[Congressional Bills 111th Congress]
[From the U.S. Government Publishing Office]
[S. 773 Reported in Senate (RS)]

                                                       Calendar No. 707
111th CONGRESS
  2d Session
                                 S. 773

To ensure the continued free flow of commerce within the United States 
       and with its global trading partners through secure cyber 
     communications, to provide for the continued development and 
   exploitation of the Internet and intranet communications for such 
  purposes, to provide for the development of a cadre of information 
technology specialists to improve and maintain effective cyber security 
          defenses against disruption, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 1, 2009

  Mr. Rockefeller (for himself, Ms. Snowe, Mr. Nelson of Florida, Mr. 
 Bayh, and Ms. Mikulski) introduced the following bill; which was read 
     twice and referred to the Committee on Commerce, Science, and 
                             Transportation

                           December 17, 2010

             Reported by Mr. Rockefeller, with an amendment
 [Strike all after the enacting clause and insert the part printed in 
                                italic]

_______________________________________________________________________

                                 A BILL


 
To ensure the continued free flow of commerce within the United States 
       and with its global trading partners through secure cyber 
     communications, to provide for the continued development and 
   exploitation of the Internet and intranet communications for such 
  purposes, to provide for the development of a cadre of information 
technology specialists to improve and maintain effective cybersecurity 
          defenses against disruption, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>

<DELETED>    (a) Short Title.--This Act may be cited as the 
``Cybersecurity Act of 2009''.</DELETED>
<DELETED>    (b) Table of Contents.--The table of contents for this Act 
is as follows:</DELETED>

<DELETED>Sec. 1. Short title; table of contents.
<DELETED>Sec. 2. Findings.
<DELETED>Sec. 3. Cybersecurity Advisory Panel.
<DELETED>Sec. 4. Real-time cybersecurity dashboard.
<DELETED>Sec. 5. State and regional cybersecurity enhancement program.
<DELETED>Sec. 6. NIST standards development and compliance.
<DELETED>Sec. 7. Licensing and certification of cybersecurity 
                            professionals.
<DELETED>Sec. 8. Review of NTIA domain name contracts.
<DELETED>Sec. 9. Secure domain name addressing system.
<DELETED>Sec. 10. Promoting cybersecurity awareness.
<DELETED>Sec. 11. Federal cybersecurity research and development.
<DELETED>Sec. 12. Federal Cyber Scholarship-for-Service program.
<DELETED>Sec. 13. Cybersecurity competition and challenge.
<DELETED>Sec. 14. Public-private clearinghouse.
<DELETED>Sec. 15. Cybersecurity risk management report.
<DELETED>Sec. 16. Legal framework review and report.
<DELETED>Sec. 17. Authentication and civil liberties report.
<DELETED>Sec. 18. Cybersecurity responsibilities and authorities.
<DELETED>Sec. 19. Quadrennial cyber review.
<DELETED>Sec. 20. Joint intelligence threat assessment.
<DELETED>Sec. 21. International norms and cybersecurity deterrence 
                            measures.
<DELETED>Sec. 22. Federal Secure Products and Services Acquisitions 
                            Board.
<DELETED>Sec. 23. Definitions.

<DELETED>SEC. 2. FINDINGS.</DELETED>

<DELETED>    The Congress finds the following:</DELETED>
        <DELETED>    (1) America's failure to protect cyberspace is one 
        of the most urgent national security problems facing the 
        country.</DELETED>
        <DELETED>    (2) Since intellectual property is now often 
        stored in digital form, industrial espionage that exploits weak 
        cybersecurity dilutes our investment in innovation while 
        subsidizing the research and development efforts of foreign 
        competitors. In the new global competition, where economic 
        strength and technological leadership are vital components of 
        national power, failing to secure cyberspace puts us at a 
        disadvantage.</DELETED>
        <DELETED>    (3) According to the 2009 Annual Threat 
        Assessment, ``a successful cyber attack against a major 
        financial service provider could severely impact the national 
        economy, while cyber attacks against physical infrastructure 
        computer systems such as those that control power grids or oil 
        refineries have the potential to disrupt services for hours or 
        weeks'' and that ``Nation states and criminals target our 
        government and private sector information networks to gain 
        competitive advantage in the commercial sector.''.</DELETED>
        <DELETED>    (4) The Director of National Intelligence 
        testified before the Congress on February 19, 2009, that ``a 
        growing array of state and non-state adversaries are 
        increasingly targeting-for exploitation and potentially 
        disruption or destruction-our information infrastructure, 
        including the Internet, telecommunications networks, computer 
        systems, and embedded processors and controllers in critical 
        industries'' and these trends are likely to continue.</DELETED>
        <DELETED>    (5) John Brennan, the Assistant to the President 
        for Homeland Security and Counterterrorism wrote on March 2, 
        2009, that ``our nation's security and economic prosperity 
        depend on the security, stability, and integrity of 
        communications and information infrastructure that are largely 
        privately-owned and globally-operated.''.</DELETED>
        <DELETED>    (6) Paul Kurtz, a Partner and chief operating 
        officer of Good Harbor Consulting as well as a senior advisor 
        to the Obama Transition Team for cybersecurity, recently stated 
        that the United States is unprepared to respond to a ``cyber-
        Katrina'' and that ``a massive cyber disruption could have a 
        cascading, long-term impact without adequate co-ordination 
        between government and the private sector.''.</DELETED>
        <DELETED>    (7) The Cyber Strategic Inquiry 2008, sponsored by 
        Business Executives for National Security and executed by Booz 
        Allen Hamilton, recommended to ``establish a single voice for 
        cybersecurity within government'' concluding that the ``unique 
        nature of cybersecurity requires a new leadership 
        paradigm.''.</DELETED>
        <DELETED>    (8) Alan Paller, the Director of Research at the 
        SANS Institute, testified before the Congress that ``the fight 
        against cybercrime resembles an arms race where each time the 
        defenders build a new wall, the attackers create new tools to 
        scale the wall. What is particularly important in this analogy 
        is that, unlike conventional warfare where deployment takes 
        time and money and is quite visible, in the cyber world, when 
        the attackers find a new weapon, they can attack millions of 
        computers, and successfully infect hundreds of thousands, in a 
        few hours or days, and remain completely hidden.''.</DELETED>
        <DELETED>    (9) According to the February 2003 National 
        Strategy to Secure Cyberspace, ``our nation's critical 
        infrastructures are composed of public and private institutions 
        in the sectors of agriculture, food, water, public health, 
        emergency services, government, defense industrial base, 
        information and telecommunications, energy, transportation, 
        banking finance, chemicals and hazardous materials, and postal 
        and shipping. Cyberspace is their nervous system--the control 
        system of our country'' and that ``the cornerstone of America's 
        cyberspace security strategy is and will remain a public-
        private partnership.''.</DELETED>
        <DELETED>    (10) According to the National Journal, Mike 
        McConnell, the former Director of National Intelligence, told 
        President Bush in May 2007 that if the 9/11 attackers had 
        chosen computers instead of airplanes as their weapons and had 
        waged a massive assault on a U.S. bank, the economic 
        consequences would have been ``an order of magnitude greater'' 
        than those caused by the physical attack on the World Trade 
        Center. Mike McConnell has subsequently referred to 
        cybersecurity as the ``soft underbelly of this 
        country.''.</DELETED>
        <DELETED>    (11) The Center for Strategic and International 
        Studies report on Cybersecurity for the 44th Presidency 
        concluded that (A) cybersecurity is now a major national 
        security problem for the United States, (B) decisions and 
        actions must respect privacy and civil liberties, and (C) only 
        a comprehensive national security strategy that embraces both 
        the domestic and international aspects of cybersecurity will 
        make us more secure. The report continued stating that the 
        United States faces ``a long-term challenge in cyberspace from 
        foreign intelligence agencies and militaries, criminals, and 
        others, and that losing this struggle will wreak serious damage 
        on the economic health and national security of the United 
        States.''.</DELETED>
        <DELETED>    (12) James Lewis, Director and Senior Fellow, 
        Technology and Public Policy Program, Center for Strategic and 
        International Studies, testified on behalf of the Center for 
        Strategic and International Studies that ``the United States is 
        not organized and lacks a coherent national strategy for 
        addressing'' cybersecurity.</DELETED>
        <DELETED>    (13) President Obama said in a speech at Purdue 
        University on July 16, 2008, that ``every American depends--
        directly or indirectly--on our system of information networks. 
        They are increasingly the backbone of our economy and our 
        infrastructure; our national security and our personal well-
        being. But it's no secret that terrorists could use our 
        computer networks to deal us a crippling blow. We know that 
        cyber-espionage and common crime is already on the rise. And 
        yet while countries like China have been quick to recognize 
        this change, for the last eight years we have been dragging our 
        feet.'' Moreover, President Obama stated that ``we need to 
        build the capacity to identify, isolate, and respond to any 
        cyber-attack.''.</DELETED>
        <DELETED>    (14) The President's Information Technology 
        Advisory Committee reported in 2005 that software is a major 
        vulnerability and that ``software development methods that have 
        been the norm fail to provide the high-quality, reliable, and 
        secure software that the IT infrastructure requires. . . . 
        Today, as with cancer, vulnerable software can be invaded and 
        modified to cause damage to previously healthy software, and 
        infected software can replicate itself and be carried across 
        networks to cause damage in other systems.''.</DELETED>

<DELETED>SEC. 3. CYBERSECURITY ADVISORY PANEL.</DELETED>

<DELETED>    (a) In General.--The President shall establish or 
designate a Cybersecurity Advisory Panel.</DELETED>
<DELETED>    (b) Qualifications.--The President--</DELETED>
        <DELETED>    (1) shall appoint as members of the panel 
        representatives of industry, academic, non-profit 
        organizations, interest groups and advocacy organizations, and 
        State and local governments who are qualified to provide advice 
        and information on cybersecurity research, development, 
        demonstrations, education, technology transfer, commercial 
        application, or societal and civil liberty concerns; 
        and</DELETED>
        <DELETED>    (2) may seek and give consideration to 
        recommendations from the Congress, industry, the cybersecurity 
        community, the defense community, State and local governments, 
        and other appropriate organizations.</DELETED>
<DELETED>    (c) Duties.--The panel shall advise the President on 
matters relating to the national cybersecurity program and strategy and 
shall assess--</DELETED>
        <DELETED>    (1) trends and developments in cybersecurity 
        science research and development;</DELETED>
        <DELETED>    (2) progress made in implementing the 
        strategy;</DELETED>
        <DELETED>    (3) the need to revise the strategy;</DELETED>
        <DELETED>    (4) the balance among the components of the 
        national strategy, including funding for program 
        components;</DELETED>
        <DELETED>    (5) whether the strategy, priorities, and goals 
        are helping to maintain United States leadership and defense in 
        cybersecurity;</DELETED>
        <DELETED>    (6) the management, coordination, implementation, 
        and activities of the strategy; and</DELETED>
        <DELETED>    (7) whether societal and civil liberty concerns 
        are adequately addressed.</DELETED>
<DELETED>    (d) Reports.--The panel shall report, not less frequently 
than once every 2 years, to the President on its assessments under 
subsection (c) and its recommendations for ways to improve the 
strategy.</DELETED>
<DELETED>    (e) Travel Expenses of Non-Federal Members.--Non-Federal 
members of the panel, while attending meetings of the panel or while 
otherwise serving at the request of the head of the panel while away 
from their homes or regular places of business, may be allowed travel 
expenses, including per diem in lieu of subsistence, as authorized by 
section 5703 of title 5, United States Code, for individuals in the 
government serving without pay. Nothing in this subsection shall be 
construed to prohibit members of the panel who are officers or 
employees of the United States from being allowed travel expenses, 
including per diem in lieu of subsistence, in accordance with 
law.</DELETED>
<DELETED>    (f) Exemption From FACA Sunset.--Section 14 of the Federal 
Advisory Committee Act (5 U.S.C. App.) shall not apply to the Advisory 
Panel.</DELETED>

<DELETED>SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD.</DELETED>

<DELETED>    The Secretary of Commerce shall--</DELETED>
        <DELETED>    (1) in consultation with the Office of Management 
        and Budget, develop a plan within 90 days after the date of 
        enactment of this Act to implement a system to provide dynamic, 
        comprehensive, real-time cybersecurity status and vulnerability 
        information of all Federal Government information systems and 
        networks managed by the Department of Commerce; and</DELETED>
        <DELETED>    (2) implement the plan within 1 year after the 
        date of enactment of this Act.</DELETED>

<DELETED>SEC. 5. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT 
              PROGRAM.</DELETED>

