly shared.
    ``(e) Program Operation.--
            ``(1) Management.--The program established under subsection 
        (a) shall be headed by the Director of the Office for 
        Information Security Programs and managed by individuals who 
        shall have both expertise in research related to the security 
        of computer systems and knowledge of the vulnerabilities of 
        existing computer systems. The Director shall designate such 
        individuals, on a competitive basis, as program managers.
            ``(2) Managers may be employees.--Program managers 
        designated under paragraph (1) may be new or existing employees 
        of the Institute.
            ``(3) Manager responsibility.--Program managers designated 
        under paragraph (1) shall be responsible for--
                    ``(A) establishing and publicizing the broad 
                research goals for the program;
                    ``(B) soliciting applications for specific research 
                projects to address the goals developed under 
                subparagraph (A);
                    ``(C) selecting research projects for support under 
                the program from among applications submitted to the 
                Institute, following consideration of--
                            ``(i) the novelty and scientific and 
                        technical merit of the proposed projects;
                            ``(ii) the demonstrated capabilities of the 
                        individual or individuals submitting the 
                        applications to successfully carry out the 
                        proposed research;
                            ``(iii) the impact the proposed projects 
                        will have on increasing the number of computer 
                        security researchers;
                            ``(iv) the nature of the participation by 
                        for-profit entities and the extent to which the 
                        proposed projects address the concerns of 
                        industry; and
                            ``(v) other criteria determined by the 
                        Director, based on information specified for 
                        inclusion in applications under subsection (c); 
                        and
                    ``(D) monitoring the progress of research projects 
                supported under the program.
            ``(4) From amounts available for awards under subsection 
        (c), the Director, in consultation with the Director of the 
        Office for Information Security Programs established in section 
        20 of this Act, may assign up to 5 percent to a Director's Fund 
        which may be awarded throughout the fiscal year at the 
        discretion of the Director to promising projects designed to 
        fulfill the goals stated in subsection (a). Such projects 
        should be innovative in nature and should meet emerging needs 
        in computer security.
    ``(f) Review of Program.--
            ``(1) Periodic review.--The Director shall periodically 
        review the portfolio of research awards monitored by each 
        program manager designated in accordance with subsection (e). 
        In conducting those reviews, the Director shall seek the advice 
        of the Computer System Security and Privacy Advisory Board, 
        established under section 21, on the appropriateness of the 
        research goals and on the quality and utility of research 
        projects managed by program managers in accordance with 
        subsection (e).
            ``(2) Comprehensive 5-year review.--The Director shall also 
        contract with the National Research Council for a comprehensive 
        review of the program established under subsection (a) during 
        the 5th year of the program. Such review shall include an 
        assessment of the scientific quality of the research conducted, 
        the relevance of the research results obtained to the goals of 
        the program established under subsection (e)(3)(A), and the 
        progress of the program in promoting the development of a 
        substantial academic research community working at the leading 
        edge of knowledge in the field. The Director shall submit to 
        Congress a report on the results of the review under this 
        paragraph no later than 6 years after the initiation of the 
        program.
    ``(g) Definitions.--In this section:
            ``(1) Computer system.--The term `computer system' has the 
        meaning given that term in section 20(d)(1).
            ``(2) Institution of higher education.--The term 
        `institution of higher education' has the meaning given that 
        term in section 101 of the Higher Education Act of 1965 (20 
        U.S.C. 1001).''.
    (b) Amendment of Computer System Definition.--Section 
20(d)(1)(B)(i) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(d)(1)(B)(i)) is amended to read as follows:
                            ``(i) computers and computer networks;''.
    (c) Appropriate Federal Agency Benchmark Security Standards.--
            (1) NIST report.--Not later than 180 days after the date of 
        enactment of this Act, the Director of the National Institute 
        of Standards and Technology shall submit to the Committee on 
        Commerce, Science, and Transportation of the Senate, the 
        Committee on Science of the House of Representatives, and the 
        Committees on Appropriations of the Senate and the House of 
        Representatives a report that--
                    (A) identifies specific Federal agency benchmark 
                security standards that should be developed by the 
                Institute over the 12-month period beginning on the 
                date of the report, and that should serve as the basis 
                for security standards that will eventually be adopted 
                by the departments and agencies of the Federal 
                Government; and
                    (B) recommends, in consultation with the Office of 
                Management and Budget, any Federal funding, in addition 
                to levels authorized under this title, that the 
                Institute requires fully to carry out its mission under 
                this title.
            (2) NIST recommendations for federal agency benchmark 
        standards.--
                    (A) In general.--Not later than 1 year after the 
                date of the report issued under paragraph (1), the 
                Director of the National Institute of Standards and 
                Technology shall, in consultation with appropriate 
                public and private entities, prepare a report for the 
                Secretary of Commerce and the Chairman of the Federal 
                Chief Information Officers Council that contains 
                recommendations for specific, reasonable Federal agency 
                benchmark security standards to be adopted by the 
                civilian departments and agencies of the Federal 
                Government.
                    (B) Updates.--The Director shall review the 
                recommended standards under subparagraph (A) not less 
                than once every 6 months, and update such standards or 
                issue new standards as necessary. Nothing in this title 
                shall prohibit the Director from updating any portion 
                of such recommended standards more frequently if the 
                Director determines that circumstances so require.
                    (C) Dissemination.--The Secretary of Commerce shall 
                widely disseminate the report under subparagraph (A), 
