[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 1353 Enrolled Bill (ENR)]

        S.1353

                     One Hundred Thirteenth Congress

                                 of the

                        United States of America


                          AT THE SECOND SESSION

           Begun and held at the City of Washington on Friday,
           the third day of January, two thousand and fourteen


                                 An Act


 
   To provide for an ongoing, voluntary public-private partnership to 
  improve cybersecurity, and to strengthen cybersecurity research and 
 development, workforce development and education, and public awareness 
                and preparedness, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
    (a) Short Title.--This Act may be cited as the ``Cybersecurity 
Enhancement Act of 2014''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. No regulatory authority.
Sec. 4. No additional funds authorized.

         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

Sec. 101. Public-private collaboration on cybersecurity.

            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 201. Federal cybersecurity research and development.
Sec. 202. Computer and network security research centers.
Sec. 203. Cybersecurity automation and checklists for government 
          systems.
Sec. 204. National Institute of Standards and Technology cybersecurity 
          research and development.

             TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT

Sec. 301. Cybersecurity competitions and challenges.
Sec. 302. Federal cyber scholarship-for-service program.

           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

Sec. 401. National cybersecurity awareness and education program.

        TITLE V--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

Sec. 501. Definitions.
Sec. 502. International cybersecurity technical standards.
Sec. 503. Cloud computing strategy.
Sec. 504. Identity management research and development.
SEC. 2. DEFINITIONS.
    In this Act:
        (1) Cybersecurity mission.--The term ``cybersecurity mission'' 
    means activities that encompass the full range of threat reduction, 
    vulnerability reduction, deterrence, international engagement, 
    incident response, resiliency, and recovery policies and 
    activities, including computer network operations, information 
    assurance, law enforcement, diplomacy, military, and intelligence 
    missions as such activities relate to the security and stability of 
    cyberspace.
        (2) Information system.--The term ``information system'' has 
    the meaning given that term in section 3502 of title 44, United 
    States Code.
SEC. 3. NO REGULATORY AUTHORITY.
    Nothing in this Act shall be construed to confer any regulatory 
authority on any Federal, State, tribal, or local department or agency.
SEC. 4. NO ADDITIONAL FUNDS AUTHORIZED.
    No additional funds are authorized to carry out this Act, and the 
amendments made by this Act. This Act, and the amendments made by this 
Act, shall be carried out using amounts otherwise authorized or 
appropriated.

         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

    SEC. 101. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.
    (a) Cybersecurity.--Section 2(c) of the National Institute of 
Standards and Technology Act (15 U.S.C. 272(c)) is amended--
        (1) by redesignating paragraphs (15) through (22) as paragraphs 
    (16) through (23), respectively; and
        (2) by inserting after paragraph (14) the following:
        ``(15) on an ongoing basis, facilitate and support the 
    development of a voluntary, consensus-based, industry-led set of 
    standards, guidelines, best practices, methodologies, procedures, 
    and processes to cost-effectively reduce cyber risks to critical 
    infrastructure (as defined under subsection (e));''.
    (b) Scope and Limitations.--Section 2 of the National Institute of 
Standards and Technology Act (15 U.S.C. 272) is amended by adding at 
the end the following:
    ``(e) Cyber Risks.--
        ``(1) In general.--In carrying out the activities under 
    subsection (c)(15), the Director--
            ``(A) shall--
                ``(i) coordinate closely and regularly with relevant 
            private sector personnel and entities, critical 
            infrastructure owners and operators, and other relevant 
            industry organizations, including Sector Coordinating 
            Councils and Information Sharing and Analysis Centers, and 
            incorporate industry expertise;
                ``(ii) consult with the heads of agencies with national 
            security responsibilities, sector-specific agencies and 
            other appropriate agencies, State and local governments, 
            the governments of other nations, and international 
            organizations;
                ``(iii) identify a prioritized, flexible, repeatable, 
            performance-based, and cost-effective approach, including 
            information security measures and controls, that may be 
            voluntarily adopted by owners and operators of critical 
            infrastructure to help them identify, assess, and manage 
            cyber risks;
                ``(iv) include methodologies--

                    ``(I) to identify and mitigate impacts of the 
                cybersecurity measures or controls on business 
                confidentiality; and
                    ``(II) to protect individual privacy and civil 
                liberties;