<DELETED>    (a) Creation and Support of Cybersecurity Centers.--The 
Secretary of Commerce shall provide assistance for the creation and 
support of Regional Cybersecurity Centers for the promotion and 
implementation of cybersecurity standards. Each Center shall be 
affiliated with a United States-based nonprofit institution or 
organization, or consortium thereof, that applies for and is awarded 
financial assistance under this section.</DELETED>
<DELETED>    (b) Purpose.--The purpose of the Centers is to enhance the 
cybersecurity of small and medium sized businesses in United States 
through--</DELETED>
        <DELETED>    (1) the transfer of cybersecurity standards, 
        processes, technology, and techniques developed at the National 
        Institute of Standards and Technology to Centers and, through 
        them, to small- and medium-sized companies throughout the 
        United States;</DELETED>
        <DELETED>    (2) the participation of individuals from 
        industry, universities, State governments, other Federal 
        agencies, and, when appropriate, the Institute in cooperative 
        technology transfer activities;</DELETED>
        <DELETED>    (3) efforts to make new cybersecurity technology, 
        standards, and processes usable by United States-based small- 
        and medium-sized companies;</DELETED>
        <DELETED>    (4) the active dissemination of scientific, 
        engineering, technical, and management information about 
        cybersecurity to industrial firms, including small- and medium-
        sized companies; and</DELETED>
        <DELETED>    (5) the utilization, when appropriate, of the 
        expertise and capability that exists in Federal laboratories 
        other than the Institute.</DELETED>
<DELETED>    (c) Activities.--The Centers shall--</DELETED>
        <DELETED>    (1) disseminate cybersecurity technologies, 
        standards, and processes based on research by the Institute for 
        the purpose of demonstrations and technology 
        transfer;</DELETED>
        <DELETED>    (2) actively transfer and disseminate 
        cybersecurity strategies, best practices, standards, and 
        technologies to protect against and mitigate the risk of cyber 
        attacks to a wide range of companies and enterprises, 
        particularly small- and medium-sized businesses; and</DELETED>
        <DELETED>    (3) make loans, on a selective, short-term basis, 
        of items of advanced cybersecurity countermeasures to small 
        businesses with less than 100 employees.</DELETED>
<DELETED>    (c) Duration and Amount of Support; Program Descriptions; 
Applications; Merit Review; Evaluations of Assistance.--</DELETED>
        <DELETED>    (1) Financial support.--The Secretary may provide 
        financial support, not to exceed 50 percent of its annual 
        operating and maintenance costs, to any Center for a period not 
        to exceed 6 years (except as provided in paragraph 
        (5)(D)).</DELETED>
        <DELETED>    (2) Program description.--Within 90 days after the 
        date of enactment of this Act, the Secretary shall publish in 
        the Federal Register a draft description of a program for 
        establishing Centers and, after a 30-day comment period, shall 
        publish a final description of the program. The description 
        shall include--</DELETED>
                <DELETED>    (A) a description of the 
                program;</DELETED>
                <DELETED>    (B) procedures to be followed by 
                applicants;</DELETED>
                <DELETED>    (C) criteria for determining qualified 
                applicants;</DELETED>
                <DELETED>    (D) criteria, including those described in 
                paragraph (4), for choosing recipients of financial 
                assistance under this section from among the qualified 
                applicants; and</DELETED>
                <DELETED>    (E) maximum support levels expected to be 
                available to Centers under the program in the fourth 
                through sixth years of assistance under this 
                section.</DELETED>
        <DELETED>    (3) Applications; support commitment.--Any 
        nonprofit institution, or consortia of nonprofit institutions, 
        may submit to the Secretary an application for financial 
        support under this section, in accordance with the procedures 
        established by the Secretary. In order to receive assistance 
        under this section, an applicant shall provide adequate 
        assurances that it will contribute 50 percent or more of the 
        proposed Center's annual operating and maintenance costs for 
        the first 3 years and an increasing share for each of the next 
        3 years.</DELETED>
        <DELETED>    (4) Award criteria.--Awards shall be made on a 
        competitive, merit-based review. In making a decision whether 
        to approve an application and provide financial support under 
        this section, the Secretary shall consider, at a minimum--
        </DELETED>
                <DELETED>    (A) the merits of the application, 
                particularly those portions of the application 
                regarding technology transfer, training and education, 
                and adaptation of cybersecurity technologies to the 
                needs of particular industrial sectors;</DELETED>
                <DELETED>    (B) the quality of service to be 
                provided;</DELETED>
                <DELETED>    (C) geographical diversity and extent of 
                service area; and</DELETED>
                <DELETED>    (D) the percentage of funding and amount 
                of in-kind commitment from other sources.</DELETED>
        <DELETED>    (5) Third year evaluation.--</DELETED>
                <DELETED>    (A) In general.--Each Center which 
                receives financial assistance under this section shall 
                be evaluated during its third year of operation by an 
                evaluation panel appointed by the Secretary.</DELETED>
                <DELETED>    (B) Evaluation panel.--Each evaluation 
                panel shall be composed of private experts, none of 
                whom shall be connected with the involved Center, and 
                Federal officials. An official of the Institute shall 
                chair the panel. Each evaluation panel shall measure 
                the Center's performance against the objectives 
                specified in this section.</DELETED>
                <DELETED>    (C) Positive evaluation required for 
                continued funding.--The Secretary may not provide 
                funding for the fourth through the sixth years of a 
                Center's operation unless the evaluation by the 
                evaluation panel is positive. If the evaluation is 
                positive, the Secretary may provide continued funding 
                through the sixth year at declining levels.</DELETED>
                <DELETED>    (D) Funding after sixth year.--After the 
                sixth year, the Secretary may provide additional 
                financial support to a Center if it has received a 
                positive evaluation through an independent review, 
                under procedures established by the Institute. An 
                additional independent review shall be required at 
                least every 2 years after the sixth year of operation. 
                Funding received for a fiscal year under this section 
                after the sixth year of operation may not exceed one 
                third of the annual operating and maintenance costs of 
                the Center.</DELETED>
        <DELETED>    (6) Patent rights to inventions.--The provisions 
        of chapter 18 of title 35, United States Code, shall (to the 
        extent not inconsistent with this section) apply to the 
        promotion of technology from research by Centers under this 
        section except for contracts for such specific technology 
        extension or transfer services as may be specified by statute 
        or by the President, or the President's designee.</DELETED>
<DELETED>    (d) Acceptance of Funds From Other Federal Departments and 
Agencies.--In addition to such sums as may be authorized and 
appropriated to the Secretary and President, or the President's 
designee, to operate the Centers program, the Secretary and the 
President, or the President's designee, also may accept funds from 
other Federal departments and agencies for the purpose of providing 
Federal funds to support Centers. Any Center which is supported with 
funds which originally came from other Federal departments and agencies 
shall be selected and operated according to the provisions of this 
section.</DELETED>

<DELETED>SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.</DELETED>

<DELETED>    (a) In General.--Within 1 year after the date of enactment 
of this Act, the National Institute of Standards and Technology shall 
establish measurable and auditable cybersecurity standards for all 
Federal Government, government contractor, or grantee critical 
infrastructure information systems and networks in the following 
areas:</DELETED>
        <DELETED>    (1) Cybersecurity metrics research.--The Director 
        of the National Institute of Standards and Technology shall 
        establish a research program to develop cybersecurity metrics 
        and benchmarks that can assess the economic impact of 
        cybersecurity. These metrics should measure risk reduction and 
        the cost of defense. The research shall include the development 
        of automated tools to assess vulnerability and 
        compliance.</DELETED>
        <DELETED>    (2) Security controls.--The Institute shall 
        establish standards for continuously measuring the 
        effectiveness of a prioritized set of security controls that 
        are known to block or mitigate known attacks.</DELETED>
        <DELETED>    (3) Software security.--The Institute shall 
        establish standards for measuring the software security using a 
        prioritized list of software weaknesses known to lead to 
        exploited and exploitable vulnerabilities. The Institute will 
        also establish a separate set of such standards for measuring 
        security in embedded software such as that found in industrial 
        control systems.</DELETED>
        <DELETED>    (4) Software configuration specification 
        language.--The Institute shall establish a standard computer-
        readable language for completely specifying the configuration 
        of software on computer systems widely used in the Federal 
        Government, by government contractors and grantees, and in 
        private sector owned critical infrastructure information 
        systems and networks.</DELETED>
        <DELETED>    (5) Standard software configuration.--The 
        Institute shall establish standard configurations consisting of 
        security settings for operating system software and software 
        utilities widely used in the Federal Government, by government 
        contractors and grantees, and in private sector owned critical 
        infrastructure information systems and networks.</DELETED>
        <DELETED>    (6) Vulnerability specification language.--The 
        Institute shall establish standard computer-readable language 
        for specifying vulnerabilities in software to enable software 
        vendors to communicate vulnerability data to software users in 
        real time.</DELETED>
        <DELETED>    (7) National compliance standards for all 
        software.--</DELETED>
                <DELETED>    (A) Protocol.--The Institute shall 
                establish a standard testing and accreditation protocol 
                for software built by or for the Federal Government, 
                its contractors, and grantees, and private sector owned 
                critical infrastructure information systems and 
                networks to ensure that it--</DELETED>
                        <DELETED>    (i) meets the software security 
                        standards of paragraph (2); and</DELETED>
                        <DELETED>    (ii) does not require or cause any 
                        changes to be made in the standard 
                        configurations described in paragraph 
                        (4).</DELETED>
                <DELETED>    (B) Compliance.--The Institute shall 
                develop a process or procedure to verify that--
                </DELETED>
                        <DELETED>    (i) software development 
                        organizations comply with the protocol 
                        established under subparagraph (A) during the 
                        software development process; and</DELETED>
                        <DELETED>    (ii) testing results showing 
                        evidence of adequate testing and defect 
                        reduction are provided to the Federal 
                        Government prior to deployment of 
                        software.</DELETED>
<DELETED>    (b) Criteria for Standards.--Notwithstanding any other 
provision of law (including any Executive Order), rule, regulation, or 
guideline, in establishing standards under this section, the Institute 
shall disregard the designation of an information system or network as 
a national security system or on the basis of presence of classified or 
confidential information, and shall establish standards based on risk 
profiles.</DELETED>
<DELETED>    (c) International Standards.--The Director, through the 
Institute and in coordination with appropriate Federal agencies, shall 
be responsible for United States representation in all international 
standards development related to cybersecurity, and shall develop and 
implement a strategy to optimize the United States position with 
respect to international cybersecurity standards.</DELETED>
<DELETED>    (d) Compliance Enforcement.--The Director shall--
</DELETED>
        <DELETED>    (1) enforce compliance with the standards 
        developed by the Institute under this section by software 
        manufacturers, distributors, and vendors; and</DELETED>
        <DELETED>    (2) shall require each Federal agency, and each 
        operator of an information system or network designated by the 
        President as a critical infrastructure information system or 
        network, periodically to demonstrate compliance with the 
        standards established under this section.</DELETED>
<DELETED>    (e) FCC National Broadband Plan.--In developing the 
national broadband plan pursuant to section 6001(k) of the American 
Recovery and Reinvestment Act of 2009, the Federal Communications 
Commission shall report on the most effective and efficient means to 
ensure the cybersecurity of commercial broadband networks, including 
consideration of consumer education and outreach programs.</DELETED>

<DELETED>SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY 
              PROFESSIONALS.</DELETED>

<DELETED>    (a) In General.--Within 1 year after the date of enactment 
of this Act, the Secretary of Commerce shall develop or coordinate and 
integrate a national licensing, certification, and periodic 
recertification program for cybersecurity professionals.</DELETED>
<DELETED>    (b) Mandatory Licensing.--Beginning 3 years after the date 
of enactment of this Act, it shall be unlawful for any individual to 
engage in business in the United States, or to be employed in the 
United States, as a provider of cybersecurity services to any Federal 
agency or an information system or network designated by the President, 
or the President's designee, as a critical infrastructure information 
system or network, who is not licensed and certified under the 
program.</DELETED>

<DELETED>SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.</DELETED>

<DELETED>    (a) In General.--No action by the Assistant Secretary of 
Commerce for Communications and Information after the date of enactment 
of this Act with respect to the renewal or modification of a contract 
related to the operation of the Internet Assigned Numbers Authority, 
shall be final until the Advisory Panel--</DELETED>
        <DELETED>    (1) has reviewed the action;</DELETED>
        <DELETED>    (2) considered the commercial and national 
        security implications of the action; and</DELETED>
        <DELETED>    (3) approved the action.</DELETED>
<DELETED>    (b) Approval Procedure.--If the Advisory Panel does not 
approve such an action, it shall immediately notify the Assistant 
Secretary in writing of the disapproval and the reasons therefor. The 
Advisory Panel may provide recommendations to the Assistant Secretary 
in the notice for any modifications it deems necessary to secure 
approval of the action.</DELETED>

<DELETED>SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.</DELETED>

<DELETED>    (a) In General.--Within 3 years after the date of 
enactment of this Act, the Assistant Secretary of Commerce for 
Communications and Information shall develop a strategy to implement a 
secure domain name addressing system. The Assistant Secretary shall 
publish notice of the system requirements in the Federal Register 
together with an implementation schedule for Federal agencies and 
information systems or networks designated by the President, or the 
President's designee, as critical infrastructure information systems or 
networks.</DELETED>
<DELETED>    (b) Compliance Required.--The President shall ensure that 
each Federal agency and each such system or network implements the 
secure domain name addressing system in accordance with the schedule 
published by the Assistant Secretary.</DELETED>

<DELETED>SEC. 10. PROMOTING CYBERSECURITY AWARENESS.</DELETED>

<DELETED>    The Secretary of Commerce shall develop and implement a 
national cybersecurity awareness campaign that--</DELETED>
        <DELETED>    (1) is designed to heighten public awareness of 
        cybersecurity issues and concerns;</DELETED>
        <DELETED>    (2) communicates the Federal Government's role in 
        securing the Internet and protecting privacy and civil 
        liberties with respect to Internet-related activities; 
        and</DELETED>
        <DELETED>    (3) utilizes public and private sector means of 
        providing information to the public, including public service 
        announcements.</DELETED>

