[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 756 Reported in House (RH)]

                                                  Union Calendar No. 19
113th CONGRESS
  1st Session
                                H. R. 756

                          [Report No. 113-33]

     To advance cybersecurity research, development, and technical 
                   standards, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           February 15, 2013

    Mr. McCaul (for himself, Mr. Lipinski, Mr. Smith of Texas, Mr. 
 Langevin, Mr. Meehan, Ms. Matsui, Mr. Hall, and Mr. Ben Ray Lujan of 
 New Mexico) introduced the following bill; which was referred to the 
              Committee on Science, Space, and Technology

                             April 11, 2013

 Additional sponsors: Mr. Rogers of Michigan, Mrs. Miller of Michigan, 
         Mr. Garrett, Mr. Thornberry, Mr. Stewart, and Ms. Esty

                             April 11, 2013

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
    [For text of introduced bill, see copy of bill as introduced on 
                           February 15, 2013]


_______________________________________________________________________

                                 A BILL


 
     To advance cybersecurity research, development, and technical 
                   standards, and for other purposes.


 


    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cybersecurity Enhancement Act of 
2013''.

                   TITLE I--RESEARCH AND DEVELOPMENT

SEC. 101. DEFINITIONS.

    In this title:
            (1) National coordination office.--The term National 
        Coordination Office means the National Coordination Office for 
        the Networking and Information Technology Research and 
        Development program.
            (2) Program.--The term Program means the Networking and 
        Information Technology Research and Development program which 
        has been established under section 101 of the High-Performance 
        Computing Act of 1991 (15 U.S.C. 5511).

SEC. 102. FINDINGS.

    Section 2 of the Cyber Security Research and Development Act (15 
U.S.C. 7401) is amended--
            (1) by amending paragraph (1) to read as follows:
            ``(1) Advancements in information and communications 
        technology have resulted in a globally interconnected network 
        of government, commercial, scientific, and education 
        infrastructures, including critical infrastructures for 
        electric power, natural gas and petroleum production and 
        distribution, telecommunications, transportation, water supply, 
        banking and finance, and emergency and government services.'';
            (2) in paragraph (2), by striking ``Exponential increases 
        in interconnectivity have facilitated enhanced communications, 
        economic growth,'' and inserting ``These advancements have 
        significantly contributed to the growth of the United States 
        economy,'';
            (3) by amending paragraph (3) to read as follows:
            ``(3) The Cyberspace Policy Review published by the 
        President in May, 2009, concluded that our information 
        technology and communications infrastructure is vulnerable and 
        has `suffered intrusions that have allowed criminals to steal 
        hundreds of millions of dollars and nation-states and other 
        entities to steal intellectual property and sensitive military 
        information'.''; and
            (4) by amending paragraph (6) to read as follows:
            ``(6) While African-Americans, Hispanics, and Native 
        Americans constitute 33 percent of the college-age population, 
        members of these minorities comprise less than 20 percent of 
        bachelor degree recipients in the field of computer 
        sciences.''.

SEC. 103. CYBERSECURITY STRATEGIC RESEARCH AND DEVELOPMENT PLAN.

