[Congressional Bills 111th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4061 Engrossed in House (EH)]

111th CONGRESS
  2d Session
                                H. R. 4061

_______________________________________________________________________

                                 AN ACT


 
     To advance cybersecurity research, development, and technical 
                   standards, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cybersecurity Enhancement Act of 
2010''.

                   TITLE I--RESEARCH AND DEVELOPMENT

SEC. 101. DEFINITIONS.

    In this title:
            (1) National coordination office.--The term National 
        Coordination Office means the National Coordination Office for 
        the Networking and Information Technology Research and 
        Development program.
            (2) Program.--The term Program means the Networking and 
        Information Technology Research and Development program which 
        has been established under section 101 of the High-Performance 
        Computing Act of 1991 (15 U.S.C. 5511).

SEC. 102. FINDINGS.

    Section 2 of the Cyber Security Research and Development Act (15 
U.S.C. 7401) is amended--
            (1) by amending paragraph (1) to read as follows:
            ``(1) Advancements in information and communications 
        technology have resulted in a globally interconnected network 
        of government, commercial, scientific, and education 
        infrastructures, including critical infrastructures for 
        electric power, natural gas and petroleum production and 
        distribution, telecommunications, transportation, water supply, 
        banking and finance, and emergency and government services.'';
            (2) in paragraph (2), by striking ``Exponential increases 
        in interconnectivity have facilitated enhanced communications, 
        economic growth,'' and inserting ``These advancements have 
        significantly contributed to the growth of the United States 
        economy'';
            (3) by amending paragraph (3) to read as follows:
            ``(3) The Cyberspace Policy Review published by the 
        President in May, 2009, concluded that our information 
        technology and communications infrastructure is vulnerable and 
        has `suffered intrusions that have allowed criminals to steal 
        hundreds of millions of dollars and nation-states and other 
        entities to steal intellectual property and sensitive military 
        information'.'';
            (4) by redesignating paragraphs (4) through (6) as 
        paragraphs (5) through (7), respectively;
            (5) by inserting after paragraph (3) the following new 
        paragraph:
            ``(4) In a series of hearings held before Congress in 2009, 
        experts testified that the Federal cybersecurity research and 
        development portfolio was too focused on short-term, 
        incremental research and that it lacked the prioritization and 
        coordination necessary to address the long-term challenge of 
        ensuring a secure and reliable information technology and 
        communications infrastructure.''; and
            (6) by amending paragraph (7), as so redesignated by 
        paragraph (4) of this section, to read as follows:
            ``(7) While African-Americans, Hispanics, and Native 
        Americans constitute 33 percent of the college-age population, 
        members of these minorities comprise less than 20 percent of 
        bachelor degree recipients in the field of computer 
        sciences.''.

SEC. 103. CYBERSECURITY STRATEGIC RESEARCH AND DEVELOPMENT PLAN.