<DELETED>SEC. 11. FEDERAL CYBERSECURITY RESEARCH AND 
              DEVELOPMENT.</DELETED>

<DELETED>    (a) Fundamental Cybersecurity Research.--The Director of 
the National Science Foundation shall give priority to computer and 
information science and engineering research to ensure substantial 
support is provided to meet the following challenges in 
cybersecurity:</DELETED>
        <DELETED>    (1) How to design and build complex software-
        intensive systems that are secure and reliable when first 
        deployed.</DELETED>
        <DELETED>    (2) How to test and verify that software, whether 
        developed locally or obtained from a third party, is free of 
        significant known security flaws.</DELETED>
        <DELETED>    (3) How to test and verify that software obtained 
        from a third party correctly implements stated functionality, 
        and only that functionality.</DELETED>
        <DELETED>    (4) How to guarantee the privacy of an 
        individual's identity, information, or lawful transactions when 
        stored in distributed systems or transmitted over 
        networks.</DELETED>
        <DELETED>    (5) How to build new protocols to enable the 
        Internet to have robust security as one of its key 
        capabilities.</DELETED>
        <DELETED>    (6) How to determine the origin of a message 
        transmitted over the Internet.</DELETED>
        <DELETED>    (7) How to support privacy in conjunction with 
        improved security.</DELETED>
        <DELETED>    (8) How to address the growing problem of insider 
        threat.</DELETED>
<DELETED>    (b) Secure Coding Research.--The Director shall support 
research that evaluates selected secure coding education and 
improvement programs. The Director shall also support research on new 
methods of integrating secure coding improvement into the core 
curriculum of computer science programs and of other programs where 
graduates have a substantial probability of developing software after 
graduation.</DELETED>
<DELETED>    (c) Assessment of Secure Coding Education in Colleges and 
Universities.--Within one year after the date of enactment of this Act, 
the Director shall submit to the Senate Committee on Commerce, Science, 
and Transportation and the House of Representatives Committee on 
Science and Technology a report on the state of secure coding education 
in America's colleges and universities for each school that received 
National Science Foundation funding in excess of $1,000,000 during 
fiscal year 2008. The report shall include--</DELETED>
        <DELETED>    (1) the number of students who earned 
        undergraduate degrees in computer science or in each other 
        program where graduates have a substantial probability of being 
        engaged in software design or development after 
        graduation;</DELETED>
        <DELETED>    (2) the percentage of those students who completed 
        substantive secure coding education or improvement programs 
        during their undergraduate experience; and</DELETED>
        <DELETED>    (3) descriptions of the length and content of the 
        education and improvement programs, and a measure of the 
        effectiveness of those programs in enabling the students to 
        master secure coding and design.</DELETED>
<DELETED>    (d) Cybersecurity Modeling and Testbeds.--The Director 
shall establish a program to award grants to institutions of higher 
education to establish cybersecurity testbeds capable of realistic 
modeling of real-time cyber attacks and defenses. The purpose of this 
program is to support the rapid development of new cybersecurity 
defenses, techniques, and processes by improving understanding and 
assessing the latest technologies in a real-world environment. The 
testbeds shall be sufficiently large in order to model the scale and 
complexity of real world networks and environments.</DELETED>
<DELETED>    (e) NSF Computer and Network Security Research Grant 
Areas.--Section 4(a)(1) of the Cybersecurity Research and Development 
Act (15 U.S.C. 7403(a)(1)) is amended--</DELETED>
        <DELETED>    (1) by striking ``and'' after the semicolon in 
        subparagraph (H);</DELETED>
        <DELETED>    (2) by striking ``property.'' in subparagraph (I) 
        and inserting ``property;''; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
        <DELETED>    ``(J) secure fundamental protocols that are at the 
        heart of inter-network communications and data 
        exchange;</DELETED>
        <DELETED>    ``(K) secure software engineering and software 
        assurance, including--</DELETED>
                <DELETED>    ``(i) programming languages and systems 
                that include fundamental security features;</DELETED>
                <DELETED>    ``(ii) portable or reusable code that 
                remains secure when deployed in various 
                environments;</DELETED>
                <DELETED>    ``(iii) verification and validation 
                technologies to ensure that requirements and 
                specifications have been implemented; and</DELETED>
                <DELETED>    ``(iv) models for comparison and metrics 
                to assure that required standards have been 
                met;</DELETED>
        <DELETED>    ``(L) holistic system security that--</DELETED>
                <DELETED>    ``(i) addresses the building of secure 
                systems from trusted and untrusted 
                components;</DELETED>
                <DELETED>    ``(ii) proactively reduces 
                vulnerabilities;</DELETED>
                <DELETED>    ``(iii) addresses insider threats; 
                and</DELETED>
                <DELETED>    ``(iv) supports privacy in conjunction 
                with improved security;</DELETED>
        <DELETED>    ``(M) monitoring and detection; and</DELETED>
        <DELETED>    ``(N) mitigation and rapid recovery 
        methods.''.</DELETED>
<DELETED>    (f) NSF Computer and Network Security Grants.--Section 
4(a)(3) of the Cybersecurity Research and Development Act (15 U.S.C. 
7403(a)(3)) is amended--</DELETED>
        <DELETED>    (1) by striking ``and'' in subparagraph 
        (D);</DELETED>
        <DELETED>    (2) by striking ``2007'' in subparagraph (E) and 
        inserting ``2007;''; and</DELETED>
        <DELETED>    (3) by adding at the end of the 
        following:</DELETED>
                <DELETED>    ``(F) $150,000,000 for fiscal year 
                2010;</DELETED>
                <DELETED>    ``(G) $155,000,000 for fiscal year 
                2011;</DELETED>
                <DELETED>    ``(H) $160,000,000 for fiscal year 
                2012;</DELETED>
                <DELETED>    ``(I) $165,000,000 for fiscal year 2013; 
                and</DELETED>
                <DELETED>    ``(J) $170,000,000 for fiscal year 
                2014.''.</DELETED>
<DELETED>    (g) Computer and Network Security Centers.--Section 
4(b)(7) of such Act (15 U.S.C. 7403(b)(7)) is amended--</DELETED>
        <DELETED>    (1) by striking ``and'' in subparagraph 
        (D);</DELETED>
        <DELETED>    (2) by striking ``2007'' in subparagraph (E) and 
        inserting ``2007;''; and</DELETED>
        <DELETED>    (3) by adding at the end of the 
        following:</DELETED>
                <DELETED>    ``(F) $50,000,000 for fiscal year 
                2010;</DELETED>
                <DELETED>    ``(G) $52,000,000 for fiscal year 
                2011;</DELETED>
                <DELETED>    ``(H) $54,000,000 for fiscal year 
                2012;</DELETED>
                <DELETED>    ``(I) $56,000,000 for fiscal year 2013; 
                and</DELETED>
                <DELETED>    ``(J) $58,000,000 for fiscal year 
                2014.''.</DELETED>
<DELETED>    (h) Computer and Network Security Capacity Building 
Grants.--Section 5(a)(6) of such Act (15 U.S.C. 7404(a)(6)) is 
amended--</DELETED>
        <DELETED>    (1) by striking ``and'' in subparagraph 
        (D);</DELETED>
        <DELETED>    (2) by striking ``2007'' in subparagraph (E) and 
        inserting ``2007;''; and</DELETED>
        <DELETED>    (3) by adding at the end of the 
        following:</DELETED>
                <DELETED>    ``(F) $40,000,000 for fiscal year 
                2010;</DELETED>
                <DELETED>    ``(G) $42,000,000 for fiscal year 
                2011;</DELETED>
                <DELETED>    ``(H) $44,000,000 for fiscal year 
                2012;</DELETED>
                <DELETED>    ``(I) $46,000,000 for fiscal year 2013; 
                and</DELETED>
                <DELETED>    ``(J) $48,000,000 for fiscal year 
                2014.''.</DELETED>
<DELETED>    (i) Scientific and Advanced Technology Act Grants.--
Section 5(b)(2) of such Act (15 U.S.C. 7404(b)(2)) is amended--</DELETED>
        <DELETED>    (1) by striking ``and'' in subparagraph 
        (D);</DELETED>
        <DELETED>    (2) by striking ``2007'' in subparagraph (E) and 
        inserting ``2007;''; and</DELETED>
        <DELETED>    (3) by adding at the end of the 
        following:</DELETED>
                <DELETED>    ``(F) $5,000,000 for fiscal year 
                2010;</DELETED>
                <DELETED>    ``(G) $6,000,000 for fiscal year 
                2011;</DELETED>
                <DELETED>    ``(H) $7,000,000 for fiscal year 
                2012;</DELETED>
                <DELETED>    ``(I) $8,000,000 for fiscal year 2013; 
                and</DELETED>
                <DELETED>    ``(J) $9,000,000 for fiscal year 
                2014.''.</DELETED>
<DELETED>    (j) Graduate Traineeships in Computer and Network Security 
Research.--Section 5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is 
amended--</DELETED>
        <DELETED>    (1) by striking ``and'' in subparagraph 
        (D);</DELETED>
        <DELETED>    (2) by striking ``2007'' in subparagraph (E) and 
        inserting ``2007;''; and</DELETED>
        <DELETED>    (3) by adding at the end of the 
        following:</DELETED>
                <DELETED>    ``(F) $20,000,000 for fiscal year 
                2010;</DELETED>
                <DELETED>    ``(G) $22,000,000 for fiscal year 
                2011;</DELETED>
                <DELETED>    ``(H) $24,000,000 for fiscal year 
                2012;</DELETED>
                <DELETED>    ``(I) $26,000,000 for fiscal year 2013; 
                and</DELETED>
                <DELETED>    ``(J) $28,000,000 for fiscal year 
                2014.''.</DELETED>
<DELETED>    (k) Cybersecurity Faculty Development Traineeship 
Program.--Section 5(e)(9) of such Act (15 U.S.C. 7404(e)(9)) is amended 
by striking ``2007.'' and inserting ``2007 and for each of fiscal years 
2010 through 2014.''.</DELETED>
<DELETED>    (l) Networking and Information Technology Research and 
Development Program.--Section 204(a)(1) of the High-Performance 
Computing Act of 1991 (15 U.S.C. 5524(a)(1)) is amended--</DELETED>
        <DELETED>    (1) by striking ``and'' after the semicolon in 
        subparagraph (B); and</DELETED>
        <DELETED>    (2) by inserting after subparagraph (C) the 
        following:</DELETED>
                <DELETED>    ``(D) develop and propose standards and 
                guidelines, and develop measurement techniques and test 
                methods, for enhanced cybersecurity for computer 
                networks and common user interfaces to systems; 
                and''.</DELETED>

<DELETED>SEC. 12. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE 
              PROGRAM.</DELETED>

<DELETED>    (a) In General.--The Director of the National Science 
Foundation shall establish a Federal Cyber Scholarship-for-Service 
program to recruit and train the next generation of Federal information 
technology workers and security managers.</DELETED>
<DELETED>    (b) Program Description and Components.--The program--</DELETED>
        <DELETED>    (1) shall provide scholarships, that provide full 
        tuition, fees, and a stipend, for up to 1,000 students per year 
        in their pursuit of undergraduate or graduate degrees in the 
        cybersecurity field;</DELETED>
        <DELETED>    (2) shall require scholarship recipients, as a 
        condition of receiving a scholarship under the program, to 
        agree to serve in the Federal information technology workforce 
        for a period equal to the length of the scholarship following 
        graduation if offered employment in that field by a Federal 
        agency;</DELETED>
        <DELETED>    (3) shall provide opportunities for students to 
        receive temporary appointments for meaningful employment in the 
        Federal information technology workforce during school vacation 
        periods and for internships;</DELETED>
        <DELETED>    (4) shall provide a procedure for identifying 
        promising K-12 students for participation in summer work and 
        internship programs that would lead to certification of Federal 
        information technology workforce standards and possible future 
        employment; and</DELETED>
        <DELETED>    (5) shall examine and develop, if appropriate, 
        programs to promote computer security awareness in secondary 
        and high school classrooms.</DELETED>
<DELETED>    (c) Hiring Authority.--For purposes of any law or 
regulation governing the appointment of individuals in the Federal 
civil service, upon the successful completion of their studies, 
students receiving a scholarship under the program shall be hired under 
the authority provided for in section 213.3102(r) of title 5, Code of 
Federal Regulations, and be exempt from competitive service. Upon 
fulfillment of the service term, such individuals shall be converted to 
a competitive service position without competition if the individual 
meets the requirements for that position.</DELETED>
<DELETED>    (d) Eligibility.--To be eligible to receive a scholarship 
under this section, an individual shall--</DELETED>
        <DELETED>    (1) be a citizen of the United States; 
        and</DELETED>
        <DELETED>    (2) demonstrate a commitment to a career in 
        improving the Nation's cyber defenses.</DELETED>
<DELETED>    (e) Consideration and Preference.--In making selections 
for scholarships under this section, the Director shall--</DELETED>
        <DELETED>    (1) consider, to the extent possible, a diverse 
        pool of applicants whose interests are of an interdisciplinary 
        nature, encompassing the social scientific as well as the 
        technical dimensions of cyber security; and</DELETED>
        <DELETED>    (2) give preference to applicants that have 
        participated in the competition and challenge described in 
        section 13.</DELETED>
<DELETED>    (f) Evaluation and Report.--The Director shall evaluate 
and report to the Senate Committee on Commerce, Science, and 
Transportation and the House of Representatives Committee on Science 
and Technology on the success of recruiting individuals for the 
scholarships.</DELETED>
<DELETED>    (g) Authorization of Appropriations.--There are authorized 
to be appropriated to the National Science Foundation to carry out this 
section--</DELETED>
        <DELETED>    (1) $50,000,000 for fiscal year 2010;</DELETED>
        <DELETED>    (2) $55,000,000 for fiscal year 2011;</DELETED>
        <DELETED>    (3) $60,000,000 for fiscal year 2012;</DELETED>
        <DELETED>    (4) $65,000,000 for fiscal year 2013; 
        and</DELETED>
        <DELETED>    (5) $70,000,000 for fiscal year 2014.</DELETED>

<DELETED>SEC. 13. CYBERSECURITY COMPETITION AND CHALLENGE.</DELETED>

<DELETED>    (a) In General.--The Director of the National Institute of 
Standards and Technology, directly or through appropriate Federal 
entities, shall establish cybersecurity competitions and challenges 
with cash prizes in order to--</DELETED>
        <DELETED>    (1) attract, identify, evaluate, and recruit 
        talented individuals for the Federal information technology 
        workforce; and</DELETED>
        <DELETED>    (2) stimulate innovation in basic and applied 
        cybersecurity research, technology development, and prototype 
        demonstration that have the potential for application to the 
        Federal information technology activities of the Federal 
        Government.</DELETED>
<DELETED>    (b) Types of Competitions and Challenges.--The Director 
shall establish different competitions and challenges targeting the 
following groups:</DELETED>
        <DELETED>    (1) High school students.</DELETED>
        <DELETED>    (2) Undergraduate students.</DELETED>
        <DELETED>    (3) Graduate students.</DELETED>
        <DELETED>    (4) Academic and research institutions.</DELETED>
<DELETED>    (c) Topics.--In selecting topics for prize competitions, 
the Director shall consult widely both within and outside the Federal 
Government, and may empanel advisory committees.</DELETED>
<DELETED>    (d) Advertising.--The Director shall widely advertise 
prize competitions, in coordination with the awareness campaign under 
section 10, to encourage participation.</DELETED>
<DELETED>    (e) Requirements and Registration.--For each prize 
competition, the Director shall publish a notice in the Federal 
Register announcing the subject of the competition, the rules for being 
eligible to participate in the competition, the amount of the prize, 
and the basis on which a winner will be selected.</DELETED>
<DELETED>    (f) Eligibility.--To be eligible to win a prize under this 
section, an individual or entity--</DELETED>
        <DELETED>    (1) shall have registered to participate in the 
        competition pursuant to any rules promulgated by the Director 
        under subsection (e);</DELETED>
        <DELETED>    (2) shall have complied with all the requirements 
        under this section;</DELETED>
        <DELETED>    (3) in the case of a private entity, shall be 
        incorporated in and maintain a primary place of business in the 
        United States, and in the case of an individual, whether 
        participating singly or in a group, shall be a citizen or 
        permanent resident of the United States; and</DELETED>
        <DELETED>    (4) shall not be a Federal entity or Federal 
        employee acting within the scope of his or her 
        employment.</DELETED>
<DELETED>    (g) Judges.--For each competition, the Director, either 
directly or through an agreement under subsection (h), shall assemble a 
panel of qualified judges to select the winner or winners of the prize 
competition. Judges for each competition shall include individuals from 
the private sector. A judge may not--</DELETED>
        <DELETED>    (1) have personal or financial interests in, or be 
        an employee, officer, director, or agent of any entity that is 
        a registered participant in a competition; or</DELETED>
        <DELETED>    (2) have a familial or financial relationship with 
        an individual who is a registered participant.</DELETED>
<DELETED>    (h) Administering the Competition.--The Director may enter 
into an agreement with a private, nonprofit entity to administer the 
prize competition, subject to the provisions of this section.</DELETED>
<DELETED>    (i) Funding.--</DELETED>
        <DELETED>    (1) Prizes.--Prizes under this section may consist 
        of Federal appropriated funds and funds provided by the private 
        sector for such cash prizes. The Director may accept funds from 
        other Federal agencies for such cash prizes. The Director may 
        not give special consideration to any private sector entity in 
        return for a donation.</DELETED>
        <DELETED>    (2) Use of unexpended funds.--Notwithstanding any 
        other provision of law, funds appropriated for prize awards 
        under this section shall remain available until expended, and 
        may be transferred, reprogrammed, or expended for other 
        purposes only after the expiration of 10 fiscal years after the 
        fiscal year for which the funds were originally appropriated. 
        No provision in this section permits obligation or payment of 
        funds in violation of the Anti-Deficiency Act (31 U.S.C. 
        1341).</DELETED>
        <DELETED>    (3) Funding required before prize announced.--No 
        prize may be announced until all the funds needed to pay out 
        the announced amount of the prize have been appropriated or 
        committed in writing by a private source. The Director may 
        increase the amount of a prize after an initial announcement is 
        made under subsection (e) if--</DELETED>
                <DELETED>    (A) notice of the increase is provided in 
                the same manner as the initial notice of the prize; 
                and</DELETED>
                <DELETED>    (B) the funds needed to pay out the 
                announced amount of the increase have been appropriated 
                or committed in writing by a private source.</DELETED>
        <DELETED>    (4) Notice required for large awards.--No prize 
        competition under this section may offer a prize in an amount 
        greater than $5,000,000 unless 30 days have elapsed after 
        written notice has been transmitted to the Senate Committee on 
        Commerce, Science, and Transportation and the House of 
        Representatives Committee on Science and Technology.</DELETED>
        <DELETED>    (5) Director's approval required for certain 
        awards.--No prize competition under this section may result in 
        the award of more than $1,000,000 in cash prizes without the 
        approval of the Director.</DELETED>
<DELETED>    (j) Use of Federal Insignia.--A registered participant in 
a competition under this section may use any Federal agency's name, 
initials, or insignia only after prior review and written approval by 
the Director.</DELETED>
<DELETED>    (k) Compliance With Existing Law.--The Federal Government 
shall not, by virtue of offering or providing a prize under this 
section, be responsible for compliance by registered participants in a 
prize competition with Federal law, including licensing, export 
control, and non-proliferation laws and related regulations.</DELETED>
<DELETED>    (l) Authorization of Appropriations.--There are authorized 
to be appropriated to the National Institute of Standards and 
Technology to carry out this section $15,000,000 for each of fiscal 
years 2010 through 2014.</DELETED>

