[Congressional Bills 111th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4061 Introduced in House (IH)]

111th CONGRESS
  1st Session
                                H. R. 4061

     To advance cybersecurity research, development, and technical 
                   standards, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            November 7, 2009

 Mr. Lipinski (for himself, Mr. McCaul, Mr. Wu, Mr. Ehlers, Ms. Eddie 
    Bernice Johnson of Texas, Mr. Smith of Nebraska, Mr. Gordon of 
Tennessee, Mr. Hall of Texas, Mr. Lujan, and Mr. Rothman of New Jersey) 
 introduced the following bill; which was referred to the Committee on 
                         Science and Technology

_______________________________________________________________________

                                 A BILL


 
     To advance cybersecurity research, development, and technical 
                   standards, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cybersecurity Enhancement Act of 
2009''.

                   TITLE I--RESEARCH AND DEVELOPMENT

SEC. 101. DEFINITIONS.

    In this title:
            (1) National coordination office.--The term ``National 
        Coordination Office'' means the National Coordination Office for 
        the Networking and Information Technology Research and 
        Development program.
            (2) Program.--The term ``Program'' means the Networking and 
        Information Technology Research and Development program which 
        has been established under section 101 of the High-Performance 
        Computing Act of 1991 (15 U.S.C. 5511).

SEC. 102. FINDINGS.

    Section 2 of the Cyber Security Research and Development Act (15 
U.S.C. 7401) is amended--
            (1) by amending paragraph (1) to read as follows:
            ``(1) Advancements in information and communications 
        technology have resulted in a globally interconnected network 
        of government, commercial, scientific, and education 
        infrastructures, including critical infrastructures for 
        electric power, natural gas and petroleum production and 
        distribution, telecommunications, transportation, water supply, 
        banking and finance, and emergency and government services.'';
            (2) in paragraph (2), by striking ``Exponential increases 
        in interconnectivity have facilitated enhanced communications, 
        economic growth,'' and inserting ``These advancements have 
        significantly contributed to the growth of the United States 
        economy'';
            (3) by amending paragraph (3) to read as follows:
            ``(3) The Cyberspace Policy Review published by the 
        President in May, 2009, concluded that our information 
        technology and communications infrastructure is vulnerable and 
        has `suffered intrusions that have allowed criminals to steal 
        hundreds of millions of dollars and nation-states and other 
        entities to steal intellectual property and sensitive military 
        information'.'';
            (4) by redesignating paragraphs (4) through (6) as 
        paragraphs (5) through (7), respectively;
            (5) by inserting after paragraph (3) the following new 
        paragraph:
            ``(4) In a series of hearings held before Congress in 2009, 
        experts testified that the Federal cybersecurity research and 
        development portfolio was too focused on short-term, 
        incremental research and that it lacked the prioritization and 
        coordination necessary to address the long-term challenge of 
        ensuring a secure and reliable information technology and 
        communications infrastructure.''; and
            (6) by amending paragraph (7), as so redesignated by 
        paragraph (4) of this section, to read as follows:
            ``(7) While African-Americans, Hispanics, and Native 
        Americans constitute 33 percent of the college-age population, 
        members of these minorities comprise less than 20 percent of 
        bachelor degree recipients in the field of computer 
        sciences.''.

SEC. 103. CYBERSECURITY STRATEGIC RESEARCH AND DEVELOPMENT PLAN.