    (a) In General.--Not later than 12 months after the date of 
enactment of this Act, the agencies identified in subsection 
101(a)(3)(B)(i) through (x) of the High-Performance Computing Act of 
1991 (15 U.S.C. 5511(a)(3)(B)(i) through (x)) or designated under 
section 101(a)(3)(B)(xi) of such Act, working through the National 
Science and Technology Council and with the assistance of the National 
Coordination Office, shall transmit to Congress a strategic plan based 
on an assessment of cybersecurity risk to guide the overall direction 
of Federal cybersecurity and information assurance research and 
development for information technology and networking systems. Once 
every 3 years after the initial strategic plan is transmitted to 
Congress under this section, such agencies shall prepare and transmit 
to Congress an update of such plan.
    (b) Contents of Plan.--The strategic plan required under subsection 
(a) shall--
            (1) specify and prioritize near-term, mid-term and long-
        term research objectives, including objectives associated with 
        the research areas identified in section 4(a)(1) of the Cyber 
        Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
        and how the near-term objectives complement research and 
        development areas in which the private sector is actively 
        engaged;
            (2) describe how the Program will focus on innovative, 
        transformational technologies with the potential to enhance the 
        security, reliability, resilience, and trustworthiness of the 
        digital infrastructure, including technologies to secure 
        sensitive information shared among Federal agencies;
            (3) describe how the Program will foster the transfer of 
        research and development results into new cybersecurity 
        technologies and applications for the benefit of society and 
        the national interest, including through the dissemination of 
        best practices and other outreach activities;
            (4) describe how the Program will establish and maintain a 
        national research infrastructure for creating, testing, and 
        evaluating the next generation of secure networking and 
        information technology systems;
            (5) describe how the Program will facilitate access by 
        academic researchers to the infrastructure described in 
        paragraph (4), as well as to relevant data, including event 
        data representing realistic threats and vulnerabilities;
            (6) describe how the Program will engage females and 
        individuals identified in section 33 or 34 of the Science and 
        Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b) 
        to foster a more diverse workforce in this area;
            (7) outline how the United States can work strategically 
        with our international partners on cybersecurity research and 
        development issues where appropriate; and
            (8) describe how the Program will strengthen all levels of 
        cybersecurity education and training programs to ensure an 
        adequate, well-trained workforce.
    (c) Development of Roadmap.--The agencies described in subsection 
(a) shall develop and annually update an implementation roadmap for the 
strategic plan required in this section. Such roadmap shall--
            (1) specify the role of each Federal agency in carrying out 
        or sponsoring research and development to meet the research 
        objectives of the strategic plan, including a description of 
        how progress toward the research objectives will be evaluated;
            (2) specify the funding allocated to each major research 
        objective of the strategic plan and the source of funding by 
        agency for the current fiscal year; and
            (3) estimate the funding required for each major research 
        objective of the strategic plan for the following 3 fiscal 
        years.
    (d) Recommendations.--In developing and updating the strategic plan 
under subsection (a), the agencies involved shall solicit 
recommendations and advice from--
            (1) the advisory committee established under section 
        101(b)(1) of the High-Performance Computing Act of 1991 (15 
        U.S.C. 5511(b)(1)); and
            (2) a wide range of stakeholders, including industry, 
        academia, including representatives of minority serving 
        institutions and community colleges, National Laboratories, and 
        other relevant organizations and institutions.
    (e) Appending to Report.--The implementation roadmap required under 
subsection (c), and its annual updates, shall be appended to the report 
required under section 101(a)(2)(D) of the High-Performance Computing 
Act of 1991 (15 U.S.C. 5511(a)(2)(D)).

SEC. 104. SOCIAL AND BEHAVIORAL RESEARCH IN CYBERSECURITY.

    Section 4(a)(1) of the Cyber Security Research and Development Act 
(15 U.S.C. 7403(a)(1)) is amended--
            (1) by inserting ``and usability'' after ``to the 
        structure'';
            (2) in subparagraph (H), by striking ``and'' after the 
        semicolon;
            (3) in subparagraph (I), by striking the period at the end 
        and inserting ``; and''; and
            (4) by adding at the end the following new subparagraph:
                    ``(J) social and behavioral factors, including 
                human-computer interactions, usability, user 
                motivations, and organizational cultures.''.

SEC. 105. NATIONAL SCIENCE FOUNDATION CYBERSECURITY RESEARCH AND 
              DEVELOPMENT PROGRAMS.