<DELETED>SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.</DELETED>

<DELETED>    (a) Designation.--The Department of Commerce shall serve 
as the clearinghouse of cybersecurity threat and vulnerability 
information to Federal Government and private sector owned critical 
infrastructure information systems and networks.</DELETED>
<DELETED>    (b) Functions.--The Secretary of Commerce--</DELETED>
        <DELETED>    (1) shall have access to all relevant data 
        concerning such networks without regard to any provision of 
        law, regulation, rule, or policy restricting such 
        access;</DELETED>
        <DELETED>    (2) shall manage the sharing of Federal Government 
        and other critical infrastructure threat and vulnerability 
        information between the Federal Government and the persons 
        primarily responsible for the operation and maintenance of the 
        networks concerned; and</DELETED>
        <DELETED>    (3) shall report regularly to the Congress on 
        threat information held by the Federal Government that is not 
        shared with the persons primarily responsible for the operation 
        and maintenance of the networks concerned.</DELETED>
<DELETED>    (c) Information Sharing Rules and Procedures.--Within 90 
days after the date of enactment of this Act, the Secretary shall 
publish in the Federal Register a draft description of rules and 
procedures on how the Federal Government will share cybersecurity 
threat and vulnerability information with private sector critical 
infrastructure information systems and networks owners. After a 30 day 
comment period, the Secretary shall publish a final description of the 
rules and procedures. The description shall include--</DELETED>
        <DELETED>    (1) the rules and procedures on how the Federal 
        Government will share cybersecurity threat and vulnerability 
        information with private sector critical infrastructure 
        information systems and networks owners;</DELETED>
        <DELETED>    (2) the criteria in which private sector owners of 
        critical infrastructure information systems and networks shall 
        share actionable cybersecurity threat and vulnerability 
        information and relevant data with the Federal Government; 
        and</DELETED>
        <DELETED>    (3) any other rule or procedure that will enhance 
        the sharing of cybersecurity threat and vulnerability 
        information between private sector owners of critical 
        infrastructure information systems and networks and the Federal 
        Government.</DELETED>

<DELETED>SEC. 15. CYBERSECURITY RISK MANAGEMENT REPORT.</DELETED>

<DELETED>    Within 1 year after the date of enactment of this Act, the 
President, or the President's designee, shall report to the Senate 
Committee on Commerce, Science, and Transportation and the House of 
Representatives Committee on Science and Technology on the feasibility 
of--</DELETED>
        <DELETED>    (1) creating a market for cybersecurity risk 
        management, including the creation of a system of civil 
        liability and insurance (including government reinsurance); 
        and</DELETED>
        <DELETED>    (2) requiring cybersecurity to be a factor in all 
        bond ratings.</DELETED>

<DELETED>SEC. 16. LEGAL FRAMEWORK REVIEW AND REPORT.</DELETED>

<DELETED>    (a) In General.--Within 1 year after the date of enactment 
of this Act, the President, or the President's designee, through an 
appropriate entity, shall complete a comprehensive review of the 
Federal statutory and legal framework applicable to cyber-related 
activities in the United States, including--</DELETED>
        <DELETED>    (1) the Privacy Protection Act of 1980 (42 U.S.C. 
        2000aa);</DELETED>
        <DELETED>    (2) the Electronic Communications Privacy Act of 
        1986 (18 U.S.C. 2510 note);</DELETED>
        <DELETED>    (3) the Computer Security Act of 1987 (15 U.S.C. 
        271 et seq.; 40 U.S.C. 759);</DELETED>
        <DELETED>    (4) the Federal Information Security Management 
        Act of 2002 (44 U.S.C. 3531 et seq.);</DELETED>
        <DELETED>    (5) the E-Government Act of 2002 (44 U.S.C. 9501 
        et seq.);</DELETED>
        <DELETED>    (6) the Defense Production Act of 1950 (50 U.S.C. 
        App. 2061 et seq.);</DELETED>
        <DELETED>    (7) any other Federal law bearing upon cyber-
        related activities; and</DELETED>
        <DELETED>    (8) any applicable Executive Order or agency rule, 
        regulation, or guideline.</DELETED>
<DELETED>    (b) Report.--Upon completion of the review, the President, 
or the President's designee, shall submit a report to the Senate 
Committee on Commerce, Science, and Transportation, the House of 
Representatives Committee on Science and Technology, and other 
appropriate Congressional Committees containing the President's, or the 
President's designee's, findings, conclusions, and 
recommendations.</DELETED>

<DELETED>SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT.</DELETED>

<DELETED>    Within 1 year after the date of enactment of this Act, the 
President, or the President's designee, shall review, and report to 
Congress, on the feasibility of an identity management and 
authentication program, with the appropriate civil liberties and 
privacy protections, for government and critical infrastructure 
information systems and networks.</DELETED>

<DELETED>SEC. 18. CYBERSECURITY RESPONSIBILITIES AND 
              AUTHORITY.</DELETED>

<DELETED>    The President--</DELETED>
        <DELETED>    (1) within 1 year after the date of enactment of 
        this Act, shall develop and implement a comprehensive national 
        cybersecurity strategy, which shall include--</DELETED>
                <DELETED>    (A) a long-term vision of the Nation's 
                cybersecurity future; and</DELETED>
                <DELETED>    (B) a plan that encompasses all aspects of 
                national security, including the participation of the 
                private sector, including critical infrastructure 
                operators and managers;</DELETED>
        <DELETED>    (2) may declare a cybersecurity emergency and 
        order the limitation or shutdown of Internet traffic to and 
        from any compromised Federal Government or United States 
        critical infrastructure information system or 
        network;</DELETED>
        <DELETED>    (3) shall designate an agency to be responsible 
        for coordinating the response and restoration of any Federal 
        Government or United States critical infrastructure information 
        system or network affected by a cybersecurity emergency 
        declaration under paragraph (2);</DELETED>
        <DELETED>    (4) shall, through the appropriate department or 
        agency, review equipment that would be needed after a 
        cybersecurity attack and develop a strategy for the 
        acquisition, storage, and periodic replacement of such 
        equipment;</DELETED>
        <DELETED>    (5) shall direct the periodic mapping of Federal 
        Government and United States critical infrastructure 
        information systems or networks, and shall develop metrics to 
        measure the effectiveness of the mapping process;</DELETED>
        <DELETED>    (6) may order the disconnection of any Federal 
        Government or United States critical infrastructure information 
        systems or networks in the interest of national 
        security;</DELETED>
        <DELETED>    (7) shall, through the Office of Science and 
        Technology Policy, direct an annual review of all Federal cyber 
        technology research and development investments;</DELETED>
        <DELETED>    (8) may delegate original classification authority 
        to the appropriate Federal official for the purposes of 
        improving the Nation's cybersecurity posture;</DELETED>
        <DELETED>    (9) shall, through the appropriate department or 
        agency, promulgate rules for Federal professional 
        responsibilities regarding cybersecurity, and shall provide to 
        the Congress an annual report on Federal agency compliance with 
        those rules;</DELETED>
        <DELETED>    (10) shall withhold additional compensation, 
        direct corrective action for Federal personnel, or terminate a 
        Federal contract in violation of Federal rules, and shall 
        report any such action to the Congress in an unclassified 
        format within 48 hours after taking any such action; 
        and</DELETED>
        <DELETED>    (11) shall notify the Congress within 48 hours 
        after providing a cyber-related certification of legality to a 
        United States person.</DELETED>

<DELETED>SEC. 19. QUADRENNIAL CYBER REVIEW.</DELETED>

<DELETED>    (a) In General.--Beginning with 2013 and in every fourth 
year thereafter, the President, or the President's designee, shall 
complete a review of the cyber posture of the United States, including 
an unclassified summary of roles, missions, accomplishments, plans, and 
programs. The review shall include a comprehensive examination of the 
cyber strategy, force structure, modernization plans, infrastructure, 
budget plan, the Nation's ability to recover from a cyberemergency, and 
other elements of the cyber program and policies with a view toward 
determining and expressing the cyber strategy of the United States and 
establishing a revised cyber program for the next 4 years.</DELETED>
<DELETED>    (b) Involvement of Cybersecurity Advisory Panel.--</DELETED>
        <DELETED>    (1) The President, or the President's designee, 
        shall apprise the Cybersecurity Advisory Panel established or 
        designated under section 3, on an ongoing basis, of the work 
        undertaken in the conduct of the review.</DELETED>
        <DELETED>    (2) Not later than 1 year before the completion 
        date for the review, the Chairman of the Advisory Panel shall 
        submit to the President, or the President's designee, the 
        Panel's assessment of work undertaken in the conduct of the 
        review as of that date and shall include in the assessment the 
        recommendations of the Panel for improvements to the review, 
        including recommendations for additional matters to be covered 
        in the review.</DELETED>
<DELETED>    (c) Assessment of Review.--Upon completion of the review, 
the Chairman of the Advisory Panel, on behalf of the Panel, shall 
prepare and submit to the President, or the President's designee, an 
assessment of the review in time for the inclusion of the assessment in 
its entirety in the report under subsection (d).</DELETED>
<DELETED>    (d) Report.--Not later than September 30, 2013, and every 
4 years thereafter, the President, or the President's designee, shall 
submit to the relevant congressional Committees a comprehensive report 
on the review. The report shall include--</DELETED>
        <DELETED>    (1) the results of the review, including a 
        comprehensive discussion of the cyber strategy of the United 
        States and the collaboration between the public and private 
        sectors best suited to implement that strategy;</DELETED>
        <DELETED>    (2) the threats examined for purposes of the 
        review and the scenarios developed in the examination of such 
        threats;</DELETED>
        <DELETED>    (3) the assumptions used in the review, including 
        assumptions relating to the cooperation of other countries and 
        levels of acceptable risk; and</DELETED>
        <DELETED>    (4) the Advisory Panel's assessment.</DELETED>

<DELETED>SEC. 20. JOINT INTELLIGENCE THREAT ASSESSMENT.</DELETED>

<DELETED>    The Director of National Intelligence and the Secretary of 
Commerce shall submit to the Congress an annual assessment of, and 
report on, cybersecurity threats to and vulnerabilities of critical 
national information, communication, and data network 
infrastructure.</DELETED>

<DELETED>SEC. 21. INTERNATIONAL NORMS AND CYBERSECURITY DETERRENCE 
              MEASURES.</DELETED>

<DELETED>    The President shall--</DELETED>
        <DELETED>    (1) work with representatives of foreign 
        governments--</DELETED>
                <DELETED>    (A) to develop norms, organizations, and 
                other cooperative activities for international 
                engagement to improve cybersecurity; and</DELETED>
                <DELETED>    (B) to encourage international cooperation 
                in improving cybersecurity on a global basis; 
                and</DELETED>
        <DELETED>    (2) provide an annual report to the Congress on 
        the progress of international initiatives undertaken pursuant 
        to subparagraph (A).</DELETED>

<DELETED>SEC. 22. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS 
              BOARD.</DELETED>

<DELETED>    (a) Establishment.--There is established a Secure Products 
and Services Acquisitions Board. The Board shall be responsible for 
cybersecurity review and approval of high value products and services 
acquisition and, in coordination with the National Institute of 
Standards and Technology, for the establishment of appropriate 
standards for the validation of software to be acquired by the Federal 
Government. The Director of the National Institute of Standards and 
Technology shall develop the review process and provide guidance to the 
Board. In reviewing software under this subsection, the Board may 
consider independent secure software validation and verification as a 
key factor for approval.</DELETED>
<DELETED>    (b) Acquisition Standards.--The Director, in cooperation 
with the Office of Management and Budget and other appropriate Federal 
agencies, shall ensure that the Board approval is included as a 
prerequisite to the acquisition of any product or service--</DELETED>
        <DELETED>    (1) subject to review by the Board; and</DELETED>
        <DELETED>    (2) subject to Federal acquisition 
        standards.</DELETED>
<DELETED>    (c) Acquisition Compliance.--After the publication of the 
standards developed under subsection (a), any proposal submitted in 
response to a request for proposals issued by a Federal agency shall 
demonstrate compliance with any such applicable standard in order to 
ensure that cybersecurity products and services are designed to be an 
integral part of the overall acquisition.</DELETED>

<DELETED>SEC. 23. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Advisory panel.--The term ``Advisory Panel'' 
        means the Cybersecurity Advisory Panel established or 
        designated under section 3.</DELETED>
        <DELETED>    (2) Cyber.--The term ``cyber'' means--</DELETED>
                <DELETED>    (A) any process, program, or protocol 
                relating to the use of the Internet or an intranet, 
                automatic data processing or transmission, or 
                telecommunication via the Internet or an intranet; 
                and</DELETED>
                <DELETED>    (B) any matter relating to, or involving 
                the use of, computers or computer networks.</DELETED>
        <DELETED>    (3) Federal government and united states critical 
        infrastructure information systems and networks.--The term 
        ``Federal Government and United States critical infrastructure 
        information systems and networks'' includes--</DELETED>
                <DELETED>    (A) Federal Government information systems 
                and networks; and</DELETED>
                <DELETED>    (B) State, local, and nongovernmental 
                information systems and networks in the United States 
                designated by the President as critical infrastructure 
                information systems and networks.</DELETED>
        <DELETED>    (4) Internet.--The term ``Internet'' has the 
        meaning given that term by section 4(4) of the High-Performance 
        Computing Act of 1991 (15 U.S.C. 5503(4)).</DELETED>
        <DELETED>    (5) Network.--The term ``network'' has the meaning 
        given that term by section 4(5) of such Act (15 U.S.C. 
        5503(5)).</DELETED>

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Cybersecurity Act 
of 2010''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
Sec. 4. Procedure for designation of critical infrastructure 
                            information systems.

                     TITLE I--WORKFORCE DEVELOPMENT

Sec. 101. Certification and training of cybersecurity professionals.
Sec. 102. Federal Cyber Scholarship-for-Service Program.
Sec. 103. Cybersecurity competition and challenge.
Sec. 104. Cybersecurity workforce plan.
Sec. 105. Measures of cybersecurity hiring effectiveness.