    (a) In General.--Not later than 12 months after the date of 
enactment of this Act, the agencies identified in subsection 
101(a)(3)(B)(i) through (x) of the High-Performance Computing Act of 
1991 (15 U.S.C. 5511(a)(3)(B)(i) through (x)) or designated under 
section 101(a)(3)(B)(xi) of such Act, working through the National 
Science and Technology Council and with the assistance of the National 
Coordination Office, shall transmit to Congress a strategic plan based 
on an assessment of cybersecurity risk to guide the overall direction 
of Federal cybersecurity and information assurance research and 
development for information technology and networking systems. Once 
every 3 years after the initial strategic plan is transmitted to 
Congress under this section, such agencies shall prepare and transmit 
to Congress an update of such plan.
    (b) Contents of Plan.--The strategic plan required under subsection 
(a) shall--
            (1) specify and prioritize near-term, mid-term and long-
        term research objectives, including objectives associated with 
        the research areas identified in section 4(a)(1) of the Cyber 
        Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
        and how the near-term objectives complement research and 
        development areas in which the private sector is actively 
        engaged;
            (2) describe how the Program will focus on innovative, 
        transformational technologies with the potential to enhance the 
        security, reliability, resilience, and trustworthiness of the 
        digital infrastructure, and to protect consumer privacy;
            (3) describe how the Program will foster the rapid transfer 
        of research and development results into new cybersecurity 
        technologies and applications for the timely benefit of society 
        and the national interest, including through the dissemination 
        of best practices and other outreach activities;
            (4) describe how the Program will establish and maintain a 
        national research infrastructure for creating, testing, and 
        evaluating the next generation of secure networking and 
        information technology systems;
            (5) describe how the Program will facilitate access by 
        academic researchers to the infrastructure described in 
        paragraph (4), as well as to relevant data, including event 
        data;
            (6) describe how the Program will engage females and 
        individuals identified in section 33 or 34 of the Science and 
        Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b) 
        to foster a more diverse workforce in this area; and
            (7) describe how the Program will help to recruit and 
        prepare veterans for the Federal cybersecurity workforce.
    (c) Development of Roadmap.--The agencies described in subsection 
(a) shall develop and annually update an implementation roadmap for the 
strategic plan required in this section. Such roadmap shall--
            (1) specify the role of each Federal agency in carrying out 
        or sponsoring research and development to meet the research 
        objectives of the strategic plan, including a description of 
        how progress toward the research objectives will be evaluated;
            (2) specify the funding allocated to each major research 
        objective of the strategic plan and the source of funding by 
        agency for the current fiscal year; and
            (3) estimate the funding required for each major research 
        objective of the strategic plan for the following 3 fiscal 
        years.
    (d) Recommendations.--In developing and updating the strategic plan 
under subsection (a), the agencies involved shall solicit 
recommendations and advice from--
            (1) the advisory committee established under section 
        101(b)(1) of the High-Performance Computing Act of 1991 (15 
        U.S.C. 5511(b)(1)); and
            (2) a wide range of stakeholders, including industry, 
        academia, including representatives of minority serving 
        institutions and community colleges, National Laboratories, and 
        other relevant organizations and institutions.
    (e) Appending to Report.--The implementation roadmap required under 
subsection (c), and its annual updates, shall be appended to the report 
required under section 101(a)(2)(D) of the High-Performance Computing 
Act of 1991 (15 U.S.C. 5511(a)(2)(D)).
    (f) Cybersecurity Research Database.--The agencies involved in 
developing and updating the strategic plan under subsection (a) shall 
establish, in coordination with the Office of Management and Budget, a 
mechanism to track ongoing and completed Federal cybersecurity research 
and development projects and associated funding, and shall make such 
information publically available.

SEC. 104. SOCIAL AND BEHAVIORAL RESEARCH IN CYBERSECURITY.

    Section 4(a)(1) of the Cyber Security Research and Development Act 
(15 U.S.C. 7403(a)(1)) is amended--
            (1) by inserting ``and usability'' after ``to the 
        structure'';
            (2) in subparagraph (H), by striking ``and'' after the 
        semicolon;
            (3) in subparagraph (I), by striking the period at the end 
        and inserting ``; and''; and
            (4) by adding at the end the following new subparagraph:
                    ``(J) social and behavioral factors, including 
                human-computer interactions, usability, and user 
                motivations.''.

SEC. 105. NATIONAL SCIENCE FOUNDATION CYBERSECURITY RESEARCH AND 
              DEVELOPMENT PROGRAMS.

