[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5835 Referred in Senate (RFS)]

  2d Session
                                H. R. 5835


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 27, 2006

                                Received

                           November 13, 2006

      Read twice and referred to the Committee on Veterans' Affairs

_______________________________________________________________________

                                 AN ACT



     To amend title 38, United States Code, to improve information 
  management within the Department of Veterans Affairs, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Veterans Identity and Credit 
Security Act of 2006''.

SEC. 2. FEDERAL AGENCY DATA BREACH NOTIFICATION REQUIREMENTS.

    (a) Authority of Director of Office of Management and Budget to 
Establish Data Breach Policies.--Section 3543(a) of title 44, United 
States Code, is amended--
            (1) by striking ``and'' at the end of paragraph (7);
            (2) by striking the period and inserting ``; and'' at the 
        end of paragraph (8); and
            (3) by adding at the end the following:
            ``(9) establishing policies, procedures, and standards for 
        agencies to follow in the event of a breach of data security 
        involving the disclosure of sensitive personal information and 
        for which harm to an individual could reasonably be expected to 
        result, specifically including--
                    ``(A) a requirement for timely notice to be 
                provided to those individuals whose sensitive personal 
                information could be compromised as a result of such 
                breach, except no notice shall be required if the 
                breach does not create a reasonable risk of identity 
                theft, fraud, or other unlawful conduct regarding such 
                individual;
                    ``(B) guidance on determining how timely notice is 
                to be provided; and
                    ``(C) guidance regarding whether additional special 
                actions are necessary and appropriate, including data 
                breach analysis, fraud resolution services, identity 
                theft insurance, and credit protection or monitoring 
                services.''.
    (b) Authority of Chief Information Officer to Enforce Data Breach 
Policies and Develop and Maintain Inventories.--Section 3544(a)(3) of 
title 44, United States Code, is amended--
            (1) by inserting after ``authority to ensure compliance 
        with'' the following: ``and, to the extent determined necessary 
        and explicitly authorized by the head of the agency, to 
        enforce'';
            (2) by striking ``and'' at the end of subparagraph (D);
            (3) by inserting ``and'' at the end of subparagraph (E); 
        and
            (4) by adding at the end the following:
                    ``(F) developing and maintaining an inventory of 
                all personal computers, laptops, or any other hardware 
                containing sensitive personal information;''.
    (c) Inclusion of Data Breach Notification in Agency Information 
Security Programs.--Section 3544(b) of title 44, United States Code, is 
amended--
            (1) by striking ``and'' at the end of paragraph (7);
            (2) by striking the period and inserting ``; and'' at the 
        end of paragraph (8); and
            (3) by adding at the end the following:
            ``(9) procedures for notifying individuals whose sensitive 
        personal information is compromised consistent with policies, 
        procedures, and standards established under section 3543(a)(9) 
        of this title.''.
    (d) Authority of Agency Chief Human Capital Officers to Assess 
Federal Personal Property.--Section 1402(a) of title 5, United States 
Code, is amended--
            (1) by striking ``, and'' at the end of paragraph (5) and 
        inserting a semicolon;
            (2) by striking the period and inserting ``; and'' at the 
        end of paragraph (6); and
            (3) by adding at the end the following:
            ``(7) prescribing policies and procedures for exit 
        interviews of employees, including a full accounting of all 
        Federal personal property that was assigned to the employee 
        during the course of employment.''.
    (e) Sensitive Personal Information Definition.--Section 3542(b) of 
title 44, United States Code, is amended by adding at the end the 
following new paragraph:
            ``(4) The term `sensitive personal information', with 
        respect to an individual, means any information about the 
        individual maintained by an agency, including--
                    ``(A) education, financial transactions, medical 
                history, and criminal or employment history;
                    ``(B) information that can be used to distinguish 
                or trace the individual's identity, including name, 
                social security number, date and place of birth, 
                mother's maiden name, or biometric records; or
                    ``(C) any other personal information that is linked 
                or linkable to the individual.''.

SEC. 3. UNDER SECRETARY FOR INFORMATION SERVICES.