    (a) In General.--Not later than 12 months after the date of 
enactment of this Act, the agencies identified in subsection 
101(a)(3)(B) (i) through (x) of the High-Performance Computing Act of 
1991 (15 U.S.C. 5511(a)(3)(B) (i) through (x)) or designated under 
section 101(a)(3)(B)(xi) of such Act, working through the National 
Science and Technology Council and with the assistance of the National 
Coordination Office, shall transmit to Congress a strategic plan based 
on an assessment of cybersecurity risk to guide the overall direction 
of Federal cybersecurity and information assurance research and 
development for information technology and networking systems. Once 
every 3 years after the initial strategic plan is transmitted to 
Congress under this section, such agencies shall prepare and transmit 
to Congress an update of such plan.
    (b) Contents of Plan.--The strategic plan required under subsection 
(a) shall--
            (1) specify and prioritize near-term, mid-term and long-
        term research objectives, including objectives associated with 
        the research areas identified in section 4(a)(1) of the Cyber 
        Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
        and how the near-term objectives complement research and 
        development areas in which the private sector is actively 
        engaged;
            (2) describe how the Program will focus on innovative, 
        transformational technologies with the potential to enhance the 
        security, reliability, resilience, and trustworthiness of the 
        digital infrastructure;
            (3) describe how the Program will foster the transfer of 
        research and development results into new cybersecurity 
        technologies and applications for the benefit of society and 
        the national interest, including through the dissemination of 
        best practices and other outreach activities;
            (4) describe how the Program will establish and maintain a 
        national research infrastructure for creating, testing, and 
        evaluating the next generation of secure networking and 
        information technology systems;
            (5) describe how the Program will facilitate access by 
        academic researchers to the infrastructure described in 
        paragraph (4), as well as to event data; and
            (6) describe how the Program will engage females and 
        individuals identified in section 33 or 34 of the Science and 
        Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b) 
        to foster a more diverse workforce in this area.
    (c) Development of Roadmap.--The agencies described in subsection 
(a) shall develop and annually update an implementation roadmap for the 
strategic plan required in this section. Such roadmap shall--
            (1) specify the role of each Federal agency in carrying out 
        or sponsoring research and development to meet the research 
        objectives of the strategic plan, including a description of 
        how progress toward the research objectives will be evaluated;
            (2) specify the funding allocated to each major research 
        objective of the strategic plan and the source of funding by 
        agency for the current fiscal year; and
            (3) estimate the funding required for each major research 
        objective of the strategic plan for the following 3 fiscal 
        years.
    (d) Recommendations.--In developing and updating the strategic plan 
under subsection (a), the agencies involved shall solicit 
recommendations and advice from--
            (1) the advisory committee established under section 
        101(b)(1) of the High-Performance Computing Act of 1991 (15 
        U.S.C. 5511(b)(1)); and
            (2) a wide range of stakeholders, including industry, 
        academia, including representatives of minority serving 
        institutions, and other relevant organizations and 
        institutions.
    (e) Appending to Report.--The implementation roadmap required under 
subsection (c), and its annual updates, shall be appended to the report 
required under section 101(a)(2)(D) of the High-Performance Computing 
Act of 1991 (15 U.S.C. 5511(a)(2)(D)).

SEC. 104. SOCIAL AND BEHAVIORAL RESEARCH IN CYBERSECURITY.

    Section 4(a)(1) of the Cyber Security Research and Development Act 
(15 U.S.C. 7403(a)(1)) is amended--
            (1) by inserting ``and usability'' after ``to the 
        structure'';
            (2) in subparagraph (H), by striking ``and'' after the 
        semicolon;
            (3) in subparagraph (I), by striking the period at the end 
        and inserting ``; and''; and
            (4) by adding at the end the following new subparagraph:
                    ``(J) social and behavioral factors, including 
                human-computer interactions, usability, user 
                motivations, and organizational cultures.''.

SEC. 105. NATIONAL SCIENCE FOUNDATION CYBERSECURITY RESEARCH AND 
              DEVELOPMENT PROGRAMS.

