


109 HR 5835 : Veterans Identity and Credit Security

U.S. House of Representatives
2006-11-13
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


	
		IIB
		109th CONGRESS
		2d Session
		H. R. 5835
		IN THE SENATE OF THE UNITED STATES
		September 27, 2006
		Received
		November 13, 2006
		Read twice and referred to the Committee on Veterans' Affairs
		AN ACT
		To amend title 38, United States Code, to improve information management within the Department of Veterans Affairs, and for other purposes.
	
	
		1.Short title. This Act may be cited as the Veterans Identity and Credit Security Act of 2006.
		2.Federal agency data breach notification requirements
			(a)Authority of director of Office of Management and Budget to establish data breach policies. Section 3543(a) of title 44, United States Code, is amended—
				(1)by striking "and" at the end of paragraph (7);
				(2)by striking the period and inserting "; and" at the end of paragraph (8); and
				(3)by adding at the end the following:
					
						(9)establishing policies, procedures, and
				standards for agencies to follow in the event of a breach of data security
				involving the disclosure of sensitive personal information and for which harm
				to an individual could reasonably be expected to result, specifically
				including—
							(A)a requirement for
				timely notice to be provided to those individuals whose sensitive personal
				information could be compromised as a result of such breach, except no notice
				shall be required if the breach does not create a reasonable risk of identity
				theft, fraud, or other unlawful conduct regarding such individual;
							(B)guidance on
				determining how timely notice is to be provided; and
							(C)guidance regarding
				whether additional special actions are necessary and appropriate, including
				data breach analysis, fraud resolution services, identity theft insurance, and
				credit protection or monitoring
				services.
			(b)Authority of chief information officer to enforce data breach policies and develop and maintain inventories. Section 3544(a)(3) of title 44, United States Code, is amended—
				(1)by inserting after "authority to ensure compliance with" the following: "and, to the extent determined necessary and explicitly authorized by the head of the agency, to enforce";
				(2)by striking "and" at the end of subparagraph (D);
				(3)by inserting "and" at the end of subparagraph (E); and
				(4)by adding at the end the following:
					
						(F)developing and
				maintaining an inventory of all personal computers, laptops, or any other
				hardware containing sensitive personal
				information;
			(c)Inclusion of data breach notification in agency information security programs. Section 3544(b) of title 44, United States Code, is amended—
				(1)by striking "and" at the end of paragraph (7);
				(2)by striking the period and inserting "; and" at the end of paragraph (8); and
				(3)by adding at the end the following:
					
						(9)procedures for
				notifying individuals whose sensitive personal information is compromised
				consistent with policies, procedures, and standards established under section
				3543(a)(9) of this
				title.
			(d)Authority of agency chief human capital officers to assess federal personal property. Section 1402(a) of title 5, United States Code, is amended—
				(1)by striking ", and" at the end of paragraph (5) and inserting a semicolon;
				(2)by striking the period and inserting "; and" at the end of paragraph (6); and
				(3)by adding at the end the following:
					
						(7)prescribing
				policies and procedures for exit interviews of employees, including a full
				accounting of all Federal personal property that was assigned to the employee
				during the course of
				employment.
			(e)Sensitive personal information definition. Section 3542(b) of title 44, United States Code, is amended by adding at the end the following new paragraph:
				
					(4)The term "sensitive personal information", with respect to an individual, means any information about the individual maintained by an agency, including—
						(A)education,
				financial transactions, medical history, and criminal or employment
				history;
						(B)information that
				can be used to distinguish or trace the individual’s identity, including name,
				social security number, date and place of birth, mother’s maiden name, or
				biometric records; or
						(C)any other personal
				information that is linked or linkable to the
				individual.
		3.Under Secretary for Information Services
			(a)Under Secretary. Chapter 3 of title 38, United States Code, is amended by inserting after section 307 the following new section:
				