    (a) Under Secretary.--Chapter 3 of title 38, United States Code, is 
amended by inserting after section 307 the following new section:
``Sec. 307A. Under Secretary for Information Services
    ``(a) Under Secretary.--There is in the Department an Under 
Secretary for Information Services, who is appointed by the President, 
by and with the advice and consent of the Senate. The Under Secretary 
shall be the head of the Office of Information Services and shall 
perform such functions as the Secretary shall prescribe.
    ``(b) Service as Chief Information Officer.--Notwithstanding any 
other provision of law, the Under Secretary for Information Services 
shall serve as the Chief Information Officer of the Department under 
section 310 of this title.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
such chapter is amended by inserting after the item relating to section 
307 the following new item:

``307A. Under Secretary for Information Services.''.
    (c) Conforming Amendment.--Section 308(b) of such title is amended 
by striking paragraph (5) and redesignating paragraphs (6) through (11) 
as paragraphs (5) through (10), respectively.

SEC. 4. DEPARTMENT OF VETERANS AFFAIRS INFORMATION SECURITY.

    (a) Information Security.--Chapter 57 of title 38, United States 
Code, is amended by adding at the end the following new subchapter:

                 ``SUBCHAPTER III--INFORMATION SECURITY

``Sec. 5721. Definitions
    ``For the purposes of this subchapter:
            ``(1) The term `sensitive personal information', with 
        respect to an individual, means any information about the 
        individual maintained by an agency, including--
                    ``(A) education, financial transactions, medical 
                history, and criminal or employment history;
                    ``(B) information that can be used to distinguish 
                or trace the individual's identity, including name, 
                social security number, date and place of birth, 
                mother's maiden name, or biometric records; or
                    ``(C) any other personal information that is linked 
                or linkable to the individual.
            ``(2) The term `data breach' means the loss, theft, or 
        other unauthorized access to data containing sensitive personal 
        information, in electronic or printed form, that results in the 
        potential compromise of the confidentiality or integrity of the 
        data.
            ``(3) The term `data breach analysis' means the 
        identification of any misuse of sensitive personal information 
        involved in a data breach.
            ``(4) The term `fraud resolution services' means services 
        to assist an individual in the process of recovering and 
        rehabilitating the credit of the individual after the 
        individual experiences identity theft.
            ``(5) The term `identity theft' has the meaning given such 
        term under section 603 of the Fair Credit Reporting Act (15 
        U.S.C. 1681a).
            ``(6) The term `identity theft insurance' means any 
        insurance policy that pays benefits for costs, including travel 
        costs, notary fees, and postage costs, lost wages, and legal 
        fees and expenses associated with the identity theft of the 
        insured individual.
            ``(7) The term `principal credit reporting agency' means a 
        consumer reporting agency as described in section 603(p) of the 
        Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
``Sec. 5722. Office of the Under Secretary for Information Services
    ``(a) Deputy Under Secretaries.--The Office of the Under Secretary 
for Information Services shall consist of the following:
            ``(1) The Deputy Under Secretary for Information Services 
        for Security, who shall serve as the Senior Information 
        Security Officer of the Department.
            ``(2) The Deputy Under Secretary for Information Services 
        for Operations and Management.
            ``(3) The Deputy Under Secretary for Information Services 
        for Policy and Planning.
    ``(b) Appointments.--Appointments under subsection (a) shall be 
made by the Secretary, notwithstanding the limitations of section 709 
of this title.
    ``(c) Qualifications.--At least one of the positions established and 
filled under subsection (a) shall be filled by an individual who has at 
least five years of continuous service in the Federal civil service in 
the executive branch immediately preceding the appointment of the 
individual as a Deputy Under Secretary. For purposes of determining 
such continuous service of an individual, there shall be excluded any 
service by such individual in a position--
            ``(1) of a confidential, policy-determining, policy-making, 
        or policy-advocating character;
            ``(2) in which such individual served as a noncareer 
        appointee in the Senior Executive Service, as such term is 
        defined in section 3132(a)(7) of title 5; or
            ``(3) to which such individual was appointed by the 
        President.
``Sec. 5723. Information security management
    ``(a) Responsibilities of Chief Information Officer.--To support 
the economical, efficient, and effective execution of subtitle III of 
chapter 35 of title 44, and policies and plans of the Department, the 
Secretary shall ensure that the Chief Information Officer of the 
Department has the authority and control necessary to develop, approve, 
implement, integrate, and oversee the policies, procedures, processes, 