    (a) Computer and Network Security Research Areas.--Section 4(a)(1) 
of the Cyber Security Research and Development Act (15 U.S.C. 
7403(a)(1)) is amended--
            (1) in subparagraph (A) by inserting ``identity 
        management,'' after ``cryptography,''; and
            (2) in subparagraph (I), by inserting ``, crimes against 
        children, and organized crime'' after ``intellectual 
        property''.
    (b) Computer and Network Security Research Grants.--Section 4(a)(3) 
of such Act (15 U.S.C. 7403(a)(3)) is amended by striking subparagraphs 
(A) through (E) and inserting the following new subparagraphs:
                    ``(A) $119,000,000 for fiscal year 2014;
                    ``(B) $119,000,000 for fiscal year 2015; and
                    ``(C) $119,000,000 for fiscal year 2016.''.
    (c) Computer and Network Security Research Centers.--Section 4(b) 
of such Act (15 U.S.C. 7403(b)) is amended--
            (1) in paragraph (4)--
                    (A) in subparagraph (C), by striking ``and'' after 
                the semicolon;
                    (B) in subparagraph (D), by striking the period and 
                inserting ``; and''; and
                    (C) by adding at the end the following new 
                subparagraph:
                    ``(E) how the center will partner with government 
                laboratories, for-profit entities, other institutions 
                of higher education, or nonprofit research 
                institutions.''; and
            (2) in paragraph (7) by striking subparagraphs (A) through 
        (E) and inserting the following new subparagraphs:
                    ``(A) $5,000,000 for fiscal year 2014;
                    ``(B) $5,000,000 for fiscal year 2015; and
                    ``(C) $5,000,000 for fiscal year 2016.''.
    (d) Computer and Network Security Capacity Building Grants.--
Section 5(a)(6) of such Act (15 U.S.C. 7404(a)(6)) is amended by 
striking subparagraphs (A) through (E) and inserting the following new 
subparagraphs:
                    ``(A) $25,000,000 for fiscal year 2014;
                    ``(B) $25,000,000 for fiscal year 2015; and
                    ``(C) $25,000,000 for fiscal year 2016.''.
    (e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2) 
of such Act (15 U.S.C. 7404(b)(2)) is amended by striking subparagraphs 
(A) through (E) and inserting the following new subparagraphs:
                    ``(A) $4,000,000 for fiscal year 2014;
                    ``(B) $4,000,000 for fiscal year 2015; and
                    ``(C) $4,000,000 for fiscal year 2016.''.
    (f) Graduate Traineeships in Computer and Network Security.--
Section 5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is amended by 
striking subparagraphs (A) through (E) and inserting the following new 
subparagraphs:
                    ``(A) $32,000,000 for fiscal year 2014;
                    ``(B) $32,000,000 for fiscal year 2015; and
                    ``(C) $32,000,000 for fiscal year 2016.''.
    (g) Cyber Security Faculty Development Traineeship Program.--
Section 5(e) of such Act (15 U.S.C. 7404(e)) is repealed.

SEC. 106. FEDERAL CYBER SCHOLARSHIP FOR SERVICE PROGRAM.