                     TITLE II--PLANS AND AUTHORITY

Sec. 201. Cybersecurity responsibilities and authorities.
Sec. 202. Biennial cyber review.
Sec. 203. Cybersecurity dashboard pilot project.
Sec. 204. NIST cybersecurity guidance.
Sec. 205. Legal framework review and report.
Sec. 206. Joint intelligence threat and vulnerability assessment.
Sec. 207. International norms and cybersecurity deterrence measures.
Sec. 208. Federal secure products and services acquisitions.
Sec. 209. Private sector access to classified information.
Sec. 210. Authentication and civil liberties report.
Sec. 211. Report on evaluation of certain identity authentication 
                            functionalities.

             TITLE III--CYBERSECURITY KNOWLEDGE DEVELOPMENT

Sec. 301. Promoting cybersecurity awareness and education.
Sec. 302. Federal cybersecurity research and development.
Sec. 303. Development of curricula for incorporating cybersecurity into 
                            educational programs for future industrial 
                            control system designers.

                 TITLE IV--PUBLIC-PRIVATE COLLABORATION

Sec. 401. Cybersecurity Advisory Panel.
Sec. 402. State and regional cybersecurity enhancement program.
Sec. 403. Public-private clearinghouse.
Sec. 404. Cybersecurity risk management report.

SEC. 2. FINDINGS.

    The Congress finds the following:
            (1) As a fundamental principle, cyberspace is a vital asset 
        for the nation and the United States should protect it using 
        all instruments of national power, in order to ensure national 
        security, public safety, economic prosperity, and the delivery 
        of critical services to the American public.
            (2) President Obama has rightfully determined that ``our 
        digital infrastructure--the networks and computers we depend on 
        every day--will be treated . . . as a strategic national 
        asset''.
            (3) According to the Obama Administration Cyberspace Policy 
        Review, ``the architecture of the Nation's digital 
        infrastructure is not secure or resilient. Without major 
        advances in the security of these systems or significant change 
        in how they are constructed or operated, it is doubtful that 
        the United States can protect itself from the growing threat of 
        cybercrime and state-sponsored intrusions and operations.''.
            (4) With more than 85 percent of the Nation's critical 
        infrastructure owned and operated by the private sector, it is 
        vital that the public and private sectors cooperate to protect 
        this strategic national asset.
            (5) According to the 2010 Annual Threat Assessment, 
        ``sensitive information is stolen daily from both government 
        and private sector networks'' and ``we cannot protect 
        cyberspace without a coordinated and collaborative effort that 
        incorporates both the US private sector and our international 
        partners.''.
            (6) The Director of National Intelligence testified before 
        the Congress on February 2, 2010, that intrusions are a stark 
        reminder of the importance of these cyber assets and should 
        serve as ``a wake-up call to those who have not taken this 
        problem seriously.''.
            (7) The National Cybersecurity Coordinator, Howard Schmidt, 
        stated on March 2, 2010, ``we will not defeat our cyber 
        adversaries because they are weakening, we will defeat them by 
        becoming collectively stronger, through stronger technology, a 
        stronger cadre of security professionals, and stronger 
        partnerships.''.
            (8) According to the National Journal, Mike McConnell, the 
        former Director of National Intelligence, told President Bush 
        in May 2007 that if the 9/11 attackers had chosen computers 
        instead of airplanes as their weapons and had waged a massive 
        assault on a United States bank, the economic consequences 
        would have been ``an order of magnitude greater'' than those 
        caused by the physical attack on the World Trade Center. Mike 
        McConnell has subsequently referred to cybersecurity as the 
        ``soft underbelly of this country''.
            (9) Paul Kurtz, a partner and chief operating officer of 
        Good Harbor Consulting as well as a senior advisor to the Obama 
        Transition Team for cybersecurity, has stated that the United 
        States is unprepared to respond to a ``cyber-Katrina'' and that 
        ``a massive cyber disruption could have a cascading, long-term 
        impact without adequate co-ordination between government and 
        the private sector''.
            (10) According to the February 2003 National Strategy to 
        Secure Cyberspace, ``our nation's critical infrastructures are 
        composed of public and private institutions in the sectors of 
        agriculture, food, water, public health, emergency services, 
        government, defense industrial base, information and 
        telecommunications, energy, transportation, banking and 
        finance, chemicals and hazardous materials, and postal and 
        shipping. Cyberspace is their nervous system--the control 
        system of our country'' and that ``the cornerstone of America's 
        cyberspace security strategy is and will remain a public-private 
        partnership''.
            (11) The Center for Strategic and International Studies 
        report on Cybersecurity for the 44th Presidency concluded that 
        (A) cybersecurity is now a major national security problem for 
        the United States, (B) decisions and actions must respect 
        privacy and civil liberties, and (C) only a comprehensive 
        national security strategy that embraces both the domestic and 
        international aspects of cybersecurity will make us more 
        secure. The report continued, stating that the United States 
        faces ``a long-term challenge in cyberspace from foreign 
        intelligence agencies and militaries, criminals, and others, 
        and that losing this struggle will wreak serious damage on the 
        economic health and national security of the United States''.
            (12) James Lewis, Director and Senior Fellow, Technology 
        and Public Policy Program, Center for Strategic and 
        International Studies, testified on behalf of the Center for 
        Strategic and International Studies that ``the United States is 
        not organized for, and lacks a coherent national strategy for, 
        addressing cybersecurity''.
            (13) The Cyber Strategic Inquiry 2008, sponsored by 
        Business Executives for National Security and executed by Booz 
        Allen Hamilton, recommended to ``establish a single voice for 
        cybersecurity within government'' concluding that the ``unique 
        nature of cybersecurity requires a new leadership paradigm''.
            (14) Alan Paller, the Director of Research at the SANS 
        Institute, testified before the Congress that ``Congress can 
        reduce the threat of damage from these new cyber attacks both 
        against government and against the critical infrastructure by 
        shifting the government's cyber security emphasis from report 
        writing to automated, real-time defenses'' and that ``only 
        active White House leadership will get the job done''.
            (15) A 2009 Partnership for Public Service study and 
        analysis report concluded that ``the Federal government will 
        be unable to combat cyber threats without a more coordinated, 
        sustained effort to increase cybersecurity expertise in the 
        federal workforce'' and that ``the President's success in 
        combating these threats . . . must include building a vibrant, 
        highly trained and dedicated cybersecurity workforce in this 
        country''.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Advisory panel.--The term ``Advisory Panel'' means the 
        Cybersecurity Advisory Panel established or designated under 
        section 401.
            (2) Cybersecurity.--The term ``cybersecurity'' means 
        information security (as defined in section 3532(b)(1) of title 
        44, United States Code).
            (3) Cybersecurity professional.--The term ``cybersecurity 
        professional'' means a person who maintains a certification 
        under section 101 of this Act.
            (4) Information system.--The term ``information system'' 
        has the meaning given that term by section 3532(b)(4) of title 
        44, United States Code, and includes industrial control systems 
        that are used for purposes described in that section.
            (5) Internet.--The term ``Internet'' has the meaning given 
        that term by section 4(4) of the High-Performance Computing Act 
        of 1991 (15 U.S.C. 5503(4)).
            (6) United States critical infrastructure information 
        system.--The term ``United States critical infrastructure 
        information system'' means an information system designated 
        under section 4 of this Act.

SEC. 4. PROCEDURE FOR DESIGNATION OF CRITICAL INFRASTRUCTURE 
              INFORMATION SYSTEMS.

    (a) Establishment of Designation Procedure.--Within 90 days after 
the date of enactment of this Act, or as soon thereafter as may be 
practicable, the President, in consultation with sector coordinating 
councils, relevant government agencies, and regulatory entities, shall 
initiate a rulemaking in accordance with the requirements of chapter 5 
of title 5, United States Code, to establish a procedure for the 
designation of any information system the infiltration, incapacitation, 
or disruption of which would have a debilitating impact on national 
security, including national economic security and national public 
health or safety, as a critical infrastructure information system under 
this Act.
    (b) Threshold Requirements.--The final rule, at a minimum, shall--
            (1) set forth objective criteria that meet the standard in 
        subsection (a) for such designations generally;
            (2) provide for emergency and temporary designations when 
        necessary and in the public interest;
            (3) ensure the protection of confidential and proprietary 
        information associated with nongovernmental systems from 
        disclosure;
            (4) ensure the protection of classified and sensitive 
        security information; and
            (5) establish a procedure, in accordance with chapter 7 of 
        title 5, United States Code, by which the owner or operator of 
        an information system may appeal, or request modification of, 
        the designation of that system or network as a critical 
        infrastructure information system under this Act.

                     TITLE I--WORKFORCE DEVELOPMENT

SEC. 101. CERTIFICATION AND TRAINING OF CYBERSECURITY PROFESSIONALS.

    (a) Study.--
            (1) In general.--The President shall enter into an 
        agreement with the National Academies to conduct a 
        comprehensive study of government, academic, and private-sector 
        accreditation, training, and certification programs for 
        personnel working in cybersecurity. The agreement shall require 
        that the National Academies consult with sector coordinating 
        councils and relevant governmental agencies, regulatory 
        entities, and nongovernmental organizations in the course of 
        the study.
            (2) Scope.--The study shall include--
                    (A) an evaluation of the body of knowledge and 
                various skills that specific categories of personnel 
                working in cybersecurity should possess in order to 
                secure information systems;
                    (B) an assessment of whether existing government, 
                academic, and private-sector accreditation, training, 
                and certification programs provide the body of 
                knowledge and skills described in subparagraph (A); and
                    (C) any other factors that should be considered for 
                any accreditation, training, and certification 
                programs.
            (3) Report.--Not later than 1 year after the date of 
        enactment of this Act, the National Academies shall submit to 
        the President and the Congress a report on the results of the 
        study required by this subsection. The report shall include--
                    (A) findings regarding the state of cybersecurity 
                accreditation, training, and certification programs, 
                including specific areas of deficiency and demonstrable 
                progress; and
                    (B) recommendations for the improvement of 
                cybersecurity accreditation, training, and 
                certification programs.
    (b) Federal Information Systems.--Beginning no later than 6 months 
after receiving the report under subsection (a)(3), the President, in 
close and regular consultation with sector coordinating councils and 
relevant governmental agencies, regulatory entities, industry sectors, 
and nongovernmental organizations, shall--
            (1) develop and annually review and update--
                    (A) guidance for the identification and 
                categorization of positions for personnel conducting 
                cybersecurity functions within the Federal government; 
                and
                    (B) requirements for certification of personnel for 
                categories identified under subparagraph (A); and
            (2) annually evaluate compliance with the requirements in 
        paragraph (1)(B).
    (c) United States Critical Infrastructure Information Systems.--
            (1) Identification, categorization, and certification of 
        positions.--Not later than 6 months after receiving the report 
        under subsection (a)(3), the President, in close and regular 
        consultation with sector coordinating councils and relevant 
        governmental agencies, regulatory entities, and nongovernmental 
        organizations, shall require owners and operators of United 
        States critical infrastructure information systems to develop 
        and annually review and update--
                    (A) guidance for the identification and 
                categorization of positions for personnel conducting 
                cybersecurity functions within their respective 
                information systems; and
                    (B) requirements for certification of personnel for 
                categories identified under subparagraph (A).
            (2) Accreditation, training, and certification programs.--
        Not later than 6 months after receiving the certification 
        requirements submitted under paragraph (1)(B), the President, 
        in consultation with sector coordinating councils, relevant 
        governmental agencies, regulatory entities, and nongovernmental 
        organizations, shall convene sector specific working groups to 
        establish auditable private-sector developed accreditation, 
        training, and certification programs for critical 
        infrastructure information system personnel working in 
        cybersecurity.
            (3) Positive recognition.--Beginning no later than 1 year 
        after the President first convenes sector specific working 
        groups under paragraph (2), the President shall--
                    (A) recognize and promote auditable private-sector 
                developed accreditation, training, and certification 
                programs established under paragraph (2); and
                    (B) on an ongoing basis, but not less frequently 
                than annually, review and reconsider recognitions under 
                subparagraph (A) in order to account for advances in 
                accreditation, training, and certification programs for 
                personnel working in cybersecurity.
            (4) United States critical infrastructure information 
        systems compliance.--
                    (A) In general.--Beginning no later than 1 year 
                after the President first recognizes a program under 
                paragraph (3)(A), and on a semi-annual basis 
                thereafter, the President shall require each owner or 
                operator of a United States critical infrastructure 
                information system to report the results of independent 
                audits that evaluate compliance with the accreditation, 
                training, and certification programs recognized under 
                paragraph (3).
                    (B) Positive recognition.--The President, in 
                consultation with sector coordinating councils, 
                relevant governmental agencies, and regulatory 
                entities, and with the consent of individual companies, 
                may publicly recognize those owners and operators of 
                United States critical infrastructure information 
                systems whose independent audits demonstrate compliance 
                with the accreditation, training, and certification 
                programs recognized under paragraph (3).
                    (C) Collaborative remediation.--The President shall 
                require owners or operators of United States critical 
                infrastructure information systems that fail to 
                demonstrate substantial compliance with the 
                accreditation, training, and certification programs 
                recognized under paragraph (3) through 2 consecutive 
                independent audits, in consultation with sector 
                coordinating councils, relevant governmental agencies, 
                and regulatory entities, to collaboratively develop and 
                implement a remediation plan.
    (d) Reference List for Consumers.--The President, in close and 
regular consultation with sector coordinating councils and relevant 
governmental agencies, regulatory entities, and nongovernmental 
organizations, shall annually--
            (1) evaluate the cybersecurity accreditation, training, and 
        certification programs identified in this section;
            (2) identify those cybersecurity accreditation, training, 
        and certification programs whose rigor and effectiveness are 
        beneficial to cybersecurity; and
            (3) publish a noncompulsory reference list of those 
        programs identified under paragraph (2).