activities, and systems of the Department relating to that subtitle, 
including the management of all related mission applications, 
information resources, personnel, and infrastructure.
    ``(b) Annual Compliance Report.--Not later than March 1 of each 
year, the Secretary shall submit to the Committees on Veterans' Affairs 
of the Senate and House of Representatives, the Committee on Government 
Reform of the House of Representatives, and the Committee on Homeland 
Security and Governmental Affairs of the Senate, a report on the 
Department's compliance with subtitle III of chapter 35 of title 44. 
The information in such report shall be displayed in the aggregate and 
separately for each Administration, office, and facility of the 
Department.
    ``(c) Reports to Secretary of Compliance Deficiencies.--(1) At 
least once every month, the Chief Information Officer shall report to 
the Secretary any deficiency in the compliance with subtitle III of 
chapter 35 of title 44 of the Department or any Administration, office, 
or facility of the Department.
    ``(2) The Chief Information Officer shall immediately report to the 
Secretary any significant deficiency in such compliance.
    ``(d) Data Breaches.--(1) The Chief Information Officer shall 
immediately provide notice to the Secretary of any data breach.
    ``(2) Immediately after receiving notice of a data breach under 
paragraph (1), the Secretary shall provide notice of such breach to the 
Director of the Office of Management and Budget, the Inspector General 
of the Department, and, if appropriate, the Federal Trade Commission 
and the United States Secret Service.
    ``(e) Budgetary Matters.--When the budget for any fiscal year is 
submitted by the President to Congress under section 1105 of title 31, 
the Secretary shall submit to Congress a report that identifies amounts 
requested for Department implementation and remediation of and 
compliance with this subchapter and subtitle III of chapter 35 of title 
44. The report shall set forth those amounts both for each 
Administration within the Department and for the Department in the 
aggregate and shall identify, for each such amount, how that amount is 
aligned with and supports such implementation and compliance.
``Sec. 5724. Congressional reporting and notification of data breaches
    ``(a) Quarterly Reports.--(1) Not later than 30 days after the last 
day of a fiscal quarter, the Secretary shall submit to the Committees 
on Veterans' Affairs of the Senate and House of Representatives a 
report on any data breach with respect to sensitive personal 
information processed or maintained by the Department that occurred 
during that quarter.
    ``(2) Each report submitted under paragraph (1) shall identify, for 
each data breach covered by the report, the Administration and facility 
of the Department responsible for processing or maintaining the 
sensitive personal information involved in the data breach.
    ``(b) Notification of Significant Data Breaches.--(1) In the event 
of a data breach with respect to sensitive personal information 
processed or maintained by the Secretary that the Secretary determines 
is significant, the Secretary shall provide notice of such breach to 
the Committees on Veterans' Affairs of the Senate and House of 
Representatives.
    ``(2) Notice under paragraph (1) shall be provided promptly 
following the discovery of such a data breach and the implementation of 
any measures necessary to determine the scope of the breach, prevent 
any further breach or unauthorized disclosures, and reasonably restore 
the integrity of the data system.
``Sec. 5725. Data breaches
    ``(a) Independent Risk Analysis.--(1) In the event of a data breach 
with respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall ensure that, as soon 
as possible after the data breach, a non-Department entity conducts an 
independent risk analysis of the data breach to determine the level of 
risk associated with the data breach for the potential misuse of any 
sensitive personal information involved in the data breach.
    ``(2) If the Secretary determines, based on the findings of a risk 
analysis conducted under paragraph (1), that a reasonable risk exists 
for the potential misuse of sensitive information involved in a data 
breach, the Secretary shall provide credit protection services in 
accordance with section 5726 of this title.
    ``(b) Notification.--(1) In the event of a data breach with respect 
to sensitive personal information that is processed or maintained by 
the Secretary, the Secretary shall provide to an individual whose 
sensitive personal information is involved in that breach notice of the 
data breach--
            ``(A) in writing; or
            ``(B) by email, if--
                    ``(i) the Department's primary method of 
                communication with the individual is by email; and
                    ``(ii) the individual has consented to receive such 
                notification.
    ``(2) Notice provided under paragraph (1) shall--
            ``(A) describe the circumstances of the data breach and the 
        risk that the breach could lead to misuse, including identity 
        theft, involving the sensitive personal information of the 
        individual;
            ``(B) describe the specific types of sensitive personal 
        information that was compromised as a part of the data breach;
            ``(C) describe the actions the Department is taking to 
        remedy the data breach;
            ``(D) inform the individual that the individual may request 