    (a) In General.--The Director of the National Science Foundation 
shall continue a Scholarship for Service program under section 5(a) of 
the Cyber Security Research and Development Act (15 U.S.C. 7404(a)) to 
recruit and train the next generation of Federal cybersecurity 
professionals and to increase the capacity of the higher education 
system to produce an information technology workforce with the skills 
necessary to enhance the security of the Nation's communications and 
information infrastructure.
    (b) Characteristics of Program.--The program under this section 
shall--
            (1) provide, through qualified institutions of higher 
        education, including community colleges, scholarships that 
        provide tuition, fees, and a competitive stipend for up to 2 
        years to students pursing a bachelor's or master's degree and 
        up to 3 years to students pursuing a doctoral degree in a 
        cybersecurity field;
            (2) provide the scholarship recipients with summer 
        internship opportunities or other meaningful temporary 
        appointments in the Federal information technology workforce; 
        and
            (3) increase the capacity of institutions of higher 
        education throughout all regions of the United States to 
        produce highly qualified cybersecurity professionals, through 
        the award of competitive, merit-reviewed grants that support 
        such activities as--
                    (A) faculty professional development, including 
                technical, hands-on experiences in the private sector 
                or government, workshops, seminars, conferences, and 
                other professional development opportunities that will 
                result in improved instructional capabilities;
                    (B) institutional partnerships, including minority 
                serving institutions and community colleges;
                    (C) development and evaluation of cybersecurity-
                related courses and curricula; and
                    (D) public-private partnerships that will integrate 
                research experiences and hands-on learning into 
                cybersecurity degree programs.
    (c) Scholarship Requirements.--
            (1) Eligibility.--Scholarships under this section shall be 
        available only to students who--
                    (A) are citizens or permanent residents of the 
                United States;
                    (B) are full-time students in an eligible degree 
                program, as determined by the Director, that is focused 
                on computer security or information assurance at an 
                awardee institution; and
                    (C) accept the terms of a scholarship pursuant to 
                this section.
            (2) Selection.--Individuals shall be selected to receive 
        scholarships primarily on the basis of academic merit, with 
        consideration given to financial need, to the goal of promoting 
        the participation of females and individuals identified in 
        section 33 or 34 of the Science and Engineering Equal 
        Opportunities Act (42 U.S.C. 1885a or 1885b), and to veterans. 
        For purposes of this paragraph, the term ``veteran'' means a 
        person who--
                    (A) served on active duty (other than active duty 
                for training) in the Armed Forces of the United States 
                for a period of more than 180 consecutive days, and who 
                was discharged or released therefrom under conditions 
                other than dishonorable; or
                    (B) served on active duty (other than active duty 
                for training) in the Armed Forces of the United States 
                and was discharged or released from such service for a 
                service-connected disability before serving 180 
                consecutive days.
        For purposes of subparagraph (B), the term ``service-
        connected'' has the meaning given such term under section 101 
        of title 38, United States Code.
            (3) Service obligation.--If an individual receives a 
        scholarship under this section, as a condition of receiving 
        such scholarship, the individual upon completion of their 
        degree must serve as a cybersecurity professional within the 
        Federal workforce for a period of time as provided in paragraph 
        (5). If a scholarship recipient is not offered employment by a 
        Federal agency or a federally funded research and development 
        center, the service requirement can be satisfied at the 
        Director's discretion by--
                    (A) serving as a cybersecurity professional in a 
                State, local, or tribal government agency; or
                    (B) teaching cybersecurity courses at an 
                institution of higher education.
            (4) Conditions of support.--As a condition of acceptance of 
        a scholarship under this section, a recipient shall agree to 
        provide the awardee institution with annual verifiable 
        documentation of employment and up-to-date contact information.
            (5) Length of service.--The length of service required in 
        exchange for a scholarship under this subsection shall be 1 
        year more than the number of years for which the scholarship 
        was received.
    (d) Failure To Complete Service Obligation.--
            (1) General rule.--If an individual who has received a 
        scholarship under this section--
                    (A) fails to maintain an acceptable level of 
                academic standing in the educational institution in 
                which the individual is enrolled, as determined by the 
                Director;
                    (B) is dismissed from such educational institution 
                for disciplinary reasons;
