[Congressional Bills 111th Congress]
[From the U.S. Government Publishing Office]
[S. 773 Reported in Senate (RS)]
Calendar No. 707
111th CONGRESS
2d Session
S. 773
To ensure the continued free flow of commerce within the United States
and with its global trading partners through secure cyber
communications, to provide for the continued development and
exploitation of the Internet and intranet communications for such
purposes, to provide for the development of a cadre of information
technology specialists to improve and maintain effective cyber security
defenses against disruption, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 1, 2009
Mr. Rockefeller (for himself, Ms. Snowe, Mr. Nelson of Florida, Mr.
Bayh, and Ms. Mikulski) introduced the following bill; which was read
twice and referred to the Committee on Commerce, Science, and
Transportation
December 17, 2010
Reported by Mr. Rockefeller, with an amendment
[Strike all after the enacting clause and insert the part printed in
italic]
_______________________________________________________________________
A BILL
To ensure the continued free flow of commerce within the United States
and with its global trading partners through secure cyber
communications, to provide for the continued development and
exploitation of the Internet and intranet communications for such
purposes, to provide for the development of a cadre of information
technology specialists to improve and maintain effective cybersecurity
defenses against disruption, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>
<DELETED> (a) Short Title.--This Act may be cited as the
``Cybersecurity Act of 2009''.</DELETED>
<DELETED> (b) Table of Contents.--The table of contents for this Act
is as follows:</DELETED>
<DELETED>Sec. 1. Short title; table of contents.
<DELETED>Sec. 2. Findings.
<DELETED>Sec. 3. Cybersecurity Advisory Panel.
<DELETED>Sec. 4. Real-time cybersecurity dashboard.
<DELETED>Sec. 5. State and regional cybersecurity enhancement program.
<DELETED>Sec. 6. NIST standards development and compliance.
<DELETED>Sec. 7. Licensing and certification of cybersecurity
professionals.
<DELETED>Sec. 8. Review of NTIA domain name contracts.
<DELETED>Sec. 9. Secure domain name addressing system.
<DELETED>Sec. 10. Promoting cybersecurity awareness.
<DELETED>Sec. 11. Federal cybersecurity research and development.
<DELETED>Sec. 12. Federal Cyber Scholarship-for-Service program.
<DELETED>Sec. 13. Cybersecurity competition and challenge.
<DELETED>Sec. 14. Public-private clearinghouse.
<DELETED>Sec. 15. Cybersecurity risk management report.
<DELETED>Sec. 16. Legal framework review and report.
<DELETED>Sec. 17. Authentication and civil liberties report.
<DELETED>Sec. 18. Cybersecurity responsibilities and authorities.
<DELETED>Sec. 19. Quadrennial cyber review.
<DELETED>Sec. 20. Joint intelligence threat assessment.
<DELETED>Sec. 21. International norms and cybersecurity deterrence
measures.
<DELETED>Sec. 22. Federal Secure Products and Services Acquisitions
Board.
<DELETED>Sec. 23. Definitions.
<DELETED>SEC. 2. FINDINGS.</DELETED>
<DELETED> The Congress finds the following:</DELETED>
<DELETED> (1) America's failure to protect cyberspace is one
of the most urgent national security problems facing the
country.</DELETED>
<DELETED> (2) Since intellectual property is now often
stored in digital form, industrial espionage that exploits weak
cybersecurity dilutes our investment in innovation while
subsidizing the research and development efforts of foreign
competitors. In the new global competition, where economic
strength and technological leadership are vital components of
national power, failing to secure cyberspace puts us at a
disadvantage.</DELETED>
<DELETED> (3) According to the 2009 Annual Threat
Assessment, ``a successful cyber attack against a major
financial service provider could severely impact the national
economy, while cyber attacks against physical infrastructure
computer systems such as those that control power grids or oil
refineries have the potential to disrupt services for hours or
weeks'' and that ``Nation states and criminals target our
government and private sector information networks to gain
competitive advantage in the commercial sector.''.</DELETED>
<DELETED> (4) The Director of National Intelligence
testified before the Congress on February 19, 2009, that ``a
growing array of state and non-state adversaries are
increasingly targeting--for exploitation and potentially
disruption or destruction--our information infrastructure,
including the Internet, telecommunications networks, computer
systems, and embedded processors and controllers in critical
industries'' and these trends are likely to continue.</DELETED>
<DELETED> (5) John Brennan, the Assistant to the President
for Homeland Security and Counterterrorism wrote on March 2,
2009, that ``our nation's security and economic prosperity
depend on the security, stability, and integrity of
communications and information infrastructure that are largely
privately-owned and globally-operated.''.</DELETED>
<DELETED> (6) Paul Kurtz, a Partner and chief operating
officer of Good Harbor Consulting as well as a senior advisor
to the Obama Transition Team for cybersecurity, recently stated
that the United States is unprepared to respond to a ``cyber-
Katrina'' and that ``a massive cyber disruption could have a
cascading, long-term impact without adequate co-ordination
between government and the private sector.''.</DELETED>
<DELETED> (7) The Cyber Strategic Inquiry 2008, sponsored by
Business Executives for National Security and executed by Booz
Allen Hamilton, recommended to ``establish a single voice for
cybersecurity within government'' concluding that the ``unique
nature of cybersecurity requires a new leadership
paradigm.''.</DELETED>
<DELETED> (8) Alan Paller, the Director of Research at the
SANS Institute, testified before the Congress that ``the fight
against cybercrime resembles an arms race where each time the
defenders build a new wall, the attackers create new tools to
scale the wall. What is particularly important in this analogy
is that, unlike conventional warfare where deployment takes
time and money and is quite visible, in the cyber world, when
the attackers find a new weapon, they can attack millions of
computers, and successfully infect hundreds of thousands, in a
few hours or days, and remain completely hidden.''.</DELETED>
<DELETED> (9) According to the February 2003 National
Strategy to Secure Cyberspace, ``our nation's critical
infrastructures are composed of public and private institutions
in the sectors of agriculture, food, water, public health,
emergency services, government, defense industrial base,
information and telecommunications, energy, transportation,
banking and finance, chemicals and hazardous materials, and postal
and shipping. Cyberspace is their nervous system--the control
system of our country'' and that ``the cornerstone of America's
cyberspace security strategy is and will remain a public-
private partnership.''.</DELETED>
<DELETED> (10) According to the National Journal, Mike
McConnell, the former Director of National Intelligence, told
President Bush in May 2007 that if the 9/11 attackers had
chosen computers instead of airplanes as their weapons and had
waged a massive assault on a U.S. bank, the economic
consequences would have been ``an order of magnitude greater''
than those caused by the physical attack on the World Trade
Center. Mike McConnell has subsequently referred to
cybersecurity as the ``soft underbelly of this
country.''.</DELETED>
<DELETED> (11) The Center for Strategic and International
Studies report on Cybersecurity for the 44th Presidency
concluded that (A) cybersecurity is now a major national
security problem for the United States, (B) decisions and
actions must respect privacy and civil liberties, and (C) only
a comprehensive national security strategy that embraces both
the domestic and international aspects of cybersecurity will
make us more secure. The report continued stating that the
United States faces ``a long-term challenge in cyberspace from
foreign intelligence agencies and militaries, criminals, and
others, and that losing this struggle will wreak serious damage
on the economic health and national security of the United
States.''.</DELETED>
<DELETED> (12) James Lewis, Director and Senior Fellow,
Technology and Public Policy Program, Center for Strategic and
International Studies, testified on behalf of the Center for
Strategic and International Studies that ``the United States is
not organized and lacks a coherent national strategy for
addressing'' cybersecurity.</DELETED>
<DELETED> (13) President Obama said in a speech at Purdue
University on July 16, 2008, that ``every American depends--
directly or indirectly--on our system of information networks.
They are increasingly the backbone of our economy and our
infrastructure; our national security and our personal well-
being. But it's no secret that terrorists could use our
computer networks to deal us a crippling blow. We know that
cyber-espionage and common crime is already on the rise. And
yet while countries like China have been quick to recognize
this change, for the last eight years we have been dragging our
feet.'' Moreover, President Obama stated that ``we need to
build the capacity to identify, isolate, and respond to any
cyber-attack.''.</DELETED>
<DELETED> (14) The President's Information Technology
Advisory Committee reported in 2005 that software is a major
vulnerability and that ``software development methods that have
been the norm fail to provide the high-quality, reliable, and
secure software that the IT infrastructure requires. . . .
Today, as with cancer, vulnerable software can be invaded and
modified to cause damage to previously healthy software, and
infected software can replicate itself and be carried across
networks to cause damage in other systems.''.</DELETED>
<DELETED>SEC. 3. CYBERSECURITY ADVISORY PANEL.</DELETED>
<DELETED> (a) In General.--The President shall establish or
designate a Cybersecurity Advisory Panel.</DELETED>
<DELETED> (b) Qualifications.--The President--</DELETED>
<DELETED> (1) shall appoint as members of the panel
representatives of industry, academia, non-profit
organizations, interest groups and advocacy organizations, and
State and local governments who are qualified to provide advice
and information on cybersecurity research, development,
demonstrations, education, technology transfer, commercial
application, or societal and civil liberty concerns;
and</DELETED>
<DELETED> (2) may seek and give consideration to
recommendations from the Congress, industry, the cybersecurity
community, the defense community, State and local governments,
and other appropriate organizations.</DELETED>
<DELETED> (c) Duties.--The panel shall advise the President on
matters relating to the national cybersecurity program and strategy and
shall assess--</DELETED>
<DELETED> (1) trends and developments in cybersecurity
science research and development;</DELETED>
<DELETED> (2) progress made in implementing the
strategy;</DELETED>
<DELETED> (3) the need to revise the strategy;</DELETED>
<DELETED> (4) the balance among the components of the
national strategy, including funding for program
components;</DELETED>
<DELETED> (5) whether the strategy, priorities, and goals
are helping to maintain United States leadership and defense in
cybersecurity;</DELETED>
<DELETED> (6) the management, coordination, implementation,
and activities of the strategy; and</DELETED>
<DELETED> (7) whether societal and civil liberty concerns
are adequately addressed.</DELETED>
<DELETED> (d) Reports.--The panel shall report, not less frequently
than once every 2 years, to the President on its assessments under
subsection (c) and its recommendations for ways to improve the
strategy.</DELETED>
<DELETED> (e) Travel Expenses of Non-Federal Members.--Non-Federal
members of the panel, while attending meetings of the panel or while
otherwise serving at the request of the head of the panel while away
from their homes or regular places of business, may be allowed travel
expenses, including per diem in lieu of subsistence, as authorized by
section 5703 of title 5, United States Code, for individuals in the
government serving without pay. Nothing in this subsection shall be
construed to prohibit members of the panel who are officers or
employees of the United States from being allowed travel expenses,
including per diem in lieu of subsistence, in accordance with
law.</DELETED>
<DELETED> (f) Exemption From FACA Sunset.--Section 14 of the Federal
Advisory Committee Act (5 U.S.C. App.) shall not apply to the Advisory
Panel.</DELETED>
<DELETED>SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD.</DELETED>
<DELETED> The Secretary of Commerce shall--</DELETED>
<DELETED> (1) in consultation with the Office of Management
and Budget, develop a plan within 90 days after the date of
enactment of this Act to implement a system to provide dynamic,
comprehensive, real-time cybersecurity status and vulnerability
information of all Federal Government information systems and
networks managed by the Department of Commerce; and</DELETED>
<DELETED> (2) implement the plan within 1 year after the
date of enactment of this Act.</DELETED>
<DELETED>SEC. 5. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT
PROGRAM.</DELETED>
<DELETED> (a) Creation and Support of Cybersecurity Centers.--The
Secretary of Commerce shall provide assistance for the creation and
support of Regional Cybersecurity Centers for the promotion and
implementation of cybersecurity standards. Each Center shall be
affiliated with a United States-based nonprofit institution or
organization, or consortium thereof, that applies for and is awarded
financial assistance under this section.</DELETED>
<DELETED> (b) Purpose.--The purpose of the Centers is to enhance the
cybersecurity of small- and medium-sized businesses in the United States
through--</DELETED>
<DELETED> (1) the transfer of cybersecurity standards,
processes, technology, and techniques developed at the National
Institute of Standards and Technology to Centers and, through
them, to small- and medium-sized companies throughout the
United States;</DELETED>
<DELETED> (2) the participation of individuals from
industry, universities, State governments, other Federal
agencies, and, when appropriate, the Institute in cooperative
technology transfer activities;</DELETED>
<DELETED> (3) efforts to make new cybersecurity technology,
standards, and processes usable by United States-based small-
and medium-sized companies;</DELETED>
<DELETED> (4) the active dissemination of scientific,
engineering, technical, and management information about
cybersecurity to industrial firms, including small- and medium-
sized companies; and</DELETED>
<DELETED> (5) the utilization, when appropriate, of the
expertise and capability that exists in Federal laboratories
other than the Institute.</DELETED>
<DELETED> (c) Activities.--The Centers shall--</DELETED>
<DELETED> (1) disseminate cybersecurity technologies,
standards, and processes based on research by the Institute for
the purpose of demonstrations and technology
transfer;</DELETED>
<DELETED> (2) actively transfer and disseminate
cybersecurity strategies, best practices, standards, and
technologies to protect against and mitigate the risk of cyber
attacks to a wide range of companies and enterprises,
particularly small- and medium-sized businesses; and</DELETED>
<DELETED> (3) make loans, on a selective, short-term basis,
of items of advanced cybersecurity countermeasures to small
businesses with less than 100 employees.</DELETED>
<DELETED> (c) Duration and Amount of Support; Program Descriptions;
Applications; Merit Review; Evaluations of Assistance.--</DELETED>
<DELETED> (1) Financial support.--The Secretary may provide
financial support, not to exceed 50 percent of its annual
operating and maintenance costs, to any Center for a period not
to exceed 6 years (except as provided in paragraph
(5)(D)).</DELETED>
<DELETED> (2) Program description.--Within 90 days after the
date of enactment of this Act, the Secretary shall publish in
the Federal Register a draft description of a program for
establishing Centers and, after a 30-day comment period, shall
publish a final description of the program. The description
shall include--</DELETED>
<DELETED> (A) a description of the
program;</DELETED>
<DELETED> (B) procedures to be followed by
applicants;</DELETED>
<DELETED> (C) criteria for determining qualified
applicants;</DELETED>
<DELETED> (D) criteria, including those described in
paragraph (4), for choosing recipients of financial
assistance under this section from among the qualified
applicants; and</DELETED>
<DELETED> (E) maximum support levels expected to be
available to Centers under the program in the fourth
through sixth years of assistance under this
section.</DELETED>
<DELETED> (3) Applications; support commitment.--Any
nonprofit institution, or consortia of nonprofit institutions,
may submit to the Secretary an application for financial
support under this section, in accordance with the procedures
established by the Secretary. In order to receive assistance
under this section, an applicant shall provide adequate
assurances that it will contribute 50 percent or more of the
proposed Center's annual operating and maintenance costs for
the first 3 years and an increasing share for each of the next
3 years.</DELETED>
<DELETED> (4) Award criteria.--Awards shall be made on a
competitive, merit-based review. In making a decision whether
to approve an application and provide financial support under
this section, the Secretary shall consider, at a minimum--
</DELETED>
<DELETED> (A) the merits of the application,
particularly those portions of the application
regarding technology transfer, training and education,
and adaptation of cybersecurity technologies to the
needs of particular industrial sectors;</DELETED>
<DELETED> (B) the quality of service to be
provided;</DELETED>
<DELETED> (C) geographical diversity and extent of
service area; and</DELETED>
<DELETED> (D) the percentage of funding and amount
of in-kind commitment from other sources.</DELETED>
<DELETED> (5) Third year evaluation.--</DELETED>
<DELETED> (A) In general.--Each Center which
receives financial assistance under this section shall
be evaluated during its third year of operation by an
evaluation panel appointed by the Secretary.</DELETED>
<DELETED> (B) Evaluation panel.--Each evaluation
panel shall be composed of private experts, none of
whom shall be connected with the involved Center, and
Federal officials. An official of the Institute shall
chair the panel. Each evaluation panel shall measure
the Center's performance against the objectives
specified in this section.</DELETED>
<DELETED> (C) Positive evaluation required for
continued funding.--The Secretary may not provide
funding for the fourth through the sixth years of a
Center's operation unless the evaluation by the
evaluation panel is positive. If the evaluation is
positive, the Secretary may provide continued funding
through the sixth year at declining levels.</DELETED>
<DELETED> (D) Funding after sixth year.--After the
sixth year, the Secretary may provide additional
financial support to a Center if it has received a
positive evaluation through an independent review,
under procedures established by the Institute. An
additional independent review shall be required at
least every 2 years after the sixth year of operation.