SEC. 102. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

    (a) In General.--The Director of the National Science Foundation 
shall establish a Federal Cyber Scholarship-for-Service program to 
recruit and train the next generation of information technology 
professionals and security managers for Federal, State, local, and 
tribal governments.
    (b) Program Description and Components.--The program shall--
            (1) provide scholarships that provide full tuition, fees, 
        and a stipend, for up to 1,000 students per year in their 
        pursuit of undergraduate or graduate degrees in the 
        cybersecurity field;
            (2) require scholarship recipients, as a condition of 
        receiving a scholarship under the program, to agree to serve in 
        a Federal, State, local, or tribal information technology 
        workforce for a period equal to the length of the scholarship 
        following graduation if offered employment in that field by a 
        Federal, State, local, or tribal agency;
            (3) provide a procedure by which the Foundation or a 
        Federal agency may, consistent with regulations of the Office 
        of Personnel Management, request and fund security clearances 
        for scholarship recipients;
            (4) provide opportunities for students to receive temporary 
        appointments for meaningful employment in the Federal 
        information technology workforce during school vacation periods 
        and for internships;
            (5) provide a procedure for identifying promising K-12 
        students for participation in summer work and internship 
        programs that would lead to certification of Federal 
        information technology workforce standards and possible future 
        employment; and
            (6) examine and develop, if appropriate, programs to 
        promote computer security awareness in secondary and high 
        school classrooms.
    (c) Hiring Authority.--For purposes of any law or regulation 
governing the appointment of individuals in the Federal civil service, 
upon the successful completion of their studies, students receiving a 
scholarship under the program shall be hired under the authority 
provided for in section 213.3102(r) of title 5, Code of Federal 
Regulations, and be exempt from competitive service. Upon satisfactory 
fulfillment of the service term, such individuals may be converted to a 
competitive service position without competition if the individual 
meets the requirements for that position.
    (d) Eligibility.--To be eligible to receive a scholarship under 
this section, an individual shall--
            (1) be a citizen of the United States;
            (2) demonstrate a commitment to a career in improving the 
        Nation's cyber defenses; and
            (3) have demonstrated a level of proficiency in math or 
        computer sciences.
    (e) Evaluation and Report.--The Director shall evaluate and report 
periodically to the Congress on the success of recruiting individuals 
for the scholarships and on hiring and retaining those individuals in 
the public sector workforce.
    (f) Authorization of Appropriations.--There are authorized to be 
appropriated to the National Science Foundation to carry out this 
section--
            (1) $50,000,000 for fiscal year 2010;
            (2) $55,000,000 for fiscal year 2011;
            (3) $60,000,000 for fiscal year 2012;
            (4) $65,000,000 for fiscal year 2013; and
            (5) $70,000,000 for fiscal year 2014.

SEC. 103. CYBERSECURITY COMPETITION AND CHALLENGE.

    (a) In General.--The Director of the National Institute of 
Standards and Technology, directly or through appropriate Federal 
entities, shall establish cybersecurity competitions and challenges 
with cash prizes, and promulgate rules for participation in such 
competitions and challenges, in order to--
            (1) attract, identify, evaluate, and recruit talented 
        individuals for the Federal information technology workforce; 
        and
            (2) stimulate innovation in basic and applied cybersecurity 
        research, technology development, and prototype demonstration 
        that has the potential for application to the information 
        technology activities of the Federal Government.
    (b) Types of Competitions and Challenges.--The Director shall 
establish different competitions and challenges targeting the following 
groups:
            (1) Middle school students.
            (2) High school students.
            (3) Undergraduate students.
            (4) Graduate students.
            (5) Academic and research institutions.
    (c) Topics.--In selecting topics for prize competitions, the 
Director shall consult widely both within and outside the Federal 
Government, and may empanel advisory committees.
    (d) Advertising.--The Director shall widely advertise prize 
competitions, in coordination with the awareness campaign under section 
301, to encourage participation.
    (e) Requirements and Registration.--For each prize competition, the 
Director shall publish a notice in the Federal Register announcing the 
subject of the competition, the rules for being eligible to participate 
in the competition, the amount of the prize, and the basis on which a 
winner will be selected.
    (f) Eligibility.--To be eligible to win a prize under this section, 
an individual or entity--
            (1) shall have registered to participate in the competition 
        pursuant to any rules promulgated by the Director under 
        subsection (a);
            (2) shall have complied with all the requirements under 
        this section;
            (3) in the case of a public or private entity, shall be 
        incorporated in and maintain a primary place of business in the 
        United States, and in the case of an individual, whether 
        participating singly or in a group, shall be a citizen or 
        permanent resident of the United States; and
            (4) shall not be a Federal entity or Federal employee 
        acting within the scope of his or her employment.
    (g) Judges.--For each competition, the Director, either directly or 
through an agreement under subsection (h), shall assemble a panel of 
qualified judges to select the winner or winners of the prize 
competition. Judges for each competition shall include individuals from 
the private sector. A judge may not--
            (1) have personal or financial interests in, or be an 
        employee, officer, director, or agent of any entity that is a 
        registered participant in a competition; or
            (2) have a familial or financial relationship with an 
        individual who is a registered participant.
    (h) Administering the Competition.--The Director may enter into an 
agreement with a private, nonprofit entity to administer the prize 
competition, subject to the provisions of this section.
    (i) Funding.--
            (1) Prizes.--Prizes under this section may consist of 
        Federal appropriated funds and funds provided by the private 
        sector for such cash prizes. The Director may accept funds from 
        other Federal agencies for such cash prizes. The Director may 
        not give special consideration to any private sector entity in 
        return for a donation.
            (2) Funding required before prize announced.--No prize may 
        be announced until all the funds needed to pay out the 
        announced amount of the prize have been appropriated or 
        committed in writing by a private source. The Director may 
        increase the amount of a prize after an initial announcement is 
        made under subsection (d) if--
                    (A) notice of the increase is provided in the same 
                manner as the initial notice of the prize; and
                    (B) the funds needed to pay out the announced 
                amount of the increase have been appropriated or 
                committed in writing by a private source.
            (3) Notice required for large awards.--No prize competition 
        under this section may offer a prize in an amount greater than 
        $5,000,000 unless 30 days have elapsed after written notice has 
        been transmitted to the Senate Committee on Commerce, Science, 
        and Transportation and the House of Representatives Committee 
        on Science and Technology.
            (4) Director's approval required for certain awards.--No 
        prize competition under this section may result in the award of 
        more than $1,000,000 in cash prizes without the approval of the 
        Director.
    (j) Use of Federal Insignia.--A registered participant in a 
competition under this section may use any Federal agency's name, 
initials, or insignia only after prior review and written approval by 
the Director.
    (k) Compliance With Existing Law.--The Federal Government shall 
not, by virtue of offering or providing a prize under this section, be 
responsible for compliance by registered participants in a prize 
competition with Federal law, including licensing, export control, and 
non-proliferation laws and related regulations.
    (l) Authorization of Appropriations.--There are authorized to be 
appropriated to the National Institute of Standards and Technology to 
carry out this section $15,000,000 for each of fiscal years 2010 
through 2014.

SEC. 104. CYBERSECURITY WORKFORCE PLAN.

    (a) Development of Plan.--Not later than 180 days after the date of 
enactment of this Act and in every subsequent year, the head of each 
Federal agency, based on guidance from the President, the Office of 
Personnel Management, the Chief Human Capital Officers Council, and the 
Chief Information Officers Council, shall develop a strategic 
cybersecurity workforce plan as part of the agency performance plan 
required under section 1115 of title 31, United States Code. The plan 
shall include--
            (1) cybersecurity hiring projections, including occupation 
        and grade level, over a 2-year period;
            (2) long-term and short-term strategic planning to address 
        critical skills deficiencies, including analysis of the numbers 
        of and reasons for cybersecurity employee attrition;
            (3) recruitment strategies, including the use of student 
        internships, to attract highly qualified candidates from 
        diverse backgrounds;
            (4) an assessment of the sources and availability of talent 
        with needed expertise;
            (5) streamlining the hiring process;
            (6) a specific analysis of the capacity of the agency 
        workforce to manage contractors who are performing 
        cybersecurity work on behalf of the Federal government;
            (7) an analysis of the barriers to recruiting and hiring 
        cybersecurity talent, including compensation, classification, 
        hiring flexibilities, and the hiring process, and 
        recommendations to overcome those barriers; and
            (8) a cybersecurity-related training and development plan 
        to enhance or keep current the knowledge level of employees.
    (b) Hiring Projections.--Each Federal agency shall make hiring 
projections made under its strategic cybersecurity workforce plan 
available to the public, including on its website.
    (c) Classification.--Based on the agency analyses and 
recommendations made under subsection (a)(7) of this section and other 
relevant information, the President or the President's designee, in 
consultation with affected Federal agencies and councils, shall 
coordinate the establishment of new job classifications for 
cybersecurity functions in government and certification requirements 
for each job category.

SEC. 105. MEASURES OF CYBERSECURITY HIRING EFFECTIVENESS.

    (a) In General.--Each agency shall measure and collect information 
on cybersecurity hiring effectiveness with respect to the following:
            (1) Recruiting and hiring.--
                    (A) Ability to reach and recruit well-qualified 
                talent from diverse talent pools.
                    (B) Use and impact of special hiring authorities 
                and flexibilities to recruit most qualified applicants, 
                including the use of student internship and scholarship 
                programs as a talent pool for permanent hires.
                    (C) Use and impact of special hiring authorities 
                and flexibilities to recruit diverse candidates, 
                including veteran, minority, and disabled candidates.
                    (D) The age, educational level, and source of 
                applicants.
            (2) Hiring manager assessment.--
                    (A) Manager satisfaction with the quality of the 
                applicants interviewed and new hires.
                    (B) Manager satisfaction with the match between the 
                skills of newly hired individuals and the needs of the 
                agency.
                    (C) Manager satisfaction with the hiring process 
                and hiring outcomes.
                    (D) Mission-critical deficiencies closed by new 
                hires and the connection between mission-critical 
                deficiencies and annual agency performance.
                    (E) Manager satisfaction with the length of time to 
                fill a position.
            (3) Applicant assessment.--Applicant satisfaction with the 
        hiring process (including clarity of job announcement, reasons 
        for withdrawal of application should that apply, user-
        friendliness of the application process, communication 
        regarding status of application, and timeliness of job offer).
            (4) New hire assessment.--
                    (A) New hire satisfaction with the hiring process 
                (including clarity of job announcement, user-
                friendliness of the application process, communication 
                regarding status of application, and timeliness of 
                hiring decision).
                    (B) Satisfaction with the onboarding experience 
                (including timeliness of onboarding after the hiring 
                decision, welcoming and orientation processes, and 
                being provided with timely and useful new employee 
                information and assistance).
                    (C) New hire attrition, including by performance 
                level and occupation.
                    (D) Investment in training and development for 
                employees during their first year of employment.
                    (E) Exit interview results.
                    (F) Other indicators and measures as required by 
                the Office of Personnel Management.
    (b) Reports.--
            (1) In general.--Each agency shall submit the information 
        collected under subsection (a) to the Office of Personnel 
        Management annually in accordance with the regulations 
        prescribed under subsection (c).
            (2) Availability of recruiting and hiring information.--
        Each year the Office of Personnel Management shall provide the 
        information received under paragraph (1) in a consistent format 
        to allow for a comparison of hiring effectiveness and 
        experience across demographic groups and agencies to--
                    (A) the Congress before that information is made 
                publicly available; and
                    (B) the public on the website of the Office within 
                90 days after receipt of the information under 
                subsection (b)(1).
    (c) Regulations.--Not later than 180 days after the date of 
enactment of this Act, the Director of the Office of Personnel 
Management shall prescribe regulations establishing the methodology, 
timing, and reporting of the data described in subsection (a).

                     TITLE II--PLANS AND AUTHORITY

SEC. 201. CYBERSECURITY RESPONSIBILITIES AND AUTHORITIES.

    (a) In General.--The President shall--
            (1) within 180 days after the date of enactment of this 
        Act, after notice and opportunity for public comment, develop 
        and implement a comprehensive national cybersecurity strategy, 
        which shall include--
                    (A) a long-term vision of the Nation's 
                cybersecurity future; and
                    (B) a plan that addresses all aspects of national 
                security, as it relates to cybersecurity, including the 
                proactive engagement of, and collaboration between, the 
                Federal government and the private sector;
            (2) in consultation with sector coordinating councils and 
        relevant governmental agencies, regulatory entities, and 
        nongovernmental organizations, review critical functions likely 
        to be impacted by a cyber attack and develop a strategy for the 
        acquisition, storage, and periodic replacement of assets to 
        support those functions;
            (3) through the Office of Science and Technology Policy, 
        direct an annual review of all Federal cyber technology 
        research and development investments; and
            (4) through the Office of Personnel Management, promulgate 
        rules for Federal professional responsibilities regarding 
        cybersecurity, and provide to the Congress an annual report on 
        Federal agency compliance with those rules.
    (b) Collaborative Emergency Response and Restoration.--The 
President--
            (1) shall, in collaboration with owners and operators of 
        United States critical infrastructure information systems, 
        sector coordinating councils and relevant governmental 
        agencies, regulatory entities, and nongovernmental 
        organizations, develop and rehearse detailed response and 
        restoration plans that clarify specific roles, 
        responsibilities, and authorities of government and private 
        sector actors during cybersecurity emergencies, and that 
        identify the types of events and incidents that would 
        constitute a cybersecurity emergency;
            (2) may, in the event of an immediate threat to strategic 
        national interests involving compromised Federal Government or 
        United States critical infrastructure information systems--
                    (A) declare a cybersecurity emergency; and
                    (B) implement the collaborative emergency response 
                and restoration plans developed under paragraph (1);
            (3) shall, in the event of a declaration of a cybersecurity 
        emergency--
                    (A) within 48 hours submit to Congress a report in 
                writing setting forth--
                            (i) the circumstances necessitating the 
                        emergency declaration; and
                            (ii) the estimated scope and duration of 
                        the emergency; and
                    (B) so long as the cybersecurity emergency 
                declaration remains in effect, report to the Congress 
                periodically, but in no event less frequently than once 
                every 30 days, on the status of emergency as well as on 
                the scope and duration of the emergency.
    (c) Rule of Construction.--This section does not authorize, and 
shall not be construed to authorize, an expansion of existing 
Presidential authorities.

SEC. 202. BIENNIAL CYBER REVIEW.

    (a) In General.--Beginning with 2010 and in every second year 
thereafter, the President, or the President's designee, shall complete 
a review of the cyber posture of the United States, including an 
unclassified summary of roles, missions, accomplishments, plans, and 
programs. The review shall include a comprehensive examination of the 
cyber strategy, force structure, personnel, modernization plans, 
infrastructure, budget plan, the Nation's ability to recover from a 
cyber emergency, and other elements of the cyber program and policies 
with a view toward determining and expressing the cyber strategy of the 
United States and establishing a revised cyber program for the next 2 
years.
    (b) Involvement of Cybersecurity Advisory Panel.--
            (1) The President, or the President's designee, shall 
        apprise the Cybersecurity Advisory Panel established or 
        designated under section 401, on an ongoing basis, of the work 
        undertaken in the conduct of the review.
            (2) Not later than 1 year before the completion date for 
        the review, the Chairman of the Advisory Panel shall submit to 
        the President, or the President's designee, the Panel's 
        assessment of work undertaken in the conduct of the review as 
        of that date and shall include in the assessment the 
        recommendations of the Panel for improvements to the review, 
        including recommendations for additional matters to be covered 
        in the review.
    (c) Assessment of Review.--Upon completion of the review, the 
Chairman of the Advisory Panel, on behalf of the Panel, shall prepare 
and submit to the President, or the President's designee, an assessment 
of the review in time for the inclusion of the assessment in its 
entirety in the report under subsection (d).
    (d) Report.--Not later than September 30, 2010, and every 2 years 
thereafter, the President, or the President's designee, shall submit to 
the relevant congressional Committees a comprehensive report on the 
review. The report shall include--
            (1) the results of the review, including a comprehensive 
        discussion of the cyber strategy of the United States and the 
        collaboration between the public and private sectors best 
        suited to implement that strategy;
            (2) the threats examined for purposes of the review and the 
        scenarios developed in the examination of such threats;
            (3) the assumptions used in the review, including 
        assumptions relating to the cooperation of other countries and 
        levels of acceptable risk; and
            (4) the Advisory Panel's assessment.