                    (C) withdraws from the program for which the award 
                was made before the completion of such program;
                    (D) declares that the individual does not intend to 
                fulfill the service obligation under this section; or
                    (E) fails to fulfill the service obligation of the 
                individual under this section,
        such individual shall be liable to the United States as 
        provided in paragraph (3).
            (2) Monitoring compliance.--As a condition of participating 
        in the program, a qualified institution of higher education 
        receiving a grant under this section shall--
                    (A) enter into an agreement with the Director of 
                the National Science Foundation to monitor the 
                compliance of scholarship recipients with respect to 
                their service obligation; and
                    (B) provide to the Director, on an annual basis, 
                post-award employment information required under 
                subsection (c)(4) for scholarship recipients through 
                the completion of their service obligation.
            (3) Amount of repayment.--
                    (A) Less than one year of service.--If a 
                circumstance described in paragraph (1) occurs before 
                the completion of 1 year of a service obligation under 
                this section, the total amount of awards received by 
                the individual under this section shall be repaid or 
                such amount shall be treated as a loan to be repaid in 
                accordance with subparagraph (C).
                    (B) More than one year of service.--If a 
                circumstance described in subparagraph (D) or (E) of 
                paragraph (1) occurs after the completion of 1 year of 
                a service obligation under this section, the total 
                amount of scholarship awards received by the individual 
                under this section, reduced by the ratio of the number 
                of years of service completed divided by the number of 
                years of service required, shall be repaid or such 
                amount shall be treated as a loan to be repaid in 
                accordance with subparagraph (C).
                    (C) Repayments.--A loan described in subparagraph 
                (A) or (B) shall be treated as a Federal Direct 
                Unsubsidized Stafford Loan under part D of title IV of 
                the Higher Education Act of 1965 (20 U.S.C. 1087a and 
                following), and shall be subject to repayment, together 
                with interest thereon accruing from the date of the 
                scholarship award, in accordance with terms and 
                conditions specified by the Director (in consultation 
                with the Secretary of Education) in regulations 
                promulgated to carry out this paragraph.
            (4) Collection of repayment.--
                    (A) In general.--In the event that a scholarship 
                recipient is required to repay the scholarship under 
                this subsection, the institution providing the 
                scholarship shall--
                            (i) be responsible for determining the 
                        repayment amounts and for notifying the 
                        recipient and the Director of the amount owed; 
                        and
                            (ii) collect such repayment amount within a 
                        period of time as determined under the 
                        agreement described in paragraph (2), or the 
                        repayment amount shall be treated as a loan in 
                        accordance with paragraph (3)(C).
                    (B) Returned to treasury.--Except as provided in 
                subparagraph (C) of this paragraph, any such repayment 
                shall be returned to the Treasury of the United States.
                    (C) Retain percentage.--An institution of higher 
                education may retain a percentage of any repayment the 
                institution collects under this paragraph to defray 
                administrative costs associated with the collection. 
                The Director shall establish a single, fixed percentage 
                that will apply to all eligible entities.
            (5) Exceptions.--The Director may provide for the partial 
        or total waiver or suspension of any service or payment 
        obligation by an individual under this section whenever 
        compliance by the individual with the obligation is impossible 
        or would involve extreme hardship to the individual, or if 
        enforcement of such obligation with respect to the individual 
        would be unconscionable.
    (e) Hiring Authority.--
            (1) Appointment in excepted service.--Notwithstanding any 
        provision of chapter 33 of title 5, United States Code, 
        governing appointments in the competitive service, an agency 
        shall appoint in the excepted service an individual who has 
        completed the academic program for which a scholarship was 
        awarded.
            (2) Noncompetitive conversion.--Except as provided in 
        paragraph (4), upon fulfillment of the service term, an 
        employee appointed under paragraph (1) may be converted 
        noncompetitively to term, career-conditional or career 
        appointment.
            (3) Timing of conversion.--An agency may noncompetitively 
        convert a term employee appointed under paragraph (2) to a 
        career-conditional or career appointment before the term 
        appointment expires.
            (4) Authority to decline conversion.--An agency may decline 
        to make the noncompetitive conversion or appointment under 
        paragraph (2) for cause.