        a fraud alert and credit security freeze under this section;
            ``(E) clearly explain the advantages and disadvantages to 
        the individual of receiving fraud alerts and credit security 
        freezes under this section; and
            ``(F) include such other information as the Secretary 
        determines is appropriate.
    ``(3) The notice required under paragraph (1) shall be provided 
promptly following the discovery of a data breach and the 
implementation of any measures necessary to determine the scope of the 
breach, prevent any further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
    ``(c) Report.--For each data breach with respect to sensitive 
personal information processed or maintained by the Secretary, the 
Secretary shall promptly submit to the Committees on Veterans' Affairs 
of the Senate and House of Representatives a report containing the 
findings of any independent risk analysis conducted under subsection 
(a)(1), any determination of the Secretary under subsection (a)(2), and 
a description of any credit protection services provided under section 
5726 of this title.
    ``(d) Final Determination.--Notwithstanding sections 511 and 
7104(a) of this title, any determination of the Secretary under 
subsection (a)(2) with respect to the reasonable risk for the potential 
misuse of sensitive information involved in a data breach is final and 
conclusive and may not be reviewed by any other official, 
administrative body, or court, whether by an action in the nature of 
mandamus or otherwise.
    ``(e) Fraud Alerts.--(1) In the event of a data breach with respect 
to sensitive personal information that is processed or maintained by 
the Secretary, the Secretary shall arrange, upon the request of an 
individual whose sensitive personal information is involved in the 
breach to a principal credit reporting agency with which the Secretary 
has entered into a contract under section 5726(d) and at no cost to the 
individual, for the principal credit reporting agency to provide fraud 
alert services for that individual for a period of not less than one 
year, beginning on the date of such request, unless the individual 
requests that such fraud alert be removed before the end of such 
period, and the agency receives appropriate proof of the identity of 
the individual for such purpose.
    ``(2) The Secretary shall arrange for each principal credit 
reporting agency referred to in paragraph (1) to provide any alert 
requested under such subsection in the file of the individual along 
with any credit score generated in using that file, for a period of not 
less than one year, beginning on the date of such request, unless the 
individual requests that such fraud alert be removed before the end of 
such period, and the agency receives appropriate proof of the identity 
of the individual for such purpose.
    ``(f) Credit Security Freeze.--(1) In the event of a data breach 
with respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall arrange, upon the 
request of an individual whose sensitive personal information is 
involved in the breach and at no cost to the individual, for each 
principal credit reporting agency to apply a security freeze to the 
file of that individual for a period of not less than one year, 
beginning on the date of such request, unless the individual requests 
that such security freeze be removed before the end of such period, and 
the agency receives appropriate proof of the identity of the individual 
for such purpose.
    ``(2) The Secretary shall arrange for a principal credit reporting 
agency applying a security freeze under paragraph (1)--
    ``(A) to send a written confirmation of the security freeze to the 
individual within five business days of applying the freeze;
    ``(B) to refer the information regarding the security freeze to 
other consumer reporting agencies;
    ``(C) to provide the individual with a unique personal 
identification number or password to be used by the individual when 
providing authorization for the release of the individual's credit for 
a specific party or period of time; and
    ``(D) upon the request of the individual, to temporarily lift the 
freeze for a period of time specified by the individual, beginning not 
later than three business days after the date on which the agency 
receives the request.
``Sec. 5726. Provision of credit protection services
    ``(a) Covered Individual.--For purposes of this section, a covered 
individual is an individual whose sensitive personal information that 
is processed or maintained by the Department (or any third-party entity 
acting on behalf of the Department) is involved, on or after August 1, 
2005, in a data breach for which the Secretary determines a reasonable 
risk exists for the potential misuse of sensitive personal information 
under section 5725(a)(2) of this title.
    ``(b) Notification.--(1) In addition to any notice required under 
subsection 5725(b) of this title, the Secretary shall provide to a 
covered individual notice in writing that--
            ``(A) the individual may request credit protection services 
        under this section;
            ``(B) clearly explains the advantages and disadvantages to 
        the individual of receiving credit protection services under 
        this section;
            ``(E) includes a notice of which principal credit reporting 
        agency the Secretary has entered into a contract with under 
        subsection (d), and information about requesting services 
        through that agency;