Funding received for a fiscal year under this section
after the sixth year of operation may not exceed one
third of the annual operating and maintenance costs of
the Center.</DELETED>
<DELETED> (6) Patent rights to inventions.--The provisions
of chapter 18 of title 35, United States Code, shall (to the
extent not inconsistent with this section) apply to the
promotion of technology from research by Centers under this
section except for contracts for such specific technology
extension or transfer services as may be specified by statute
or by the President, or the President's designee.</DELETED>
<DELETED> (d) Acceptance of Funds From Other Federal Departments and
Agencies.--In addition to such sums as may be authorized and
appropriated to the Secretary and President, or the President's
designee, to operate the Centers program, the Secretary and the
President, or the President's designee, also may accept funds from
other Federal departments and agencies for the purpose of providing
Federal funds to support Centers. Any Center which is supported with
funds which originally came from other Federal departments and agencies
shall be selected and operated according to the provisions of this
section.</DELETED>
<DELETED>SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.</DELETED>
<DELETED> (a) In General.--Within 1 year after the date of enactment
of this Act, the National Institute of Standards and Technology shall
establish measurable and auditable cybersecurity standards for all
Federal Government, government contractor, or grantee critical
infrastructure information systems and networks in the following
areas:</DELETED>
<DELETED> (1) Cybersecurity metrics research.--The Director
of the National Institute of Standards and Technology shall
establish a research program to develop cybersecurity metrics
and benchmarks that can assess the economic impact of
cybersecurity. These metrics should measure risk reduction and
the cost of defense. The research shall include the development
of automated tools to assess vulnerability and
compliance.</DELETED>
<DELETED> (2) Security controls.--The Institute shall
establish standards for continuously measuring the
effectiveness of a prioritized set of security controls that
are known to block or mitigate known attacks.</DELETED>
<DELETED> (3) Software security.--The Institute shall
establish standards for measuring software security using a
prioritized list of software weaknesses known to lead to
exploited and exploitable vulnerabilities. The Institute will
also establish a separate set of such standards for measuring
security in embedded software such as that found in industrial
control systems.</DELETED>
<DELETED> (4) Software configuration specification
language.--The Institute shall establish standard computer-
readable language for completely specifying the configuration
of software on computer systems widely used in the Federal
Government, by government contractors and grantees, and in
private sector owned critical infrastructure information
systems and networks.</DELETED>
<DELETED> (5) Standard software configuration.--The
Institute shall establish standard configurations consisting of
security settings for operating system software and software
utilities widely used in the Federal Government, by government
contractors and grantees, and in private sector owned critical
infrastructure information systems and networks.</DELETED>
<DELETED> (6) Vulnerability specification language.--The
Institute shall establish standard computer-readable language
for specifying vulnerabilities in software to enable software
vendors to communicate vulnerability data to software users in
real time.</DELETED>
<DELETED> (7) National compliance standards for all
software.--</DELETED>
<DELETED> (A) Protocol.--The Institute shall
establish a standard testing and accreditation protocol
for software built by or for the Federal Government,
its contractors, and grantees, and private sector owned
critical infrastructure information systems and
networks to ensure that it--</DELETED>
<DELETED> (i) meets the software security
standards of paragraph (3); and</DELETED>
<DELETED> (ii) does not require or cause any
changes to be made in the standard
configurations described in paragraph
(5).</DELETED>
<DELETED> (B) Compliance.--The Institute shall
develop a process or procedure to verify that--
</DELETED>
<DELETED> (i) software development
organizations comply with the protocol
established under subparagraph (A) during the
software development process; and</DELETED>
<DELETED> (ii) testing results showing
evidence of adequate testing and defect
reduction are provided to the Federal
Government prior to deployment of
software.</DELETED>
<DELETED> (b) Criteria for Standards.--Notwithstanding any other
provision of law (including any Executive Order), rule, regulation, or
guideline, in establishing standards under this section, the Institute
shall disregard the designation of an information system or network as
a national security system or on the basis of presence of classified or
confidential information, and shall establish standards based on risk
profiles.</DELETED>
<DELETED> (c) International Standards.--The Director, through the
Institute and in coordination with appropriate Federal agencies, shall
be responsible for United States representation in all international
standards development related to cybersecurity, and shall develop and
implement a strategy to optimize the United States position with
respect to international cybersecurity standards.</DELETED>
<DELETED> (d) Compliance Enforcement.--The Director shall--
</DELETED>
<DELETED> (1) enforce compliance with the standards
developed by the Institute under this section by software
manufacturers, distributors, and vendors; and</DELETED>
<DELETED> (2) require each Federal agency, and each
operator of an information system or network designated by the
President as a critical infrastructure information system or
network, periodically to demonstrate compliance with the
standards established under this section.</DELETED>
<DELETED> (e) FCC National Broadband Plan.--In developing the
national broadband plan pursuant to section 6001(k) of the American
Recovery and Reinvestment Act of 2009, the Federal Communications
Commission shall report on the most effective and efficient means to
ensure the cybersecurity of commercial broadband networks, including
consideration of consumer education and outreach programs.</DELETED>
<DELETED>SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY
PROFESSIONALS.</DELETED>
<DELETED> (a) In General.--Within 1 year after the date of enactment
of this Act, the Secretary of Commerce shall develop or coordinate and
integrate a national licensing, certification, and periodic
recertification program for cybersecurity professionals.</DELETED>
<DELETED> (b) Mandatory Licensing.--Beginning 3 years after the date
of enactment of this Act, it shall be unlawful for any individual to
engage in business in the United States, or to be employed in the
United States, as a provider of cybersecurity services to any Federal
agency or an information system or network designated by the President,
or the President's designee, as a critical infrastructure information
system or network, who is not licensed and certified under the
program.</DELETED>
<DELETED>SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.</DELETED>
<DELETED> (a) In General.--No action by the Assistant Secretary of
Commerce for Communications and Information after the date of enactment
of this Act with respect to the renewal or modification of a contract
related to the operation of the Internet Assigned Numbers Authority,
shall be final until the Advisory Panel--</DELETED>
<DELETED> (1) has reviewed the action;</DELETED>
<DELETED> (2) considered the commercial and national
security implications of the action; and</DELETED>
<DELETED> (3) approved the action.</DELETED>
<DELETED> (b) Approval Procedure.--If the Advisory Panel does not
approve such an action, it shall immediately notify the Assistant
Secretary in writing of the disapproval and the reasons therefor. The
Advisory Panel may provide recommendations to the Assistant Secretary
in the notice for any modifications it deems necessary to secure
approval of the action.</DELETED>
<DELETED>SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.</DELETED>
<DELETED> (a) In General.--Within 3 years after the date of
enactment of this Act, the Assistant Secretary of Commerce for
Communications and Information shall develop a strategy to implement a
secure domain name addressing system. The Assistant Secretary shall
publish notice of the system requirements in the Federal Register
together with an implementation schedule for Federal agencies and
information systems or networks designated by the President, or the
President's designee, as critical infrastructure information systems or
networks.</DELETED>
<DELETED> (b) Compliance Required.--The President shall ensure that
each Federal agency and each such system or network implements the
secure domain name addressing system in accordance with the schedule
published by the Assistant Secretary.</DELETED>
<DELETED>SEC. 10. PROMOTING CYBERSECURITY AWARENESS.</DELETED>
<DELETED> The Secretary of Commerce shall develop and implement a
national cybersecurity awareness campaign that--</DELETED>
<DELETED> (1) is designed to heighten public awareness of
cybersecurity issues and concerns;</DELETED>
<DELETED> (2) communicates the Federal Government's role in
securing the Internet and protecting privacy and civil
liberties with respect to Internet-related activities;
and</DELETED>
<DELETED> (3) utilizes public and private sector means of
providing information to the public, including public service
announcements.</DELETED>
<DELETED>SEC. 11. FEDERAL CYBERSECURITY RESEARCH AND
DEVELOPMENT.</DELETED>
<DELETED> (a) Fundamental Cybersecurity Research.--The Director of
the National Science Foundation shall give priority to computer and
information science and engineering research to ensure substantial
support is provided to meet the following challenges in
cybersecurity:</DELETED>
<DELETED> (1) How to design and build complex software-
intensive systems that are secure and reliable when first
deployed.</DELETED>
<DELETED> (2) How to test and verify that software, whether
developed locally or obtained from a third party, is free of
significant known security flaws.</DELETED>
<DELETED> (3) How to test and verify that software obtained
from a third party correctly implements stated functionality,
and only that functionality.</DELETED>
<DELETED> (4) How to guarantee the privacy of an
individual's identity, information, or lawful transactions when
stored in distributed systems or transmitted over
networks.</DELETED>
<DELETED> (5) How to build new protocols to enable the
Internet to have robust security as one of its key
capabilities.</DELETED>
<DELETED> (6) How to determine the origin of a message
transmitted over the Internet.</DELETED>
<DELETED> (7) How to support privacy in conjunction with
improved security.</DELETED>
<DELETED> (8) How to address the growing problem of insider
threat.</DELETED>
<DELETED> (b) Secure Coding Research.--The Director shall support
research that evaluates selected secure coding education and
improvement programs. The Director shall also support research on new
methods of integrating secure coding improvement into the core
curriculum of computer science programs and of other programs where
graduates have a substantial probability of developing software after
graduation.</DELETED>
<DELETED> (c) Assessment of Secure Coding Education in Colleges and
Universities.--Within 1 year after the date of enactment of this Act,
the Director shall submit to the Senate Committee on Commerce, Science,
and Transportation and the House of Representatives Committee on
Science and Technology a report on the state of secure coding education
in America's colleges and universities for each school that received
National Science Foundation funding in excess of $1,000,000 during
fiscal year 2008. The report shall include--</DELETED>
<DELETED> (1) the number of students who earned
undergraduate degrees in computer science or in each other
program where graduates have a substantial probability of being
engaged in software design or development after
graduation;</DELETED>
<DELETED> (2) the percentage of those students who completed
substantive secure coding education or improvement programs
during their undergraduate experience; and</DELETED>
<DELETED> (3) descriptions of the length and content of the
education and improvement programs, and a measure of the
effectiveness of those programs in enabling the students to
master secure coding and design.</DELETED>
<DELETED> (d) Cybersecurity Modeling and Testbeds.--The Director
shall establish a program to award grants to institutions of higher
education to establish cybersecurity testbeds capable of realistic
modeling of real-time cyber attacks and defenses. The purpose of this
program is to support the rapid development of new cybersecurity
defenses, techniques, and processes by improving understanding and
assessing the latest technologies in a real-world environment. The
testbeds shall be sufficiently large in order to model the scale and
complexity of real world networks and environments.</DELETED>
<DELETED> (e) NSF Computer and Network Security Research Grant
Areas.--Section 4(a)(1) of the Cybersecurity Research and Development
Act (15 U.S.C. 7403(a)(1)) is amended--</DELETED>
<DELETED> (1) by striking ``and'' after the semicolon in
subparagraph (H);</DELETED>
<DELETED> (2) by striking ``property.'' in subparagraph (I)
and inserting ``property;''; and</DELETED>
<DELETED> (3) by adding at the end the following:</DELETED>
<DELETED> ``(J) secure fundamental protocols that are at the
heart of inter-network communications and data
exchange;</DELETED>
<DELETED> ``(K) secure software engineering and software
assurance, including--</DELETED>
<DELETED> ``(i) programming languages and systems
that include fundamental security features;</DELETED>
<DELETED> ``(ii) portable or reusable code that
remains secure when deployed in various
environments;</DELETED>
<DELETED> ``(iii) verification and validation
technologies to ensure that requirements and
specifications have been implemented; and</DELETED>
<DELETED> ``(iv) models for comparison and metrics
to assure that required standards have been
met;</DELETED>
<DELETED> ``(L) holistic system security that--</DELETED>
<DELETED> ``(i) addresses the building of secure
systems from trusted and untrusted
components;</DELETED>
<DELETED> ``(ii) proactively reduces
vulnerabilities;</DELETED>
<DELETED> ``(iii) addresses insider threats;
and</DELETED>
<DELETED> ``(iv) supports privacy in conjunction
with improved security;</DELETED>
<DELETED> ``(M) monitoring and detection; and</DELETED>
<DELETED> ``(N) mitigation and rapid recovery
methods.''.</DELETED>
<DELETED> (f) NSF Computer and Network Security Grants.--Section
4(a)(3) of the Cybersecurity Research and Development Act (15 U.S.C.