                ``(v) incorporate voluntary consensus standards and 
            industry best practices;
                ``(vi) align with voluntary international standards to 
            the fullest extent possible;
                ``(vii) prevent duplication of regulatory processes and 
            prevent conflict with or superseding of regulatory 
            requirements, mandatory standards, and related processes; 
            and
                ``(viii) include such other similar and consistent 
            elements as the Director considers necessary; and
            ``(B) shall not prescribe or otherwise require--
                ``(i) the use of specific solutions;
                ``(ii) the use of specific information or 
            communications technology products or services; or
                ``(iii) that information or communications technology 
            products or services be designed, developed, or 
            manufactured in a particular manner.
        ``(2) Limitation.--Information shared with or provided to the 
    Institute for the purpose of the activities described under 
    subsection (c)(15) shall not be used by any Federal, State, tribal, 
    or local department or agency to regulate the activity of any 
    entity. Nothing in this paragraph shall be construed to modify any 
    regulatory requirement to report or submit information to a 
    Federal, State, tribal, or local department or agency.
        ``(3) Definitions.--In this subsection:
            ``(A) Critical infrastructure.--The term `critical 
        infrastructure' has the meaning given the term in section 
        1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
            ``(B) Sector-specific agency.--The term `sector-specific 
        agency' means the Federal department or agency responsible for 
        providing institutional knowledge and specialized expertise as 
        well as leading, facilitating, or supporting the security and 
        resilience programs and associated activities of its designated 
        critical infrastructure sector in the all-hazards 
        environment.''.
    (c) Study and Reports.--
        (1) Study.--The Comptroller General of the United States shall 
    conduct a study that assesses--
            (A) the progress made by the Director of the National 
        Institute of Standards and Technology in facilitating the 
        development of standards and procedures to reduce cyber risks 
        to critical infrastructure in accordance with section 2(c)(15) 
        of the National Institute of Standards and Technology Act, as 
        added by this section;
            (B) the extent to which the Director's facilitation efforts 
        are consistent with the directive in such section that the 
        development of such standards and procedures be voluntary and 
        led by industry representatives;
            (C) the extent to which other Federal agencies have 
        promoted and sectors of critical infrastructure (as defined in 
        section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 
        5195c(e))) have adopted a voluntary, industry-led set of 
        standards, guidelines, best practices, methodologies, 
        procedures, and processes to reduce cyber risks to critical 
        infrastructure in accordance with such section 2(c)(15);
            (D) the reasons behind the decisions of sectors of critical 
        infrastructure (as defined in subparagraph (C)) to adopt or to 
        not adopt the voluntary standards described in subparagraph 
        (C); and
            (E) the extent to which such voluntary standards have 
        proved successful in protecting critical infrastructure from 
        cyber threats.
        (2) Reports.--Not later than 1 year after the date of the 
    enactment of this Act, and every 2 years thereafter for the 
    following 6 years, the Comptroller General shall submit a report, 
    which summarizes the findings of the study conducted under 
    paragraph (1), to the Committee on Commerce, Science, and 
    Transportation of the Senate and the Committee on Science, Space, 
    and Technology of the House of Representatives.