                and any update of the report under subparagraph (B), 
                among relevant government (including State and local 
                government), private and academic entities.
            (3) Adoption of benchmark security standards government-
        wide.--
                    (A) In general.--Not later than 90 days after the 
                date of the report under paragraph (2)(A), each 
                civilian department and agency of the Federal 
                Government shall implement the appropriate benchmark 
                security standards recommended by such report.
                    (B) Implementation of updated standards.--If the 
                Director of the National Institute of Standards and 
                Technology, through the Secretary of Commerce, updates 
                recommended federal agency benchmark security standards 
                pursuant to paragraph (2), each civilian department and 
                agency of the Federal Government shall implement such 
                updated standards not later than 30 days after the date 
                of the report containing recommendations for updated 
                standards.
                    (C) Implementation of new standards.--If the 
                Director of the National Institute of Standards and 
                Technology, through the Secretary of Commerce, 
                recommends new Federal agency benchmark security 
                standards pursuant to paragraph (2), each civilian 
                department and agency of the Federal Government shall 
                implement such new standards no later than 90 days 
                after the date of the report containing recommendations 
                for new standards.
            (4) Current federal agency benchmark security standards.--
                    (A) In general.--Not later than 90 days after the 
                date of enactment of this Act, the Chairman of the 
                Federal Chief Information Officers Council shall 
                provide to the Director of the National Institute of 
                Standards and Technology a list of the 
                specific benchmarks that each civilian department and 
                agency of the Federal Government uses as its current 
                minimum security standards.
                    (B) Classified report.--The list under this 
                paragraph shall be provided in classified form.
            (5) Authorization of appropriations.--There are hereby 
        authorized to be appropriated for the National Institute of 
        Standards and Technology for purposes of activities under this 
        subsection, $15,000,000 for each of fiscal years 2003 through 
        2007.
    (d) Reports to Congress.--
            (1) Federal chief information officers report.--Not later 
        than 36 months after the date of enactment of this Act, the 
        Chairman of the Federal Chief Information Officers Council shall 
        submit a report to the appropriate committees of Congress 
        including--
                    (A) a description of the status of implementation 
                of the federal agency benchmark security standards at 
                each department and agency of the Federal Government;
                    (B) a description of the costs associated with such 
                implementation; and
                    (C) a description of any barriers to implementation 
                and recommendations for overcoming such barriers.
            (2) National academy of sciences study.--Not later than 3 
        months after the date of enactment of this Act, the Director of 
        the National Institute of Standards and Technology shall enter 
        into an arrangement with the National Research Council of the 
        National Academy of Sciences to conduct a study to examine the 
        impact of requiring Federal agencies to implement benchmark 
        security standards on the state of national cyber security 
        preparedness.
                    (A) Matters to be assessed in study.--At a minimum, 
                the study shall address the following:
                            (i) The extent to which the cyber security 
                        posture of federal agencies would be improved 
                        with the adoption of the standards described in 
                        subsection (c)(2)(A).
                            (ii) The operational benefits, costs and 
                        consequences of the adoption of the standards 
                        described in subsection (c)(2)(A).
                            (iii) The operational consequences of 
                        differing cyber security needs for different 
                        Federal agencies.
                    (B) Classified report.--To the maximum degree 
                possible, the final report shall be submitted in 
                unclassified form with classified annexes as necessary.
                    (C) Interagency cooperation with study.--All 
                Federal agencies shall cooperate fully with the 
                National Research Council in its activities in carrying 
                out the study under this section.
                    (D) Expedited processing of security clearances for 
                study.--For the purpose of facilitating the 
                commencement of the study under this section, officials 
                in relevant departments and agencies of the Federal 
                Government shall expedite to the fullest degree 
                possible the processing of security clearances that are 
                necessary for the National Research Council to conduct 
                the study.
                    (E) Report.--The Director of the National Institute 
                of Standards and Technology shall transmit a report 
                containing the results of the study to the Congress not 
                later than 21 months after the date of enactment of 
                this Act.
                    (F) Authorization of appropriations.--There are 
                authorized to be appropriated to the Secretary of 
                Commerce for the National Institute of Standards and 
                Technology for the purposes of carrying out this 
                subsection, $800,000.
    (e) Information Security Program Office.--Section 20 of the 
National Institute of Standards and Technology Act (15 U.S.C. 278g-3), 
is amended by redesignating subsection (d) as subsection (e) and by 
inserting after subsection (c) the following:
    ``(d) Establishment of an Office for Information Security 
Programs.--
            ``(1) In general.--There is established in the Institute an 
        Office for Information Security Programs.
            ``(2) Head.--The Office for Information Security Programs 
        shall be headed by a Director, who shall be a senior executive 
        and shall be compensated at a level in the Senior Executive 
        Service under section 5382 of title 5, United States Code, as 
        determined by the Secretary of Commerce.
            ``(3) Function.--The Director of the Institute shall 
        delegate to the Director of the Office for Information Security 
        Programs the authority to administer all functions under this 
        section, except that any such delegation shall not relieve the 
        Director of the Institute of responsibility for the 
        administration of such functions. The Director of the Office 
        for Information Security Programs shall serve as principal 
        adviser to the Director of the Institute on all functions under 
        this section.''.

SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is amended by adding at the end the following 
new subsection:
    ``(f) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary $1,060,000 for fiscal year 2003 and 
$1,090,000 for fiscal year 2004 to enable the Computer System Security 
and Privacy Advisory Board, established by section 21, to identify 
emerging issues, including research needs, related to computer 
security, privacy, and cryptography and, as appropriate, to convene 
public meetings on those subjects, receive presentations, and publish 
reports, digests, and summaries for public distribution on those 
subjects.''.

SEC. 10. INTRAMURAL SECURITY RESEARCH.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
redesignating subsection (f) as subsection (g), and by inserting after 
subsection (e) the following:
    ``(f) Intramural Security Research.--As part of the research 
activities conducted in accordance with subsection (b)(4), the 
Institute shall--
            ``(1) conduct a research program to address emerging 
        technologies associated with assembling a networked computer 
        system from components while ensuring it maintains desired 
        security properties;
            ``(2) carry out research associated with improving the 
        security of real-time computing and communications systems for 
        use in process control; and
            ``(3) carry out multidisciplinary, long-term, high-risk 
        research on ways to improve the security of computer 
        systems.''.

SEC. 11. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to the Secretary of 
Commerce for the National Institute of Standards and Technology--
            (1) for activities under section 22 of the National 
        Institute of Standards and Technology Act, as added by section 
        8 of this Act--
                    (A) $25,000,000 for fiscal year 2003;
                    (B) $40,000,000 for fiscal year 2004;
                    (C) $55,000,000 for fiscal year 2005;
                    (D) $70,000,000 for fiscal year 2006;
                    (E) $85,000,000 for fiscal year 2007; and
            (2) for activities under section 20(f) of the National 
        Institute of Standards and Technology Act, as added by section 
        10 of this Act--
                    (A) $6,000,000 for fiscal year 2003;
                    (B) $6,200,000 for fiscal year 2004;
                    (C) $6,400,000 for fiscal year 2005;
                    (D) $6,600,000 for fiscal year 2006; and
                    (E) $6,800,000 for fiscal year 2007.

SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND NETWORK 
              SECURITY IN CRITICAL INFRASTRUCTURES.

    (a) Study.--Not later than 3 months after the date of the enactment 
of this Act, the Director of the National Institute of Standards and 
Technology shall enter into an arrangement with the National Research 
Council of the National Academy of Sciences to conduct a study of the 
vulnerabilities of the Nation's network infrastructure and make 
recommendations for appropriate improvements. The National Research 
Council shall--
            (1) review existing studies and associated data on the 
        architectural, hardware, and software vulnerabilities and 
        interdependencies in United States critical infrastructure 
        networks;
            (2) identify and assess gaps in technical capability for 
        robust critical infrastructure network security, and make 
        recommendations for research priorities and resource 
        requirements; and
            (3) review any and all other essential elements of computer 
        and network security, including security of industrial process 
        controls, to be determined in the conduct of the study.
    (b) Report.--The Director of the National Institute of Standards 
and Technology shall transmit a report containing the results of the 
study and recommendations required by subsection (a) to the Congress 
not later than 21 months after the date of enactment of this Act.
    (c) Security.--The Director of the National Institute of Standards 
and Technology shall ensure that no information that is classified is 
included in any publicly released version of the report required by 
this section.
    (d) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Commerce for the National Institute of 
Standards and Technology for the purposes of carrying out this section, 
$700,000.

SEC. 13. COORDINATION OF FEDERAL CYBER SECURITY RESEARCH AND 
              DEVELOPMENT.

    Section 205(a) of the National Science and Technology Policy Act 
(42 U.S.C. 6614(a)) is amended--
            (1) by striking ``and'' after the semicolon in paragraph 
        (12);
            (2) by redesignating paragraph (13) as paragraph (14); and
            (3) by inserting after paragraph (12) the following:
            ``(13) develop strategies, in consultation with the Office 
        of Homeland Security, the President's Critical Infrastructure 
        Protection Board, and the relevant federal departments and 
        agencies, to foster greater coordination of federal research 
        and development activities and promote cooperation between the 
        Federal Government, institutions of higher education, and 
        private industry in the field of cyber security; and''.