7403(a)(3)) is amended--</DELETED>
<DELETED> (1) by striking ``and'' in subparagraph
(D);</DELETED>
<DELETED> (2) by striking ``2007'' in subparagraph (E) and
inserting ``2007;''; and</DELETED>
<DELETED> (3) by adding at the end of the
following:</DELETED>
<DELETED> ``(F) $150,000,000 for fiscal year
2010;</DELETED>
<DELETED> ``(G) $155,000,000 for fiscal year
2011;</DELETED>
<DELETED> ``(H) $160,000,000 for fiscal year
2012;</DELETED>
<DELETED> ``(I) $165,000,000 for fiscal year 2013;
and</DELETED>
<DELETED> ``(J) $170,000,000 for fiscal year
2014.''.</DELETED>
<DELETED> (g) Computer and Network Security Centers.--Section
4(b)(7) of such Act (15 U.S.C. 7403(b)(7)) is amended--</DELETED>
<DELETED> (1) by striking ``and'' in subparagraph
(D);</DELETED>
<DELETED> (2) by striking ``2007'' in subparagraph (E) and
inserting ``2007;''; and</DELETED>
<DELETED> (3) by adding at the end of the
following:</DELETED>
<DELETED> ``(F) $50,000,000 for fiscal year
2010;</DELETED>
<DELETED> ``(G) $52,000,000 for fiscal year
2011;</DELETED>
<DELETED> ``(H) $54,000,000 for fiscal year
2012;</DELETED>
<DELETED> ``(I) $56,000,000 for fiscal year 2013;
and</DELETED>
<DELETED> ``(J) $58,000,000 for fiscal year
2014.''.</DELETED>
<DELETED> (h) Computer and Network Security Capacity Building
Grants.--Section 5(a)(6) of such Act (15 U.S.C. 7404(a)(6)) is
amended--</DELETED>
<DELETED> (1) by striking ``and'' in subparagraph
(D);</DELETED>
<DELETED> (2) by striking ``2007'' in subparagraph (E) and
inserting ``2007;''; and</DELETED>
<DELETED> (3) by adding at the end of the
following:</DELETED>
<DELETED> ``(F) $40,000,000 for fiscal year
2010;</DELETED>
<DELETED> ``(G) $42,000,000 for fiscal year
2011;</DELETED>
<DELETED> ``(H) $44,000,000 for fiscal year
2012;</DELETED>
<DELETED> ``(I) $46,000,000 for fiscal year 2013;
and</DELETED>
<DELETED> ``(J) $48,000,000 for fiscal year
2014.''.</DELETED>
<DELETED> (i) Scientific and Advanced Technology Act Grants.--
Section 5(b)(2) of such Act (15 U.S.C. 7404(b)(2)) is amended--
</DELETED>
<DELETED> (1) by striking ``and'' in subparagraph
(D);</DELETED>
<DELETED> (2) by striking ``2007'' in subparagraph (E) and
inserting ``2007;''; and</DELETED>
<DELETED> (3) by adding at the end of the
following:</DELETED>
<DELETED> ``(F) $5,000,000 for fiscal year
2010;</DELETED>
<DELETED> ``(G) $6,000,000 for fiscal year
2011;</DELETED>
<DELETED> ``(H) $7,000,000 for fiscal year
2012;</DELETED>
<DELETED> ``(I) $8,000,000 for fiscal year 2013;
and</DELETED>
<DELETED> ``(J) $9,000,000 for fiscal year
2014.''.</DELETED>
<DELETED> (j) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is
amended--</DELETED>
<DELETED> (1) by striking ``and'' in subparagraph
(D);</DELETED>
<DELETED> (2) by striking ``2007'' in subparagraph (E) and
inserting ``2007;''; and</DELETED>
<DELETED> (3) by adding at the end of the
following:</DELETED>
<DELETED> ``(F) $20,000,000 for fiscal year
2010;</DELETED>
<DELETED> ``(G) $22,000,000 for fiscal year
2011;</DELETED>
<DELETED> ``(H) $24,000,000 for fiscal year
2012;</DELETED>
<DELETED> ``(I) $26,000,000 for fiscal year 2013;
and</DELETED>
<DELETED> ``(J) $28,000,000 for fiscal year
2014.''.</DELETED>
<DELETED> (k) Cybersecurity Faculty Development Traineeship
Program.--Section 5(e)(9) of such Act (15 U.S.C. 7404(e)(9)) is amended
by striking ``2007.'' and inserting ``2007 and for each of fiscal years
2010 through 2014.''.</DELETED>
<DELETED> (l) Networking and Information Technology Research and
Development Program.--Section 204(a)(1) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5524(a)(1)) is amended--</DELETED>
<DELETED> (1) by striking ``and'' after the semicolon in
subparagraph (B); and</DELETED>
<DELETED> (2) by inserting after subparagraph (C) the
following:</DELETED>
<DELETED> ``(D) develop and propose standards and
guidelines, and develop measurement techniques and test
methods, for enhanced cybersecurity for computer
networks and common user interfaces to systems;
and''.</DELETED>
<DELETED>SEC. 12. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE
PROGRAM.</DELETED>
<DELETED> (a) In General.--The Director of the National Science
Foundation shall establish a Federal Cyber Scholarship-for-Service
program to recruit and train the next generation of Federal information
technology workers and security managers.</DELETED>
<DELETED> (b) Program Description and Components.--The program--
</DELETED>
<DELETED> (1) shall provide scholarships, that provide full
tuition, fees, and a stipend, for up to 1,000 students per year
in their pursuit of undergraduate or graduate degrees in the
cybersecurity field;</DELETED>
<DELETED> (2) shall require scholarship recipients, as a
condition of receiving a scholarship under the program, to
agree to serve in the Federal information technology workforce
for a period equal to the length of the scholarship following
graduation if offered employment in that field by a Federal
agency;</DELETED>
<DELETED> (3) shall provide opportunities for students to
receive temporary appointments for meaningful employment in the
Federal information technology workforce during school vacation
periods and for internships;</DELETED>
<DELETED> (4) shall provide a procedure for identifying
promising K-12 students for participation in summer work and
internship programs that would lead to certification of Federal
information technology workforce standards and possible future
employment; and</DELETED>
<DELETED> (5) shall examine and develop, if appropriate,
programs to promote computer security awareness in secondary
and high school classrooms.</DELETED>
<DELETED> (c) Hiring Authority.--For purposes of any law or
regulation governing the appointment of individuals in the Federal
civil service, upon the successful completion of their studies,
students receiving a scholarship under the program shall be hired under
the authority provided for in section 213.3102(r) of title 5, Code of
Federal Regulations, and be exempt from competitive service. Upon
fulfillment of the service term, such individuals shall be converted to
a competitive service position without competition if the individual
meets the requirements for that position.</DELETED>
<DELETED> (d) Eligibility.--To be eligible to receive a scholarship
under this section, an individual shall--</DELETED>
<DELETED> (1) be a citizen of the United States;
and</DELETED>
<DELETED> (2) demonstrate a commitment to a career in
improving the Nation's cyber defenses.</DELETED>
<DELETED> (e) Consideration and Preference.--In making selections
for scholarships under this section, the Director shall--</DELETED>
<DELETED> (1) consider, to the extent possible, a diverse
pool of applicants whose interests are of an interdisciplinary
nature, encompassing the social scientific as well as the
technical dimensions of cyber security; and</DELETED>
<DELETED> (2) give preference to applicants that have
participated in the competition and challenge described in
section 13.</DELETED>
<DELETED> (f) Evaluation and Report.--The Director shall evaluate
and report to the Senate Committee on Commerce, Science, and
Transportation and the House of Representatives Committee on Science
and Technology on the success of recruiting individuals for the
scholarships.</DELETED>
<DELETED> (g) Authorization of Appropriations.--There are authorized
to be appropriated to the National Science Foundation to carry out this
section--</DELETED>
<DELETED> (1) $50,000,000 for fiscal year 2010;</DELETED>
<DELETED> (2) $55,000,000 for fiscal year 2011;</DELETED>
<DELETED> (3) $60,000,000 for fiscal year 2012;</DELETED>
<DELETED> (4) $65,000,000 for fiscal year 2013;
and</DELETED>
<DELETED> (5) $70,000,000 for fiscal year 2014.</DELETED>
<DELETED>SEC. 13. CYBERSECURITY COMPETITION AND CHALLENGE.</DELETED>
<DELETED> (a) In General.--The Director of the National Institute of
Standards and Technology, directly or through appropriate Federal
entities, shall establish cybersecurity competitions and challenges
with cash prizes in order to--</DELETED>
<DELETED> (1) attract, identify, evaluate, and recruit
talented individuals for the Federal information technology
workforce; and</DELETED>
<DELETED> (2) stimulate innovation in basic and applied
cybersecurity research, technology development, and prototype
demonstration that have the potential for application to the
Federal information technology activities of the Federal
Government.</DELETED>
<DELETED> (b) Types of Competitions and Challenges.--The Director
shall establish different competitions and challenges targeting the
following groups:</DELETED>
<DELETED> (1) High school students.</DELETED>
<DELETED> (2) Undergraduate students.</DELETED>
<DELETED> (3) Graduate students.</DELETED>
<DELETED> (4) Academic and research institutions.</DELETED>
<DELETED> (c) Topics.--In selecting topics for prize competitions,
the Director shall consult widely both within and outside the Federal
Government, and may empanel advisory committees.</DELETED>
<DELETED> (d) Advertising.--The Director shall widely advertise
prize competitions, in coordination with the awareness campaign under
section 10, to encourage participation.</DELETED>
<DELETED> (e) Requirements and Registration.--For each prize
competition, the Director shall publish a notice in the Federal
Register announcing the subject of the competition, the rules for being
eligible to participate in the competition, the amount of the prize,
and the basis on which a winner will be selected.</DELETED>
<DELETED> (f) Eligibility.--To be eligible to win a prize under this
section, an individual or entity--</DELETED>
<DELETED> (1) shall have registered to participate in the
competition pursuant to any rules promulgated by the Director
under subsection (d);</DELETED>
<DELETED> (2) shall have complied with all the requirements
under this section;</DELETED>
<DELETED> (3) in the case of a private entity, shall be
incorporated in and maintain a primary place of business in the
United States, and in the case of an individual, whether
participating singly or in a group, shall be a citizen or
permanent resident of the United States; and</DELETED>
<DELETED> (4) shall not be a Federal entity or Federal
employee acting within the scope of his or her
employment.</DELETED>
<DELETED> (g) Judges.--For each competition, the Director, either
directly or through an agreement under subsection (h), shall assemble a
panel of qualified judges to select the winner or winners of the prize
competition. Judges for each competition shall include individuals from
the private sector. A judge may not--</DELETED>
<DELETED> (1) have personal or financial interests in, or be
an employee, officer, director, or agent of any entity that is
a registered participant in a competition; or</DELETED>
<DELETED> (2) have a familial or financial relationship with
an individual who is a registered participant.</DELETED>
<DELETED> (h) Administering the Competition.--The Director may enter
into an agreement with a private, nonprofit entity to administer the
prize competition, subject to the provisions of this section.</DELETED>
<DELETED> (i) Funding.--</DELETED>
<DELETED> (1) Prizes.--Prizes under this section may consist
of Federal appropriated funds and funds provided by the private
sector for such cash prizes. The Director may accept funds from
other Federal agencies for such cash prizes. The Director may
not give special consideration to any private sector entity in
return for a donation.</DELETED>
<DELETED> (2) Use of unexpended funds.--Notwithstanding any
other provision of law, funds appropriated for prize awards
under this section shall remain available until expended, and
may be transferred, reprogrammed, or expended for other
purposes only after the expiration of 10 fiscal years after the
fiscal year for which the funds were originally appropriated.
No provision in this section permits obligation or payment of
funds in violation of the Anti-Deficiency Act (31 U.S.C.