            ``(C) describes actions the individual can or should take 
        to reduce the risk of identity theft; and
            ``(D) includes such other information as the Secretary 
        determines is appropriate.
    ``(2) The notice required under paragraph (1) shall be made as 
promptly as possible and without unreasonable delay following the 
discovery of a data breach for which the Secretary determines a 
reasonable risk exists for the potential misuse of sensitive personal 
information under section 5725(a)(2) of this title and the 
implementation of any measures necessary to determine the scope of the 
breach, prevent any further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
    ``(3) The Secretary shall ensure that each notification under 
paragraph (1) includes a form or other means for readily requesting the 
credit protection services under this section. Such form or other means 
may include a telephone number, email address, or Internet website 
address.
    ``(c) Availability of Services Through Other Government Agencies.--
If a service required to be provided under this section is available to 
a covered individual through another department or agency of the 
Government, the Secretary and the head of that department or agency may 
enter into an agreement under which the head of that department or 
agency agrees to provide that service to the covered individual.
    ``(d) Contract With Credit Reporting Agency.--Subject to the 
availability of appropriations and notwithstanding any other provision 
of law, the Secretary shall enter into contracts or other agreements as 
necessary with one or more principal credit reporting agencies in order 
to ensure, in advance, the provision of credit protection services 
under this section and fraud alerts and security freezes under section 
5725 of this title. Any such contract or agreement may include 
provisions for the Secretary to pay the expenses of such a credit 
reporting agency for the provision of such services.
    ``(e) Data Breach Analysis.--The Secretary shall arrange, upon the 
request of a covered individual and at no cost to the individual, to 
provide data breach analysis for the individual for a period of not 
less than one year, beginning on the date of such request.
    ``(f) Provision of Credit Monitoring Services and Identity Theft 
Insurance.--During the one-year period beginning on the date on which 
the Secretary notifies a covered individual that the individual's 
sensitive personal information is involved in a data breach, the 
Secretary shall arrange, upon the request of the individual and without 
charge to the individual, for the provision of credit monitoring 
services to the individual. Credit monitoring services under this 
subsection shall include each of the following:
            ``(1) One copy of the credit report of the individual every 
        three months.
            ``(2) Fraud resolution services for the individual.
            ``(3) Identity theft insurance in a coverage amount that 
        does not exceed $30,000 in aggregate liability for the insured.
``Sec. 5727. Contracts for data processing or maintenance
    ``(a) Contract Requirements.--If the Secretary enters into a 
contract for the performance of any Department function that requires 
access to sensitive personal information, the Secretary shall require 
as a condition of the contract that--
            ``(1) the contractor shall not, directly or through an 
        affiliate of the contractor, disclose such information to any 
        other person unless the disclosure is lawful and is expressly 
        permitted under the contract;
            ``(2) the contractor, or any subcontractor for a 
        subcontract of the contract, shall promptly notify the 
        Secretary of any data breach that occurs with respect to such 
        information.
    ``(b) Liquidated Damages.--Each contract subject to the 
requirements of subsection (a) shall provide for liquidated damages to 
be paid by the contractor to the Secretary in the event of a data 
breach with respect to any sensitive personal information processed or 
maintained by the contractor or any subcontractor under that contract.
    ``(c) Provision of Credit Protection Services.--Any amount 
collected by the Secretary under subsection (b) shall be deposited in 
or credited to the Department account from which the contractor was 
paid and shall remain available for obligation without fiscal year 
limitation exclusively for the purpose of providing credit protection 
services in accordance with section 5726 of this title.
``Sec. 5728. Authorization of appropriations
    ``There are authorized to be appropriated to carry out this 
subchapter such sums as may be necessary for each fiscal year.''.
    (b) Clerical Amendment.--The table of sections at the beginning of 
such chapter is amended by adding at the end the following new items:
                 ``SUBCHAPTER III--INFORMATION SECURITY
``5721. Definitions.
``5722. Office of the Under Secretary for Information Services.
``5723. Information security management.
``5724. Congressional reporting and notification of data breaches.
``5725. Data breaches.
``5726. Provision of credit protection services.
``5727. Contracts for data processing or maintenance.
``5728. Authorization of appropriations.''.
    (c) Deadline for Regulations.--Not later than 60 days after the 
date of the enactment of this Act, the Secretary of Veterans Affairs 
shall publish regulations to carry out subchapter III of chapter 57 of 
title 38, United States Code, as added by subsection (a).