					307A.Under Secretary for Information Services
						(a)Under Secretary. There is in the
				Department an Under Secretary for Information Services, who is appointed by the
				President, by and with the advice and consent of the Senate. The Under
				Secretary shall be the head of the Office of Information Services and shall
				perform such functions as the Secretary shall prescribe.
						(b)Service as Chief Information Officer. Notwithstanding any other provision of law,
				the Under Secretary for Information Services shall serve as the Chief
				Information Officer of the Department under section 310 of this
				title.
			(b)Clerical amendment. The table of sections at the beginning of such chapter is amended by inserting after the item relating to section 307 the following new item:
					307A. Under Secretary for Information Services.
			(c)Conforming amendment. Section 308(b) of such title is amended by striking
			 paragraph (5) and redesignating paragraphs (6) through (11) as paragraphs (5)
			 through (10), respectively.
		4.Department of Veterans Affairs information security
			(a)Information security. Chapter 57 of title 38, United States Code, is amended by adding at the end the following new subchapter:
				
					III.Information Security
						5721.Definitions. For the purposes of this subchapter:
							(1)The term "sensitive personal information", with respect to an individual, means any information about the individual maintained by an agency, including—
								(A)education,
				financial transactions, medical history, and criminal or employment
				history;
								(B)information that
				can be used to distinguish or trace the individual’s identity, including name,
				social security number, date and place of birth, mother’s maiden name, or
				biometric records; or
								(C)any other personal
				information that is linked or linkable to the individual.
							(2)The term "data breach" means the loss, theft, or other unauthorized access to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.
							(3)The term "data breach analysis" means the identification of any misuse of sensitive personal information involved in a data breach.
							(4)The term "fraud resolution services" means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft.
							(5)The term "identity theft" has the meaning given such term under section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).
							(6)The term "identity theft insurance" means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with the identity theft of the insured individual.
							(7)The term "principal credit reporting agency" means a consumer reporting agency as described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
						5722.Office of the Under Secretary for Information Services
							(a)Deputy Under Secretaries. The Office of the Under Secretary for Information
				Services shall consist of the following:
								(1)The Deputy Under
				Secretary for Information Services for Security, who shall serve as the Senior
				Information Security Officer of the Department.
								(2)The Deputy Under
				Secretary for Information Services for Operations and Management.
								(3)The Deputy Under
				Secretary for Information Services for Policy and Planning.
							(b)Appointments. Appointments
				under subsection (a) shall be made by the Secretary, notwithstanding the
				limitations of section 709 of this title.
							(c)Qualifications. At least one of positions established and
				filled under subsection (a) shall be filled by an individual who has at least
				five years of continuous service in the Federal civil service in the executive
				branch immediately preceding the appointment of the individual as a Deputy
				Under Secretary. For purposes of determining such continuous service of an
				individual, there shall be excluded any service by such individual in a
				position—
								(1)of a confidential,
				policy-determining, policy-making, or policy-advocating character;
								(2)in which such
				individual served as a noncareer appointee in the Senior Executive Service, as
				such term is defined in
				section
				3132(a)(7) of title 5; or
								(3)to which such
				individual was appointed by the President.
						5723.Information security management
							(a)Responsibilities of Chief Information Officer. To support the economical, efficient, and
				effective execution of subtitle III of
				chapter 35 of title 44, and
				policies and plans of the Department, the Secretary shall ensure that the Chief
				Information Officer of the Department has the authority and control necessary
				to develop, approve, implement, integrate, and oversee the policies,
				procedures, processes, activities, and systems of the Department relating to
				that subtitle, including the management of all related mission applications,
				information resources, personnel, and infrastructure.
							(b)Annual compliance report. Not later than March 1
				of each year, the Secretary shall submit to the Committees on Veterans’ Affairs
				of the Senate and House of Representatives, the Committee on Government Reform
				of the House of Representatives, and the Committee on Homeland Security and
				Governmental Affairs of the Senate, a report on the Department’s compliance
				with subtitle III of
				chapter 35 of title 44. The
				information in such report shall be displayed in the aggregate and separately
				for each Administration, office, and facility of the Department.
							(c)Reports to Secretary of compliance deficiencies. (1)At least once every
				month, the Chief Information Officer shall report to the Secretary any
				deficiency in the compliance with subtitle III of
				chapter 35 of title 44 of the
				Department or any Administration, office, or facility of the Department.
								(2)The Chief Information Officer shall