    (a) Computer and Network Security Research Areas.--Section 4(a) of 
the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
is amended in subparagraph (A) by inserting ``identity management,'' 
after ``cryptography,''.
    (b) Computer and Network Security Research Grants.--Section 4(a)(3) 
of such Act (15 U.S.C. 7403(a)(3)) is amended by striking subparagraphs 
(A) through (E) and inserting the following new subparagraphs:
                    ``(A) $68,700,000 for fiscal year 2010;
                    ``(B) $73,500,000 for fiscal year 2011;
                    ``(C) $78,600,000 for fiscal year 2012;
                    ``(D) $84,200,000 for fiscal year 2013; and
                    ``(E) $90,000,000 for fiscal year 2014.''.
    (c) Computer and Network Security Research Centers.--Section 4(b) 
of such Act (15 U.S.C. 7403(b)) is amended--
            (1) in paragraph (4)--
                    (A) in subparagraph (C), by inserting ``and'' after 
                the semicolon;
                    (B) in subparagraph (D), by striking the period and 
                inserting ``; and''; and
                    (C) by striking subparagraph (D);
            (2) by adding at the end the following new subparagraph:
                    ``(E) how the center will partner with government 
                laboratories, for-profit entities, other institutions 
                of higher education, or nonprofit research 
                institutions.''; and
            (3) by amending paragraph (7) to read as follows:
            ``(7) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.
    (d) Computer and Network Security Capacity Building Grants.--
Section 5(a)(6) of such Act (15 U.S.C. 7404(a)(6)) is amended to read 
as follows:
            ``(6) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.
    (e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) 
of such Act (15 U.S.C. 7404(b)(2)) is amended to read as follows:
            ``(2) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.
    (f) Graduate Traineeships in Computer and Network Security.--
Section 5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is amended to read 
as follows:
            ``(7) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.
    (g) Postdoctoral Research Fellowships in Cybersecurity.--Section 
5(e) of such Act (15 U.S.C. 7404(e)) is amended to read as follows:
    ``(e) Postdoctoral Research Fellowships in Cybersecurity.--
            ``(1) In general.--The Director shall carry out a program 
        to encourage young scientists and engineers to conduct 
        postdoctoral research in the fields of cybersecurity and 
        information assurance, including the research areas described 
        in section 4(a)(1), through the award of competitive, merit-
        based fellowships.
            ``(2) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation such sums as are necessary to carry out this 
        subsection for each of the fiscal years 2010 through 2014.''.

SEC. 106. CYBERSECURITY UNIVERSITY-INDUSTRY TASK FORCE.

    (a) Establishment of University-Industry Task Force.--Not later 
than 180 days after the date of enactment of this Act, the Director of 
the Office of Science and Technology Policy shall convene a task force 
to explore mechanisms for carrying out collaborative research and 
development activities for cybersecurity through a consortium or other 
appropriate entity with participants from institutions of higher 
education and industry.
    (b) Functions.--The task force shall--
            (1) develop options for a collaborative model and an 
        organizational structure for such entity under which the joint 
        research and development activities could be planned, managed, 
        and conducted effectively, including mechanisms for the 
        allocation of resources among the participants in such entity 
        for support of such activities;
            (2) propose a process for developing a research and 
        development agenda for such entity, including guidelines to 
        ensure an appropriate scope of work focused on nationally 
        significant challenges and requiring collaboration;
            (3) define the roles and responsibilities for the 
        participants from institutions of higher education and industry 
        in such entity;
            (4) propose guidelines for assigning intellectual property 
        rights and for the transfer of research and development results 
        to the private sector; and
            (5) make recommendations for how such entity could be 
        funded from Federal, State, and nongovernmental sources.
    (c) Composition.--In establishing the task force under subsection 
(a), the Director of the Office of Science and Technology Policy shall 
appoint an equal number of individuals from institutions of higher 
education and from industry with knowledge and expertise in 
cybersecurity.
    (d) Report.--Not later than 12 months after the date of enactment 
of this Act, the Director of the Office of Science and Technology 
Policy shall transmit to the Congress a report describing the findings 
and recommendations of the task force.

SEC. 107. CYBERSECURITY CHECKLIST DEVELOPMENT AND DISSEMINATION.