SEC. 203. CYBERSECURITY DASHBOARD PILOT PROJECT.

    The Secretary of Commerce shall--
            (1) in consultation with the Office of Management and 
        Budget, develop a plan within 90 days after the date of 
        enactment of this Act to implement a system to provide dynamic, 
        comprehensive, real-time cybersecurity status and vulnerability 
        information of all Federal Government information systems 
        managed by the Department of Commerce, including an inventory 
        of such, vulnerabilities of such systems, and corrective action 
        plans for those vulnerabilities;
            (2) implement the plan within 1 year after the date of 
        enactment of this Act; and
            (3) submit a report to the Congress on the implementation 
        of the plan.

SEC. 204. NIST CYBERSECURITY GUIDANCE.

    (a) In General.--Beginning no later than 1 year after the date of 
enactment of this Act, the National Institute of Standards and 
Technology, in close and regular consultation with sector coordinating 
councils and relevant governmental agencies, regulatory entities, and 
nongovernmental organizations, shall--
            (1) recognize and promote auditable, private sector 
        developed cybersecurity risk measurement techniques, risk 
        management measures and best practices for all Federal 
        Government and United States critical infrastructure 
        information systems; and
            (2) on an ongoing basis, but not less frequently than semi-
        annually, review and reconsider its recognitions under 
        paragraph (1) in order to account for advances in cybersecurity 
        risk measurement techniques, risk management measures, and best 
        practices.
    (b) Federal Information Systems.--Within 1 year after the National 
Institute of Standards and Technology issues guidance under subsection 
(a)(1), the President shall require all Federal departments and 
agencies to measure their risk in each operating unit using the 
techniques recognized under subsection (a) and to comply with or exceed 
the cybersecurity risk management measures and best practices 
recognized under subsection (a).
    (c) United States Critical Infrastructure Information Systems.--
            (1) In general.--On the earlier of the date on which the 
        final rule in the rulemaking required by section 4 is 
        promulgated, or 1 year after the President first recognizes the 
        cybersecurity risk measurement techniques, risk management 
        measures and best practices under subsection (a), and on a 
        semi-annual basis thereafter, the President shall require each 
        owner or operator of a United States critical infrastructure 
        information system to report the results of independent audits 
        that evaluate compliance with cybersecurity risk measurement 
        techniques, risk management measures, and best practices 
        recognized under subsection (a).
            (2) Positive recognition.--The President, in consultation 
        with sector coordinating councils, relevant governmental 
        agencies, and regulatory entities, and with the consent of 
        individual companies, may publicly recognize those owners and 
        operators of United States critical infrastructure information 
        systems whose independent audits demonstrate compliance with 
        cybersecurity risk measurement techniques, risk management 
        measures, and best practices recognized under subsection (a);
            (3) Collaborative remediation.--The President shall require 
        owners or operators of United States critical infrastructure 
        information systems that fail to demonstrate substantial 
        compliance with cybersecurity risk measurement techniques, risk 
        management measures, and best practices recognized under 
        subsection (a) through 2 consecutive independent audits, in 
        consultation with sector coordinating councils, relevant 
        governmental agencies, and regulatory entities, to 
        collaboratively develop and implement a remediation plan.
    (d) International Standards Development.--Within 1 year after the 
date of enactment of this Act, the Director, in coordination with the 
Department of State and other relevant governmental agencies and 
regulatory entities, and in consultation with sector coordinating 
councils and relevant nongovernmental organizations, shall--
            (1) direct United States cybersecurity efforts before all 
        international standards development bodies related to 
        cybersecurity;
            (2) develop and implement a strategy to engage 
        international standards bodies with respect to the development 
        of technical standards related to cybersecurity; and
            (3) submit the strategy to the Congress.
    (e) Criteria for Federal Information Systems.--Notwithstanding any 
other provision of law (including any Executive Order), rule, 
regulation, or guideline pertaining to the distinction between national 
security systems and civilian agency systems, the Institute shall adopt 
a risk-based approach in the development of Federal cybersecurity 
guidance for Federal information systems.
    (f) FCC Broadband Cybersecurity Review.--Within 1 year after the 
date of enactment of this Act, the Federal Communications Commission 
shall report to Congress on effective and efficient means to ensure the 
cybersecurity of commercial broadband networks as related to public 
safety, consumer welfare, healthcare, education, energy, government, 
security and other national purposes. This report should also consider 
consumer education and outreach programs to assist individuals in 
protecting their home and personal computers and other devices.
    (g) Elimination of Duplicative Requirements.--The President shall 
direct the National Institute of Standards and Technology and other 
appropriate Federal agencies to identify private sector entities 
already required to report their compliance with cybersecurity laws, 
directives, and regulations to streamline compliance with duplicative 
reporting requirements.

SEC. 205. LEGAL FRAMEWORK REVIEW AND REPORT.

    (a) In General.--Within 1 year after the date of enactment of this 
Act, the Comptroller General shall complete a comprehensive review of 
the Federal statutory and legal framework applicable to cybersecurity-
related activities in the United States, including--
            (1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
            (2) the Electronic Communications Privacy Act of 1986 (18 
        U.S.C. 2510 note);
            (3) the Computer Security Act of 1987 (15 U.S.C. 271 et 
        seq.; 40 U.S.C. 759);
            (4) the Federal Information Security Management Act of 2002 
        (44 U.S.C. 3531 et seq.);
            (5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
            (6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 
        et seq.);
            (7) section 552 of title 5, United States Code;
            (8) the Federal Advisory Committee Act (5 U.S.C. App.);
            (9) any other Federal law bearing upon cybersecurity-
        related activities; and
            (10) any applicable Executive Order or agency rule, 
        regulation, or guideline.
    (b) Report.--Upon completion of the review the Comptroller General 
shall submit a report to the Congress containing the Comptroller 
General's findings, conclusions, and recommendations regarding changes 
needed to advance cybersecurity and protect civil liberties in light of 
new cybersecurity measures.

SEC. 206. JOINT INTELLIGENCE THREAT AND VULNERABILITY ASSESSMENT.

    The Director of National Intelligence, the Secretary of Commerce, 
the Secretary of Homeland Security, the Attorney General, the Secretary 
of Defense, and the Secretary of State shall submit to the Congress a 
joint assessment of, and report on, cybersecurity threats to and 
vulnerabilities of Federal information systems and United States 
critical infrastructure information systems.

SEC. 207. INTERNATIONAL NORMS AND CYBERSECURITY DETERRENCE MEASURES.

    The President shall--
            (1) work with representatives of foreign governments, 
        private sector entities, and nongovernmental organizations--
                    (A) to develop norms, organizations, and other 
                cooperative activities for international engagement to 
                improve cybersecurity; and
                    (B) to encourage international cooperation in 
                improving cybersecurity on a global basis; and
            (2) provide an annual report to the Congress on the 
        progress of international initiatives undertaken pursuant to 
        subparagraph (A).

SEC. 208. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS.

    (a) Acquisition Requirements.--The Administrator of the General 
Services Administration, in cooperation with the Office of Management 
and Budget and other appropriate Federal agencies, shall require that 
requests for information and requests for proposals for Federal 
information systems products and services include cybersecurity risk 
measurement techniques, risk management measures, and best practices 
recognized under section 204 and the cybersecurity professional 
certifications recognized under section 101 of this Act.
    (b) Acquisition Compliance.--After the publication of the 
requirements established by the Administrator under subsection (a), a 
Federal agency may not issue a request for proposals for Federal 
information systems products and services that does not comply with the 
requirements.

SEC. 209. PRIVATE SECTOR ACCESS TO CLASSIFIED INFORMATION.

    (a) Evaluation.--The President shall conduct an annual evaluation 
of the sufficiency of present access to classified information among 
owners and operators of United States critical infrastructure 
information systems and submit a report to the Congress on the 
evaluation.
    (b) Security Clearances.--To the extent determined by the President 
to be necessary to enhance public-private information sharing and 
cybersecurity collaboration, the President may--
            (1) grant additional security clearances to owners and 
        operators of United States critical infrastructure information 
        systems; and
            (2) delegate original classification authority to 
        appropriate Federal officials on matters related to 
        cybersecurity.

SEC. 210. AUTHENTICATION AND CIVIL LIBERTIES REPORT.

    Within 1 year after the date of enactment of this Act, the 
President, or the President's designee, in consultation with sector 
coordinating councils, relevant governmental agencies, regulatory 
entities, and nongovernmental organizations, shall review, and report 
to Congress, on the feasibility of an identity management and 
authentication program, with the appropriate civil liberties and 
privacy protections, for Federal government and United States critical 
infrastructure information systems.

SEC. 211. REPORT ON EVALUATION OF CERTAIN IDENTITY AUTHENTICATION 
              FUNCTIONALITIES.

    (a) In General.--Not later than 90 days after the date of enactment 
of this Act, the National Institute of Standards and Technology shall 
issue a public report evaluating identity authentication solutions to 
determine the necessary level of functionality and privacy protection, 
based on risk, commensurate with the level of data assurance and 
sensitivity, as defined by OMB e-Authentication Guidance Memorandum 04-
04 (OMB 04-04).
    (b) Contents.--The report shall--
            (1) assess strategies and best practices for mapping the 4 
        authentication levels with authentication functionalities 
        appropriate for each level; and
            (2) address specifically authentication levels and 
        appropriate functionalities necessary and available for the 
        protection of electronic medical records and health 
        information.

             TITLE III--CYBERSECURITY KNOWLEDGE DEVELOPMENT

SEC. 301. PROMOTING CYBERSECURITY AWARENESS AND EDUCATION.

    (a) In General.--The Secretary of Commerce, in consultation with 
sector coordinating councils, relevant governmental agencies, 
regulatory entities, and nongovernmental organizations, shall develop 
and implement a national cybersecurity awareness campaign that--
            (1) calls a new generation of Americans to service in the 
        field of cybersecurity;
            (2) heightens public awareness of cybersecurity issues and 
        concerns;
            (3) communicates the Federal Government's role in securing 
        the Internet and protecting privacy and civil liberties with 
        respect to Internet-related activities; and
            (4) utilizes public and private sector means of providing 
        information to the public, including public service 
        announcements.
    (b) Educational Programs.--The Secretary of Education, in 
consultation with State school superintendents, relevant Federal 
agencies, industry sectors, and nongovernmental organizations, shall 
identify and promote age appropriate information and programs for 
grades K-12 regarding cyber safety, cybersecurity, and cyber ethics.

SEC. 302. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

    (a) Fundamental Cybersecurity Research.--The Director of the 
National Science Foundation, in coordination with the Office of Science 
and Technology Policy, and drawing on the recommendations of the Office 
of Science and Technology Policy's annual review of all Federal cyber 
technology research and development investments required by section 
201(a)(3), shall develop a national cybersecurity research and 
development plan. The plan shall encourage computer and information 
science and engineering research to meet the following challenges in 
cybersecurity:
            (1) How to design and build complex software-intensive 
        systems that are secure and reliable when first deployed.
            (2) How to test and verify that software, whether developed 
        locally or obtained from a third party, is free of significant 
        known security flaws.
            (3) How to test and verify that software obtained from a 
        third party correctly implements stated functionality, and only 
        that functionality.
            (4) How to guarantee the privacy of an individual's 
        identity, information, or lawful transactions when stored in 
        distributed systems or transmitted over networks.
            (5) How to build new protocols to enable the Internet to 
        have robust security as one of its key capabilities.
            (6) How to determine the origin of a message transmitted 
        over the Internet.
            (7) How to support privacy in conjunction with improved 
        security.
            (8) How to address the growing problem of insider threat.
            (9) How improved consumer education and digital literacy 
        initiatives can address human factors that contribute to 
        cybersecurity.
    (b) Secure Coding Research.--The Director shall support research 
that evaluates selected secure coding education and improvement 
programs. The Director shall also support research on new methods of 
integrating secure coding improvement into the core curriculum of 
computer science programs and of other programs where graduates have a 
substantial probability of developing software after graduation.
    (c) Assessment of Secure Coding Education in Colleges and 
Universities.--Within 1 year after the date of enactment of this Act, 
the Director shall submit to the Senate Committee on Commerce, Science, 
and Transportation and the House of Representatives Committee on 
Science and Technology a report on the state of secure coding education 
in America's colleges and universities for each school that received 
National Science Foundation funding in excess of $1,000,000 during 
fiscal year 2008. The report shall include--
            (1) the number of students who earned undergraduate degrees 
        in computer science or in each other program where graduates 
        have a substantial probability of being engaged in software 
        design or development after graduation;
            (2) the percentage of those students who completed 
        substantive secure coding education or improvement programs 
        during their undergraduate experience; and
            (3) descriptions of the length and content of the education 
        and improvement programs and an evaluation of the effectiveness 
        of those programs based on the students' scores on standard 
        tests of secure coding and design skills.
    (d) Cybersecurity Modeling and Testbeds.--Within 1 year after the 
date of enactment of this Act, the Director shall conduct a review of 
existing cybersecurity testbeds. Based on the results of that review, 
the Director shall establish a program to award grants to institutions 
of higher education to establish cybersecurity testbeds capable of 
realistic modeling of real-time cyber attacks and defenses. The purpose 
of this program is to support the rapid development of new 
cybersecurity defenses, techniques, and processes by improving 
understanding and assessing the latest technologies in a real-world 
environment. The testbeds shall be sufficiently large in order to model 
the scale and complexity of real world networks and environments.
    (e) NSF Computer and Network Security Research Grant Areas.--
Section 4(a)(1) of the Cybersecurity Research and Development Act (15 
U.S.C. 7403(a)(1)) is amended--
            (1) by striking ``and'' after the semicolon in subparagraph 
        (H);
            (2) by striking ``property.'' in subparagraph (I) and 
        inserting ``property;''; and
            (3) by adding at the end the following:
                    ``(J) secure fundamental protocols that are at the 
                heart of inter-network communications and data 
                exchange;
                    ``(K) secure software engineering and software 
                assurance, including--
                            ``(i) programming languages and systems 
                        that include fundamental security features;
                            ``(ii) portable or reusable code that 
                        remains secure when deployed in various 
                        environments;
                            ``(iii) verification and validation 
                        technologies to ensure that requirements and 
                        specifications have been implemented; and
                            ``(iv) models for comparison and metrics to 
                        assure that required standards have been met;
                    ``(L) holistic system security that--
                            ``(i) addresses the building of secure 
                        systems from trusted and untrusted components;
                            ``(ii) proactively reduces vulnerabilities;
                            ``(iii) addresses insider threats; and
                            ``(iv) supports privacy in conjunction with 
                        improved security;
                    ``(M) monitoring and detection; and
                    ``(N) mitigation and rapid recovery methods.''.
    (f) NSF Computer and Network Security Grants.--Section 4(a)(3) of 
the Cybersecurity Research and Development Act (15 U.S.C. 7403(a)(3)) 
is amended--
            (1) by striking ``and'' in subparagraph (D);
            (2) by striking ``2007.'' in subparagraph (E) and inserting 
        ``2007;''; and
            (3) by adding at the end the following:
                    ``(F) $150,000,000 for fiscal year 2010;
                    ``(G) $155,000,000 for fiscal year 2011;
                    ``(H) $160,000,000 for fiscal year 2012;
                    ``(I) $165,000,000 for fiscal year 2013; and
                    ``(J) $170,000,000 for fiscal year 2014.''.
    (g) Computer and Network Security Centers.--Section 4(b)(7) of such 
Act (15 U.S.C. 7403(b)(7)) is amended--
            (1) by striking ``and'' in subparagraph (D);
            (2) by striking ``2007.'' in subparagraph (E) and inserting 
        ``2007;''; and
            (3) by adding at the end the following:
                    ``(F) $50,000,000 for fiscal year 2010;
                    ``(G) $52,000,000 for fiscal year 2011;
                    ``(H) $54,000,000 for fiscal year 2012;
                    ``(I) $56,000,000 for fiscal year 2013; and
                    ``(J) $58,000,000 for fiscal year 2014.''.
    (h) Computer and Network Security Capacity Building Grants.--
Section 5(a)(6) of such Act (15 U.S.C. 7404(a)(6)) is amended--
            (1) by striking ``and'' in subparagraph (D);
            (2) by striking ``2007.'' in subparagraph (E) and inserting 
        ``2007;''; and
            (3) by adding at the end the following:
                    ``(F) $40,000,000 for fiscal year 2010;
                    ``(G) $42,000,000 for fiscal year 2011;
                    ``(H) $44,000,000 for fiscal year 2012;
                    ``(I) $46,000,000 for fiscal year 2013; and
                    ``(J) $48,000,000 for fiscal year 2014.''.
    (i) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) 
of such Act (15 U.S.C. 7404(b)(2)) is amended--
            (1) by striking ``and'' in subparagraph (D);
            (2) by striking ``2007.'' in subparagraph (E) and inserting 
        ``2007;''; and
            (3) by adding at the end the following:
                    ``(F) $5,000,000 for fiscal year 2010;
                    ``(G) $6,000,000 for fiscal year 2011;
                    ``(H) $7,000,000 for fiscal year 2012;
                    ``(I) $8,000,000 for fiscal year 2013; and
                    ``(J) $9,000,000 for fiscal year 2014.''.
    (j) Graduate Traineeships in Computer and Network Security 
Research.--Section 5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is 
amended--
            (1) by striking ``and'' in subparagraph (D);
            (2) by striking ``2007.'' in subparagraph (E) and inserting 
        ``2007;''; and
            (3) by adding at the end the following:
                    ``(F) $20,000,000 for fiscal year 2010;
                    ``(G) $22,000,000 for fiscal year 2011;
                    ``(H) $24,000,000 for fiscal year 2012;
                    ``(I) $26,000,000 for fiscal year 2013; and
                    ``(J) $28,000,000 for fiscal year 2014.''.
    (k) Cybersecurity Faculty Development Traineeship Program.--Section 
5(e)(9) of such Act (15 U.S.C. 7404(e)(9)) is amended by striking 
``2007.'' and inserting ``2007 and for each of fiscal years 2010 
through 2014.''.
    (l) Networking and Information Technology Research and Development 
Program.--Section 204(a)(1) of the High-Performance Computing Act of 
1991 (15 U.S.C. 5524(a)(1)) is amended--
            (1) by striking ``and'' after the semicolon in subparagraph 
        (B); and
            (2) by inserting after subparagraph (C) the following:
                    ``(D) develop and propose standards and guidelines, 
                and develop measurement techniques and test methods, 
                for enhanced cybersecurity for computer networks and 
                common user interfaces to systems; and''.

SEC. 303. DEVELOPMENT OF CURRICULA FOR INCORPORATING CYBERSECURITY INTO 
              EDUCATIONAL PROGRAMS FOR FUTURE INDUSTRIAL CONTROL SYSTEM 
              DESIGNERS.

    (a) In General.--The Director of the National Science Foundation 
shall establish a grant program to fund public and private educational 
institutions to develop graduate and undergraduate level curricula that 
address cybersecurity in modern industrial control systems. In 
administering the program, the Director--
            (1) shall establish such requirements for the submission of 
        applications containing such information, commitments, and 
        assurances as the Director finds necessary and appropriate;
            (2) shall award the grants on a competitive basis;
            (3) shall require grant recipients to make the developed 
        curricula and related materials available to other public and 
        private educational institutions; and
            (4) may make up to 3 grants per year.
    (b) Authorization of Appropriations.--There are authorized to be 
appropriated to the Director to carry out the grant program under this 
section $2,000,000 for each of fiscal years 2011 and 2012.

                 TITLE IV--PUBLIC-PRIVATE COLLABORATION

SEC. 401. CYBERSECURITY ADVISORY PANEL.

    (a) In General.--The President shall establish or designate a 
Cybersecurity Advisory Panel.
    (b) Qualifications.--The President--
            (1) shall appoint as members of the panel representatives 
        of industry, academia, non-profit organizations, interest 
        groups and advocacy organizations, and State and local 
        governments who are qualified to provide advice and information 
        on cybersecurity research, development, demonstrations, 
        education, personnel, technology transfer, commercial 
        application, or societal and civil liberty concerns; and
            (2) may seek and give consideration to recommendations from 
        the Congress, industry, the cybersecurity community, the 
        defense community, State and local governments, and other 
        appropriate organizations.
    (c) Duties.--The panel shall advise the President on matters 
relating to the national cybersecurity program and strategy and shall 
assess--
            (1) trends and developments in cybersecurity science 
        research and development;
            (2) progress made in implementing the strategy;
            (3) the need to revise the strategy;
            (4) the readiness and capacity of the Federal and national 
        workforces to implement the national cybersecurity program and 
        strategy, and the steps necessary to improve workforce 
        readiness and capacity;
            (5) the balance among the components of the national 
        strategy, including funding for program components;
            (6) whether the strategy, priorities, and goals are helping 
        to maintain United States leadership and defense in 
        cybersecurity;
            (7) the management, coordination, implementation, and 
        activities of the strategy;
            (8) whether the concerns of Federal, State, and local law 
        enforcement entities are adequately addressed; and
            (9) whether societal and civil liberty concerns are 
        adequately addressed.
    (d) Reports.--The panel shall report, not less frequently than once 
every 2 years, to the President on its assessments under subsection (c) 
and its recommendations for ways to improve the strategy.
    (e) Travel Expenses of Non-Federal Members.--Non-Federal members of 
the panel, while attending meetings of the panel or while otherwise 
serving at the request of the head of the panel while away from their 
homes or regular places of business, may be allowed travel expenses, 
including per diem in lieu of subsistence, as authorized by section 
5703 of title 5, United States Code, for individuals in the government 
serving without pay. Nothing in this subsection shall be construed to 
prohibit members of the panel who are officers or employees of the 
United States from being allowed travel expenses, including per diem in 
lieu of subsistence, in accordance with law.
    (f) Exemption From FACA Sunset.--Section 14 of the Federal Advisory 
Committee Act (5 U.S.C. App.) shall not apply to the Advisory Panel.

SEC. 402. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAM.

    (a) Creation and Support of Cybersecurity Centers.--The Secretary 
of Commerce shall provide assistance for the creation and support of 
Regional Cybersecurity Centers for the promotion of private sector 
developed cybersecurity risk measurement techniques, risk management 
measures, and best practices. Each Center shall be affiliated with a 
United States-based nonprofit institution or organization, or 
consortium thereof, that applies for and is awarded financial 
assistance under this section.
    (b) Purpose.--The purpose of the Centers is to enhance the 
cybersecurity of small and medium sized businesses in the United States 
through--
            (1) the promotion of private sector developed cybersecurity 
        risk measurement techniques, risk management measures, and best 
        practices to small- and medium-sized companies throughout the 
        United States;
            (2) the voluntary participation of individuals from 
        industry, universities, State governments, other Federal 
        agencies, and, when appropriate, the Institute in cooperative 
        technology transfer activities in accordance with existing 
        technology transfer rules and intellectual property protection 
        measures;
            (3) efforts to make new cybersecurity technology, 
        standards, and processes usable by United States-based small- 
        and medium-sized companies;
            (4) the active dissemination of scientific, engineering, 
        technical, and management information about cybersecurity to 
        industrial firms, including small- and medium-sized companies;
            (5) the utilization, when appropriate, of the expertise and 
        capability that exists in Federal laboratories other than the 
        Institute; and
            (6) the performance of these and related activities in a 
        manner that supplements or coordinates with, and does not 
        compete with or duplicate, private sector activities.
    (c) Activities.--The Centers shall--
            (1) disseminate cybersecurity technologies, standards, and 
        processes based on research by the Institute for the purpose of 
        demonstrations and technology transfer;
            (2) actively transfer and disseminate private sector 
        developed cybersecurity risk measurement techniques, risk 
        management measures, and best practices to protect against and 
        mitigate the risk of cyber attacks to a wide range of companies 
        and enterprises, particularly small- and medium-sized 
        businesses; and
            (3) make loans, on a selective, short-term basis, of items 
        of advanced protective cybersecurity measures to small 
        businesses with less than 100 employees.
    (d) Duration and Amount of Support; Program Descriptions; 
Applications; Merit Review; Evaluations of Assistance.--
            (1) Financial support.--The Secretary may provide financial 
        support, not to exceed 50 percent of the Center's annual 
        operating and maintenance costs, to any Center for a period not 
        to exceed 6 years (except as provided in paragraph (5)(D)).
            (2) Program description.--Within 90 days after the date of 
        enactment of this Act, the Secretary shall publish in the 
        Federal Register a draft description of a program for 
        establishing Centers and, after a 30-day comment period, shall 
        publish a final description of the program. The description 
        shall include--
                    (A) a description of the program;
                    (B) procedures to be followed by applicants;
                    (C) criteria for determining qualified applicants;
                    (D) criteria, including those described in 
                paragraph (4), for choosing recipients of financial 
                assistance under this section from among the qualified 
                applicants; and
                    (E) maximum support levels expected to be available 
                to Centers under the program in the fourth through 
                sixth years of assistance under this section.
            (3) Applications; support commitment.--Any nonprofit 
        institution, or consortium of nonprofit institutions, may submit 
        to the Secretary an application for financial support under 
        this section, in accordance with the procedures established by 
        the Secretary. In order to receive assistance under this 
        section, an applicant shall provide adequate assurances that it 
        will contribute 50 percent or more of the proposed Center's 
        annual operating and maintenance costs for the first 3 years 
        and an increasing share for each of the next 3 years.
            (4) Award criteria.--Awards shall be made on a competitive, 
        merit-based review. In making a decision whether to approve an 
        application and provide financial support under this section, 
        the Secretary shall consider, at a minimum--
                    (A) the merits of the application, particularly 
                those portions of the application regarding technology 
                transfer, training and education, and adaptation of 
                cybersecurity technologies to the needs of particular 
                industrial sectors;
                    (B) the quality of service to be provided;
                    (C) geographical diversity and extent of service 
                area; and
                    (D) the percentage of funding and amount of in-kind 
                commitment from other sources.
            (5) Third year evaluation.--
                    (A) In general.--Each Center which receives 
                financial assistance under this section shall be 
                evaluated during its third year of operation by an 
                evaluation panel appointed by the Secretary.
                    (B) Evaluation panel.--Each evaluation panel shall 
                be composed of private experts and Federal officials, 
                none of whom shall be connected with the involved 
                Center. Each evaluation panel shall measure the 
                Center's performance against the objectives specified 
                in this section and ensure that the Center is not 
                competing with, or duplicating, private sector 
                activities.
                    (C) Positive evaluation required for continued 
                funding.--The Secretary may not provide funding for the 
                fourth through the sixth years of a Center's operation 
                unless the evaluation by the evaluation panel is 
                positive. If the evaluation is positive, the Secretary 
                may provide continued funding through the sixth year at 
                declining levels.
                    (D) Funding after sixth year.--After the sixth 
                year, the Secretary may provide additional financial 
                support to a Center if it has received a positive 
                evaluation through an independent review, under 
                procedures established by the Institute. An additional 
                independent review shall be required at least every 2 
                years after the sixth year of operation. Funding 
                received for a fiscal year under this section after the 
                sixth year of operation may not exceed one third of the 
                annual operating and maintenance costs of the Center.
            (6) Patent rights to inventions.--The provisions of chapter 
        18 of title 35, United States Code, shall (to the extent not 
        inconsistent with this section) apply to the promotion of 
        technology from research by Centers under this section except 
        for contracts for such specific technology extension or 
        transfer services as may be specified by statute or by the 
        President, or the President's designee.
    (e) Acceptance of Funds From Other Federal Departments and 
Agencies.--In addition to such sums as may be authorized and 
appropriated to the Secretary and President, or the President's 
designee, to operate the Centers program, the Secretary and the 
President, or the President's designee, also may accept funds from 
other Federal departments and agencies for the purpose of providing 
Federal funds to support Centers. Any Center which is supported with 
funds which originally came from other Federal departments and agencies 
shall be selected and operated according to the provisions of this 
section.

SEC. 403. PUBLIC-PRIVATE CLEARINGHOUSE.

    (a) Survey of Existing Models of Interagency and Public-private 
Information Sharing.--Within 180 days after the date of enactment of 
this Act, the President, or the President's designee, in consultation 
with sector coordinating councils, relevant governmental agencies and 
regulatory entities, and nongovernmental organizations, shall conduct a 
review and assessment of existing information sharing models used by 
Federal agencies.
    (b) Designation.--Pursuant to the results of the review and 
assessment required by subsection (a), the President shall establish or 
designate a facility to serve as the central cybersecurity threat and 
vulnerability information clearinghouse for the Federal Government and 
United States critical infrastructure information systems. The facility 
shall incorporate the best practices and concepts of operations of 
existing information sharing models in order to effectively promote the 
sharing of public-private cybersecurity threat and vulnerability 
information.
    (c) Information Sharing Rules and Procedures.--The President, or 
the President's designee, in consultation with sector coordinating 
councils, relevant governmental agencies and regulatory entities, and 
nongovernmental organizations, shall promulgate rules and procedures 
regarding cybersecurity threat and vulnerability information sharing, 
that--
            (1) expand the Federal Government's sharing of 
        cybersecurity threat and vulnerability information with owners 
        and operators of United States critical infrastructure 
        information systems;
            (2) ensure confidentiality and privacy protections for 
        individuals and personally identifiable information;
            (3) ensure confidentiality and privacy protections for 
        private sector-owned intellectual property and proprietary 
        information;
            (4) establish criteria under which owners or operators of 
        United States critical infrastructure information systems share 
        actionable cybersecurity threat and vulnerability information 
        and relevant data with the Federal Government;
            (5) protect against, or mitigate, civil and criminal 
        liability implicated by information shared; and
            (6) otherwise will enhance the sharing of cybersecurity 
        threat and vulnerability information between owners or 
        operators of United States critical infrastructure information 
        systems and the Federal Government.

SEC. 404. CYBERSECURITY RISK MANAGEMENT REPORT.

    Within 1 year after the date of enactment of this Act, the 
President, or the President's designee, shall report to the Congress on 
the feasibility of creating a market for cybersecurity risk management.