				immediately report to the Secretary any significant deficiency in such
				compliance.
							(d)Data breaches. (1)The Chief Information
				Officer shall immediately provide notice to the Secretary of any data
				breach.
								(2)Immediately after receiving notice of
				a data breach under paragraph (1), the Secretary shall provide notice of such
				breach to the Director of the Office of Management and Budget, the Inspector
				General of the Department, and, if appropriate, the Federal Trade Commission
				and the United States Secret Service.
							(e)Budgetary matters. When the budget for any fiscal year is submitted by the
				President to Congress under
				section
				1105 of title 31, the Secretary shall submit to Congress a
				report that identifies amounts requested for Department implementation and
				remediation of and compliance with this subchapter and subtitle III of
				chapter 35 of title 44. The
				report shall set forth those amounts both for each Administration within the
				Department and for the Department in the aggregate and shall identify, for each
				such amount, how that amount is aligned with and supports such implementation
				and compliance.
						5724.Congressional reporting and notification of data breaches
							(a)Quarterly reports. (1)Not later than 30 days
				after the last day of a fiscal quarter, the Secretary shall submit to the
				Committees on Veterans’ Affairs of the Senate and House of Representatives a
				report on any data breach with respect to sensitive personal information
				processed or maintained by the Department that occurred during that
				quarter.
								(2)Each report submitted under paragraph
				(1) shall identify, for each data breach covered by the report, the
				Administration and facility of the Department responsible for processing or
				maintaining the sensitive personal information involved in the data
				breach.
							(b)Notification of significant data breaches. (1)In the event of a data
				breach with respect to sensitive personal information processed or maintained
				by the Secretary that the Secretary determines is significant, the Secretary
				shall provide notice of such breach to the Committees on Veterans’ Affairs of
				the Senate and House of Representatives.
								(2)Notice under paragraph (1) shall be
				provided promptly following the discovery of such a data breach and the
				implementation of any measures necessary to determine the scope of the breach,
				prevent any further breach or unauthorized disclosures, and reasonably restore
				the integrity of the data system.
						5725.Data breaches
							(a)Independent risk analysis. (1)In the event of a data
				breach with respect to sensitive personal information that is processed or
				maintained by the Secretary, the Secretary shall ensure that, as soon as
				possible after the data breach, a non-Department entity conducts an independent
				risk analysis of the data breach to determine the level of risk associated with
				the data breach for the potential misuse of any sensitive personal information
				involved in the data breach.
								(2)If the Secretary determines, based on the
				findings of a risk analysis conducted under paragraph (1), that a reasonable
				risk exists for the potential misuse of sensitive information involved in a
				data breach, the Secretary shall provide credit protection services in
				accordance with section 5726 of this title.
							(b)Notification. (1)In the event of a data breach with respect
				to sensitive personal information that is processed or maintained by the
				Secretary, the Secretary shall provide to an individual whose sensitive
				personal information is involved in that breach notice of the data
				breach—
									(A)in writing; or
									(B)by email, if—
										(i)the Department's primary method of
				communication with the individual is by email; and
										(ii)the individual has consented to
				receive such notification.
										(2)Notice provided under paragraph (1)
				shall—
									(A)describe the circumstances of the data
				breach and the risk that the breach could lead to misuse, including identity
				theft, involving the sensitive personal information of the individual;
									(B)describe the specific types of
				sensitive personal information that was compromised as a part of the data
				breach;
									(C)describe the actions the Department is
				taking to remedy the data breach;
									(D)inform the individual that the
				individual may request a fraud alert and credit security freeze under this
				section;
									(E)clearly explain the advantages and
				disadvantages to the individual of receiving fraud alerts and credit security
				freezes under this section; and
									(F)includes such other information as the
				Secretary determines is appropriate.
									(3)The notice required under paragraph
				(1) shall be provided promptly following the discovery of a data breach and the
				implementation of any measures necessary to determine the scope of the breach,
				prevent any further breach or unauthorized disclosures, and reasonably restore
				the integrity of the data system.
							(c)Report. For
				each data breach with respect to sensitive personal information processed or
				maintained by the Secretary, the Secretary shall promptly submit to the
				Committees on Veterans’ Affairs of the Senate and House of Representatives a
				report containing the findings of any independent risk analysis conducted under
				subsection (a)(1), any determination of the Secretary under subsection (a)(2),
				and a description of any credit protection services provided under section 5726
				of this title.
							(d)Final determination. Notwithstanding
				sections 511 and 7104(a) of this title, any determination of the Secretary