1341).</DELETED>
<DELETED> (3) Funding required before prize announced.--No
prize may be announced until all the funds needed to pay out
the announced amount of the prize have been appropriated or
committed in writing by a private source. The Director may
increase the amount of a prize after an initial announcement is
made under subsection (d) if--</DELETED>
<DELETED> (A) notice of the increase is provided in
the same manner as the initial notice of the prize;
and</DELETED>
<DELETED> (B) the funds needed to pay out the
announced amount of the increase have been appropriated
or committed in writing by a private source.</DELETED>
<DELETED> (4) Notice required for large awards.--No prize
competition under this section may offer a prize in an amount
greater than $5,000,000 unless 30 days have elapsed after
written notice has been transmitted to the Senate Committee on
Commerce, Science, and Transportation and the House of
Representatives Committee on Science and Technology.</DELETED>
<DELETED> (5) Director's approval required for certain
awards.--No prize competition under this section may result in
the award of more than $1,000,000 in cash prizes without the
approval of the Director.</DELETED>
<DELETED> (j) Use of Federal Insignia.--A registered participant in
a competition under this section may use any Federal agency's name,
initials, or insignia only after prior review and written approval by
the Director.</DELETED>
<DELETED> (k) Compliance With Existing Law.--The Federal Government
shall not, by virtue of offering or providing a prize under this
section, be responsible for compliance by registered participants in a
prize competition with Federal law, including licensing, export
control, and non-proliferation laws and related regulations.</DELETED>
<DELETED> (l) Authorization of Appropriations.--There are authorized
to be appropriated to the National Institute of Standards and
Technology to carry out this section $15,000,000 for each of fiscal
years 2010 through 2014.</DELETED>
<DELETED>SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.</DELETED>
<DELETED> (a) Designation.--The Department of Commerce shall serve
as the clearinghouse of cybersecurity threat and vulnerability
information to Federal Government and private sector owned critical
infrastructure information systems and networks.</DELETED>
<DELETED> (b) Functions.--The Secretary of Commerce--</DELETED>
<DELETED> (1) shall have access to all relevant data
concerning such networks without regard to any provision of
law, regulation, rule, or policy restricting such
access;</DELETED>
<DELETED> (2) shall manage the sharing of Federal Government
and other critical infrastructure threat and vulnerability
information between the Federal Government and the persons
primarily responsible for the operation and maintenance of the
networks concerned; and</DELETED>
<DELETED> (3) shall report regularly to the Congress on
threat information held by the Federal Government that is not
shared with the persons primarily responsible for the operation
and maintenance of the networks concerned.</DELETED>
<DELETED> (c) Information Sharing Rules and Procedures.--Within 90
days after the date of enactment of this Act, the Secretary shall
publish in the Federal Register a draft description of rules and
procedures on how the Federal Government will share cybersecurity
threat and vulnerability information with private sector critical
infrastructure information systems and networks owners. After a 30 day
comment period, the Secretary shall publish a final description of the
rules and procedures. The description shall include--</DELETED>
<DELETED> (1) the rules and procedures on how the Federal
Government will share cybersecurity threat and vulnerability
information with private sector critical infrastructure
information systems and networks owners;</DELETED>
<DELETED> (2) the criteria in which private sector owners of
critical infrastructure information systems and networks shall
share actionable cybersecurity threat and vulnerability
information and relevant data with the Federal Government;
and</DELETED>
<DELETED> (3) any other rule or procedure that will enhance
the sharing of cybersecurity threat and vulnerability
information between private sector owners of critical
infrastructure information systems and networks and the Federal
Government.</DELETED>
<DELETED>SEC. 15. CYBERSECURITY RISK MANAGEMENT REPORT.</DELETED>
<DELETED> Within 1 year after the date of enactment of this Act, the
President, or the President's designee, shall report to the Senate
Committee on Commerce, Science, and Transportation and the House of
Representatives Committee on Science and Technology on the feasibility
of--</DELETED>
<DELETED> (1) creating a market for cybersecurity risk
management, including the creation of a system of civil
liability and insurance (including government reinsurance);
and</DELETED>
<DELETED> (2) requiring cybersecurity to be a factor in all
bond ratings.</DELETED>
<DELETED>SEC. 16. LEGAL FRAMEWORK REVIEW AND REPORT.</DELETED>
<DELETED> (a) In General.--Within 1 year after the date of enactment
of this Act, the President, or the President's designee, through an
appropriate entity, shall complete a comprehensive review of the
Federal statutory and legal framework applicable to cyber-related
activities in the United States, including--</DELETED>
<DELETED> (1) the Privacy Protection Act of 1980 (42 U.S.C.
2000aa);</DELETED>
<DELETED> (2) the Electronic Communications Privacy Act of
1986 (18 U.S.C. 2510 note);</DELETED>
<DELETED> (3) the Computer Security Act of 1987 (15 U.S.C.
271 et seq.; 40 U.S.C. 759);</DELETED>
<DELETED> (4) the Federal Information Security Management
Act of 2002 (44 U.S.C. 3531 et seq.);</DELETED>
<DELETED> (5) the E-Government Act of 2002 (44 U.S.C. 9501
et seq.);</DELETED>
<DELETED> (6) the Defense Production Act of 1950 (50 U.S.C.
App. 2061 et seq.);</DELETED>
<DELETED> (7) any other Federal law bearing upon cyber-
related activities; and</DELETED>
<DELETED> (8) any applicable Executive Order or agency rule,
regulation, or guideline.</DELETED>
<DELETED> (b) Report.--Upon completion of the review, the President,
or the President's designee, shall submit a report to the Senate
Committee on Commerce, Science, and Transportation, the House of
Representatives Committee on Science and Technology, and other
appropriate Congressional Committees containing the President's, or the
President's designee's, findings, conclusions, and
recommendations.</DELETED>
<DELETED>SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT.</DELETED>
<DELETED> Within 1 year after the date of enactment of this Act, the
President, or the President's designee, shall review, and report to
Congress, on the feasibility of an identity management and
authentication program, with the appropriate civil liberties and
privacy protections, for government and critical infrastructure
information systems and networks.</DELETED>
<DELETED>SEC. 18. CYBERSECURITY RESPONSIBILITIES AND
AUTHORITY.</DELETED>
<DELETED> The President--</DELETED>
<DELETED> (1) within 1 year after the date of enactment of
this Act, shall develop and implement a comprehensive national
cybersecurity strategy, which shall include--</DELETED>
<DELETED> (A) a long-term vision of the Nation's
cybersecurity future; and</DELETED>
<DELETED> (B) a plan that encompasses all aspects of
national security, including the participation of the
private sector, including critical infrastructure
operators and managers;</DELETED>
<DELETED> (2) may declare a cybersecurity emergency and
order the limitation or shutdown of Internet traffic to and
from any compromised Federal Government or United States
critical infrastructure information system or
network;</DELETED>
<DELETED> (3) shall designate an agency to be responsible
for coordinating the response and restoration of any Federal
Government or United States critical infrastructure information
system or network affected by a cybersecurity emergency
declaration under paragraph (2);</DELETED>
<DELETED> (4) shall, through the appropriate department or
agency, review equipment that would be needed after a
cybersecurity attack and develop a strategy for the
acquisition, storage, and periodic replacement of such
equipment;</DELETED>
<DELETED> (5) shall direct the periodic mapping of Federal
Government and United States critical infrastructure
information systems or networks, and shall develop metrics to
measure the effectiveness of the mapping process;</DELETED>
<DELETED> (6) may order the disconnection of any Federal
Government or United States critical infrastructure information
systems or networks in the interest of national
security;</DELETED>
<DELETED> (7) shall, through the Office of Science and
Technology Policy, direct an annual review of all Federal cyber
technology research and development investments;</DELETED>
<DELETED> (8) may delegate original classification authority
to the appropriate Federal official for the purposes of
improving the Nation's cybersecurity posture;</DELETED>
<DELETED> (9) shall, through the appropriate department or
agency, promulgate rules for Federal professional
responsibilities regarding cybersecurity, and shall provide to
the Congress an annual report on Federal agency compliance with
those rules;</DELETED>
<DELETED> (10) shall withhold additional compensation,
direct corrective action for Federal personnel, or terminate a
Federal contract in violation of Federal rules, and shall
report any such action to the Congress in an unclassified
format within 48 hours after taking any such action;
and</DELETED>
<DELETED> (11) shall notify the Congress within 48 hours
after providing a cyber-related certification of legality to a
United States person.</DELETED>
<DELETED>SEC. 19. QUADRENNIAL CYBER REVIEW.</DELETED>
<DELETED> (a) In General.--Beginning with 2013 and in every fourth
year thereafter, the President, or the President's designee, shall
complete a review of the cyber posture of the United States, including
an unclassified summary of roles, missions, accomplishments, plans, and
programs. The review shall include a comprehensive examination of the
cyber strategy, force structure, modernization plans, infrastructure,
budget plan, the Nation's ability to recover from a cyberemergency, and
other elements of the cyber program and policies with a view toward
determining and expressing the cyber strategy of the United States and
establishing a revised cyber program for the next 4 years.</DELETED>
<DELETED> (b) Involvement of Cybersecurity Advisory Panel.--
</DELETED>
<DELETED> (1) The President, or the President's designee,
shall apprise the Cybersecurity Advisory Panel established or
designated under section 3, on an ongoing basis, of the work
undertaken in the conduct of the review.</DELETED>
<DELETED> (2) Not later than 1 year before the completion
date for the review, the Chairman of the Advisory Panel shall
submit to the President, or the President's designee, the
Panel's assessment of work undertaken in the conduct of the
review as of that date and shall include in the assessment the
recommendations of the Panel for improvements to the review,
including recommendations for additional matters to be covered
in the review.</DELETED>
<DELETED> (c) Assessment of Review.--Upon completion of the review,
the Chairman of the Advisory Panel, on behalf of the Panel, shall
prepare and submit to the President, or the President's designee, an
assessment of the review in time for the inclusion of the assessment in
its entirety in the report under subsection (d).</DELETED>
<DELETED> (d) Report.--Not later than September 30, 2013, and every
4 years thereafter, the President, or the President's designee, shall
submit to the relevant congressional Committees a comprehensive report
on the review. The report shall include--</DELETED>
<DELETED> (1) the results of the review, including a
comprehensive discussion of the cyber strategy of the United
States and the collaboration between the public and private
sectors best suited to implement that strategy;</DELETED>
<DELETED> (2) the threats examined for purposes of the
review and the scenarios developed in the examination of such
threats;</DELETED>
<DELETED> (3) the assumptions used in the review, including
assumptions relating to the cooperation of other countries and
levels of acceptable risk; and</DELETED>
<DELETED> (4) the Advisory Panel's assessment.</DELETED>
<DELETED>SEC. 20. JOINT INTELLIGENCE THREAT ASSESSMENT.</DELETED>
<DELETED> The Director of National Intelligence and the Secretary of
Commerce shall submit to the Congress an annual assessment of, and
report on, cybersecurity threats to and vulnerabilities of critical
national information, communication, and data network
infrastructure.</DELETED>
<DELETED>SEC. 21. INTERNATIONAL NORMS AND CYBERSECURITY DETERRENCE
MEASURES.</DELETED>
<DELETED> The President shall--</DELETED>
<DELETED> (1) work with representatives of foreign
governments--</DELETED>
<DELETED> (A) to develop norms, organizations, and
other cooperative activities for international
engagement to improve cybersecurity; and</DELETED>
<DELETED> (B) to encourage international cooperation
in improving cybersecurity on a global basis;
and</DELETED>
<DELETED> (2) provide an annual report to the Congress on
the progress of international initiatives undertaken pursuant
to subparagraph (A).</DELETED>
<DELETED>SEC. 22. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS
BOARD.</DELETED>
<DELETED> (a) Establishment.--There is established a Secure Products
and Services Acquisitions Board. The Board shall be responsible for
cybersecurity review and approval of high value products and services
acquisition and, in coordination with the National Institute of
Standards and Technology, for the establishment of appropriate
standards for the validation of software to be acquired by the Federal
Government. The Director of the National Institute of Standards and
Technology shall develop the review process and provide guidance to the
Board. In reviewing software under this subsection, the Board may
consider independent secure software validation and verification as a
key factor for approval.</DELETED>
<DELETED> (b) Acquisition Standards.--The Director, in cooperation
with the Office of Management and Budget and other appropriate Federal
agencies, shall ensure that the Board approval is included as a
prerequisite to the acquisition of any product or service--</DELETED>
<DELETED> (1) subject to review by the Board; and</DELETED>
<DELETED> (2) subject to Federal acquisition
standards.</DELETED>
<DELETED> (c) Acquisition Compliance.--After the publication of the
standards developed under subsection (a), any proposal submitted in
response to a request for proposals issued by a Federal agency shall
demonstrate compliance with any such applicable standard in order to
ensure that cybersecurity products and services are designed to be an
integral part of the overall acquisition.</DELETED>
<DELETED>SEC. 23. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Advisory panel.--The term ``Advisory Panel''
means the Cybersecurity Advisory Panel established or
designated under section 3.</DELETED>
<DELETED> (2) Cyber.--The term ``cyber'' means--</DELETED>
<DELETED> (A) any process, program, or protocol
relating to the use of the Internet or an intranet,
automatic data processing or transmission, or
telecommunication via the Internet or an intranet;
and</DELETED>
<DELETED> (B) any matter relating to, or involving
the use of, computers or computer networks.</DELETED>
<DELETED> (3) Federal government and united states critical
infrastructure information systems and networks.--The term
``Federal Government and United States critical infrastructure
information systems and networks'' includes--</DELETED>
<DELETED> (A) Federal Government information systems
and networks; and</DELETED>
<DELETED> (B) State, local, and nongovernmental
information systems and networks in the United States
designated by the President as critical infrastructure
information systems and networks.</DELETED>
<DELETED> (4) Internet.--The term ``Internet'' has the
meaning given that term by section 4(4) of the High-Performance
Computing Act of 1991 (15 U.S.C. 5503(4)).</DELETED>
<DELETED> (5) Network.--The term ``network'' has the meaning
given that term by section 4(5) of such Act (15 U.S.C.
5503(5)).</DELETED>
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Cybersecurity Act
of 2010''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Definitions.
Sec. 4. Procedure for designation of critical infrastructure
information systems.
TITLE I--WORKFORCE DEVELOPMENT
Sec. 101. Certification and training of cybersecurity professionals.
Sec. 102. Federal Cyber Scholarship-for-Service Program.
Sec. 103. Cybersecurity competition and challenge.
Sec. 104. Cybersecurity workforce plan.
Sec. 105. Measures of cybersecurity hiring effectiveness.
TITLE II--PLANS AND AUTHORITY
Sec. 201. Cybersecurity responsibilities and authorities.
Sec. 202. Biennial cyber review.
Sec. 203. Cybersecurity dashboard pilot project.
Sec. 204. NIST cybersecurity guidance.
Sec. 205. Legal framework review and report.
Sec. 206. Joint intelligence threat and vulnerability assessment.
Sec. 207. International norms and cybersecurity deterrence measures.
Sec. 208. Federal secure products and services acquisitions.
Sec. 209. Private sector access to classified information.
Sec. 210. Authentication and civil liberties report.
Sec. 211. Report on evaluation of certain identity authentication
functionalities.
TITLE III--CYBERSECURITY KNOWLEDGE DEVELOPMENT
Sec. 301. Promoting cybersecurity awareness and education.
Sec. 302. Federal cybersecurity research and development.
Sec. 303. Development of curricula for incorporating cybersecurity into
educational programs for future industrial
control system designers.
TITLE IV--PUBLIC-PRIVATE COLLABORATION
Sec. 401. Cybersecurity Advisory Panel.
Sec. 402. State and regional cybersecurity enhancement program.
Sec. 403. Public-private clearinghouse.
Sec. 404. Cybersecurity risk management report.
SEC. 2. FINDINGS.
The Congress finds the following:
(1) As a fundamental principle, cyberspace is a vital asset
for the nation and the United States should protect it using
all instruments of national power, in order to ensure national
security, public safety, economic prosperity, and the delivery
of critical services to the American public.
(2) President Obama has rightfully determined that ``our
digital infrastructure--the networks and computers we depend on
every day--will be treated . . . as a strategic national
asset''.
(3) According to the Obama Administration Cyberspace Policy
Review, ``the architecture of the Nation's digital
infrastructure is not secure or resilient. Without major
advances in the security of these systems or significant change
in how they are constructed or operated, it is doubtful that
the United States can protect itself from the growing threat of
cybercrime and state-sponsored intrusions and operations.''.
(4) With more than 85 percent of the Nation's critical
infrastructure owned and operated by the private sector, it is
vital that the public and private sectors cooperate to protect
this strategic national asset.
(5) According to the 2010 Annual Threat Assessment,
``sensitive information is stolen daily from both government
and private sector networks'' and ``we cannot protect
cyberspace without a coordinated and collaborative effort that
incorporates both the US private sector and our international
partners.''.
(6) The Director of National Intelligence testified before
the Congress on February 2, 2010, that intrusions are a stark
reminder of the importance of these cyber assets and should
serve as ``a wake-up call to those who have not taken this
problem seriously.''.
(7) The National Cybersecurity Coordinator, Howard Schmidt,
stated on March 2, 2010, ``we will not defeat our cyber
adversaries because they are weakening, we will defeat them by
becoming collectively stronger, through stronger technology, a
stronger cadre of security professionals, and stronger
partnerships.''.
(8) According to the National Journal, Mike McConnell, the
former Director of National Intelligence, told President Bush
in May 2007 that if the 9/11 attackers had chosen computers
instead of airplanes as their weapons and had waged a massive
assault on a United States bank, the economic consequences
would have been ``an order of magnitude greater'' than those
caused by the physical attack on the World Trade Center. Mike
McConnell has subsequently referred to cybersecurity as the
``soft underbelly of this country''.
(9) Paul Kurtz, a partner and chief operating officer of
Good Harbor Consulting as well as a senior advisor to the Obama
Transition Team for cybersecurity, has stated that the United
States is unprepared to respond to a ``cyber-Katrina'' and that
``a massive cyber disruption could have a cascading, long-term
impact without adequate co-ordination between government and
the private sector''.
(10) According to the February 2003 National Strategy to
Secure Cyberspace, ``our nation's critical infrastructures are
composed of public and private institutions in the sectors of
agriculture, food, water, public health, emergency services,
government, defense industrial base, information and
telecommunications, energy, transportation, banking finance,
chemicals and hazardous materials, and postal and shipping.
Cyberspace is their nervous system--the control system of our
country'' and that ``the cornerstone of America's cyberspace
security strategy is and will remain a public-private
partnership''.
(11) The Center for Strategic and International Studies
report on Cybersecurity for the 44th Presidency concluded that
(A) cybersecurity is now a major national security problem for
the United States, (B) decisions and actions must respect
privacy and civil liberties, and (C) only a comprehensive
national security strategy that embraces both the domestic and
international aspects of cybersecurity will make us more
secure. The report continued, stating that the United States
faces ``a long-term challenge in cyberspace from foreign
intelligence agencies and militaries, criminals, and others,
and that losing this struggle will wreak serious damage on the
economic health and national security of the United States''.
(12) James Lewis, Director and Senior Fellow, Technology
and Public Policy Program, Center for Strategic and
International Studies, testified on behalf of the Center for
Strategic and International Studies that ``the United States is
not organized for, and lacks a coherent national strategy for,
addressing cybersecurity''.
(13) The Cyber Strategic Inquiry 2008, sponsored by
Business Executives for National Security and executed by Booz
Allen Hamilton, recommended to ``establish a single voice for
cybersecurity within government'' concluding that the ``unique
nature of cybersecurity requires a new leadership paradigm''.
(14) Alan Paller, the Director of Research at the SANS
Institute, testified before the Congress that ``Congress can
reduce the threat of damage from these new cyber attacks both
against government and against the critical infrastructure by
shifting the government's cyber security emphasis from report
writing to automated, real-time defenses'' and that ``only
active White House leadership will get the job done''.
(15) A 2009 Partnership for Public Service study and
analysis report concluded that ``the Federal government will
be unable to combat cyber threats without a more coordinated,
sustained effort to increase cybersecurity expertise in the
federal workforce'' and that ``the President's success in
combating these threats . . . must include building a vibrant,
highly trained and dedicated cybersecurity workforce in this
country''.
SEC. 3. DEFINITIONS.
In this Act:
(1) Advisory panel.--The term ``Advisory Panel'' means the
Cybersecurity Advisory Panel established or designated under
section 401.
(2) Cybersecurity.--The term ``cybersecurity'' means
information security (as defined in section 3532(b)(1) of title
44, United States Code).
(3) Cybersecurity professional.--The term ``cybersecurity
professional'' means a person who maintains a certification
under section 101 of this Act.
(4) Information system.--The term ``information system''
has the meaning given that term by section 3532(b)(4) of title
44, United States Code, and includes industrial control systems
that are used for purposes described in that section.
(5) Internet.--The term ``Internet'' has the meaning given
that term by section 4(4) of the High-Performance Computing Act
of 1991 (15 U.S.C. 5503(4)).
(6) United States critical infrastructure information
system.--The term ``United States critical infrastructure
information system'' means an information system designated
under section 4 of this Act.
SEC. 4. PROCEDURE FOR DESIGNATION OF CRITICAL INFRASTRUCTURE
INFORMATION SYSTEMS.
(a) Establishment of Designation Procedure.--Within 90 days after
the date of enactment of this Act, or as soon thereafter as may be
practicable, the President, in consultation with sector coordinating
councils, relevant government agencies, and regulatory entities, shall
initiate a rulemaking in accordance with the requirements of chapter 5
of title 5, United States Code, to establish a procedure for the
designation of any information system the infiltration, incapacitation,
or disruption of which would have a debilitating impact on national
security, including national economic security and national public
health or safety, as a critical infrastructure information system under
this Act.
(b) Threshold Requirements.--The final rule, at a minimum, shall--
(1) set forth objective criteria that meet the standard in
section (a) for such designations generally;
(2) provide for emergency and temporary designations when
necessary and in the public interest;
(3) ensure the protection of confidential and proprietary
information associated with nongovernmental systems from
disclosure;
(4) ensure the protection of classified and sensitive
security information; and
(5) establish a procedure, in accordance with chapter 7 of
title 5, United States Code, by which the owner or operator of
an information system may appeal, or request modification of,
the designation of that system or network as a critical
infrastructure information system under this Act.
TITLE I--WORKFORCE DEVELOPMENT
SEC. 101. CERTIFICATION AND TRAINING OF CYBERSECURITY PROFESSIONALS.
(a) Study.--
(1) In general.--The President shall enter into an
agreement with the National Academies to conduct a
comprehensive study of government, academic, and private-sector
accreditation, training, and certification programs for
personnel working in cybersecurity. The agreement shall require
that the National Academies consult with sector coordinating
councils and relevant governmental agencies, regulatory
entities, and nongovernmental organizations in the course of
the study.
(2) Scope.--The study shall include--
(A) an evaluation of the body of knowledge and
various skills that specific categories of personnel
working in cybersecurity should possess in order to
secure information systems;
(B) an assessment of whether existing government,
academic, and private-sector accreditation, training,
and certification programs provide the body of
knowledge and skills described in subparagraph (A); and
(C) any other factors that should be considered for
any accreditation, training, and certification
programs.
(3) Report.--Not later than 1 year after the date of
enactment of this Act, the National Academies shall submit to
the President and the Congress a report on the results of the
study required by this subsection. The report shall include--
(A) findings regarding the state of cybersecurity
accreditation, training, and certification programs,
including specific areas of deficiency and demonstrable
progress; and
(B) recommendations for the improvement of
cybersecurity accreditation, training, and
certification programs.
(b) Federal Information Systems.--Beginning no later than 6 months
after receiving the report under subsection (a)(3), the President, in
close and regular consultation with sector coordinating councils and
relevant governmental agencies, regulatory entities, industry sectors,
and nongovernmental organizations, shall--
(1) develop and annually review and update--
(A) guidance for the identification and
categorization of positions for personnel conducting
cybersecurity functions within the Federal government;
and
(B) requirements for certification of personnel for
categories identified under subparagraph (A); and
(2) annually evaluate compliance with the requirements in
paragraph (1)(B).
(c) United States Critical Infrastructure Information Systems.--
(1) Identification, categorization, and certification of
positions.--Not later than 6 months after receiving the report
under section (a)(3), the President, in close and regular
consultation with sector coordinating councils and relevant
governmental agencies, regulatory entities, and nongovernmental
organizations, shall require owners and operators of United
States critical infrastructure information systems to develop
and annually review and update--
(A) guidance for the identification and
categorization of positions for personnel conducting
cybersecurity functions within their respective
information systems; and
(B) requirements for certification of personnel for
categories identified under subparagraph (A).
(2) Accreditation, training, and certification programs.--
Not later than 6 months after receiving the certification
requirements submitted under paragraph (1)(B), the President,
in consultation with sector coordinating councils, relevant
governmental agencies, regulatory entities, and nongovernmental
organizations, shall convene sector specific working groups to
establish auditable private-sector developed accreditation,
training, and certification programs for critical
infrastructure information system personnel working in
cybersecurity.
(3) Positive recognition.--Beginning no later than 1 year
after the President first convenes sector specific working
groups under paragraph (2), the President shall--
(A) recognize and promote auditable private-sector
developed accreditation, training, and certification
programs established in subsection (b); and
(B) on an ongoing basis, but not less frequently
than annually, review and reconsider recognitions under
subparagraph (A) in order to account for advances in
accreditation, training, and certification programs for
personnel working in cybersecurity.
(4) United States critical infrastructure information
systems compliance.--
(A) In general.--Beginning no later than 1 year
after the President first recognizes a program under
paragraph (3)(A), and on a semi-annual basis
thereafter, the President shall require each owner or
operator of a United States critical infrastructure
information system to report the results of independent
audits that evaluate compliance with the accreditation,
training, and certification programs recognized under
paragraph (3).
(B) Positive recognition.--The President, in
consultation with sector coordinating councils,
relevant governmental agencies, and regulatory
entities, and with the consent of individual companies,
may publicly recognize those owners and operators of
United States critical infrastructure information
systems whose independent audits demonstrate compliance
with the accreditation, training, and certification
programs recognized under paragraph (3).
(C) Collaborative remediation.--The President shall
require owners or operators of United States critical
infrastructure information systems that fail to
demonstrate substantial compliance with the
accreditation, training, and certification programs
recognized under paragraph (3) through 2 consecutive
independent audits, in consultation with sector
coordinating councils, relevant governmental agencies,
and regulatory entities, to collaboratively develop and
implement a remediation plan.
(d) Reference List for Consumers.--The President, in close and
regular consultation with sector coordinating councils and relevant
governmental agencies, regulatory entities, and nongovernmental
organizations, shall annually--
(1) evaluate the cybersecurity accreditation, training, and
certification programs identified in this section;
(2) identify those cybersecurity accreditation, training,
and certification programs whose rigor and effectiveness are
beneficial to cybersecurity; and
(3) publish a noncompulsory reference list of those
programs identified under paragraph (2).
SEC. 102. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) In General.--The Director of the National Science Foundation
shall establish a Federal Cyber Scholarship-for-Service program to
recruit and train the next generation of information technology
professionals and security managers for Federal, State, local, and
tribal governments.
(b) Program Description and Components.--The program shall--
(1) provide scholarships that provide full tuition, fees,
and a stipend, for up to 1,000 students per year in their
pursuit of undergraduate or graduate degrees in the
cybersecurity field;
(2) require scholarship recipients, as a condition of
receiving a scholarship under the program, to agree to serve in
a Federal, State, local, or tribal information technology
workforce for a period equal to the length of the scholarship
following graduation if offered employment in that field by a
Federal, State, local, or tribal agency;
(3) provide a procedure by which the Foundation or a
Federal agency may, consistent with regulations of the Office
of Personnel Management, request and fund security clearances
for scholarship recipients;
(4) provide opportunities for students to receive temporary
appointments for meaningful employment in the Federal
information technology workforce during school vacation periods
and for internships;
(5) provide a procedure for identifying promising K-12
students for participation in summer work and internship
programs that would lead to certification of Federal
information technology workforce standards and possible future
employment; and
(6) examine and develop, if appropriate, programs to
promote computer security awareness in secondary and high
school classrooms.
(c) Hiring Authority.--For purposes of any law or regulation
governing the appointment of individuals in the Federal civil service,
upon the successful completion of their studies, students receiving a
scholarship under the program shall be hired under the authority
provided for in section 213.3102(r) of title 5, Code of Federal
Regulations, and be exempt from competitive service. Upon satisfactory
fulfillment of the service term, such individuals may be converted to a
competitive service position without competition if the individual
meets the requirements for that position.
(d) Eligibility.--To be eligible to receive a scholarship under
this section, an individual shall--
(1) be a citizen of the United States;
(2) demonstrate a commitment to a career in improving the
Nation's cyber defenses; and
(3) have demonstrated a level of proficiency in math or
computer sciences.
(e) Evaluation and Report.--The Director shall evaluate and report
periodically to the Congress on the success of recruiting individuals
for the scholarships and on hiring and retaining those individuals in
the public sector workforce.
(f) Authorization of Appropriations.--There are authorized to be
appropriated to the National Science Foundation to carry out this
section--
(1) $50,000,000 for fiscal year 2010;
(2) $55,000,000 for fiscal year 2011;
(3) $60,000,000 for fiscal year 2012;
(4) $65,000,000 for fiscal year 2013; and
(5) $70,000,000 for fiscal year 2014.
SEC. 103. CYBERSECURITY COMPETITION AND CHALLENGE.
(a) In General.--The Director of the National Institute of
Standards and Technology, directly or through appropriate Federal
entities, shall establish cybersecurity competitions and challenges
with cash prizes, and promulgate rules for participation in such
competitions and challenges, in order to--
(1) attract, identify, evaluate, and recruit talented
individuals for the Federal information technology workforce;
and
(2) stimulate innovation in basic and applied cybersecurity
research, technology development, and prototype demonstration
that has the potential for application to the information
technology activities of the Federal Government.
(b) Types of Competitions and Challenges.--The Director shall
establish different competitions and challenges targeting the following
groups:
(1) Middle school students.
(2) High school students.
(3) Undergraduate students.
(4) Graduate students.
(5) Academic and research institutions.
(c) Topics.--In selecting topics for prize competitions, the
Director shall consult widely both within and outside the Federal
Government, and may empanel advisory committees.
(d) Advertising.--The Director shall widely advertise prize
competitions, in coordination with the awareness campaign under section
301, to encourage participation.
(e) Requirements and Registration.--For each prize competition, the
Director shall publish a notice in the Federal Register announcing the
subject of the competition, the rules for being eligible to participate
in the competition, the amount of the prize, and the basis on which a
winner will be selected.
(f) Eligibility.--To be eligible to win a prize under this section,
an individual or entity--
(1) shall have registered to participate in the competition
pursuant to any rules promulgated by the Director under
subsection (a);
(2) shall have complied with all the requirements under
this section;
(3) in the case of a public or private entity, shall be
incorporated in and maintain a primary place of business in the
United States, and in the case of an individual, whether
participating singly or in a group, shall be a citizen or
permanent resident of the United States; and
(4) shall not be a Federal entity or Federal employee
acting within the scope of his or her employment.
(g) Judges.--For each competition, the Director, either directly or
through an agreement under subsection (h), shall assemble a panel of
qualified judges to select the winner or winners of the prize
competition. Judges for each competition shall include individuals from
the private sector. A judge may not--
(1) have personal or financial interests in, or be an
employee, officer, director, or agent of any entity that is a
registered participant in a competition; or
(2) have a familial or financial relationship with an
individual who is a registered participant.
(h) Administering the Competition.--The Director may enter into an
agreement with a private, nonprofit entity to administer the prize
competition, subject to the provisions of this section.
(i) Funding.--
(1) Prizes.--Prizes under this section may consist of
Federal appropriated funds and funds provided by the private
sector for such cash prizes. The Director may accept funds from
other Federal agencies for such cash prizes. The Director may
not give special consideration to any private sector entity in
return for a donation.
(2) Funding required before prize announced.--No prize may
be announced until all the funds needed to pay out the
announced amount of the prize have been appropriated or
committed in writing by a private source. The Director may
increase the amount of a prize after an initial announcement is
made under subsection (d) if--
(A) notice of the increase is provided in the same
manner as the initial notice of the prize; and
(B) the funds needed to pay out the announced
amount of the increase have been appropriated or
committed in writing by a private source.
(3) Notice required for large awards.--No prize competition
under this section may offer a prize in an amount greater than
$5,000,000 unless 30 days have elapsed after written notice has
been transmitted to the Senate Committee on Commerce, Science,
and Transportation and the House of Representatives Committee
on Science and Technology.
(4) Director's approval required for certain awards.--No
prize competition under this section may result in the award of
more than $1,000,000 in cash prizes without the approval of the
Director.
(j) Use of Federal Insignia.--A registered participant in a
competition under this section may use any Federal agency's name,
initials, or insignia only after prior review and written approval by
the Director.
(k) Compliance With Existing Law.--The Federal Government shall
not, by virtue of offering or providing a prize under this section, be
responsible for compliance by registered participants in a prize
competition with Federal law, including licensing, export control, and
non-proliferation laws and related regulations.
(l) Authorization of Appropriations.--There are authorized to be
appropriated to the National Institute of Standards and Technology to
carry out this section $15,000,000 for each of fiscal years 2010
through 2014.
SEC. 104. CYBERSECURITY WORKFORCE PLAN.
(a) Development of Plan.--Not later than 180 days after the date of
enactment of this Act and in every subsequent year, the head of each
Federal agency, based on guidance from the President, the Office of
Personnel Management, the Chief Human Capital Officers Council, and the
Chief Information Officers Council, shall develop a strategic
cybersecurity workforce plan as part of the agency performance plan
required under section 1115 of title 31, United States Code. The plan
shall include--
(1) cybersecurity hiring projections, including occupation
and grade level, over a 2-year period;
(2) long-term and short-term strategic planning to address
critical skills deficiencies, including analysis of the numbers
of and reasons for cybersecurity employee attrition;
(3) recruitment strategies, including the use of student
internships, to attract highly qualified candidates from
diverse backgrounds;
(4) an assessment of the sources and availability of talent
with needed expertise;
(5) streamlining the hiring process;
(6) a specific analysis of the capacity of the agency
workforce to manage contractors who are performing
cybersecurity work on behalf of the Federal government;
(7) an analysis of the barriers to recruiting and hiring
cybersecurity talent, including compensation, classification,
hiring flexibilities, and the hiring process, and
recommendations to overcome those barriers; and
(8) a cybersecurity-related training and development plan
to enhance or keep current the knowledge level of employees.
(b) Hiring Projections.--Each Federal agency shall make hiring
projections made under its strategic cybersecurity workforce plan
available to the public, including on its website.
(c) Classification.--Based on the agency analyses and
recommendations made under subsection (a)(7) of this section and other
relevant information, the President or the President's designee, in
consultation with affected Federal agencies and councils, shall
coordinate the establishment of new job classifications for
cybersecurity functions in government and certification requirements
for each job category.
SEC. 105. MEASURES OF CYBERSECURITY HIRING EFFECTIVENESS.
(a) In General.--Each agency shall measure and collect information
on cybersecurity hiring effectiveness with respect to the following:
(1) Recruiting and hiring.--
(A) Ability to reach and recruit well-qualified
talent from diverse talent pools.
(B) Use and impact of special hiring authorities
and flexibilities to recruit most qualified applicants,
including the use of student internship and scholarship
programs as a talent pool for permanent hires.
(C) Use and impact of special hiring authorities
and flexibilities to recruit diverse candidates,
including veteran, minority, and disabled candidates.
(D) The age, educational level, and source of
applicants.
(2) Hiring manager assessment.--
(A) Manager satisfaction with the quality of the
applicants interviewed and new hires.
(B) Manager satisfaction with the match between the
skills of newly hired individuals and the needs of the
agency.
(C) Manager satisfaction with the hiring process
and hiring outcomes.
(D) Mission-critical deficiencies closed by new
hires and the connection between mission-critical
deficiencies and annual agency performance.
(E) Manager satisfaction with the length of time to
fill a position.
(3) Applicant assessment.--Applicant satisfaction with the
hiring process (including clarity of job announcement, reasons
for withdrawal of application should that apply, user-
friendliness of the application process, communication
regarding status of application, and timeliness of job offer).
(4) New hire assessment.--
(A) New hire satisfaction with the hiring process
(including clarity of job announcement, user-
friendliness of the application process, communication
regarding status of application, and timeliness of
hiring decision).
(B) Satisfaction with the onboarding experience
(including timeliness of onboarding after the hiring
decision, welcoming and orientation processes, and
being provided with timely and useful new employee
information and assistance).
(C) New hire attrition, including by performance
level and occupation.
(D) Investment in training and development for
employees during their first year of employment.
(E) Exit interview results.
(F) Other indicators and measures as required by
the Office of Personnel Management.
(b) Reports.--
(1) In general.--Each agency shall submit the information
collected under subsection (a) to the Office of Personnel
Management annually in accordance with the regulations
prescribed under subsection (c).
(2) Availability of recruiting and hiring information.--
Each year the Office of Personnel Management shall provide the
information received under paragraph (1) in a consistent format
to allow for a comparison of hiring effectiveness and
experience across demographic groups and agencies to--
(A) the Congress before that information is made
publicly available; and
(B) the public on the website of the Office within
90 days after receipt of the information under
subsection (b)(1).
(c) Regulations.--Not later than 180 days after the date of
enactment of this Act, the Director of the Office of Personnel
Management shall prescribe regulations establishing the methodology,
timing, and reporting of the data described in subsection (a).
TITLE II--PLANS AND AUTHORITY
SEC. 201. CYBERSECURITY RESPONSIBILITIES AND AUTHORITIES.
(a) In General.--The President shall--
(1) within 180 days after the date of enactment of this
Act, after notice and opportunity for public comment, develop
and implement a comprehensive national cybersecurity strategy,
which shall include--
(A) a long-term vision of the Nation's
cybersecurity future; and
(B) a plan that addresses all aspects of national
security, as it relates to cybersecurity, including the
proactive engagement of, and collaboration between, the
Federal government and the private sector;
(2) in consultation with sector coordinating councils and
relevant governmental agencies, regulatory entities, and
nongovernmental organizations, review critical functions likely
to be impacted by a cyber attack and develop a strategy for the
acquisition, storage, and periodic replacement of assets to
support those functions;
(3) through the Office of Science and Technology Policy,
direct an annual review of all Federal cyber technology
research and development investments; and
(4) through the Office of Personnel Management, promulgate
rules for Federal professional responsibilities regarding
cybersecurity, and provide to the Congress an annual report on
Federal agency compliance with those rules.
(b) Collaborative Emergency Response and Restoration.--The
President--
(1) shall, in collaboration with owners and operators of
United States critical infrastructure information systems,
sector coordinating councils and relevant governmental
agencies, regulatory entities, and nongovernmental
organizations, develop and rehearse detailed response and
restoration plans that clarify specific roles,
responsibilities, and authorities of government and private
sector actors during cybersecurity emergencies, and that
identify the types of events and incidents that would
constitute a cybersecurity emergency;
(2) may, in the event of an immediate threat to strategic
national interests involving compromised Federal Government or
United States critical infrastructure information systems--
(A) declare a cybersecurity emergency; and
(B) implement the collaborative emergency response
and restoration plans developed under paragraph (1);
(3) shall, in the event of a declaration of a cybersecurity
emergency--
(A) within 48 hours submit to Congress a report in
writing setting forth--
(i) the circumstances necessitating the
emergency declaration; and
(ii) the estimated scope and duration of
the emergency; and
(B) so long as the cybersecurity emergency
declaration remains in effect, report to the Congress
periodically, but in no event less frequently than once
every 30 days, on the status of the emergency as well as on
the scope and duration of the emergency.
(c) Rule of Construction.--This section does not authorize, and
shall not be construed to authorize, an expansion of existing
Presidential authorities.
SEC. 202. BIENNIAL CYBER REVIEW.
(a) In General.--Beginning with 2010 and in every second year
thereafter, the President, or the President's designee, shall complete
a review of the cyber posture of the United States, including an
unclassified summary of roles, missions, accomplishments, plans, and
programs. The review shall include a comprehensive examination of the
cyber strategy, force structure, personnel, modernization plans,
infrastructure, budget plan, the Nation's ability to recover from a
cyber emergency, and other elements of the cyber program and policies
with a view toward determining and expressing the cyber strategy of the
United States and establishing a revised cyber program for the next 2
years.
(b) Involvement of Cybersecurity Advisory Panel.--
(1) The President, or the President's designee, shall
apprise the Cybersecurity Advisory Panel established or
designated under section 401, on an ongoing basis, of the work
undertaken in the conduct of the review.
(2) Not later than 1 year before the completion date for
the review, the Chairman of the Advisory Panel shall submit to
the President, or the President's designee, the Panel's
assessment of work undertaken in the conduct of the review as
of that date and shall include in the assessment the
recommendations of the Panel for improvements to the review,
including recommendations for additional matters to be covered
in the review.
(c) Assessment of Review.--Upon completion of the review, the
Chairman of the Advisory Panel, on behalf of the Panel, shall prepare
and submit to the President, or the President's designee, an assessment
of the review in time for the inclusion of the assessment in its
entirety in the report under subsection (d).
(d) Report.--Not later than September 30, 2010, and every 2 years
thereafter, the President, or the President's designee, shall submit to
the relevant congressional Committees a comprehensive report on the
review. The report shall include--
(1) the results of the review, including a comprehensive
discussion of the cyber strategy of the United States and the
collaboration between the public and private sectors best
suited to implement that strategy;
(2) the threats examined for purposes of the review and the
scenarios developed in the examination of such threats;
(3) the assumptions used in the review, including
assumptions relating to the cooperation of other countries and
levels of acceptable risk; and
(4) the Advisory Panel's assessment.
SEC. 203. CYBERSECURITY DASHBOARD PILOT PROJECT.
The Secretary of Commerce shall--
(1) in consultation with the Office of Management and
Budget, develop a plan within 90 days after the date of
enactment of this Act to implement a system to provide dynamic,
comprehensive, real-time cybersecurity status and vulnerability
information of all Federal Government information systems
managed by the Department of Commerce, including an inventory
of such, vulnerabilities of such systems, and corrective action
plans for those vulnerabilities;
(2) implement the plan within 1 year after the date of
enactment of this Act; and
(3) submit a report to the Congress on the implementation
of the plan.
SEC. 204. NIST CYBERSECURITY GUIDANCE.
(a) In General.--Beginning no later than 1 year after the date of
enactment of this Act, the National Institute of Standards and
Technology, in close and regular consultation with sector coordinating
councils and relevant governmental agencies, regulatory entities, and
nongovernmental organizations, shall--
(1) recognize and promote auditable, private sector
developed cybersecurity risk measurement techniques, risk
management measures and best practices for all Federal
Government and United States critical infrastructure
information systems; and
(2) on an ongoing basis, but not less frequently than semi-
annually, review and reconsider its recognitions under
paragraph (1) in order to account for advances in cybersecurity
risk measurement techniques, risk management measures, and best
practices.
(b) Federal Information Systems.--Within 1 year after the National
Institute of Standards and Technology issues guidance under subsection
(a)(1), the President shall require all Federal departments and
agencies to measure their risk in each operating unit using the
techniques recognized under subsection (a) and to comply with or exceed
the cybersecurity risk management measures and best practices
recognized under subsection (a).
(c) United States Critical Infrastructure Information Systems.--
(1) In general.--On the earlier of the date on which the
final rule in the rulemaking required by section 4 is
promulgated, or 1 year after the President first recognizes the
cybersecurity risk measurement techniques, risk management
measures and best practices under subsection (a), and on a
semi-annual basis thereafter, the President shall require each
owner or operator of a United States critical infrastructure
information system to report the results of independent audits
that evaluate compliance with cybersecurity risk measurement
techniques, risk management measures, and best practices
recognized under subsection (a).
(2) Positive recognition.--The President, in consultation
with sector coordinating councils, relevant governmental
agencies, and regulatory entities, and with the consent of
individual companies, may publicly recognize those owners and
operators of United States critical infrastructure information
systems whose independent audits demonstrate compliance with
cybersecurity risk measurement techniques, risk management
measures, and best practices recognized under subsection (a);
(3) Collaborative remediation.--The President shall require
owners or operators of United States critical infrastructure
information systems that fail to demonstrate substantial
compliance with cybersecurity risk measurement techniques, risk
management measures, and best practices recognized under
subsection (a) through 2 consecutive independent audits, in
consultation with sector coordinating councils, relevant
governmental agencies, and regulatory entities, to
collaboratively develop and implement a remediation plan.
(d) International Standards Development.--Within 1 year after the
date of enactment of this Act, the Director, in coordination with the
Department of State and other relevant governmental agencies and
regulatory entities, and in consultation with sector coordinating
councils and relevant nongovernmental organizations, shall--
(1) direct United States cybersecurity efforts before all
international standards development bodies related to
cybersecurity;
(2) develop and implement a strategy to engage
international standards bodies with respect to the development
of technical standards related to cybersecurity; and
(3) submit the strategy to the Congress.
(e) Criteria for Federal Information Systems.--Notwithstanding any
other provision of law (including any Executive Order), rule,
regulation, or guideline pertaining to the distinction between national
security systems and civilian agency systems, the Institute shall adopt
a risk-based approach in the development of Federal cybersecurity
guidance for Federal information systems.
(f) FCC Broadband Cybersecurity Review.--Within 1 year after the
date of enactment of this Act, the Federal Communications Commission
shall report to Congress on effective and efficient means to ensure the
cybersecurity of commercial broadband networks as related to public
safety, consumer welfare, healthcare, education, energy, government,
security and other national purposes. This report should also consider
consumer education and outreach programs to assist individuals in
protecting their home and personal computers and other devices.
(g) Elimination of Duplicative Requirements.--The President shall
direct the National Institute of Standards and Technology and other
appropriate Federal agencies to identify private sector entities
already required to report their compliance with cybersecurity laws,
directives, and regulations to streamline compliance with duplicative
reporting requirements.
SEC. 205. LEGAL FRAMEWORK REVIEW AND REPORT.
(a) In General.--Within 1 year after the date of enactment of this
Act, the Comptroller General shall complete a comprehensive review of
the Federal statutory and legal framework applicable to cybersecurity-
related activities in the United States, including--
(1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
(2) the Electronic Communications Privacy Act of 1986 (18
U.S.C. 2510 note);
(3) the Computer Security Act of 1987 (15 U.S.C. 271 et
seq.; 40 U.S.C. 759);
(4) the Federal Information Security Management Act of 2002
(44 U.S.C. 3531 et seq.);
(5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
(6) the Defense Production Act of 1950 (50 U.S.C. App. 2061
et seq.);
(7) section 552 of title 5, United States Code;
(8) the Federal Advisory Committee Act (5 U.S.C. App.);
(9) any other Federal law bearing upon cybersecurity-
related activities; and
(10) any applicable Executive Order or agency rule,
regulation, or guideline.
(b) Report.--Upon completion of the review the Comptroller General
shall submit a report to the Congress containing the Comptroller
General's findings, conclusions, and recommendations regarding changes
needed to advance cybersecurity and protect civil liberties in light of
new cybersecurity measures.
SEC. 206. JOINT INTELLIGENCE THREAT AND VULNERABILITY ASSESSMENT.
The Director of National Intelligence, the Secretary of Commerce,
the Secretary of Homeland Security, the Attorney General, the Secretary
of Defense, and the Secretary of State shall submit to the Congress a
joint assessment of, and report on, cybersecurity threats to and
vulnerabilities of Federal information systems and United States
critical infrastructure information systems.
SEC. 207. INTERNATIONAL NORMS AND CYBERSECURITY DETERRENCE MEASURES.
The President shall--
(1) work with representatives of foreign governments,
private sector entities, and nongovernmental organizations--
(A) to develop norms, organizations, and other
cooperative activities for international engagement to
improve cybersecurity; and
(B) to encourage international cooperation in
improving cybersecurity on a global basis; and
(2) provide an annual report to the Congress on the
progress of international initiatives undertaken pursuant to
subparagraph (A).
SEC. 208. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS.
(a) Acquisition Requirements.--The Administrator of the General
Services Administration, in cooperation with the Office of Management
and Budget and other appropriate Federal agencies, shall require that
requests for information and requests for proposals for Federal
information systems products and services include cybersecurity risk
measurement techniques, risk management measures, and best practices
recognized under section 204 and the cybersecurity professional
certifications recognized under section 101 of this Act.
(b) Acquisition Compliance.--After the publication of the
requirements established by the Administrator under subsection (a), a
Federal agency may not issue a request for proposals for Federal
information systems products and services that does not comply with the
requirements.
SEC. 209. PRIVATE SECTOR ACCESS TO CLASSIFIED INFORMATION.
(a) Evaluation.--The President shall conduct an annual evaluation
of the sufficiency of present access to classified information among
owners and operators of United States critical infrastructure
information systems and submit a report to the Congress on the
evaluation.
(b) Security Clearances.--To the extent determined by the President
to be necessary to enhance public-private information sharing and
cybersecurity collaboration, the President may--
(1) grant additional security clearances to owners and
operators of United States critical infrastructure information
systems; and
(2) delegate original classification authority to
appropriate Federal officials on matters related to
cybersecurity.
SEC. 210. AUTHENTICATION AND CIVIL LIBERTIES REPORT.
Within 1 year after the date of enactment of this Act, the
President, or the President's designee, in consultation with sector
coordinating councils, relevant governmental agencies, regulatory
entities, and nongovernmental organizations, shall review, and report
to Congress, on the feasibility of an identity management and
authentication program, with the appropriate civil liberties and
privacy protections, for Federal government and United States critical
infrastructure information systems.
SEC. 211. REPORT ON EVALUATION OF CERTAIN IDENTITY AUTHENTICATION
FUNCTIONALITIES.
(a) In General.--Not later than 90 days after the date of enactment
of this Act, the National Institute of Standards and Technology shall
issue a public report evaluating identity authentication solutions to
determine the necessary level of functionality and privacy protection,
based on risk, commensurate with the level of data assurance and
sensitivity, as defined by OMB e-Authentication Guidance Memorandum 04-
04 (OMB 04-04).
(b) Contents.--The report shall--
(1) assess strategies and best practices for mapping the 4
authentication levels with authentication functionalities
appropriate for each level; and
(2) address specifically authentication levels and
appropriate functionalities necessary and available for the
protection of electronic medical records and health
information.
TITLE III--CYBERSECURITY KNOWLEDGE DEVELOPMENT
SEC. 301. PROMOTING CYBERSECURITY AWARENESS AND EDUCATION.
(a) In General.--The Secretary of Commerce, in consultation with
sector coordinating councils, relevant governmental agencies,
regulatory entities, and nongovernmental organizations, shall develop
and implement a national cybersecurity awareness campaign that--
(1) calls a new generation of Americans to service in the
field of cybersecurity;
(2) heightens public awareness of cybersecurity issues and
concerns;
(3) communicates the Federal Government's role in securing
the Internet and protecting privacy and civil liberties with
respect to Internet-related activities; and
(4) utilizes public and private sector means of providing
information to the public, including public service
announcements.
(b) Educational Programs.--The Secretary of Education, in
consultation with State school superintendents, relevant Federal
agencies, industry sectors, and nongovernmental organizations, shall
identify and promote age-appropriate information and programs for
grades K-12 regarding cyber safety, cybersecurity, and cyber ethics.
SEC. 302. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) Fundamental Cybersecurity Research.--The Director of the
National Science Foundation, in coordination with the Office of Science
and Technology Policy, and drawing on the recommendations of the Office
of Science and Technology Policy's annual review of all Federal cyber
technology research and development investments required by section
201(a)(3), shall develop a national cybersecurity research and
development plan. The plan shall encourage computer and information
science and engineering research to meet the following challenges in
cybersecurity:
(1) How to design and build complex software-intensive
systems that are secure and reliable when first deployed.
(2) How to test and verify that software, whether developed
locally or obtained from a third party, is free of significant
known security flaws.
(3) How to test and verify that software obtained from a
third party correctly implements stated functionality, and only
that functionality.
(4) How to guarantee the privacy of an individual's
identity, information, or lawful transactions when stored in
distributed systems or transmitted over networks.
(5) How to build new protocols to enable the Internet to
have robust security as one of its key capabilities.
(6) How to determine the origin of a message transmitted
over the Internet.
(7) How to support privacy in conjunction with improved
security.
(8) How to address the growing problem of insider threat.
(9) How improved consumer education and digital literacy
initiatives can address human factors that contribute to
cybersecurity.
(b) Secure Coding Research.--The Director shall support research
that evaluates selected secure coding education and improvement
programs. The Director shall also support research on new methods of
integrating secure coding improvement into the core curriculum of
computer science programs and of other programs where graduates have a
substantial probability of developing software after graduation.
(c) Assessment of Secure Coding Education in Colleges and
Universities.--Within 1 year after the date of enactment of this Act,
the Director shall submit to the Senate Committee on Commerce, Science,
and Transportation and the House of Representatives Committee on
Science and Technology a report on the state of secure coding education
in America's colleges and universities for each school that received
National Science Foundation funding in excess of $1,000,000 during
fiscal year 2008. The report shall include--
(1) the number of students who earned undergraduate degrees
in computer science or in each other program where graduates
have a substantial probability of being engaged in software
design or development after graduation;
(2) the percentage of those students who completed
substantive secure coding education or improvement programs
during their undergraduate experience; and
(3) descriptions of the length and content of the education
and improvement programs and an evaluation of the effectiveness
of those programs based on the students' scores on standard
tests of secure coding and design skills.
(d) Cybersecurity Modeling and Testbeds.--Within 1 year after the
date of enactment of this Act, the Director shall conduct a review of
existing cybersecurity testbeds. Based on the results of that review,
the Director shall establish a program to award grants to institutions
of higher education to establish cybersecurity testbeds capable of
realistic modeling of real-time cyber attacks and defenses. The purpose
of this program is to support the rapid development of new
cybersecurity defenses, techniques, and processes by improving
understanding and assessing the latest technologies in a real-world
environment. The testbeds shall be sufficiently large in order to model
the scale and complexity of real world networks and environments.
(e) NSF Computer and Network Security Research Grant Areas.--
Section 4(a)(1) of the Cybersecurity Research and Development Act (15
U.S.C. 7403(a)(1)) is amended--
(1) by striking ``and'' after the semicolon in subparagraph
(H);
(2) by striking ``property.'' in subparagraph (I) and
inserting ``property;''; and
(3) by adding at the end the following:
``(J) secure fundamental protocols that are at the
heart of inter-network communications and data
exchange;
``(K) secure software engineering and software assurance,
including--
``(i) programming languages and systems
that include fundamental security features;
``(ii) portable or reusable code that
remains secure when deployed in various
environments;
``(iii) verification and validation
technologies to ensure that requirements and
specifications have been implemented; and
``(iv) models for comparison and metrics to
assure that required standards have been met;
``(L) holistic system security that--
``(i) addresses the building of secure
systems from trusted and untrusted components;
``(ii) proactively reduces vulnerabilities;
``(iii) addresses insider threats; and
``(iv) supports privacy in conjunction with
improved security;
``(M) monitoring and detection; and
``(N) mitigation and rapid recovery methods.''.
(f) NSF Computer and Network Security Grants.--Section 4(a)(3) of
the Cybersecurity Research and Development Act (15 U.S.C. 7403(a)(3))
is amended--
(1) by striking ``and'' in subparagraph (D);
(2) by striking ``2007.'' in subparagraph (E) and inserting
``2007;''; and
(3) by adding at the end the following:
``(F) $150,000,000 for fiscal year 2010;
``(G) $155,000,000 for fiscal year 2011;
``(H) $160,000,000 for fiscal year 2012;
``(I) $165,000,000 for fiscal year 2013; and
``(J) $170,000,000 for fiscal year 2014.''.