SEC. 107. CYBERSECURITY WORKFORCE ASSESSMENT.

    Not later than 180 days after the date of enactment of this Act the 
President shall transmit to the Congress a report addressing the 
cybersecurity workforce needs of the Federal Government. The report 
shall include--
            (1) an examination of the current state of and the 
        projected needs of the Federal cybersecurity workforce, 
        including a comparison of the different agencies and 
        departments, and an analysis of the capacity of such agencies 
        and departments to meet those needs;
            (2) an analysis of the sources and availability of 
        cybersecurity talent, a comparison of the skills and expertise 
        sought by the Federal Government and the private sector, an 
        examination of the current and future capacity of United States 
        institutions of higher education, including community colleges, 
        to provide current and future cybersecurity professionals, 
        through education and training activities, with those skills 
        sought by the Federal Government, State and local entities, and 
        the private sector, and a description of how successful 
        programs are engaging the talents of females and individuals 
        identified in section 33 or 34 of the Science and Engineering 
        Equal Opportunities Act (42 U.S.C. 1885a or 1885b);
            (3) an examination of the effectiveness of the National 
        Centers of Academic Excellence in Information Assurance 
        Education, the Centers of Academic Excellence in Research, and 
        the Federal Cyber Scholarship for Service programs in promoting 
        higher education and research in cybersecurity and information 
        assurance and in producing a growing number of professionals 
        with the necessary cybersecurity and information assurance 
        expertise, including individuals from States or regions in 
        which the unemployment rate exceeds the national average;
            (4) an analysis of any barriers to the Federal Government 
        recruiting and hiring cybersecurity talent, including barriers 
        relating to compensation, the hiring process, job 
        classification, and hiring flexibilities; and
            (5) recommendations for Federal policies to ensure an 
        adequate, well-trained Federal cybersecurity workforce.

SEC. 108. CYBERSECURITY UNIVERSITY-INDUSTRY TASK FORCE.

    (a) Establishment of University-Industry Task Force.--Not later 
than 180 days after the date of enactment of this Act, the Director of 
the Office of Science and Technology Policy shall convene a task force 
to explore mechanisms for carrying out collaborative research, 
development, education, and training activities for cybersecurity 
through a consortium or other appropriate entity with participants from 
institutions of higher education and industry.
    (b) Functions.--The task force shall--
            (1) develop options for a collaborative model and an 
        organizational structure for such entity under which the joint 
        research and development activities could be planned, managed, 
        and conducted effectively, including mechanisms for the 
        allocation of resources among the participants in such entity 
        for support of such activities;
            (2) identify and prioritize at least three cybersecurity 
        grand challenges, focused on nationally significant problems 
        requiring collaborative and interdisciplinary solutions;
            (3) propose a process for developing a research and 
        development agenda for such entity to address the grand 
        challenges identified under paragraph (2);
            (4) define the roles and responsibilities for the 
        participants from institutions of higher education and industry 
        in such entity;
            (5) propose guidelines for assigning intellectual property 
        rights and for the transfer of research and development results 
        to the private sector; and
            (6) make recommendations for how such entity could be 
        funded from Federal, State, and nongovernmental sources.
    (c) Composition.--In establishing the task force under subsection 
(a), the Director of the Office of Science and Technology Policy shall 
appoint an equal number of individuals from institutions of higher 
education, including minority-serving institutions and community 
colleges, and from industry with knowledge and expertise in 
cybersecurity.
    (d) Report.--Not later than 12 months after the date of enactment 
of this Act, the Director of the Office of Science and Technology 
Policy shall transmit to the Congress a report describing the findings 
and recommendations of the task force.
    (e) Termination.--The task force shall terminate upon transmittal 
of the report required under subsection (d).
    (f) Compensation and Expenses.--Members of the task force shall 
serve without compensation.

SEC. 109. CYBERSECURITY AUTOMATION AND CHECKLISTS FOR GOVERNMENT 
              SYSTEMS.