SEC. 5. REPORT ON FEASIBILITY OF USING PERSONAL IDENTIFICATION NUMBERS 
              FOR IDENTIFICATION.

    Not later than 180 days after the date of the enactment of this 
Act, the Secretary of Veterans Affairs shall submit to Congress a 
report containing the assessment of the Secretary with respect to the 
feasibility of using personal identification numbers instead of Social 
Security numbers for the purpose of identifying individuals whose 
sensitive personal information (as that term is defined in section 5721 
of title 38, United States Code, as added by section 4) is processed or 
maintained by the Secretary.

SEC. 6. DEADLINE FOR APPOINTMENTS.

    (a) Deadline.--Not later than 180 days after the date of the 
enactment of this Act--
            (1) the President shall nominate an individual to serve as 
        the Under Secretary of Veterans Affairs for Information 
        Services under section 307A of title 38, United States Code, as 
        added by section 3; and
            (2) the Secretary of Veterans Affairs shall appoint an 
        individual to serve as each of the Deputy Under Secretaries of 
        Veterans Affairs for Information Services under section 5722 of 
        such title, as added by section 4.
    (b) Report.--Not later than 30 days after the date of the enactment 
of this Act, and every 30 days thereafter until the appointments 
described in subsection (a) are made, the Secretary of Veterans Affairs 
shall submit to Congress a report describing the progress of such 
appointments.

SEC. 7. INFORMATION SECURITY EDUCATION ASSISTANCE PROGRAM.

    (a) Program Required.--Title 38, United States Code, is amended by 
inserting after chapter 78 the following new chapter:

    ``CHAPTER 79--INFORMATION SECURITY EDUCATION ASSISTANCE PROGRAM

``Sec.
``7901.  Programs; purpose.
``7902.  Scholarship program.
``7903.  Education debt reduction program.
``7904.  Preferences in awarding financial assistance.
``7905.  Requirement of honorable discharge for veterans receiving 
                            assistance.
``7906.  Regulations.
``7907.  Termination.
``Sec. 7901. Programs; purpose
    ``(a) In General.--To encourage the recruitment and retention of 
Department personnel who have the information security skills necessary 
to meet Department requirements, the Secretary shall carry out programs 
in accordance with this chapter to provide financial support for 
education in computer science and electrical and computer engineering 
at accredited institutions of higher education.
    ``(b) Types of Programs.--The programs authorized under this 
chapter are as follows:
            ``(1) Scholarships for pursuit of doctoral degrees in 
        computer science and electrical and computer engineering at 
        accredited institutions of higher education.
            ``(2) Education debt reduction for Department personnel who 
        hold doctoral degrees in computer science and electrical and 
        computer engineering at accredited institutions of higher 
        education.
``Sec. 7902. Scholarship program
    ``(a) Authority.--(1) Subject to the availability of 
appropriations, the Secretary shall establish a scholarship program 
under which the Secretary shall, subject to subsection (d), provide 
financial assistance in accordance with this section to a qualified 
person--
            ``(A) who is pursuing a doctoral degree in computer science 
        or electrical or computer engineering at an accredited 
        institution of higher education; and
            ``(B) who enters into an agreement with the Secretary as 
        described in subsection (b).
    ``(2)(A) Except as provided under subparagraph (B), the Secretary 
may provide financial assistance under this section to an individual 
for up to five years.
    ``(B) The Secretary may waive the limitation under subparagraph (A) 
if the Secretary determines that such a waiver is appropriate.
    ``(3)(A) The Secretary may award up to five scholarships for any 
academic year to individuals who did not receive assistance under this 
section for the preceding academic year.
    ``(B) Not more than one scholarship awarded under subparagraph (A) 
may be awarded to an individual who is an employee of the Department 
when the scholarship is awarded.
    ``(b) Service Agreement for Scholarship Recipients.--(1) To receive 
financial assistance under this section an individual shall enter into 
an agreement to accept and continue employment in the Department for 
the period of obligated service determined under paragraph (2).
    ``(2) For the purposes of this subsection, the period of obligated 
service for a recipient of financial assistance under this section 
shall be the period determined by the Secretary as being appropriate to 
obtain adequate service in exchange for the financial assistance and 
otherwise to achieve the goals set forth in section 7901(a) of this 
title. In no event may the period of service required of a recipient be 
less than the period equal to two times the total period of pursuit of 
a degree for which the Secretary agrees to provide the recipient with 
financial assistance under this section. The period of obligated 
service is in addition to any other period for which the recipient is 
obligated to serve on active duty or in the civil service, as the case 
may be.
    ``(3) An agreement entered into under this section by a person 
pursuing a doctoral degree shall include terms that provide the 
following:
            ``(A) That the period of obligated service begins on a date 
        after the award of the degree that is determined under the 
        regulations prescribed under section 7906 of this title.
            ``(B) That the individual will maintain satisfactory 
        academic progress, as determined in accordance with those 
        regulations, and that failure to maintain such progress 
        constitutes grounds for termination of the financial assistance 
        for the individual under this section.
            ``(C) Any other terms and conditions that the Secretary 
        determines appropriate for carrying out this section.
    ``(c) Amount of Assistance.--(1) The amount of the financial 
assistance provided for an individual under this section shall be the 
amount determined by the Secretary as being necessary to pay--
            ``(A) the tuition and fees of the individual; and
            ``(B) $1500 to the individual each month (including a month 
        between academic semesters or terms leading to the degree for 
        which such assistance is provided or during which the 
        individual is not enrolled in a course of education but is 
        pursuing independent research leading to such degree) for 
        books, laboratory expenses, and expenses of room and board.
    ``(2) In no case may the amount of assistance provided for an 
individual under this section for an academic year exceed $50,000.
    ``(3) In no case may the total amount of assistance provided for an 
individual under this section exceed $200,000.
    ``(4) Notwithstanding any other provision of law, financial 
assistance paid an individual under this section shall not be 
considered as income or resources in determining eligibility for, or 
the amount of benefits under, any Federal or federally assisted 
program.
    ``(d) Repayment for Period of Unserved Obligated Service.--(1) An 
individual who receives financial assistance under this section shall 
repay to the Secretary an amount equal to the unearned portion of the 
financial assistance if the individual fails to satisfy the 
requirements of the service agreement entered into under subsection 
(b), except in certain circumstances authorized by the Secretary.
    ``(2) The Secretary may establish, by regulations, procedures for 
determining the amount of the repayment required under this subsection 
and the circumstances under which an exception to the required 
repayment may be granted.
    ``(3) An obligation to repay the Secretary under this subsection 
is, for all purposes, a debt owed the United States. A discharge in 
bankruptcy under title 11 does not discharge a person from such debt if 
the discharge order is entered less than five years after the date of 
the termination of the agreement or contract on which the debt is 
based.
    ``(e) Waiver or Suspension of Compliance.--The Secretary shall 
prescribe regulations providing for the waiver or suspension of any 
obligation of an individual for service or payment under this section 
(or an agreement under this section) whenever noncompliance by the 
individual is due to circumstances beyond the control of the individual 
or whenever the Secretary determines that the waiver or suspension of 
compliance is in the best interest of the United States.
    ``(f) Internships.--(1) The Secretary may offer a compensated 