            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

    SEC. 201. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
    (a) Fundamental Cybersecurity Research.--
        (1) Federal cybersecurity research and development strategic 
    plan.--The heads of the applicable agencies and departments, 
    working through the National Science and Technology Council and the 
    Networking and Information Technology Research and Development 
    Program, shall develop and update every 4 years a Federal 
    cybersecurity research and development strategic plan (referred to 
    in this subsection as the ``strategic plan'') based on an 
    assessment of cybersecurity risk to guide the overall direction of 
    Federal cybersecurity and information assurance research and 
    development for information technology and networking systems. The 
    heads of the applicable agencies and departments shall build upon 
    existing programs and plans to develop the strategic plan to meet 
    objectives in cybersecurity, such as--
            (A) how to design and build complex software-intensive 
        systems that are secure and reliable when first deployed;
            (B) how to test and verify that software and hardware, 
        whether developed locally or obtained from a third party, is 
        free of significant known security flaws;
            (C) how to test and verify that software and hardware 
        obtained from a third party correctly implements stated 
        functionality, and only that functionality;
            (D) how to guarantee the privacy of an individual, 
        including that individual's identity, information, and lawful 
        transactions when stored in distributed systems or transmitted 
        over networks;
            (E) how to build new protocols to enable the Internet to 
        have robust security as one of the key capabilities of the 
        Internet;
            (F) how to determine the origin of a message transmitted 
        over the Internet;
            (G) how to support privacy in conjunction with improved 
        security;
            (H) how to address the problem of insider threats;
            (I) how improved consumer education and digital literacy 
        initiatives can address human factors that contribute to 
        cybersecurity;
            (J) how to protect information processed, transmitted, or 
        stored using cloud computing or transmitted through wireless 
        services; and
            (K) any additional objectives the heads of the applicable 
        agencies and departments, in coordination with the head of any 
        relevant Federal agency and with input from stakeholders, 
        including appropriate national laboratories, industry, and 
        academia, determine appropriate.
        (2) Requirements.--
            (A) Contents of plan.--The strategic plan shall--
                (i) specify and prioritize near-term, mid-term, and 
            long-term research objectives, including objectives 
            associated with the research identified in section 4(a)(1) 
            of the Cyber Security Research and Development Act (15 
            U.S.C. 7403(a)(1));
                (ii) specify how the near-term objectives described in 
            clause (i) complement research and development areas in 
            which the private sector is actively engaged;
                (iii) describe how the heads of the applicable agencies 
            and departments will focus on innovative, transformational 
            technologies with the potential to enhance the security, 
            reliability, resilience, and trustworthiness of the digital 
            infrastructure, and to protect consumer privacy;
                (iv) describe how the heads of the applicable agencies 
            and departments will foster the rapid transfer of research 
            and development results into new cybersecurity technologies 
            and applications for the timely benefit of society and the 
            national interest, including through the dissemination of 
            best practices and other outreach activities;
                (v) describe how the heads of the applicable agencies 
            and departments will establish and maintain a national 
            research infrastructure for creating, testing, and 
            evaluating the next generation of secure networking and 
            information technology systems; and
                (vi) describe how the heads of the applicable agencies 
            and departments will facilitate access by academic 
            researchers to the infrastructure described in clause (v), 
            as well as to relevant data, including event data.
            (B) Private sector efforts.--In developing, implementing, 
        and updating the strategic plan, the heads of the applicable 
        agencies and departments, working through the National Science 
        and Technology Council and Networking and Information 
        Technology Research and Development Program, shall work in 
        close cooperation with industry, academia, and other interested 
        stakeholders to ensure, to the extent possible, that Federal 
        cybersecurity research and development is not duplicative of 
        private sector efforts.
            (C) Recommendations.--In developing and updating the 
        strategic plan the heads of the applicable agencies and 
        departments shall solicit recommendations and advice from--
                (i) the advisory committee established under section 
            101(b)(1) of the High-Performance Computing Act of 1991 (15 
            U.S.C. 5511(b)(1)); and
                (ii) a wide range of stakeholders, including industry, 
            academia, including representatives of minority serving 
            institutions and community colleges, National Laboratories, 
            and other relevant organizations and institutions.
            (D) Implementation roadmap.--The heads of the applicable 
        agencies and departments, working through the National Science 
        and Technology Council and Networking and Information 
        Technology Research and Development Program, shall develop and 
        annually update an implementation roadmap for the strategic 
        plan. The implementation roadmap shall--
                (i) specify the role of each Federal agency in carrying 
            out or sponsoring research and development to meet the 
            research objectives of the strategic plan, including a 
            description of how progress toward the research objectives 
            will be evaluated;
                (ii) specify the funding allocated to each major 
            research objective of the strategic plan and the source of 
            funding by agency for the current fiscal year;
                (iii) estimate the funding required for each major 
            research objective of the strategic plan for the following 
            3 fiscal years; and
                (iv) track ongoing and completed Federal cybersecurity 
            research and development projects.
        (3) Reports to congress.--The heads of the applicable agencies 
    and departments, working through the National Science and 
    Technology Council and Networking and Information Technology 
    Research and Development Program, shall submit to the Committee on 
    Commerce, Science, and Transportation of the Senate and the 
    Committee on Science, Space, and Technology of the House of 
    Representatives--
            (A) the strategic plan not later than 1 year after the date 
        of enactment of this Act;
            (B) each quadrennial update to the strategic plan; and
            (C) the implementation roadmap under subparagraph (D), and 
        its annual updates, which shall be appended to the annual 
        report required under section 101(a)(2)(D) of the High-
        Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)(D)).
        (4) Definition of applicable agencies and departments.--In this 
    subsection, the term ``applicable agencies and departments'' means 
    the agencies and departments identified in clauses (i) through (x) 
    of section 101(a)(3)(B) of the High-Performance Computing Act of 
    1991 (15 U.S.C. 5511(a)(3)(B)) or designated under clause (xi) of 
    that section.
    (b) Cybersecurity Practices Research.--The Director of the National 
Science Foundation shall support research that--
        (1) develops, evaluates, disseminates, and integrates new 
    cybersecurity practices and concepts into the core curriculum of 
    computer science programs and of other programs where graduates of 
    such programs have a substantial probability of developing software 
    after graduation, including new practices and concepts relating to 
    secure coding education and improvement programs; and
        (2) develops new models for professional development of faculty 
    in cybersecurity education, including secure coding development.
    (c) Cybersecurity Modeling and Test Beds.--
        (1) Review.--Not later than 1 year after the date of enactment 
    of this Act, the Director of the National Science Foundation, in 
    coordination with the Director of the Office of Science and 
    Technology Policy, shall conduct a review of cybersecurity test 
    beds in existence on the date of enactment of this Act to inform 
    the grants under paragraph (2). The review shall include an 
    assessment of whether a sufficient number of cybersecurity test 
    beds are available to meet the research needs under the Federal 
    cybersecurity research and development strategic plan. Upon 
    completion, the Director shall submit the review to the Committee 
    on Commerce, Science, and Transportation of the Senate and the 
    Committee on Science, Space, and Technology of the House of 
    Representatives.
        (2) Additional cybersecurity modeling and test beds.--
            (A) In general.--If the Director of the National Science 
        Foundation, after the review under paragraph (1), determines 
        that the research needs under the Federal cybersecurity 
        research and development strategic plan require the 
        establishment of additional cybersecurity test beds, the 
        Director of the National Science Foundation, in coordination 
        with the Secretary of Commerce and the Secretary of Homeland 
        Security, may award grants to institutions of higher education 
        or research and development non-profit institutions to 
        establish cybersecurity test beds.
            (B) Requirement.--The cybersecurity test beds under 
        subparagraph (A) shall be sufficiently robust in order to model 
        the scale and complexity of real-time cyber attacks and 
        defenses on real world networks and environments.
            (C) Assessment required.--The Director of the National 
        Science Foundation, in coordination with the Secretary of 
        Commerce and the Secretary of Homeland Security, shall evaluate 
        the effectiveness of any grants awarded under this subsection 
        in meeting the objectives of the Federal cybersecurity research 
        and development strategic plan not later than 2 years after the 
        review under paragraph (1) of this subsection, and periodically 
        thereafter.
    (d) Coordination With Other Research Initiatives.--In accordance 
with the responsibilities under section 101 of the High-Performance 
Computing Act of 1991 (15 U.S.C. 5511), the Director of the Office of 
Science and Technology Policy shall coordinate, to the extent 
practicable, Federal research and development activities under this 
section with other ongoing research and development security-related 
initiatives, including research being conducted by--
        (1) the National Science Foundation;
        (2) the National Institute of Standards and Technology;
        (3) the Department of Homeland Security;
        (4) other Federal agencies;
        (5) other Federal and private research laboratories, research 
    entities, and universities;
        (6) institutions of higher education;
        (7) relevant nonprofit organizations; and
        (8) international partners of the United States.
    (e) National Science Foundation Computer and Network Security 
Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research 
and Development Act (15 U.S.C. 7403(a)(1)) is amended--
        (1) in subparagraph (H), by striking ``and'' at the end;
        (2) in subparagraph (I), by striking the period at the end and 
    inserting a semicolon; and
        (3) by adding at the end the following:
            ``(J) secure fundamental protocols that are integral to 
        inter-network communications and data exchange;
            ``(K) secure software engineering and software assurance, 
        including--
                ``(i) programming languages and systems that include 
            fundamental security features;
                ``(ii) portable or reusable code that remains secure 
            when deployed in various environments;
                ``(iii) verification and validation technologies to 
            ensure that requirements and specifications have been 
            implemented; and
                ``(iv) models for comparison and metrics to assure that 
            required standards have been met;
            ``(L) holistic system security that--
                ``(i) addresses the building of secure systems from 
            trusted and untrusted components;
                ``(ii) proactively reduces vulnerabilities;
                ``(iii) addresses insider threats; and
                ``(iv) supports privacy in conjunction with improved 
            security;
            ``(M) monitoring and detection;
            ``(N) mitigation and rapid recovery methods;
            ``(O) security of wireless networks and mobile devices; and
            ``(P) security of cloud infrastructure and services.''.
    (f) Research on the Science of Cybersecurity.--The head of each 
agency and department identified under section 101(a)(3)(B) of the 
High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)(B)), 
through existing programs and activities, shall support research that 
will lead to the development of a scientific foundation for the field 
of cybersecurity, including research that increases understanding of 
the underlying principles of securing complex networked systems, 
enables repeatable experimentation, and creates quantifiable security 
metrics.
    SEC. 202. COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.
    Section 4(b) of the Cyber Security Research and Development Act (15 
U.S.C. 7403(b)) is amended--
        (1) in paragraph (3), by striking ``the research areas'' and 
    inserting the following: ``improving the security and resiliency of 
    information technology, reducing cyber vulnerabilities, and 
    anticipating and mitigating consequences of cyber attacks on 
    critical infrastructure, by conducting research in the areas'';
        (2) by striking ``the center'' in paragraph (4)(D) and 
    inserting ``the Center''; and
        (3) in paragraph (5)--
            (A) by striking ``and'' at the end of subparagraph (C);
            (B) by striking the period at the end of subparagraph (D) 
        and inserting a semicolon; and
            (C) by adding at the end the following:
            ``(E) the demonstrated capability of the applicant to 
        conduct high performance computation integral to complex 
        computer and network security research, through on-site or off-
        site computing;
            ``(F) the applicant's affiliation with private sector 
        entities involved with industrial research described in 
        subsection (a)(1);
            ``(G) the capability of the applicant to conduct research 
        in a secure environment;
            ``(H) the applicant's affiliation with existing research 
        programs of the Federal Government;
            ``(I) the applicant's experience managing public-private 
        partnerships to transition new technologies into a commercial 
        setting or the government user community;
            ``(J) the capability of the applicant to conduct 
        interdisciplinary cybersecurity research, basic and applied, 
        such as in law, economics, or behavioral sciences; and
            ``(K) the capability of the applicant to conduct research 
        in areas such as systems security, wireless security, 
        networking and protocols, formal methods and high-performance 
        computing, nanotechnology, or industrial control systems.''.
    SEC. 203. CYBERSECURITY AUTOMATION AND CHECKLISTS FOR GOVERNMENT 
      SYSTEMS.
    Section 8(c) of the Cyber Security Research and Development Act (15 
U.S.C. 7406(c)) is amended to read as follows:
    ``(c) Security Automation and Checklists for Government Systems.--
        ``(1) In general.--The Director of the National Institute of 
    Standards and Technology shall, as necessary, develop and revise 
    security automation standards, associated reference materials 
    (including protocols), and checklists providing settings and option 
    selections that minimize the security risks associated with each 
    information technology hardware or software system and security 
    tool that is, or is likely to become, widely used within the 
    Federal Government, thereby enabling standardized and interoperable 
    technologies, architectures, and frameworks for continuous 
    monitoring of information security within the Federal Government.
        ``(2) Priorities for development.--The Director of the National 
    Institute of Standards and Technology shall establish priorities 
    for the development of standards, reference materials, and 
    checklists under this subsection on the basis of--
            ``(A) the security risks associated with the use of the 
        system;
            ``(B) the number of agencies that use a particular system 
        or security tool;
            ``(C) the usefulness of the standards, reference materials, 
        or checklists to Federal agencies that are users or potential 
        users of the system;
            ``(D) the effectiveness of the associated standard, 
        reference material, or checklist in creating or enabling 
        continuous monitoring of information security; or
            ``(E) such other factors as the Director of the National 
        Institute of Standards and Technology determines to be 
        appropriate.
        ``(3) Excluded systems.--The Director of the National Institute 
    of Standards and Technology may exclude from the application of 
    paragraph (1) any information technology hardware or software 
    system or security tool for which such Director determines that the 
    development of a standard, reference material, or checklist is 
    inappropriate because of the infrequency of use of the system, the 
    obsolescence of the system, or the lack of utility or 
    impracticability of developing a standard, reference material, or 
    checklist for the system.
        ``(4) Dissemination of standards and related materials.--The 
    Director of the National Institute of Standards and Technology 
    shall ensure that Federal agencies are informed of the availability 
    of any standard, reference material, checklist, or other item 
    developed under this subsection.
        ``(5) Agency use requirements.--The development of standards, 
    reference materials, and checklists under paragraph (1) for an 
    information technology hardware or software system or tool does 
    not--
            ``(A) require any Federal agency to select the specific 
        settings or options recommended by the standard, reference 
        material, or checklist for the system;
            ``(B) establish conditions or prerequisites for Federal 
        agency procurement or deployment of any such system;
            ``(C) imply an endorsement of any such system by the 
        Director of the National Institute of Standards and Technology; 
        or
            ``(D) preclude any Federal agency from procuring or 
        deploying other information technology hardware or software 
        systems for which no such standard, reference material, or 
        checklist has been developed or identified under paragraph 
        (1).''.
    SEC. 204. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 
      CYBERSECURITY RESEARCH AND DEVELOPMENT.
    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is amended--
        (1) by redesignating subsection (e) as subsection (f); and
        (2) by inserting after subsection (d) the following:
    ``(e) Intramural Security Research.--As part of the research 
activities conducted in accordance with subsection (d)(3), the 
Institute shall, to the extent practicable and appropriate--
        ``(1) conduct a research program to develop a unifying and 
    standardized identity, privilege, and access control management 
    framework for the execution of a wide variety of resource 
    protection policies and that is amenable to implementation within a 
    wide variety of existing and emerging computing environments;
        ``(2) carry out research associated with improving the security 
    of information systems and networks;
        ``(3) carry out research associated with improving the testing, 
    measurement, usability, and assurance of information systems and 
    networks;
        ``(4) carry out research associated with improving security of 
    industrial control systems;
        ``(5) carry out research associated with improving the security 
    and integrity of the information technology supply chain; and
        ``(6) carry out any additional research the Institute 
    determines appropriate.''.

             TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT

    SEC. 301. CYBERSECURITY COMPETITIONS AND CHALLENGES.
    (a) In General.--The Secretary of Commerce, Director of the 
National Science Foundation, and Secretary of Homeland Security, in 
consultation with the Director of the Office of Personnel Management, 
shall--
        (1) support competitions and challenges under section 24 of the 
    Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3719) 
    (as amended by section 105 of the America COMPETES Reauthorization 
    Act of 2010 (124 Stat. 3989)) or any other provision of law, as 
    appropriate--
            (A) to identify, develop, and recruit talented individuals 
        to perform duties relating to the security of information 
        technology in Federal, State, local, and tribal government 
        agencies, and the private sector; or
            (B) to stimulate innovation in basic and applied 
        cybersecurity research, technology development, and prototype 
        demonstration that has the potential for application to the 
        information technology activities of the Federal Government; 
        and
        (2) ensure the effective operation of the competitions and 
    challenges under this section.
    (b) Participation.--Participants in the competitions and challenges 
under subsection (a)(1) may include--
        (1) students enrolled in grades 9 through 12;
        (2) students enrolled in a postsecondary program of study 
    leading to a baccalaureate degree at an institution of higher 
    education;
        (3) students enrolled in a postbaccalaureate program of study 
    at an institution of higher education;
        (4) institutions of higher education and research institutions;
        (5) veterans; and
        (6) other groups or individuals that the Secretary of Commerce, 
    Director of the National Science Foundation, and Secretary of 
    Homeland Security determine appropriate.
    (c) Affiliation and Cooperative Agreements.--Competitions and 
challenges under this section may be carried out through affiliation 
and cooperative agreements with--
        (1) Federal agencies;
        (2) regional, State, or school programs supporting the 
    development of cyber professionals;
        (3) State, local, and tribal governments; or
        (4) other private sector organizations.
    (d) Areas of Skill.--Competitions and challenges under subsection 
(a)(1)(A) shall be designed to identify, develop, and recruit 
exceptional talent relating to--
        (1) ethical hacking;
        (2) penetration testing;
        (3) vulnerability assessment;
        (4) continuity of system operations;
        (5) security in design;
        (6) cyber forensics;
        (7) offensive and defensive cyber operations; and
        (8) other areas the Secretary of Commerce, Director of the 
    National Science Foundation, and Secretary of Homeland Security 
    consider necessary to fulfill the cybersecurity mission.
    (e) Topics.--In selecting topics for competitions and challenges 
under subsection (a)(1), the Secretary of Commerce, Director of the 
National Science Foundation, and Secretary of Homeland Security--
        (1) shall consult widely both within and outside the Federal 
    Government; and
        (2) may empanel advisory committees.
    (f) Internships.--The Director of the Office of Personnel 
Management may support, as appropriate, internships or other work 
experience in the Federal Government to the winners of the competitions 
and challenges under this section.
    SEC. 302. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
    (a) In General.--The Director of the National Science Foundation, 
in coordination with the Director of the Office of Personnel Management 
and Secretary of Homeland Security, shall continue a Federal cyber 
scholarship-for-service program to recruit and train the next 
generation of information technology professionals, industrial control 
system security professionals, and security managers to meet the needs 
of the cybersecurity mission for Federal, State, local, and tribal 
governments.
    (b) Program Description and Components.--The Federal Cyber 
Scholarship-for-Service Program shall--
        (1) provide scholarships through qualified institutions of 
    higher education, including community colleges, to students who are 
    enrolled in programs of study at institutions of higher education 
    leading to degrees or specialized program certifications in the 
    cybersecurity field;
        (2) provide the scholarship recipients with summer internship 
    opportunities or other meaningful temporary appointments in the 
    Federal information technology workforce; and
        (3) prioritize the employment placement of scholarship 
    recipients in the Federal Government.
    (c) Scholarship Amounts.--Each scholarship under subsection (b) 
shall be in an amount that covers the student's tuition and fees at the 
institution under subsection (b)(1) for not more than 3 years and 
provides the student with an additional stipend.
    (d) Post-award Employment Obligations.--Each scholarship recipient, 
as a condition of receiving a scholarship under the program, shall 
enter into an agreement under which the recipient agrees to work in the 
cybersecurity mission of a Federal, State, local, or tribal agency for 
a period equal to the length of the scholarship following receipt of 
the student's degree.
    (e) Hiring Authority.--
        (1) Appointment in excepted service.--Notwithstanding any 
    provision of chapter 33 of title 5, United States Code, governing 
    appointments in the competitive service, an agency shall appoint in 
    the excepted service an individual who has completed the eligible 
    degree program for which a scholarship was awarded.
        (2) Noncompetitive conversion.--Except as provided in paragraph 
    (4), upon fulfillment of the service term, an employee appointed 
    under paragraph (1) may be converted noncompetitively to term, 
    career-conditional or career appointment.
        (3) Timing of conversion.--An agency may noncompetitively 
    convert a term employee appointed under paragraph (2) to a career-
    conditional or career appointment before the term appointment 
    expires.
        (4) Authority to decline conversion.--An agency may decline to 
    make the noncompetitive conversion or appointment under paragraph 
    (2) for cause.
    (f) Eligibility.--To be eligible to receive a scholarship under 
this section, an individual shall--
        (1) be a citizen or lawful permanent resident of the United 
    States;
        (2) demonstrate a commitment to a career in improving the 
    security of information technology;
        (3) have demonstrated a high level of proficiency in 
    mathematics, engineering, or computer sciences;
        (4) be a full-time student in an eligible degree program at a 
    qualified institution of higher education, as determined by the 
    Director of the National Science Foundation; and
        (5) accept the terms of a scholarship under this section.
    (g) Conditions of Support.--
        (1) In general.--As a condition of receiving a scholarship 
    under this section, a recipient shall agree to provide the 
    qualified institution of higher education with annual verifiable 
    documentation of post-award employment and up-to-date contact 
    information.
        (2) Terms.--A scholarship recipient under this section shall be 
    liable to the United States as provided in subsection (i) if the 
    individual--
            (A) fails to maintain an acceptable level of academic 
        standing at the applicable institution of higher education, as 
        determined by the Director of the National Science Foundation;
            (B) is dismissed from the applicable institution of higher 
        education for disciplinary reasons;
            (C) withdraws from the eligible degree program before 
        completing the program;
            (D) declares that the individual does not intend to fulfill 
        the post-award employment obligation under this section; or
            (E) fails to fulfill the post-award employment obligation 
        of the individual under this section.
    (h) Monitoring Compliance.--As a condition of participating in the 
program, a qualified institution of higher education shall--
        (1) enter into an agreement with the Director of the National 
    Science Foundation, to monitor the compliance of scholarship 
    recipients with respect to their post-award employment obligations; 
    and
        (2) provide to the Director of the National Science Foundation, 
    on an annual basis, the post-award employment documentation 
    required under subsection (g)(1) for scholarship recipients through 
    the completion of their post-award employment obligations.
    (i) Amount of Repayment.--
        (1) Less than 1 year of service.--If a circumstance described 
    in subsection (g)(2) occurs before the completion of 1 year of a 
    post-award employment obligation under this section, the total 
    amount of scholarship awards received by the individual under this 
    section shall--
            (A) be repaid; or
            (B) be treated as a loan to be repaid in accordance with 
        subsection (j).
        (2) 1 or more years of service.--If a circumstance described in 
    subparagraph (D) or (E) of subsection (g)(2) occurs after the 
    completion of 1 or more years of a post-award employment obligation 
    under this section, the total amount of scholarship awards received 
    by the individual under this section, reduced by the ratio of the 
    number of years of service completed divided by the number of years 
    of service required, shall--
            (A) be repaid; or
            (B) be treated as a loan to be repaid in accordance with 
        subsection (j).
    (j) Repayments.--A loan described subsection (i) shall--
        (1) be treated as a Federal Direct Unsubsidized Stafford Loan 
    under part D of title IV of the Higher Education Act of 1965 (20 
    U.S.C. 1087a et seq.); and
        (2) be subject to repayment, together with interest thereon 
    accruing from the date of the scholarship award, in accordance with 
    terms and conditions specified by the Director of the National 
    Science Foundation (in consultation with the Secretary of 
    Education) in regulations promulgated to carry out this subsection.
    (k) Collection of Repayment.--
        (1) In general.--In the event that a scholarship recipient is 
    required to repay the scholarship award under this section, the 
    qualified institution of higher education providing the scholarship 
    shall--
            (A) determine the repayment amounts and notify the 
        recipient and the Director of the National Science Foundation 
        of the amounts owed; and
            (B) collect the repayment amounts within a period of time 
        as determined by the Director of the National Science 
        Foundation, or the repayment amounts shall be treated as a loan 
        in accordance with subsection (j).
        (2) Returned to treasury.--Except as provided in paragraph (3), 
    any repayment under this subsection shall be returned to the 
    Treasury of the United States.
        (3) Retain percentage.--A qualified institution of higher 
    education may retain a percentage of any repayment the institution 
    collects under this subsection to defray administrative costs 
    associated with the collection. The Director of the National 
    Science Foundation shall establish a single, fixed percentage that 
    will apply to all eligible entities.
    (l) Exceptions.--The Director of the National Science Foundation 
may provide for the partial or total waiver or suspension of any 
service or payment obligation by an individual under this section 
whenever compliance by the individual with the obligation is impossible 
or would involve extreme hardship to the individual, or if enforcement 
of such obligation with respect to the individual would be 
unconscionable.
    (m) Evaluation and Report.--The Director of the National Science 
Foundation shall evaluate and report periodically to Congress on the 
success of recruiting individuals for scholarships under this section 
and on hiring and retaining those individuals in the public sector 
workforce.

           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

    SEC. 401. NATIONAL CYBERSECURITY AWARENESS AND EDUCATION PROGRAM.
    (a) National Cybersecurity Awareness and Education Program.--The 
Director of the National Institute of Standards and Technology 
(referred to in this section as the ``Director''), in consultation with 
appropriate Federal agencies, industry, educational institutions, 
National Laboratories, the Networking and Information Technology 
Research and Development program, and other organizations shall 
continue to coordinate a national cybersecurity awareness and education 
program, that includes activities such as--
        (1) the widespread dissemination of cybersecurity technical 
    standards and best practices identified by the Director;
        (2) efforts to make cybersecurity best practices usable by 
    individuals, small to medium-sized businesses, educational 
    institutions, and State, local, and tribal governments;
        (3) increasing public awareness of cybersecurity, cyber safety, 
    and cyber ethics;
        (4) increasing the understanding of State, local, and tribal 
    governments, institutions of higher education, and private sector 
    entities of--
            (A) the benefits of ensuring effective risk management of 
        information technology versus the costs of failure to do so; 
        and
            (B) the methods to mitigate and remediate vulnerabilities;
        (5) supporting formal cybersecurity education programs at all 
    education levels to prepare and improve a skilled cybersecurity and 
    computer science workforce for the private sector and Federal, 
    State, local, and tribal government; and
        (6) promoting initiatives to evaluate and forecast future 
    cybersecurity workforce needs of the Federal Government and develop 
    strategies for recruitment, training, and retention.
    (b) Considerations.--In carrying out the authority described in 
subsection (a), the Director, in consultation with appropriate Federal 
agencies, shall leverage existing programs designed to inform the 
public of safety and security of products or services, including self-
certifications and independently verified assessments regarding the 
quantification and valuation of information security risk.
    (c) Strategic Plan.--The Director, in cooperation with relevant 
Federal agencies and other stakeholders, shall build upon programs and 
plans in effect as of the date of enactment of this Act to develop and 
implement a strategic plan to guide Federal programs and activities in 
support of the national cybersecurity awareness and education program 
under subsection (a).
    (d) Report.--Not later than 1 year after the date of enactment of 
this Act, and every 5 years thereafter, the Director shall transmit the 
strategic plan under subsection (c) to the Committee on Commerce, 
Science, and Transportation of the Senate and the Committee on Science, 
Space, and Technology of the House of Representatives.

       TITLE V--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

    SEC. 501. DEFINITIONS.
    In this title:
        (1) Director.--The term ``Director'' means the Director of the 
    National Institute of Standards and Technology.
        (2) Institute.--The term ``Institute'' means the National 
    Institute of Standards and Technology.
    SEC. 502. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
    (a) In General.--The Director, in coordination with appropriate 
Federal authorities, shall--
        (1) as appropriate, ensure coordination of Federal agencies 
    engaged in the development of international technical standards 
    related to information system security; and
        (2) not later than 1 year after the date of enactment of this 
    Act, develop and transmit to Congress a plan for ensuring such 
    Federal agency coordination.
    (b) Consultation With the Private Sector.--In carrying out the 
activities specified in subsection (a)(1), the Director shall ensure 
consultation with appropriate private sector stakeholders.
    SEC. 503. CLOUD COMPUTING STRATEGY.
    (a) In General.--The Director, in coordination with the Office of 
Management and Budget, in collaboration with the Federal Chief 
Information Officers Council, and in consultation with other relevant 
Federal agencies and stakeholders from the private sector, shall 
continue to develop and encourage the implementation of a comprehensive 
strategy for the use and adoption of cloud computing services by the 
Federal Government.
    (b) Activities.--In carrying out the strategy described under 
subsection (a), the Director shall give consideration to activities 
that--
        (1) accelerate the development, in collaboration with the 
    private sector, of standards that address interoperability and 
    portability of cloud computing services;
        (2) advance the development of conformance testing performed by 
    the private sector in support of cloud computing standardization; 
    and
        (3) support, in coordination with the Office of Management and 
    Budget, and in consultation with the private sector, the 
    development of appropriate security frameworks and reference 
    materials, and the identification of best practices, for use by 
    Federal agencies to address security and privacy requirements to 
    enable the use and adoption of cloud computing services, including 
    activities--
            (A) to ensure the physical security of cloud computing data 
        centers and the data stored in such centers;
            (B) to ensure secure access to the data stored in cloud 
        computing data centers;
            (C) to develop security standards as required under section 
        20 of the National Institute of Standards and Technology Act 
        (15 U.S.C. 278g-3); and
            (D) to support the development of the automation of 
        continuous monitoring systems.
    SEC. 504. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
    The Director shall continue a program to support the development of 
voluntary and cost-effective technical standards, metrology, testbeds, 
and conformance criteria, taking into account appropriate user 
concerns--
        (1) to improve interoperability among identity management 
    technologies;
        (2) to strengthen authentication methods of identity management 
    systems;
        (3) to improve privacy protection in identity management 
    systems, including health information technology systems, through 
    authentication and security protocols; and
        (4) to improve the usability of identity management systems.

                               Speaker of the House of Representatives.

                            Vice President of the United States and    
                                               President of the Senate.