				under subsection (a)(2) with respect to the reasonable risk for the potential
				misuse of sensitive information involved in a data breach is final and
				conclusive and may not be reviewed by any other official, administrative body,
				or court, whether by an action in the nature of mandamus or otherwise.
							(e)Fraud alerts. (1)In the event of a data breach with respect
				to sensitive personal information that is processed or maintained by the
				Secretary, the Secretary shall arrange, upon the request of an individual whose
				sensitive personal information is involved in the breach to a principal credit
				reporting agency with which the Secretary has entered into a contract under
				section 5726(d) and at no cost to the individual, for the principal credit
				reporting agency to provide fraud alert services for that individual for a
				period of not less than one year, beginning on the date of such request, unless
				the individual requests that such fraud alert be removed before the end of such
				period, and the agency receives appropriate proof of the identity of the
				individual for such purpose.
								(2)The Secretary shall arrange for each
				principal credit reporting agency referred to in paragraph (1) to provide any
				alert requested under such subsection in the file of the individual along with
				any credit score generated in using that file, for a period of not less than
				one year, beginning on the date of such request, unless the individual requests
				that such fraud alert be removed before the end of such period, and the agency
				receives appropriate proof of the identity of the individual for such
				purpose.
							(f)Credit security freeze. (1)In the event of a data breach with respect
				to sensitive personal information that is processed or maintained by the
				Secretary, the Secretary shall arrange, upon the request of an individual whose
				sensitive personal information is involved in the breach and at no cost to the
				individual, for each principal credit reporting agency to apply a security
				freeze to the file of that individual for a period of not less than one year,
				beginning on the date of such request, unless the individual requests that such
				security freeze be removed before the end of such period, and the agency
				receives appropriate proof of the identity of the individual for such purpose.
								(2)The Secretary shall arrange for a
				principal credit reporting agency applying a security freeze under paragraph
				(1)—
									(A)to send a written confirmation of the
				security freeze to the individual within five business days of applying the
				freeze;
									(B)to refer the information regarding the
				security freeze to other consumer reporting agencies;
									(C)to provide the individual with a
				unique personal identification number or password to be used by the individual
				when providing authorization for the release of the individual’s credit for a
				specific party or period of time; and
									(D)upon the request of the individual,
				to temporarily lift the freeze for a period of time specified by the
				individual, beginning not later than three business days after the date on
				which the agency receives the request.
						5726.Provision of credit protection services
							(a)Covered individual. For purposes of this section, a covered individual is
				an individual whose sensitive personal information that is processed or
				maintained by the Department (or any third-party entity acting on behalf of the
				Department) is involved, on or after August 1, 2005, in a data breach for which
				the Secretary determines a reasonable risk exists for the potential misuse of
				sensitive personal information under section 5725(a)(2) of this title.
							(b)Notification. (1)In addition to any
				notice required under subsection 5725(b) of this title, the Secretary shall
				provide to a covered individual notice in writing that—
									(A)the individual may request credit
				protection services under this section;
									(B)clearly explains the advantages and
				disadvantages to the individual of receiving credit protection services under
				this section;
									(E)includes a notice of which principal
				credit reporting agency the Secretary has entered into a contract with under
				subsection (d), and information about requesting services through that
				agency;
									(C)describes actions the individual can
				or should take to reduce the risk of identity theft; and
									(D)includes such other information as the
				Secretary determines is appropriate.
									(2)The notice required under paragraph (1)
				shall be made as promptly as possible and without unreasonable delay following
				the discovery of a data breach for which the Secretary determines a reasonable
				risk exists for the potential misuse of sensitive personal information under
				section 5725(a)(2) of this title and the implementation of any measures
				necessary to determine the scope of the breach, prevent any further breach or
				unauthorized disclosures, and reasonably restore the integrity of the data
				system.
								(3)The Secretary shall ensure that each
				notification under paragraph (1) includes a form or other means for readily
				requesting the credit protection services under this section. Such form or
				other means may include a telephone number, email address, or Internet website
				address.
							(c)Availability of services through other Government agencies. If a service required
				to be provided under this section is available to a covered individual through
				another department or agency of the Government, the Secretary and the head of
				that department or agency may enter into an agreement under which the head of
				that department or agency agrees to provide that service to the covered
				individual.
							(d)Contract with credit reporting agency. Subject to the availability of
				appropriations and notwithstanding any other provision of law, the Secretary
				shall enter into contracts or other agreements as necessary with one or more
				principal credit reporting agencies in order to ensure, in advance, the
				provision of credit protection services under this section and fraud alerts and
				security freezes under section 5725 of this title. Any such contract or
				agreement may include provisions for the Secretary to pay the expenses of such
				a credit reporting agency for the provision of such services.
							(e)Data breach analysis. The Secretary shall
				arrange, upon the request of a covered individual and at no cost to the
				individual, to provide data breach analysis for the individual for a period of
				not less than one year, beginning on the date of such request.
							(f)Provision of credit monitoring services and identity theft insurance. During
				the one-year period beginning on the date on which the Secretary notifies a
				covered individual that the individual’s sensitive personal information is
				involved in a data breach, the Secretary shall arrange, upon the request of the
				individual and without charge to the individual, for the provision of credit
				monitoring services to the individual. Credit monitoring services under this
				subsection shall include each of the following:
								(1)One copy of the
				credit report of the individual every three months.
								(2)Fraud resolution
				services for the individual.
								(3)Identity theft
				insurance in a coverage amount that does not exceed $30,000 in aggregate
				liability for the insured.
						5727.Contracts for data processing or maintenance
							(a)Contract requirements. If the Secretary
				enters into a contract for the performance of any Department function that
				requires access to sensitive personal information, the Secretary shall require
				as a condition of the contract that—
								(1)the contractor
				shall not, directly or through an affiliate of the contractor, disclose such
				information to any other person unless the disclosure is lawful and is
				expressly permitted under the contract;
								(2)the contractor, or
				any subcontractor for a subcontract of the contract, shall promptly notify the
				Secretary of any data breach that occurs with respect to such
				information.
							(b)Liquidated damages. Each contract subject to the requirements of subsection
				(a) shall provide for liquidated damages to be paid by the contractor to the
				Secretary in the event of a data breach with respect to any sensitive personal
				information processed or maintained by the contractor or any subcontractor
				under that contract.
							(c)Provision of credit protection services. Any amount collected by the Secretary
				under subsection (b) shall be deposited in or credited to the Department
				account from which the contractor was paid and shall remain available for
				obligation without fiscal year limitation exclusively for the purpose of
				providing credit protection services in accordance with section 5726 of this
				title.
						5728.Authorization of appropriations. There are authorized to be appropriated to carry out this subchapter such sums as may be necessary for each fiscal year.
			(b)Clerical amendment. The table of sections at the beginning of such chapter is amended by adding at the end the following new items:
					Subchapter III—Information Security
						5721. Definitions.
						5722. Office of the Under Secretary for Information Services.
						5723. Information security management.
						5724. Congressional reporting and notification of data breaches.
						5725. Data breaches.
						5726. Provision of credit protection services.
						5727. Contracts for data processing or maintenance.
						5728. Authorization of appropriations.
			(c)Deadline for regulations. Not later than 60 days after the date of the
			 enactment of this Act, the Secretary of Veterans Affairs shall publish
			 regulations to carry out subchapter III of
			 chapter 57 of title 38,
			 United States Code, as added by subsection (a).
		5.Report on feasibility of using personal identification numbers for identification. Not later than
			 180 days after the date of the enactment of this Act, the Secretary of Veterans
			 Affairs shall submit to Congress a report containing the assessment of the
			 Secretary with respect to the feasibility of using personal identification
			 numbers instead of Social Security numbers for the purpose of identifying
			 individuals whose sensitive personal information (as that term is defined in
			 section
			 5721 of title 38, United States Code, as added by section 4) is
			 processed or maintained by the Secretary.
		6.Deadline for appointments
			(a)Deadline. Not later than 180 days after the date of the enactment of this Act—
				(1)the President
			 shall nominate an individual to serve as the Under Secretary of Veterans
			 Affairs for Information Services under
			 section
			 307A of title 38, United States Code, as added by section 3;
			 and
				(2)the Secretary of
			 Veterans Affairs shall appoint an individual to serve as each of the Deputy
			 Under Secretaries of Veterans Affairs for Information Services under section
			 5722 of such title, as added by section 4.
			(b)Report. Not
			 later than 30 days after the date of the enactment of this Act, and every 30
			 days thereafter until the appointments described in subsection (a) are made,
			 the Secretary of Veterans Affairs shall submit to Congress a report describing
			 the progress of such appointments.
		7.Information security education assistance program
			(a)Program required. Title 38, United States Code, is amended by inserting after chapter 78 the following new chapter:
				
					79.Information Security Education Assistance Program
						
							Sec.
							7901. Programs; purpose.
							7902. Scholarship program.
							7903. Education debt reduction program.
							7904. Preferences in awarding financial assistance.
							7905. Requirement of honorable discharge for veterans receiving assistance.
							7906. Regulations.
							7907. Termination.
						
						7901.Programs; purpose
							(a)In General. To encourage the recruitment and retention of Department
				personnel who have the information security skills necessary to meet Department
				requirements, the Secretary shall carry out programs in accordance with this
				chapter to provide financial support for education in computer science and
				electrical and computer engineering at accredited institutions of higher
				education.
							(b)Types of Programs. The programs authorized under this chapter are as
				follows:
								(1)Scholarships for pursuit of doctoral
				degrees in computer science and electrical and computer engineering at
				accredited institutions of higher education.
								(2)Education debt reduction for Department
				personnel who hold doctoral degrees in computer science and electrical and
				computer engineering at accredited institutions of higher education.
						7902.Scholarship program
							(a)Authority. (1)Subject to the
				availability of appropriations, the Secretary shall establish a scholarship
				program under which the Secretary shall, subject to subsection (d), provide
				financial assistance in accordance with this section to a qualified
				person—
									(A)who is pursuing a doctoral degree in
				computer science or electrical or computer engineering at an accredited
				institution of higher education; and
									(B)who enters into an agreement with the
				Secretary as described in subsection (b).
									(2)(A)Except as provided under
				subparagraph (B), the Secretary may provide financial assistance under this
				section to an individual for up to five years.
									(B)The Secretary may waive the
				limitation under subparagraph (A) if the Secretary determines that such a
				waiver is appropriate.
									(3)(A)The Secretary may award
				up to five scholarships for any academic year to individuals who did not
				receive assistance under this section for the preceding academic year.
									(B)Not more than one scholarship awarded
				under subparagraph (A) may be awarded to an individual who is an employee of
				the Department when the scholarship is awarded.
									(b)Service Agreement for Scholarship Recipients. (1)To receive financial
				assistance under this section an individual shall enter into an agreement to
				accept and continue employment in the Department for the period of obligated
				service determined under paragraph (2).
								(2)For the purposes of this subsection,
				the period of obligated service for a recipient of financial assistance under
				this section shall be the period determined by the Secretary as being
				appropriate to obtain adequate service in exchange for the financial assistance
				and otherwise to achieve the goals set forth in section 7901(a) of this title.
				In no event may the period of service required of a recipient be less than the
				period equal to two times the total period of pursuit of a degree for which the
				Secretary agrees to provide the recipient with financial assistance under this
				section. The period of obligated service is in addition to any other period for
				which the recipient is obligated to serve on active duty or in the civil
				service, as the case may be.
								(3)An agreement entered into under this
				section by a person pursuing a doctoral degree shall include terms that
				provide the following:
									(A)That the period of obligated service
				begins on a date after the award of the degree that is determined under the
				regulations prescribed under section 7906 of this title.
									(B)That the individual will maintain
				satisfactory academic progress, as determined in accordance with those
				regulations, and that failure to maintain such progress constitutes grounds for
				termination of the financial assistance for the individual under this
				section.
									(C)Any other terms and conditions that
				the Secretary determines appropriate for carrying out this section.
									(c)Amount of Assistance. (1)The amount of the
				financial assistance provided for an individual under this section shall be the
				amount determined by the Secretary as being necessary to pay—
									(A)the tuition and fees of the
				individual; and
									(B)$1500 to the individual each month