internship to an individual for whom financial assistance is provided 
under this section during a period between academic semesters or terms 
leading to the degree for which such assistance is provided. 
Compensation provided for such an internship shall be in addition to 
the financial assistance provided under this section.
    ``(2) An internship under this subsection shall not be counted 
toward satisfying a period of obligated service under this section.
    ``(g) Ineligibility of Individuals Receiving Montgomery GI Bill 
Education Assistance Payments.--An individual who receives a payment of 
educational assistance under chapter 30, 31, 32, 34, or 35 of this 
title or chapter 1606 or 1607 of title 10 for a month in which the 
individual is enrolled in a course of education leading to a doctoral 
degree in information security is not eligible to receive financial 
assistance under this section for that month.
``Sec. 7903. Education debt reduction program
    ``(a) Authority.--(1) Subject to the availability of 
appropriations, the Secretary shall establish an education debt 
reduction program under which the Secretary shall make education debt 
reduction payments under this section to qualified individuals eligible 
under subsection (b) for the purpose of reimbursing such individuals 
for payments by such individuals of principal and interest on loans 
described in paragraph (2) of that subsection.
    ``(2)(A) For each fiscal year, the Secretary may accept up to five 
individuals into the program established under paragraph (1) who did not 
receive such a payment during the preceding fiscal year.
    ``(B) Not more than one individual accepted into the program for a 
fiscal year under subsection (A) shall be a Department employee as of 
the date on which the individual is accepted into the program.
    ``(b) Eligibility.--An individual is eligible to participate in the 
program under this section if the individual--
            ``(1) has completed a doctoral degree in 
        computer science or electrical or computer engineering at an 
        accredited institution of higher education during the five-year 
        period preceding the date on which the individual is hired;
            ``(2) is an employee of the Department who serves in a 
        position related to information security (as determined by the 
        Secretary); and
            ``(3) owes any amount of principal or interest under a 
        loan, the proceeds of which were used by or on behalf of that 
        individual to pay costs relating to a doctoral degree in 
        computer science or electrical or computer engineering at an 
        accredited institution of higher education.
    ``(c) Amount of Assistance.--(1) Subject to paragraph (2), the 
amount of education debt reduction payments made to an individual under 
this section may not exceed $82,500 over a total of five years, of 
which not more than $16,500 of such payments may be made in each year.
    ``(2) The total amount payable to an individual under this section 
for any year may not exceed the amount of the principal and interest on 
loans referred to in subsection (b)(3) that is paid by the individual 
during such year.
    ``(d) Payments.--(1) The Secretary shall make education debt 
reduction payments under this section on an annual basis.
    ``(2) The Secretary shall make such a payment--
            ``(A) on the last day of the one-year period beginning on 
        the date on which the individual is accepted into the program 
        established under subsection (a); or
            ``(B) in the case of an individual who received a payment 
        under this section for the preceding fiscal year, on the last 
        day of the one-year period beginning on the date on which the 
        individual last received such a payment.
    ``(3) Notwithstanding any other provision of law, education debt 
reduction payments under this section shall not be considered as income 
or resources in determining eligibility for, or the amount of benefits 
under, any Federal or federally assisted program.
    ``(e) Performance Requirement.--The Secretary may make education 
debt reduction payments to an individual under this section for a year 
only if the Secretary determines that the individual maintained an 
acceptable level of performance in the position or positions served by 
the individual during the year.
    ``(f) Notification of Terms of Provision of Payments.--The 
Secretary shall provide to an individual who receives a payment under 
this section notice in writing of the terms and conditions that apply 
to such a payment.
    ``(g) Covered Costs.--For purposes of subsection (b)(3), costs 
relating to a course of education or training include--
            ``(1) tuition expenses; and
            ``(2) all other reasonable educational expenses, including 
        fees, books, and laboratory expenses.
``Sec. 7904. Preferences in awarding financial assistance
    ``In awarding financial assistance under this chapter, the 
Secretary shall give a preference to qualified individuals who are 
otherwise eligible to receive the financial assistance in the following 
order of priority:
            ``(1) Veterans with service-connected disabilities.
            ``(2) Veterans.
            ``(3) Persons described in section 4215(a)(B) of this 
        title.
            ``(4) Individuals who received or are pursuing degrees at 
        institutions designated by the National Security Agency as 
        Centers of Academic Excellence in Information Assurance 
        Education.
            ``(5) Citizens of the United States.
``Sec. 7905. Requirement of honorable discharge for veterans receiving 
              assistance
    ``No veteran shall receive financial assistance under this chapter 
unless the veteran was discharged from the Armed Forces under honorable 
conditions.
``Sec. 7906. Regulations
    ``The Secretary shall prescribe regulations for the administration 
of this chapter.
``Sec. 7907. Termination
    ``The authority of the Secretary to make a payment under this 
chapter shall terminate on July 31, 2017.''.
    (b) GAO Report.--Not later than three years after the date of the 
enactment of this Act, the Comptroller General shall submit to Congress 
a report on the scholarship and education debt reduction programs under 
chapter 79 of title 38, United States Code, as added by subsection (a).
    (c) Applicability of Scholarships.--Section 7902 of title 38, 
United States Code, as added by subsection (a), shall apply with 
respect to financial assistance provided for an academic semester or 
term that begins on or after August 1, 2007.
    (d) Clerical Amendment.--The tables of chapters at the beginning of 
such title, and at the beginning of part V of such title, are amended 
by inserting after the item relating to chapter 78 the following new 
item:

``79. Information Security Education Assistance Program.....    7901''.

            Passed the House of Representatives September 26, 2006.

            Attest:

                                                 KAREN L. HAAS,

                                                                 Clerk.