(g) Computer and Network Security Centers.--Section 4(b)(7) of such
Act (15 U.S.C. 7403(b)(7)) is amended--
(1) by striking ``and'' in subparagraph (D);
(2) by striking ``2007.'' in subparagraph (E) and inserting
``2007;''; and
(3) by adding at the end the following:
``(F) $50,000,000 for fiscal year 2010;
``(G) $52,000,000 for fiscal year 2011;
``(H) $54,000,000 for fiscal year 2012;
``(I) $56,000,000 for fiscal year 2013; and
``(J) $58,000,000 for fiscal year 2014.''.
(h) Computer and Network Security Capacity Building Grants.--
Section 5(a)(6) of such Act (15 U.S.C. 7404(a)(6)) is amended--
(1) by striking ``and'' in subparagraph (D);
(2) by striking ``2007.'' in subparagraph (E) and inserting
``2007;''; and
(3) by adding at the end the following:
``(F) $40,000,000 for fiscal year 2010;
``(G) $42,000,000 for fiscal year 2011;
``(H) $44,000,000 for fiscal year 2012;
``(I) $46,000,000 for fiscal year 2013; and
``(J) $48,000,000 for fiscal year 2014.''.
(i) Scientific and Advanced Technology Act Grants.--Section 5(b)(2)
of such Act (15 U.S.C. 7404(b)(2)) is amended--
(1) by striking ``and'' in subparagraph (D);
(2) by striking ``2007.'' in subparagraph (E) and inserting
``2007;''; and
(3) by adding at the end the following:
``(F) $5,000,000 for fiscal year 2010;
``(G) $6,000,000 for fiscal year 2011;
``(H) $7,000,000 for fiscal year 2012;
``(I) $8,000,000 for fiscal year 2013; and
``(J) $9,000,000 for fiscal year 2014.''.
(j) Graduate Traineeships in Computer and Network Security
Research.--Section 5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is
amended--
(1) by striking ``and'' in subparagraph (D);
(2) by striking ``2007.'' in subparagraph (E) and inserting
``2007;''; and
(3) by adding at the end the following:
``(F) $20,000,000 for fiscal year 2010;
``(G) $22,000,000 for fiscal year 2011;
``(H) $24,000,000 for fiscal year 2012;
``(I) $26,000,000 for fiscal year 2013; and
``(J) $28,000,000 for fiscal year 2014.''.
(k) Cybersecurity Faculty Development Traineeship Program.--Section
5(e)(9) of such Act (15 U.S.C. 7404(e)(9)) is amended by striking
``2007.'' and inserting ``2007 and for each of fiscal years 2010
through 2014.''.
(l) Networking and Information Technology Research and Development
Program.--Section 204(a)(1) of the High-Performance Computing Act of
1991 (15 U.S.C. 5524(a)(1)) is amended--
(1) by striking ``and'' after the semicolon in subparagraph
(B); and
(2) by inserting after subparagraph (C) the following:
``(D) develop and propose standards and guidelines,
and develop measurement techniques and test methods,
for enhanced cybersecurity for computer networks and
common user interfaces to systems; and''.
SEC. 303. DEVELOPMENT OF CURRICULA FOR INCORPORATING CYBERSECURITY INTO
EDUCATIONAL PROGRAMS FOR FUTURE INDUSTRIAL CONTROL SYSTEM
DESIGNERS.
(a) In General.--The Director of the National Science Foundation
shall establish a grant program to fund public and private educational
institutions to develop graduate and undergraduate level curricula that
address cybersecurity in modern industrial control systems. In
administering the program, the Director--
(1) shall establish such requirements for the submission of
applications containing such information, commitments, and
assurances as the Director finds necessary and appropriate;
(2) shall award the grants on a competitive basis;
(3) shall require grant recipients to make the developed
curricula and related materials available to other public and
private educational institutions; and
(4) may make up to 3 grants per year.
(b) Authorization of Appropriations.--There are authorized to be
appropriated to the Director to carry out the grant program under this
section $2,000,000 for each of fiscal years 2011 and 2012.
TITLE IV--PUBLIC-PRIVATE COLLABORATION
SEC. 401. CYBERSECURITY ADVISORY PANEL.
(a) In General.--The President shall establish or designate a
Cybersecurity Advisory Panel.
(b) Qualifications.--The President--
(1) shall appoint as members of the panel representatives
of industry, academic, non-profit organizations, interest
groups and advocacy organizations, and State and local
governments who are qualified to provide advice and information
on cybersecurity research, development, demonstrations,
education, personnel, technology transfer, commercial
application, or societal and civil liberty concerns; and
(2) may seek and give consideration to recommendations from
the Congress, industry, the cybersecurity community, the
defense community, State and local governments, and other
appropriate organizations.
(c) Duties.--The panel shall advise the President on matters
relating to the national cybersecurity program and strategy and shall
assess--
(1) trends and developments in cybersecurity science
research and development;
(2) progress made in implementing the strategy;
(3) the need to revise the strategy;
(4) the readiness and capacity of the Federal and national
workforces to implement the national cybersecurity program and
strategy, and the steps necessary to improve workforce
readiness and capacity;
(5) the balance among the components of the national
strategy, including funding for program components;
(6) whether the strategy, priorities, and goals are helping
to maintain United States leadership and defense in
cybersecurity;
(7) the management, coordination, implementation, and
activities of the strategy;
(8) whether the concerns of Federal, State, and local law
enforcement entities are adequately addressed; and
(9) whether societal and civil liberty concerns are
adequately addressed.
(d) Reports.--The panel shall report, not less frequently than once
every 2 years, to the President on its assessments under subsection (c)
and its recommendations for ways to improve the strategy.
(e) Travel Expenses of Non-Federal Members.--Non-Federal members of
the panel, while attending meetings of the panel or while otherwise
serving at the request of the head of the panel while away from their
homes or regular places of business, may be allowed travel expenses,
including per diem in lieu of subsistence, as authorized by section
5703 of title 5, United States Code, for individuals in the government
serving without pay. Nothing in this subsection shall be construed to
prohibit members of the panel who are officers or employees of the
United States from being allowed travel expenses, including per diem in
lieu of subsistence, in accordance with law.
(f) Exemption From FACA Sunset.--Section 14 of the Federal Advisory
Committee Act (5 U.S.C. App.) shall not apply to the Advisory Panel.
SEC. 402. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAM.
(a) Creation and Support of Cybersecurity Centers.--The Secretary
of Commerce shall provide assistance for the creation and support of
Regional Cybersecurity Centers for the promotion of private sector
developed cybersecurity risk measurement techniques, risk management
measures, and best practices. Each Center shall be affiliated with a
United States-based nonprofit institution or organization, or
consortium thereof, that applies for and is awarded financial
assistance under this section.
(b) Purpose.--The purpose of the Centers is to enhance the
cybersecurity of small- and medium-sized businesses in the United States
through--
(1) the promotion of private sector developed cybersecurity
risk measurement techniques, risk management measures, and best
practices to small- and medium-sized companies throughout the
United States;
(2) the voluntary participation of individuals from
industry, universities, State governments, other Federal
agencies, and, when appropriate, the Institute in cooperative
technology transfer activities in accordance with existing
technology transfer rules and intellectual property protection
measures;
(3) efforts to make new cybersecurity technology,
standards, and processes usable by United States-based small-
and medium-sized companies;
(4) the active dissemination of scientific, engineering,
technical, and management information about cybersecurity to
industrial firms, including small- and medium-sized companies;
(5) the utilization, when appropriate, of the expertise and
capability that exists in Federal laboratories other than the
Institute; and
(6) the performance of these and related activities in a
manner that supplements or coordinates with, and does not
compete with or duplicate, private sector activities.
(c) Activities.--The Centers shall--
(1) disseminate cybersecurity technologies, standards, and
processes based on research by the Institute for the purpose of
demonstrations and technology transfer;
(2) actively transfer and disseminate private sector
developed cybersecurity risk measurement techniques, risk
management measures, and best practices to protect against and
mitigate the risk of cyber attacks to a wide range of companies
and enterprises, particularly small- and medium-sized
businesses; and
(3) make loans, on a selective, short-term basis, of items
of advanced protective cybersecurity measures to small
businesses with less than 100 employees.
(c) Duration and Amount of Support; Program Descriptions;
Applications; Merit Review; Evaluations of Assistance.--
(1) Financial support.--The Secretary may provide financial
support, not to exceed 50 percent of the Center's annual
operating and maintenance costs, to any Center for a period not
to exceed 6 years (except as provided in paragraph (5)(D)).
(2) Program description.--Within 90 days after the date of
enactment of this Act, the Secretary shall publish in the
Federal Register a draft description of a program for
establishing Centers and, after a 30-day comment period, shall
publish a final description of the program. The description
shall include--
(A) a description of the program;
(B) procedures to be followed by applicants;
(C) criteria for determining qualified applicants;
(D) criteria, including those described in
paragraph (4), for choosing recipients of financial
assistance under this section from among the qualified
applicants; and
(E) maximum support levels expected to be available
to Centers under the program in the fourth through
sixth years of assistance under this section.
(3) Applications; support commitment.--Any nonprofit
institution, or consortia of nonprofit institutions, may submit
to the Secretary an application for financial support under
this section, in accordance with the procedures established by
the Secretary. In order to receive assistance under this
section, an applicant shall provide adequate assurances that it
will contribute 50 percent or more of the proposed Center's
annual operating and maintenance costs for the first 3 years
and an increasing share for each of the next 3 years.
(4) Award criteria.--Awards shall be made on a competitive,
merit-based review. In making a decision whether to approve an
application and provide financial support under this section,
the Secretary shall consider, at a minimum--
(A) the merits of the application, particularly
those portions of the application regarding technology
transfer, training and education, and adaptation of
cybersecurity technologies to the needs of particular
industrial sectors;
(B) the quality of service to be provided;
(C) geographical diversity and extent of service
area; and
(D) the percentage of funding and amount of in-kind
commitment from other sources.
(5) Third year evaluation.--
(A) In general.--Each Center which receives
financial assistance under this section shall be
evaluated during its third year of operation by an
evaluation panel appointed by the Secretary.
(B) Evaluation panel.--Each evaluation panel shall
be composed of private experts and Federal officials,
none of whom shall be connected with the involved
Center. Each evaluation panel shall measure the
Center's performance against the objectives specified
in this section and ensure that the Center is not
competing with, or duplicating, private sector
activities.
(C) Positive evaluation required for continued
funding.--The Secretary may not provide funding for the
fourth through the sixth years of a Center's operation
unless the evaluation by the evaluation panel is
positive. If the evaluation is positive, the Secretary
may provide continued funding through the sixth year at
declining levels.
(D) Funding after sixth year.--After the sixth
year, the Secretary may provide additional financial
support to a Center if it has received a positive
evaluation through an independent review, under
procedures established by the Institute. An additional
independent review shall be required at least every 2
years after the sixth year of operation. Funding
received for a fiscal year under this section after the
sixth year of operation may not exceed one third of the
annual operating and maintenance costs of the Center.
(6) Patent rights to inventions.--The provisions of chapter
18 of title 35, United States Code, shall (to the extent not
inconsistent with this section) apply to the promotion of
technology from research by Centers under this section except
for contracts for such specific technology extension or
transfer services as may be specified by statute or by the
President, or the President's designee.
(d) Acceptance of Funds From Other Federal Departments and
Agencies.--In addition to such sums as may be authorized and
appropriated to the Secretary and President, or the President's
designee, to operate the Centers program, the Secretary and the
President, or the President's designee, also may accept funds from
other Federal departments and agencies for the purpose of providing
Federal funds to support Centers. Any Center which is supported with
funds which originally came from other Federal departments and agencies
shall be selected and operated according to the provisions of this
section.
SEC. 403. PUBLIC-PRIVATE CLEARINGHOUSE.
(a) Survey of Existing Models of Interagency and Public-private
Information Sharing.--Within 180 days after the date of enactment of
this Act, the President, or the President's designee, in consultation
with sector coordinating councils, relevant governmental agencies and
regulatory entities, and nongovernmental organizations, shall conduct a
review and assessment of existing information sharing models used by
Federal agencies.
(b) Designation.--Pursuant to the results of the review and
assessment required by subsection (a), the President shall establish or
designate a facility to serve as the central cybersecurity threat and
vulnerability information clearinghouse for the Federal Government and
United States critical infrastructure information systems. The facility
shall incorporate the best practices and concepts of operations of
existing information sharing models in order to effectively promote the
sharing of public-private cybersecurity threat and vulnerability
information.
(c) Information Sharing Rules and Procedures.--The President, or
the President's designee, in consultation with sector coordinating
councils, relevant governmental agencies and regulatory entities, and
nongovernmental organizations, shall promulgate rules and procedures
regarding cybersecurity threat and vulnerability information sharing,
that--
(1) expand the Federal Government's sharing of
cybersecurity threat and vulnerability information with owners
and operators of United States critical infrastructure
information systems;
(2) ensure confidentiality and privacy protections for
individuals and personally identifiable information;
(3) ensure confidentiality and privacy protections for
private sector-owned intellectual property and proprietary
information;
(4) establish criteria under which owners or operators of
United States critical infrastructure information systems share
actionable cybersecurity threat and vulnerability information
and relevant data with the Federal Government;
(5) protect against, or mitigate, civil and criminal
liability implicated by information shared; and
(6) otherwise will enhance the sharing of cybersecurity
threat and vulnerability information between owners or
operators of United States critical infrastructure information
systems and the Federal Government.
SEC. 404. CYBERSECURITY RISK MANAGEMENT REPORT.
Within 1 year after the date of enactment of this Act, the
President, or the President's designee, shall report to the Congress on
the feasibility of creating a market for cybersecurity risk management.