    (a) Computer and Network Security Research Areas.--Section 4(a)(1) 
of the Cyber Security Research and Development Act (15 U.S.C. 
7403(a)(1)) is amended--
            (1) in subparagraph (A) by inserting ``identity 
        management,'' after ``cryptography,''; and
            (2) by amending subparagraph (I) to read as follows:
                    ``(I) enhancement of the ability of law enforcement 
                to detect, investigate, and prosecute cyber-crimes, 
                including crimes that involve piracy of intellectual 
                property, crimes against children, and organized 
                crime.''.
    (b) Computer and Network Security Research Grants.--Section 4(a)(3) 
of such Act (15 U.S.C. 7403(a)(3)) is amended by striking subparagraphs 
(A) through (E) and inserting the following new subparagraphs:
                    ``(A) $68,700,000 for fiscal year 2010;
                    ``(B) $73,500,000 for fiscal year 2011;
                    ``(C) $78,600,000 for fiscal year 2012;
                    ``(D) $84,200,000 for fiscal year 2013; and
                    ``(E) $90,000,000 for fiscal year 2014.''.
    (c) Computer and Network Security Research Centers.--Section 4(b) 
of such Act (15 U.S.C. 7403(b)) is amended--
            (1) in paragraph (4)--
                    (A) in subparagraph (C), by striking ``and'' after 
                the semicolon;
                    (B) in subparagraph (D), by striking the period and 
                inserting ``; and''; and
                    (C) by adding at the end the following new 
                subparagraph:
                    ``(E) how the center will partner with government 
                laboratories, for-profit entities, other institutions 
                of higher education, or nonprofit research 
                institutions.''; and
            (2) by amending paragraph (7) to read as follows:
            ``(7) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.
    (d) Computer and Network Security Capacity Building Grants.--
Section 5(a) of such Act (15 U.S.C. 7404(a)) is amended--
            (1) in paragraph (3)(A), by inserting ``, including 
        curriculum on the principles and techniques of designing secure 
        software'' after ``network security''; and
            (2) by amending paragraph (6) to read as follows:
            ``(6) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.
    (e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) 
of such Act (15 U.S.C. 7404(b)(2)) is amended to read as follows:
            ``(2) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.
    (f) Graduate Traineeships in Computer and Network Security.--
Section 5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is amended to read 
as follows:
            ``(7) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.
    (g) Postdoctoral Research Fellowships in Cybersecurity.--Section 
5(e) of such Act (15 U.S.C. 7404(e)) is amended to read as follows:
    ``(e) Postdoctoral Research Fellowships in Cybersecurity.--
            ``(1) In general.--The Director shall carry out a program 
        to encourage young scientists and engineers to conduct 
        postdoctoral research in the fields of cybersecurity and 
        information assurance, including the research areas described 
        in section 4(a)(1), through the award of competitive, merit-
        based fellowships.
            ``(2) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.
    (h) Prohibition on Earmarks.--None of the funds appropriated under 
this section, and the amendments made by this section may be used for a 
Congressional earmark as defined in clause 9(d) of rule XXI of the 
Rules of the House of Representatives.
    (i) Computer and Network Security Capacity Building Grants--
Manufacturing Extension Partnership.--Section 5(a)(3) of the Cyber 
Security Research and Development Act (15 U.S.C. 7404(a)(3)) is 
amended--
            (1) by striking ``and'' at the end of subparagraph (I);
            (2) by redesignating subparagraph (J) as subparagraph (K); 
        and
            (3) by inserting after subparagraph (I) the following new 
        subparagraph:
                    ``(J) establishing or enhancing collaboration in 
                computer and network security between community 
                colleges, universities, and Manufacturing Extension 
                Partnership Centers; and''.

SEC. 106. FEDERAL CYBER SCHOLARSHIP FOR SERVICE PROGRAM.