				(including a month between academic semesters or terms leading to the degree
				for which such assistance is provided or during which the individual is not
				enrolled in a course of education but is pursuing independent research leading
				to such degree) for books, laboratory expenses, and expenses of room and
				board.
									(2)In no case may the amount of
				assistance provided for an individual under this section for an academic year
				exceed $50,000.
								(3)In no case may the total amount of
				assistance provided for an individual under this section exceed
				$200,000.
								(4)Notwithstanding any other provision of law,
				financial assistance paid an individual under this section shall not be
				considered as income or resources in determining eligibility for, or the amount
				of benefits under, any Federal or federally assisted program.
								(d)Repayment for Period of Unserved Obligated Service. (1)An individual who receives financial
				assistance under this section shall repay to the Secretary an amount equal to
				the unearned portion of the financial assistance if the individual fails to
				satisfy the requirements of the service agreement entered into under subsection
				(b), except in certain circumstances authorized by the Secretary.
								(2)The Secretary may establish, by
				regulations, procedures for determining the amount of the repayment required
				under this subsection and the circumstances under which an exception to the
				required repayment may be granted.
								(3)An obligation to repay the Secretary under
				this subsection is, for all purposes, a debt owed the United States. A
				discharge in bankruptcy under title 11 does not discharge a person from such
				debt if the discharge order is entered less than five years after the date of
				the termination of the agreement or contract on which the debt is based.
								(e)Waiver or suspension of compliance. The Secretary
				shall prescribe regulations providing for the waiver or suspension of any
				obligation of an individual for service or payment under this section (or an
				agreement under this section) whenever noncompliance by the individual is due
				to circumstances beyond the control of the individual or whenever the Secretary
				determines that the waiver or suspension of compliance is in the best interest
				of the United States.
							(f)Internships. (1)The Secretary may offer
				a compensated internship to an individual for whom financial assistance is
				provided under this section during a period between academic semesters or terms
				leading to the degree for which such assistance is provided. Compensation
				provided for such an internship shall be in addition to the financial
				assistance provided under this section.
								(2)An internship under this subsection
				shall not be counted toward satisfying a period of obligated service under this
				section.
								(g)Ineligibility of individuals receiving Montgomery GI Bill education assistance payments. An individual who receives a payment of
				educational assistance under chapter 30, 31, 32, 34, or 35 of this title or
				chapter 1606 or 1607 of title 10 for a month in which the individual is
				enrolled in a course of education leading to a doctoral degree in information
				security is not eligible to receive financial assistance under this section for
				that month.
							7903.Education debt reduction program
							(a)Authority. (1)Subject to the
				availability of appropriations, the Secretary shall establish an education debt
				reduction program under which the Secretary shall make education debt reduction
				payments under this section to qualified individuals eligible under subsection
				(b) for the purpose of reimbursing such individuals for payments by such
				individuals of principal and interest on loans described in paragraph (2) of
				that subsection.
								(2)(A)For each fiscal year,
				the Secretary may accept up to five individuals into the program established
				under paragraph (1) who did not receive such a payment during the preceding
				fiscal year.
									(B)Not more than one individual accepted
				into the program for a fiscal year under subsection (A) shall be a Department
				employee as of the date on which the individual is accepted into the
				program.
									(b)Eligibility. An individual is eligible to participate in
				the program under this section if the individual—
								(1)has completed a doctoral
				degree in computer science or electrical or computer engineering at an
				accredited institution of higher education during the five-year period
				preceding the date on which the individual is hired;
								(2)is an employee of
				the Department who serves in a position related to information security (as
				determined by the Secretary); and
								(3)owes any amount of principal or interest
				under a loan, the proceeds of which were used by or on behalf of that
				individual to pay costs relating to a doctoral degree in computer science or
				electrical or computer engineering at an accredited institution of higher
				education.
								(c)Amount of assistance. (1)Subject to paragraph
				(2), the amount of education debt reduction payments made to an individual
				under this section may not exceed $82,500 over a total of five years, of which
				not more than $16,500 of such payments may be made in each year.
								(2)The total amount payable to an individual
				under this section for any year may not exceed the amount of the principal and
				interest on loans referred to in subsection (b)(3) that is paid by the
				individual during such year.
								(d)Payments. (1)The Secretary shall make
				education debt reduction payments under this section on an annual basis.
								(2)The Secretary shall make such a
				payment—
									(A)on the last day of the one-year period
				beginning on the date on which the individual is accepted into the program
				established under subsection (a); or
									(B)in the case of an individual who
				received a payment under this section for the preceding fiscal year, on the
				last day of the one-year period beginning on the date on which the individual
				last received such a payment.
									(3)Notwithstanding any other provision
				of law, education debt reduction payments under this section shall not be
				considered as income or resources in determining eligibility for, or the amount
				of benefits under, any Federal or federally assisted program.
								(e)Performance requirement. The Secretary may
				make education debt reduction payments to an individual under this section for
				a year only if the Secretary determines that the individual maintained an
				acceptable level of performance in the position or positions served by the
				individual during the year.
							(f)Notification of terms of provision of payments. The Secretary shall provide to an
				individual who receives a payment under this section notice in writing of the
				terms and conditions that apply to such a payment.
							(g)Covered costs. For purposes of subsection (b)(3), costs relating to a
				course of education or training include—
								(1)tuition expenses;
				and
								(2)all other
				reasonable educational expenses, including fees, books, and laboratory
				expenses;
								7904.Preferences in awarding financial assistance. In awarding financial assistance under this
				chapter, the Secretary shall give a preference to qualified individuals who are
				otherwise eligible to receive the financial assistance in the following order
				of priority:
							(1)Veterans with
				service-connected disabilities.
							(2)Veterans.
							(3)Persons described
				in section 4215(a)(B) of this title.
							(4)Individuals who received or are pursuing
				degrees at institutions designated by the National Security Agency as Centers
				of Academic Excellence in Information Assurance Education.
							(5)Citizens of the
				United States.
							7905.Requirement of honorable discharge for veterans receiving assistance. No veteran shall receive financial
				assistance under this chapter unless the veteran was discharged from the Armed
				Forces under honorable conditions.
						7906.Regulations. The Secretary shall prescribe regulations
				for the administration of this chapter.
						7907.Termination. The authority of the Secretary to make a
				payment under this chapter shall terminate on July 31,
				2017.
						.
			(b)GAO report. Not later than three years after the date of the enactment
			 of this Act, the Comptroller General shall submit to Congress a report on the
			 scholarship and education debt reduction programs under
			 chapter 79 of title 38,
			 United States Code, as added by subsection (a).
			(c)Applicability of scholarships. Section 7902 of title 38, United
			 States Code, as added by subsection (a), shall apply with respect to financial
			 assistance provided for an academic semester or term that begins on or after
			 August 1, 2007.
			(d)Clerical amendment. The tables of
			 chapters at the beginning of such title, and at the beginning of part V of such
			 title, are amended by inserting after the item relating to chapter 78 the
			 following new item:
				
					
						79.Information Security Education Assistance Program 7901
					
					.
			
	
		
			Passed the House of
			 Representatives September 26, 2006.
			Karen L. Haas,
			Clerk.
		
	