    Section 8(c) of the Cyber Security Research and Development Act (15 
U.S.C. 7406(c)) is amended to read as follows:
    ``(c) Security Automation and Checklists for Government Systems.--
            ``(1) In general.--The Director of the National Institute 
        of Standards and Technology shall develop, and revise as 
        necessary, security automation standards, associated reference 
        materials (including protocols), and checklists providing 
        settings and option selections that minimize the security risks 
        associated with each information technology hardware or 
        software system and security tool that is, or is likely to 
        become, widely used within the Federal Government in order to 
        enable standardized and interoperable technologies, 
        architectures, and frameworks for continuous monitoring of 
        information security within the Federal Government.
            ``(2) Priorities for development.--The Director of the 
        National Institute of Standards and Technology shall establish 
        priorities for the development of standards, reference 
        materials, and checklists under this subsection on the basis 
        of--
                    ``(A) the security risks associated with the use of 
                the system;
                    ``(B) the number of agencies that use a particular 
                system or security tool;
                    ``(C) the usefulness of the standards, reference 
                materials, or checklists to Federal agencies that are 
                users or potential users of the system;
                    ``(D) the effectiveness of the associated standard, 
                reference material, or checklist in creating or 
                enabling continuous monitoring of information security; 
                or
                    ``(E) such other factors as the Director of the 
                National Institute of Standards and Technology 
                determines to be appropriate.
            ``(3) Excluded systems.--The Director of the National 
        Institute of Standards and Technology may exclude from the 
        application of paragraph (1) any information technology 
        hardware or software system or security tool for which such 
        Director determines that the development of a standard, 
        reference material, or checklist is inappropriate because of 
        the infrequency of use of the system, the obsolescence of the 
        system, or the inutility or impracticability of developing a 
        standard, reference material, or checklist for the system.
            ``(4) Dissemination of standards and related materials.--
        The Director of the National Institute of Standards and 
        Technology shall ensure that Federal agencies are informed of 
        the availability of any standard, reference material, 
        checklist, or other item developed under this subsection.
            ``(5) Agency use requirements.--The development of 
        standards, reference materials, and checklists under paragraph 
        (1) for an information technology hardware or software system 
        or tool does not--
                    ``(A) require any Federal agency to select the 
                specific settings or options recommended by the 
                standard, reference material, or checklist for the 
                system;
                    ``(B) establish conditions or prerequisites for 
                Federal agency procurement or deployment of any such 
                system;
                    ``(C) imply an endorsement of any such system by 
                the Director of the National Institute of Standards and 
                Technology; or
                    ``(D) preclude any Federal agency from procuring or 
                deploying other information technology hardware or 
                software systems for which no such standard, reference 
                material, or checklist has been developed or identified 
                under paragraph (1).''.

SEC. 110. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY 
              RESEARCH AND DEVELOPMENT.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is amended by redesignating subsection (e) as 
subsection (f), and by inserting after subsection (d) the following:
    ``(e) Intramural Security Research.--As part of the research 
activities conducted in accordance with subsection (d)(3), the 
Institute shall--
            ``(1) conduct a research program to develop a unifying and 
        standardized identity, privilege, and access control management 
        framework for the execution of a wide variety of resource 
        protection policies and that is amenable to implementation 
        within a wide variety of existing and emerging computing 
        environments;
            ``(2) carry out research associated with improving the 
        security of information systems and networks;
            ``(3) carry out research associated with improving the 
        testing, measurement, usability, and assurance of information 
        systems and networks;
            ``(4) carry out research associated with improving security 
        of industrial control systems; and
            ``(5) carry out research associated with improving the 
        security and integrity of the information technology supply 
        chain.''.

SEC. 111. RESEARCH ON THE SCIENCE OF CYBERSECURITY.

    The Director of the National Science Foundation and the Director of 
the National Institute of Standards and Technology shall, through 
existing programs and activities, support research that will lead to 
the development of a scientific foundation for the field of 
cybersecurity, including research that increases understanding of the 
underlying principles of securing complex networked systems, enables 
repeatable experimentation, and creates quantifiable security metrics.

       TITLE II--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

SEC. 201. DEFINITIONS.

    In this title:
            (1) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (2) Institute.--The term ``Institute'' means the National 
        Institute of Standards and Technology.

SEC. 202. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

    (a) In General.--The Director, in coordination with appropriate 
Federal authorities, shall--
            (1) as appropriate, ensure coordination of Federal agencies 
        engaged in the development of international technical standards 
        related to information system security; and
            (2) not later than 1 year after the date of enactment of 
        this Act, develop and transmit to the Congress a plan for 
        ensuring such Federal agency coordination.
    (b) Consultation With the Private Sector.--In carrying out the 
activities specified in subsection (a)(1), the Director shall ensure 
consultation with appropriate private sector stakeholders.