    (a) In General.--The Director of the National Science Foundation 
shall carry out a Scholarship for Service program to recruit and train 
the next generation of Federal cybersecurity professionals and to 
increase the capacity of the higher education system to produce an 
information technology workforce with the skills necessary to enhance 
the security of the Nation's communications and information 
infrastructure.
    (b) Characteristics of Program.--The program under this section 
shall--
            (1) provide, through qualified institutions of higher 
        education, scholarships that provide tuition, fees, and a 
        competitive stipend for up to 2 years to students pursuing a 
        bachelor's or master's degree and up to 3 years to students 
        pursuing a doctoral degree in a cybersecurity field;
            (2) provide the scholarship recipients with summer 
        internship opportunities or other meaningful temporary 
        appointments in the Federal information technology workforce 
        or, at the discretion of the Director, with appropriate private 
        sector entities; and
            (3) increase the capacity of institutions of higher 
        education throughout all regions of the United States to 
        produce highly qualified cybersecurity professionals, through 
        the award of competitive, merit-reviewed grants that support 
        such activities as--
                    (A) faculty professional development, including 
                technical, hands-on experiences in the private sector 
                or government, workshops, seminars, conferences, and 
                other professional development opportunities that will 
                result in improved instructional capabilities;
                    (B) institutional partnerships, including minority 
                serving institutions and community colleges;
                    (C) development of cybersecurity-related courses 
                and curricula; and
                    (D) outreach to secondary schools and 2-year 
                institutions to increase the interest and recruitment 
                of students into cybersecurity-related fields.
    (c) Scholarship Requirements.--
            (1) Eligibility.--Scholarships under this section shall be 
        available only to students who--
                    (A) are citizens or permanent residents of the 
                United States;
                    (B) are full-time students in an eligible degree 
                program, as determined by the Director, that is focused 
                on computer security or information assurance at an 
                awardee institution; and
                    (C) accept the terms of a scholarship pursuant to 
                this section.
            (2) Selection.--Individuals shall be selected to receive 
        scholarships primarily on the basis of academic merit, with 
        consideration given to financial need, to the goal of promoting 
        the participation of individuals identified in section 33 or 34 
        of the Science and Engineering Equal Opportunities Act (42 
        U.S.C. 1885a or 1885b), and to veterans. For purposes of this 
        paragraph, the term ``veteran'' means a person who--
                    (A) served on active duty (other than active duty 
                for training) in the Armed Forces of the United States 
                for a period of more than 180 consecutive days, and who 
                was discharged or released therefrom under conditions 
                other than dishonorable; or
                    (B) served on active duty (other than active duty 
                for training) in the Armed Forces of the United States 
                and was discharged or released from such service for a 
                service-connected disability before serving 180 
                consecutive days.
        For purposes of subparagraph (B), the term ``service-
        connected'' has the meaning given such term under section 101 
        of title 38, United States Code.
            (3) Service obligation.--If an individual receives a 
        scholarship under this section, as a condition of receiving 
        such scholarship, the individual upon completion of their 
        degree must serve as a cybersecurity professional within the 
        Federal workforce for a period of time as provided in paragraph 
        (5). If a scholarship recipient is not offered employment by a 
        Federal agency or a federally funded research and development 
        center, the service requirement can be satisfied at the 
        Director's discretion by--
                    (A) serving as a cybersecurity professional in a 
                State, local, or tribal government agency; or
                    (B) teaching cybersecurity courses at an 
                institution of higher education.
            (4) Conditions of support.--As a condition of acceptance of 
        a scholarship under this section, a recipient shall agree to 
        provide the awardee institution with annual verifiable 
        documentation of employment and up-to-date contact information.
            (5) Length of service.--The length of service required in 
        exchange for a scholarship under this subsection shall be as 
        follows:
                    (A) For a recipient in a bachelor's degree program, 
                1 year more than the number of years for which the 
                scholarship was received.
                    (B) For a recipient in a master's degree program, 2 
                years more than the number of years for which the 
                scholarship was received.
                    (C) For a recipient in a doctorate degree program, 
                3 years more than the number of years for which the 
                scholarship was received.
    (d) Failure to Complete Service Obligation.--
            (1) General rule.--If an individual who has received a 
        scholarship under this section--
                    (A) fails to maintain an acceptable level of 
                academic standing in the educational institution in 
                which the individual is enrolled, as determined by the 
                Director;
                    (B) is dismissed from such educational institution 
                for disciplinary reasons;
                    (C) withdraws from the program for which the award 
                was made before the completion of such program;
                    (D) declares that the individual does not intend to 
                fulfill the service obligation under this section; or
                    (E) fails to fulfill the service obligation of the 
                individual under this section,
        such individual shall be liable to the United States as 
        provided in paragraph (3).
            (2) Monitoring compliance.--As a condition of participating 
        in the program, a qualified institution of higher education 
        receiving a grant under this section shall--
                    (A) enter into an agreement with the Director of 
                the National Science Foundation to monitor the 
                compliance of scholarship recipients with respect to 
                their service obligation; and
                    (B) provide to the Director, on an annual basis, 
                post-award employment information required under 
                subsection (c)(4) for scholarship recipients through 
                the completion of their service obligation.
            (3) Amount of repayment.--
                    (A) Less than one year of service.--If a 
                circumstance described in paragraph (1) occurs before 
                the completion of 1 year of a service obligation under 
                this section, the total amount of awards received by 
                the individual under this section shall be repaid or 
                such amount shall be treated as a loan to be repaid in 
                accordance with subparagraph (C).
                    (B) More than one year of service.--If a 
                circumstance described in subparagraph (D) or (E) of 
                paragraph (1) occurs after the completion of 1 year of 
                a service obligation under this section, the total 
                amount of scholarship awards received by the individual 
                under this section, reduced by the ratio of the number 
                of years of service completed divided by the number of 
                years of service required, shall be repaid or such 
                amount shall be treated as a loan to be repaid in 
                accordance with subparagraph (C).
                    (C) Repayments.--A loan described in subparagraph 
                (A) or (B) shall be treated as a Federal Direct 
                Unsubsidized Stafford Loan under part D of title IV of 
                the Higher Education Act of 1965 (20 U.S.C. 1087a and 
                following), and shall be subject to repayment, together 
                with interest thereon accruing from the date of the 
                scholarship award, in accordance with terms and 
                conditions specified by the Director (in consultation 
                with the Secretary of Education) in regulations 
                promulgated to carry out this paragraph.
            (4) Collection of repayment.--
                    (A) In general.--In the event that a scholarship 
                recipient is required to repay the scholarship under 
                this subsection, the institution providing the 
                scholarship shall--
                            (i) be responsible for determining the 
                        repayment amounts and for notifying the 
                        recipient and the Director of the amount owed; 
                        and
                            (ii) collect such repayment amount within a 
                        period of time as determined under the 
                        agreement described in paragraph (2), or the 
                        repayment amount shall be treated as a loan in 
                        accordance with paragraph (3)(C).
                    (B) Returned to treasury.--Except as provided in 
                subparagraph (C) of this paragraph, any such repayment 
                shall be returned to the Treasury of the United States.
                    (C) Retain percentage.--An institution of higher 
                education may retain a percentage of any repayment the 
                institution collects under this paragraph to defray 
                administrative costs associated with the collection. 
                The Director shall establish a single, fixed percentage 
                that will apply to all eligible entities.
            (5) Exceptions.--The Director may provide for the partial 
        or total waiver or suspension of any service or payment 
        obligation by an individual under this section whenever 
        compliance by the individual with the obligation is impossible 
        or would involve extreme hardship to the individual, or if 
        enforcement of such obligation with respect to the individual 
        would be unconscionable.
    (e) Hiring Authority.--For purposes of any law or regulation 
governing the appointment of individuals in the Federal civil service, 
upon successful completion of their degree, students receiving a 
scholarship under this section shall be hired under the authority 
provided for in section 213.3102(r) of title 5, Code of Federal 
Regulations, and be exempted from competitive service. Upon fulfillment 
of the service term, such individuals shall be converted to a 
competitive service position without competition if the individual 
meets the requirements for that position.
    (f) Authorization of Appropriations.--There are authorized to be 
appropriated to the National Science Foundation to carry out this 
section--
            (1) $18,700,000 for fiscal year 2010;
            (2) $20,100,000 for fiscal year 2011;
            (3) $21,600,000 for fiscal year 2012;
            (4) $23,300,000 for fiscal year 2013; and
            (5) $25,000,000 for fiscal year 2014.

SEC. 107. CYBERSECURITY WORKFORCE ASSESSMENT.

    Not later than 180 days after the date of enactment of this Act the 
President shall transmit to the Congress a report addressing the 
cybersecurity workforce needs of the Federal Government. The report 
shall include--
            (1) an examination of the current state of and the 
        projected needs of the Federal cybersecurity workforce, 
        including a comparison of the different agencies and 
        departments, the extent to which different agencies and 
        departments rely on contractors to support the Federal 
        cybersecurity workforce, and an analysis of the capacity of 
        such agencies and departments to meet those needs;
            (2) an analysis of the sources and availability of 
        cybersecurity talent, a comparison of the skills and expertise 
        sought by the Federal Government and the private sector, an 
        examination of the current and future capacity of United States 
        institutions of higher education, including community colleges, 
        to provide cybersecurity professionals with those skills sought 
        by the Federal Government and the private sector, and a 
        description of how successful programs are engaging the talents 
        of women and African-Americans, Hispanics, and Native Americans 
        in the cybersecurity workforce;
            (3) an examination of the effectiveness of the National 
        Centers of Academic Excellence in Information Assurance 
        Education, the Centers of Academic Excellence in Research, and 
        the Federal Cyber Scholarship for Service programs in promoting 
        higher education and research in cybersecurity and information 
        assurance and in producing a growing number of professionals 
        with the necessary cybersecurity and information assurance 
        expertise;
            (4) an analysis of any barriers to the Federal Government 
        recruiting and hiring cybersecurity talent, including barriers 
        relating to compensation, the hiring process, job 
        classification, job security clearance and suitability 
        requirements, and hiring flexibilities;
            (5) a specific analysis of the capacity of the agency 
        workforce to manage contractors who are performing 
        cybersecurity work on behalf of the Federal Government; and
            (6) recommendations for Federal policies to ensure an 
        adequate, well-trained Federal cybersecurity workforce, 
        including recommendations on the temporary assignment of 
        private sector cybersecurity professionals to Federal agencies.

SEC. 108. CYBERSECURITY UNIVERSITY-INDUSTRY TASK FORCE.

    (a) Establishment of University-Industry Task Force.--Not later 
than 180 days after the date of enactment of this Act, the Director of 
the Office of Science and Technology Policy shall convene a task force 
to explore mechanisms for carrying out collaborative research and 
development activities for cybersecurity through a consortium or other 
appropriate entity with participants from institutions of higher 
education and industry.
    (b) Functions.--The task force shall--
            (1) develop options for a collaborative model and an 
        organizational structure for such entity under which the joint 
        research and development activities could be planned, managed, 
        and conducted effectively, including mechanisms for the 
        allocation of resources among the participants in such entity 
        for support of such activities;
            (2) propose a process for developing a research and 
        development agenda for such entity, including guidelines to 
        ensure an appropriate scope of work focused on nationally 
        significant challenges and requiring collaboration;
            (3) define the roles and responsibilities for the 
        participants from institutions of higher education and industry 
        in such entity;
            (4) propose guidelines for assigning intellectual property 
        rights, for the transfer of research and development results to 
        the private sector, and for the sharing of lessons learned on 
        the effectiveness of new technologies from the private sector 
        with the public sector; and
            (5) make recommendations for how such entity could be 
        funded from Federal, State, and nongovernmental sources.
    (c) Composition.--In establishing the task force under subsection 
(a), the Director of the Office of Science and Technology Policy shall 
appoint an equal number of individuals from institutions of higher 
education, including community colleges, and from industry with 
knowledge and expertise in cybersecurity, and shall include 
representatives from minority-serving institutions.
    (d) Report.--Not later than 12 months after the date of enactment 
of this Act, the Director of the Office of Science and Technology 
Policy shall transmit to the Congress a report describing the findings 
and recommendations of the task force.

SEC. 109. CYBERSECURITY CHECKLIST DEVELOPMENT AND DISSEMINATION.

    Section 8(c) of the Cyber Security Research and Development Act (15 
U.S.C. 7406(c)) is amended to read as follows:
    ``(c) Checklists for Government Systems.--
            ``(1) In general.--The Director of the National Institute 
        of Standards and Technology shall develop or identify and 
        revise or adapt as necessary, checklists, configuration 
        profiles, and deployment recommendations for products and 
        protocols that minimize the security risks associated with each 
        computer hardware or software system that is, or is likely to 
        become, widely used within the Federal Government.
            ``(2) Priorities for development.--The Director of the 
        National Institute of Standards and Technology shall establish 
        priorities for the development of checklists under this 
        subsection. Such priorities may be based on the security risks 
        associated with the use of each system, the number of agencies 
        that use a particular system, the usefulness of the checklist 
        to Federal agencies that are users or potential users of the 
        system, or such other factors as the Director determines to be 
        appropriate.
            ``(3) Excluded systems.--The Director of the National 
        Institute of Standards and Technology may exclude from the 
        requirements of paragraph (1) any computer hardware or software 
        system for which the Director determines that the development 
        of a checklist is inappropriate because of the infrequency of 
        use of the system, the obsolescence of the system, or the 
        inutility or impracticability of developing a checklist for the 
        system.
            ``(4) Automation specifications.--The Director of the 
        National Institute of Standards and Technology shall develop 
        automated security specifications (such as the Security Content 
        Automation Protocol) with respect to checklist content and 
        associated security related data.
            ``(5) Dissemination of checklists.--The Director of the 
        National Institute of Standards and Technology shall ensure 
        that Federal agencies are informed of the availability of any 
        product developed or identified under the National Checklist 
        Program for any information system, including the Security 
        Content Automation Protocol and other automated security 
        specifications.
            ``(6) Agency use requirements.--The development of a 
        checklist under paragraph (1) for a computer hardware or 
        software system does not--
                    ``(A) require any Federal agency to select the 
                specific settings or options recommended by the 
                checklist for the system;
                    ``(B) establish conditions or prerequisites for 
                Federal agency procurement or deployment of any such 
                system;
                    ``(C) imply an endorsement of any such system by 
                the Director of the National Institute of Standards and 
                Technology; or
                    ``(D) preclude any Federal agency from procuring or 
                deploying other computer hardware or software systems 
                for which no such checklist has been developed or 
                identified under paragraph (1).''.

SEC. 110. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY 
              RESEARCH AND DEVELOPMENT.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is amended by redesignating subsection (e) as 
subsection (f), and by inserting after subsection (d) the following:
    ``(e) Intramural Security Research.--As part of the research 
activities conducted in accordance with subsection (d)(3), the 
Institute shall--
            ``(1) conduct a research program to develop a unifying and 
        standardized identity, privilege, and access control management 
        framework for the execution of a wide variety of resource 
        protection policies and that is amenable to implementation 
        within a wide variety of existing and emerging computing 
        environments;
            ``(2) carry out research associated with improving the 
        security of information systems and networks;
            ``(3) carry out research associated with improving the 
        testing, measurement, usability, and assurance of information 
        systems and networks; and
            ``(4) carry out research associated with improving security 
        of industrial control systems.''.

SEC. 111. NATIONAL ACADEMY OF SCIENCES STUDY ON THE ROLE OF COMMUNITY 
              COLLEGES IN CYBERSECURITY EDUCATION.

    Not later than 120 days after the date of enactment of this Act, 
the Director of the Office of Science and Technology Policy, in 
consultation with the Director of the National Coordination Office, 
shall enter into a contract with the National Academy of Sciences to 
conduct and complete a study to describe the role of community colleges 
in cybersecurity education and to identify exemplary practices and 
partnerships related to cybersecurity education between community 
colleges and 4-year educational institutions.

SEC. 112. NATIONAL CENTER OF EXCELLENCE FOR CYBERSECURITY.

    (a) In General.--As part of the Program, the Director of the 
National Science Foundation shall, in coordination with other Federal 
agencies participating in the Program, establish a National Center of 
Excellence for Cybersecurity.
    (b) Merit Review.--The National Center of Excellence for 
Cybersecurity shall be awarded on a merit-reviewed, competitive basis.
    (c) Activities Supported.--The National Center of Excellence for 
Cybersecurity shall--
            (1) involve institutions of higher education or national 
        laboratories and other partners, which may include States and 
        industry;
            (2) make use of existing expertise in cybersecurity;
            (3) interact and collaborate with Computer and Network 
        Security Research Centers to foster the exchange of technical 
        information and best practices;
            (4) perform research to support the development of 
        technologies for testing hardware and software products to 
        validate operational readiness and certify stated security 
        levels;
            (5) coordinate cybersecurity education and training 
        opportunities nationally;
            (6) enhance technology transfer and commercialization that 
        promote cybersecurity innovation; and
            (7) perform research on cybersecurity social and behavioral 
        factors, including human-computer interactions, usability, user 
        motivations, and organizational cultures.

SEC. 113. CYBERSECURITY INFRASTRUCTURE REPORT.

    Not later than 1 year after the date of enactment of this Act, the 
Comptroller General shall transmit to the Congress a report examining 
key weaknesses within the current cybersecurity infrastructure, along 
with recommendations on how to address such weaknesses in the future 
and on the technology that is needed to do so.

       TITLE II--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

SEC. 201. DEFINITIONS.

    In this title:
            (1) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (2) Institute.--The term ``Institute'' means the National 
        Institute of Standards and Technology.

SEC. 202. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

    The Director, in coordination with appropriate Federal authorities, 
shall--
            (1) ensure coordination of United States Government 
        representation in the international development of technical 
        standards related to cybersecurity; and
            (2) not later than 1 year after the date of enactment of 
        this Act, develop and transmit to the Congress a proactive plan 
        to engage international standards bodies with respect to the 
        development of technical standards related to cybersecurity.

SEC. 203. PROMOTING CYBERSECURITY AWARENESS AND EDUCATION.

    (a) Program.--The Director, in collaboration with relevant Federal 
agencies, industry, educational institutions, and other organizations, 
shall develop and implement a cybersecurity awareness and education 
program to increase public awareness, including among children and 
young adults, of cybersecurity risks, consequences, and best practices 
through--
            (1) the widespread dissemination of cybersecurity technical 
        standards and best practices identified by the Institute; and
            (2) efforts to make cybersecurity technical standards and 
        best practices usable by individuals, small to medium-sized 
        businesses, State, local, and tribal governments, and 
        educational institutions, especially with respect to novice 
        computer users, elderly populations, low-income populations, 
        and populations in areas of planned broadband expansion or 
        deployment.
    (b) Workshops.--In carrying out activities under subsection (a)(1), 
the Institute is authorized to host regional workshops to provide an 
overview of cybersecurity risks and best practices to businesses, 
State, local, and tribal governments, and educational institutions.
    (c) Manufacturing Extension Partnership.--The Director shall, to 
the extent appropriate, implement subsection (a) through the 
Manufacturing Extension Partnership program under section 25 of the 
National Institute of Standards and Technology Act (15 U.S.C. 278k).
    (d) Report to Congress.--Not later than 90 days after the date of 
enactment of this Act, the Director shall transmit to the Congress a 
report containing a strategy for implementation of this section.

SEC. 204. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

    The Director shall establish a program to support the development 
of technical standards, metrology, testbeds, and conformance criteria, 
taking into account appropriate user concerns, to--
            (1) improve interoperability among identity management 
        technologies;
            (2) strengthen authentication methods of identity 
        management systems;
            (3) improve privacy protection in identity management 
        systems, including health information technology systems, 
        through authentication and security protocols; and
            (4) improve the usability of identity management systems.

SEC. 205. PRACTICES AND STANDARDS.

    The National Institute of Standards and Technology shall work with 
other Federal, State, and private sector partners, as appropriate, to 
develop a framework that States may follow in order to achieve 
effective cybersecurity practices in a timely and cost-effective 
manner.

            Passed the House of Representatives February 4, 2010.

            Attest:

                                                                 Clerk.