    Section 8(c) of the Cybersecurity Research and Development Act (15 
U.S.C. 7406(c)) is amended to read as follows:
    ``(c) Checklists for Government Systems.--
            ``(1) In general.--The Director of the National Institute 
        of Standards and Technology shall develop or identify and 
        revise or adapt as necessary, checklists, configuration 
        profiles, and deployment recommendations for products and 
        protocols that minimize the security risks associated with each 
        computer hardware or software system that is, or is likely to 
        become, widely used within the Federal Government.
            ``(2) Priorities for development.--The Director of the 
        National Institute of Standards and Technology shall establish 
        priorities for the development of checklists under this 
        subsection. Such priorities may be based on the security risks 
        associated with the use of each system, the number of agencies 
        that use a particular system, the usefulness of the checklist 
        to Federal agencies that are users or potential users of the 
        system, or such other factors as the Director determines to be 
        appropriate.
            ``(3) Excluded systems.--The Director of the National 
        Institute of Standards and Technology may exclude from the 
        requirements of paragraph (1) any computer hardware or software 
        system for which the Director determines that the development 
        of a checklist is inappropriate because of the infrequency of 
        use of the system, the obsolescence of the system, or the 
        inutility or impracticability of developing a checklist for the 
        system.
            ``(4) Automation specifications.--The Director of the 
        National Institute of Standards and Technology shall develop 
        automated security specifications (such as the Security Content 
        Automation Protocol) with respect to checklist content and 
        associated security related data.
            ``(5) Dissemination of checklists.--The Director of the 
        National Institute of Standards and Technology shall ensure 
        that any product developed under the National Checklist Program 
        for any information system, including the Security Content 
        Automation Protocol and other automated security 
        specifications, is made available to Federal agencies.
            ``(6) Agency use requirements.--Federal agencies shall use 
        checklists developed or identified under paragraph (1) to 
        secure computer hardware and software systems. This paragraph 
        does not--
                    ``(A) require any Federal agency to select the 
                specific settings or options recommended by the 
                checklist for the system;
                    ``(B) establish conditions or prerequisites for 
                Federal agency procurement or deployment of any such 
                system;
                    ``(C) imply an endorsement of any such system by 
                the Director of the National Institute of Standards and 
                Technology; or
                    ``(D) preclude any Federal agency from procuring or 
                deploying other computer hardware or software systems 
                for which no such checklist has been developed or 
                identified under paragraph (1).''.

SEC. 108. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY 
              RESEARCH AND DEVELOPMENT.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is amended by redesignating subsection (e) as 
subsection (f), and by inserting after subsection (d) the following:
    ``(e) Intramural Security Research.--As part of the research 
activities conducted in accordance with subsection (d)(3), the 
Institute shall--
            ``(1) conduct a research program to develop a unifying and 
        standardized identity, privilege, and access control management 
        framework for the execution of a wide variety of resource 
        protection policies and that is amenable to implementation 
        within a wide variety of existing and emerging computing 
        environments;
            ``(2) carry out research associated with improving the 
        security of information systems and networks;
            ``(3) carry out research associated with improving the 
        testing, measurement, usability, and assurance of information 
        systems and networks; and
            ``(4) carry out research associated with improving security 
        of industrial control systems.''.

       TITLE II--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

SEC. 201. DEFINITIONS.

    In this title:
            (1) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (2) Institute.--The term ``Institute'' means the National 
        Institute of Standards and Technology.

SEC. 202. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

    The Director, in coordination with appropriate Federal authorities, 
shall--
            (1) ensure coordination of United States Government 
        representation in the international development of technical 
        standards related to cybersecurity; and
            (2) not later than 1 year after the date of enactment of 
        this Act, develop and transmit to the Congress a proactive plan 
        to engage international standards bodies with respect to the 
        development of technical standards related to cybersecurity.

SEC. 203. PROMOTING CYBERSECURITY AWARENESS AND EDUCATION.

    (a) Program.--The Director, in collaboration with relevant Federal 
agencies, industry, educational institutions, and other organizations, 
shall develop and implement a cybersecurity awareness and education 
program to increase public awareness of cybersecurity risks, 
consequences, and best practices through--
            (1) the widespread dissemination of cybersecurity technical 
        standards and best practices identified by the Institute; and
            (2) efforts to make cybersecurity technical standards and 
        best practices usable by individuals, small to medium-sized 
        businesses, State and local governments, and educational 
        institutions.
    (b) Manufacturing Extension Partnership.--The Director shall, to 
the extent appropriate, implement subsection (a) through the 
Manufacturing Extension Partnership program under section 25 of the 
National Institute of Standards and Technology Act (15 U.S.C. 278k).
    (c) Report to Congress.--Not later than 90 days after the date of 
enactment of this Act, the Director shall transmit to the Congress a 
report containing a strategy for implementation of this section.

SEC. 204. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

    The Director shall establish a program to support the development 
of technical standards, metrology, testbeds, and conformance criteria, 
taking into account appropriate user concerns, to--
            (1) improve interoperability among identity management 
        technologies;
            (2) strengthen authentication methods of identity 
        management systems; and
            (3) improve privacy protection in identity management 
        systems, including health information technology systems, 
        through authentication and security protocols.