SEC. 203. CLOUD COMPUTING STRATEGY.

    (a) In General.--The Director, in collaboration with the Federal 
CIO Council, and in consultation with other relevant Federal agencies 
and stakeholders from the private sector, shall continue to develop and 
encourage the implementation of a comprehensive strategy for the use 
and adoption of cloud computing services by the Federal Government.
    (b) Activities.--In carrying out the strategy developed under 
subsection (a), the Director shall give consideration to activities 
that--
            (1) accelerate the development, in collaboration with the 
        private sector, of standards that address interoperability and 
        portability of cloud computing services;
            (2) advance the development of conformance testing 
        performed by the private sector in support of cloud computing 
        standardization; and
            (3) support, in consultation with the private sector, the 
        development of appropriate security frameworks and reference 
        materials, and the identification of best practices, for use by 
        Federal agencies to address security and privacy requirements 
        to enable the use and adoption of cloud computing services, 
        including activities--
                    (A) to ensure the physical security of cloud 
                computing data centers and the data stored in such 
                centers;
                    (B) to ensure secure access to the data stored in 
                cloud computing data centers;
                    (C) to develop security standards as required under 
                section 20 of the National Institute of Standards and 
                Technology Act (15 U.S.C. 278g-3); and
                    (D) to support the development of the automation of 
                continuous monitoring systems.

SEC. 204. PROMOTING CYBERSECURITY AWARENESS AND EDUCATION.

    (a) Program.--The Director, in collaboration with relevant Federal 
agencies, industry, educational institutions, National Laboratories, 
the National Coordination Office of the Networking and Information 
Technology Research and Development program, and other organizations, 
shall continue to coordinate a cybersecurity awareness and education 
program to increase knowledge, skills, and awareness of cybersecurity 
risks, consequences, and best practices through--
            (1) the widespread dissemination of cybersecurity technical 
        standards and best practices identified by the Institute;
            (2) efforts to make cybersecurity best practices usable by 
        individuals, small to medium-sized businesses, State, local, 
        and tribal governments, and educational institutions;
            (3) improving the state of cybersecurity education at all 
        educational levels;
            (4) efforts to attract, recruit, and retain qualified 
        professionals to the Federal cybersecurity workforce; and
            (5) improving the skills, training, and professional 
        development of the Federal cybersecurity workforce.
    (b) Strategic Plan.--The Director shall, in cooperation with 
relevant Federal agencies and other stakeholders, develop and implement 
a strategic plan to guide Federal programs and activities in support of 
a comprehensive cybersecurity awareness and education program as 
described under subsection (a).
    (c) Report to Congress.--Not later than 1 year after the date of 
enactment of this Act and every 5 years thereafter, the Director shall 
transmit the strategic plan required under subsection (b) to the 
Committee on Science, Space, and Technology of the House of 
Representatives and the Committee on Commerce, Science, and 
Transportation of the Senate.

SEC. 205. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

    The Director shall continue a program to support the development of 
technical standards, metrology, testbeds, and conformance criteria, 
taking into account appropriate user concerns, to--
            (1) improve interoperability among identity management 
        technologies;
            (2) strengthen authentication methods of identity 
        management systems;
            (3) improve privacy protection in identity management 
        systems, including health information technology systems, 
        through authentication and security protocols; and
            (4) improve the usability of identity management systems.

SEC. 206. AUTHORIZATIONS.

    No additional funds are authorized to carry out this Act, and the 
amendments made by this Act. This Act, and the amendments made by this 
Act, shall be carried out using amounts otherwise authorized or 
appropriated.
                                                  Union Calendar No. 19

113th CONGRESS

  1st Session

                               H. R. 756

                          [Report No. 113-33]

_______________________________________________________________________

                                 A BILL

     To advance cybersecurity research, development, and technical 
                   standards, and for other purposes.

_______________________________________________________________________

                             April 11, 2013

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed