

 S1353 ENR: Cybersecurity Enhancement Act of 2014
U.S. Senate

text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



One Hundred Thirteenth Congress of the United States of America2d SessionBegun and held at the City of Washington on Friday, the third day of January, two thousand and
			 fourteenS. 1353IN THE SENATE OF THE UNITED STATESAN ACTTo provide for an ongoing, voluntary public-private
		  partnership to improve cybersecurity, and to strengthen cybersecurity research
		  and development, workforce development and education, and public awareness and
		  preparedness, and for other purposes.1.Short title; table of
			 contents(a)Short
			 titleThis Act may be cited
			 as the Cybersecurity Enhancement Act of 2014.(b)Table of
			 contentsThe table of
			 contents of this Act is as follows:Sec. 1. Short title; table of contents.Sec. 2. Definitions.Sec. 3. No regulatory authority.Sec. 4. No additional funds authorized.TITLE I—Public-private collaboration on cybersecuritySec. 101. Public-private collaboration on cybersecurity.TITLE II—Cybersecurity research and developmentSec. 201. Federal cybersecurity research and development.Sec. 202. Computer and network security research centers.Sec. 203. Cybersecurity automation and checklists for government systems.Sec. 204. National Institute of Standards and Technology cybersecurity research and development.TITLE III—Education and Workforce DevelopmentSec. 301.  Cybersecurity competitions and challenges.Sec. 302. Federal cyber scholarship-for-service program.TITLE IV—Cybersecurity Awareness and PreparednessSec. 401. National cybersecurity awareness and education program.TITLE V—Advancement of cybersecurity technical standardsSec. 501. Definitions.Sec. 502. International cybersecurity technical standards.Sec. 503. Cloud computing strategy.Sec. 504. Identity management research and development.2.DefinitionsIn this Act:(1)Cybersecurity
			 missionThe term cybersecurity mission means
			 activities that encompass the full range of threat reduction,
			 vulnerability
			 reduction, deterrence, international engagement, incident response,
			 resiliency,
			 and recovery policies and activities, including computer network
			 operations,
			 information assurance, law enforcement, diplomacy, military, and
			 intelligence
			 missions as such activities relate to the security and stability of
			 cyberspace.(2)Information
			 systemThe term information system has the meaning
			 given that term in section 3502 of title 44, United States Code.3.No regulatory
			 authorityNothing in this Act
			 shall be construed to confer any regulatory authority on any Federal,
			 State,
			 tribal, or local department or agency.4.No additional funds authorizedNo additional funds are authorized to carry out this Act, and the amendments made by this Act. This
			 Act, and the amendments made by this Act, shall be carried out using
			 amounts otherwise authorized or appropriated.IPublic-private
			 collaboration on cybersecurity101.Public-private
			 collaboration on cybersecurity(a)CybersecuritySection
			 2(c) of the National Institute of Standards and Technology Act (15 U.S.C.
			 272(c)) is amended—(1)by redesignating
			 paragraphs (15) through (22) as paragraphs (16) through (23),
			 respectively;
			 and(2)by inserting after
			 paragraph (14) the following:(15)on an ongoing basis,
				facilitate and support the development of a voluntary,
			 consensus-based, industry-led
			 set of
				standards, guidelines, best practices, methodologies, procedures,
			 and processes
				to cost-effectively reduce cyber risks to critical infrastructure
			 (as defined under
			 subsection
				(e));.(b)Scope and
			 limitationsSection 2 of the National Institute of Standards and
			 Technology Act (15 U.S.C. 272) is amended by adding at the end the
			 following:(e)Cyber risks(1)In
				generalIn carrying out the activities under subsection (c)(15),
				the Director—(A)shall—(i)coordinate closely and
				regularly with relevant private sector personnel and entities,
			 critical
				infrastructure owners and operators, and other relevant industry
			 organizations, including Sector Coordinating Councils and
			 Information
				Sharing and Analysis Centers, and
				incorporate industry expertise;(ii)consult with the heads
				of agencies with national security responsibilities,
			 sector-specific agencies and other appropriate agencies,
				State and local governments, the governments of other nations, and
				international organizations;(iii)identify a prioritized,
				flexible, repeatable, performance-based, and cost-effective
			 approach, including
				information security measures and controls, that may be voluntarily
			 adopted by
				owners and operators of critical infrastructure to help them
			 identify, assess,
				and manage cyber risks;(iv)include
				methodologies—(I)to identify and mitigate
				impacts of the cybersecurity measures or controls on business
			 confidentiality;
				and(II)to protect individual
				privacy and civil liberties;(v)incorporate voluntary
				consensus standards and industry best practices;(vi)align with voluntary
				international standards to the fullest extent possible;(vii)prevent duplication of
				regulatory processes and prevent conflict with or superseding of
			 regulatory
				requirements, mandatory standards, and related processes; and(viii)include such other
				similar and consistent elements as the Director considers
			 necessary; and(B)shall not prescribe or
				otherwise require—(i)the use of specific
				solutions;(ii)the use of specific
				information or communications technology products or services; or(iii)that information or
				communications technology products or services be designed,
			 developed, or
				manufactured in a particular manner.(2)LimitationInformation
				shared with or provided to the Institute for the purpose of the
			 activities
				described under subsection (c)(15) shall not be used by any
			 Federal, State,
				tribal, or local department or agency to regulate the activity of
			 any
				entity. Nothing in this paragraph
			 shall be construed to modify any regulatory requirement to report or
			 submit information to a Federal, State, tribal, or local
			 department or agency.(3)DefinitionsIn
				this subsection:(A)Critical
				infrastructureThe term critical infrastructure has
				the meaning given the term in section 1016(e) of the USA PATRIOT
			 Act of 2001
				(42 U.S.C. 5195c(e)).(B)Sector-specific
				agencyThe term sector-specific agency means the
				Federal department or agency responsible for providing
			 institutional knowledge
				and specialized expertise as well as leading, facilitating, or
			 supporting the
				security and resilience programs and associated activities of its
			 designated
				critical infrastructure sector in the all-hazards
				environment..(c)Study and
			 reports(1)StudyThe
			 Comptroller General of the United States shall conduct a study that
			 assesses—(A)the progress made by the
			 Director of the National Institute of Standards and Technology in
			 facilitating
			 the development of standards and procedures to reduce cyber risks to
			 critical
			 infrastructure in accordance with section 2(c)(15) of the National
			 Institute of
			 Standards and Technology Act, as added by this section;(B)the extent to which the
			 Director's facilitation efforts are consistent with the directive in such
			 section that the development of such standards and procedures be voluntary
			 and
			 led by industry representatives;(C)the extent to which
			 other Federal agencies have promoted  and sectors of critical
			 infrastructure (as defined in section 1016(e) of the
			 USA
			 PATRIOT Act of 2001 (42 U.S.C. 5195c(e))) have adopted a voluntary,
			 industry-led set of standards, guidelines, best practices, methodologies,
			 procedures, and processes to reduce cyber risks to critical infrastructure
			 in
			 accordance with such section 2(c)(15);(D)the reasons behind the
			 decisions of sectors of critical infrastructure (as defined in
			 subparagraph
			 (C)) to adopt or to not adopt the voluntary standards described in
			 subparagraph
			 (C); and(E)the extent to which such
			 voluntary standards have proved successful in protecting critical
			 infrastructure from cyber threats.(2)ReportsNot
			 later than 1 year after the date of the enactment of this Act, and every 2
			 years thereafter for the following 6 years, the Comptroller General shall
			 submit a report, which summarizes the findings of the study conducted
			 under
			 paragraph (1), to the
			 Committee on Commerce, Science, and
			 Transportation of the Senate and the
			 Committee on Science, Space, and Technology of
			 the House of Representatives.IICybersecurity research
			 and development201.Federal cybersecurity
			 research and development(a)Fundamental
			 cybersecurity research(1)Federal cybersecurity research and development
			 strategic planThe heads of the applicable agencies and departments,
			 working through the National Science and Technology
			 Council and the Networking and Information Technology Research and
			 Development Program, shall develop and update every 4 years a Federal
			 cybersecurity
			 research and development strategic plan (referred to in this subsection as
			 the strategic plan)  based on
			 an assessment of cybersecurity risk to guide the overall direction of
			 Federal cybersecurity and information assurance research and development
			 for information technology and networking systems.  The heads of the
			 applicable agencies and departments shall
			 build upon existing programs and
			 plans to develop the strategic plan to meet objectives in cybersecurity,
			 such as—(A)how to design and build
			 complex software-intensive systems that are secure and reliable when first
			 deployed;(B)how to test and verify
			 that software and hardware, whether developed locally or obtained from a
			 third
			 party, is free of significant known security flaws;(C)how to test and verify
			 that software and hardware obtained from a third party correctly
			 implements
			 stated functionality, and only that functionality;(D)how to guarantee the
			 privacy of an individual, including that individual's identity,
			 information,
			 and lawful transactions when stored in distributed systems or transmitted
			 over
			 networks;(E)how to build new
			 protocols to enable the Internet to have robust security as one of the key
			 capabilities of the Internet;(F)how to determine the
			 origin of a message transmitted over the Internet;(G)how to support privacy in
			 conjunction with improved security;(H)how to address the problem of insider threats;(I)how improved consumer
			 education and digital literacy initiatives can address human factors that
			 contribute to cybersecurity;(J)how to protect
			 information processed, transmitted, or stored using cloud computing or
			 transmitted through wireless services; and(K)any additional objectives
			 the heads of the applicable agencies and departments, in
			 coordination
			 with the head of any relevant Federal agency and with input from
			 stakeholders,
			 including appropriate national laboratories, industry, and academia,
			 determine
			 appropriate.(2)Requirements(A)Contents of planThe strategic plan shall—(i)specify and prioritize near-term, mid-term, and long-term research
			 objectives, including objectives associated with the research identified
			 in section
			 4(a)(1) of
			 the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(1));(ii)specify how the near-term objectives described in clause (i) complement research and development
			 areas in which the private sector is actively engaged;(iii)describe how the heads of the applicable agencies and departments will focus on innovative,
			 transformational technologies with the potential to enhance the
			 security, reliability, resilience, and trustworthiness of the digital
			 infrastructure, and to protect consumer privacy;(iv)describe how the heads of the applicable agencies and departments will foster the rapid transfer of
			 research and development results into new cybersecurity
			 technologies and applications for the timely benefit of society and the
			 national interest, including through the dissemination of best practices
			 and other outreach activities;(v)describe how the heads of the applicable agencies and departments will establish and maintain a
			 national research infrastructure for creating, testing, and
			 evaluating the next generation of secure networking and information
			 technology systems; and(vi)describe how the heads of the applicable agencies and departments will facilitate access by
			 academic researchers to the infrastructure described in clause (v), as
			 well as to relevant data, including event data.(B)Private sector
			 effortsIn developing, implementing, and updating the strategic plan, the heads of the applicable agencies
			 and departments, working through the National Science
			 and Technology Council and Networking and Information Technology Research
			 and Development Program,  shall work in close cooperation with
			 industry,
			 academia, and other interested stakeholders to ensure, to the extent
			 possible,
			 that Federal cybersecurity research and development is not duplicative of
			 private sector efforts.(C)RecommendationsIn developing and updating the strategic plan the heads of the applicable agencies and departments
			 shall solicit recommendations and advice from—(i)the advisory committee established under section 101(b)(1) of the High-Performance Computing Act of
			 1991 (15 U.S.C. 5511(b)(1)); and(ii)a wide range of stakeholders, including industry, academia, including representatives of minority
			 serving institutions and community colleges, National Laboratories, and
			 other relevant organizations and institutions.(D)Implementation roadmapThe heads of the applicable agencies and departments, working through the National Science
			 and Technology Council and Networking and Information Technology Research
			 and Development Program, shall develop and annually update an
			 implementation roadmap for the strategic plan. The implementation roadmap
			 shall—(i)specify the role of each Federal agency in carrying out or sponsoring research and development to
			 meet the research objectives of the strategic plan, including a
			 description of how progress toward the research objectives will be
			 evaluated;(ii)specify the funding allocated to each major research objective of the strategic plan and the source
			 of funding by agency for the current fiscal year;(iii)estimate the funding required for each major research objective of the strategic plan for the
			 following 3 fiscal years; and(iv)track ongoing and completed Federal cybersecurity research and development projects.(3)Reports to CongressThe heads of the applicable agencies and departments, working through the National Science and
			 Technology Council and Networking and Information Technology Research and
			 Development Program, shall submit to the Committee on Commerce, Science,
			 and Transportation of the Senate and the Committee on Science, Space, and
			 Technology of the House of Representatives—(A)the strategic plan not later than 1 year after the date of enactment of this Act;(B)each quadrennial update to the strategic plan; and(C)the implementation roadmap under subparagraph (D), and its annual updates, which shall be appended
			 to the
			 annual report required under section 101(a)(2)(D) of the High-Performance
			 Computing Act of 1991 (15 U.S.C. 5511(a)(2)(D)).(4)Definition of applicable agencies and departmentsIn this subsection, the term applicable agencies and departments means the agencies and departments identified in clauses (i) through (x) of  section 101(a)(3)(B)
			 of the High-Performance
			 Computing
			 Act of
			 1991 (15 U.S.C. 5511(a)(3)(B)) or designated under clause (xi) of that
			 section.(b)Cybersecurity practices
			 researchThe Director of the National Science Foundation shall
			 support research that—(1)develops, evaluates,
			 disseminates, and integrates new cybersecurity practices and concepts into
			 the
			 core curriculum of computer science programs and of other programs where
			 graduates of such programs have a substantial probability of developing
			 software after graduation, including new practices and concepts relating
			 to
			 secure coding education and improvement programs; and(2)develops new models for
			 professional development of faculty in cybersecurity education, including
			 secure coding development.(c)Cybersecurity modeling
			 and test beds(1)ReviewNot
			 later than 1 year after the date of enactment of this Act, the Director
			 of the
			 National Science Foundation, in coordination with the Director of the
			 Office of
			 Science and Technology Policy, shall conduct a review of cybersecurity
			 test
			 beds in existence on the date of enactment of this Act to inform the
			 grants
			 under paragraph (2). The review shall include an assessment of whether a
			 sufficient number of cybersecurity test beds are available to meet the
			 research
			 needs under the Federal cybersecurity research and development strategic
			 plan. Upon
			 completion, the Director shall submit the review to the Committee on
			 Commerce, Science, and Transportation of the Senate and the Committee on
			 Science, Space, and Technology of the House of Representatives.(2)Additional
			 cybersecurity modeling and test beds(A)In
			 generalIf the Director of the National Science Foundation, after
			 the review under paragraph (1), determines that the research needs under
			 the
			 Federal cybersecurity research and development strategic plan require the
			 establishment
			 of additional cybersecurity test beds, the Director of the National
			 Science
			 Foundation, in coordination with the Secretary of Commerce and the
			 Secretary of
			 Homeland Security, may award grants to institutions of higher education or
			 research and development non-profit institutions to establish
			 cybersecurity
			 test beds.(B)RequirementThe
			 cybersecurity test beds under subparagraph (A) shall be sufficiently
			 robust
			 in
			 order to model the scale and complexity of real-time cyber attacks and
			 defenses
			 on real world networks and environments.(C)Assessment
			 requiredThe Director of the National Science Foundation, in
			 coordination with the Secretary of Commerce and the Secretary of Homeland
			 Security, shall evaluate the effectiveness of any grants awarded under
			 this
			 subsection in meeting the objectives of the Federal cybersecurity research
			 and
			 development strategic plan not later than 2 years after the
			 review
			 under paragraph (1) of this subsection, and periodically thereafter.(d)Coordination With Other
			 Research InitiativesIn accordance with the responsibilities
			 under section 101 of the High-Performance Computing Act of 1991 (15 U.S.C.
			 5511), the Director of the Office of Science and Technology Policy shall
			 coordinate, to the extent practicable, Federal research and development
			 activities under this section with other ongoing research and development
			 security-related initiatives, including research being conducted by—(1)the National Science
			 Foundation;(2)the National Institute of
			 Standards and Technology;(3)the Department of
			 Homeland Security;(4)other Federal
			 agencies;(5)other Federal and private
			 research laboratories, research entities, and universities;(6)institutions of higher
			 education;(7)relevant nonprofit
			 organizations; and(8)international partners of
			 the United States.(e)National Science
			 Foundation Computer and Network Security Research Grant
			 AreasSection 4(a)(1) of the Cyber Security Research and
			 Development Act (15 U.S.C. 7403(a)(1)) is amended—(1)in subparagraph (H), by
			 striking and at the end;(2)in subparagraph (I), by
			 striking the period at the end and inserting a semicolon; and(3)by adding at the end the
			 following:(J)secure fundamental
				protocols that are integral to inter-network communications and
			 data
				exchange;(K)secure software
				engineering and software assurance, including—(i)programming languages and
				systems that include fundamental security features;(ii)portable or reusable
				code that remains secure when deployed in various environments;(iii)verification and
				validation technologies to ensure that requirements and
			 specifications have
				been implemented; and(iv)models for comparison
				and metrics to assure that required standards have been met;(L)holistic system security
				that—(i)addresses the building of
				secure systems from trusted and untrusted components;(ii)proactively reduces
				vulnerabilities;(iii)addresses insider
				threats; and(iv)supports privacy in
				conjunction with improved security;(M)monitoring and
				detection;(N)mitigation and rapid
				recovery methods;(O)security of wireless
				networks and mobile devices; and(P)security of cloud
				infrastructure and
				services..(f)Research on the science
			 of cybersecurityThe head of each agency and department
			 identified under section 101(a)(3)(B) of the High-Performance Computing
			 Act of
			 1991 (15 U.S.C. 5511(a)(3)(B)), through existing programs and activities,
			 shall
			 support research that will lead to the development of a scientific
			 foundation
			 for the field of cybersecurity, including research that increases
			 understanding
			 of the underlying principles of securing complex networked systems,
			 enables
			 repeatable experimentation, and creates quantifiable security metrics.202.Computer and network
			 security research centersSection 4(b) of the Cyber Security Research
			 and Development Act (15 U.S.C. 7403(b)) is amended—(1)in paragraph (3), by
			 striking the research areas and inserting the following:
			 improving the security and resiliency of information technology,
			 reducing cyber vulnerabilities, and anticipating and mitigating
			 consequences of
			 cyber attacks on critical infrastructure, by conducting research in the
			 areas;(2)by striking the
			 center in paragraph (4)(D) and inserting the Center;
			 and(3)in paragraph (5)—(A)by striking
			 and at the end of subparagraph (C);(B)by striking the period at
			 the end of subparagraph (D) and inserting a semicolon; and(C)by adding at the end the
			 following:(E)the demonstrated
				capability of the applicant to conduct high performance computation
			 integral to
				complex computer and network security research, through on-site or
			 off-site
				computing;(F)the applicant's
				affiliation with private sector entities involved with industrial
			 research
				described in subsection (a)(1);(G)the capability of the
				applicant to conduct research in a secure environment;(H)the applicant's
				affiliation with existing research programs of the Federal
			 Government;(I)the applicant's
				experience managing public-private partnerships to transition new
			 technologies
				into a commercial setting or the government user community;(J)the capability of the
				applicant to conduct interdisciplinary cybersecurity research,
			 basic and
				applied, such as in law, economics, or behavioral sciences; and(K)the capability of the
				applicant to conduct research in areas such as systems security,
			 wireless
				security, networking and protocols, formal methods and
			 high-performance
				computing, nanotechnology, or industrial control
				systems..203.Cybersecurity automation and checklists for government systemsSection 8(c) of the Cyber Security Research and Development Act (15 U.S.C. 7406(c)) is amended to
			 read as follows:(c)Security automation and checklists for government systems(1)In generalThe Director of the National Institute of Standards and Technology shall, as necessary, develop and
			 revise security  automation standards, associated reference materials
			 (including protocols), and checklists providing settings and option
			 selections that minimize the security risks associated with each
			 information technology hardware or software system and security tool that
			 is, or is likely to become, widely used within the Federal Government,
			 thereby enabling standardized and interoperable technologies,
			 architectures, and frameworks for continuous monitoring of information
			 security within the Federal Government.(2)Priorities for developmentThe Director of the National Institute of Standards and Technology shall establish priorities for
			 the development of standards, reference materials, and checklists under
			 this subsection on the basis of—(A)the security risks associated with the use of the system;(B)the number of agencies that use a particular system or security tool;(C)the usefulness of the standards, reference materials, or checklists to Federal agencies that are
			 users or potential users of the system;(D)the effectiveness of the associated standard, reference material, or checklist in creating or
			 enabling continuous monitoring of information security; or(E)such other factors as the Director of the National Institute of Standards and Technology determines
			 to be appropriate.(3)Excluded systemsThe Director of the National Institute of Standards and Technology may exclude from the application
			 of paragraph (1) any information technology hardware or software system or
			 security tool for which such Director determines that the development of a
			 standard, reference material, or checklist is inappropriate because of the
			 infrequency of use of the system, the obsolescence of the system, or the
			 lack of utility or impracticability of developing a standard, reference
			 material, or checklist for the system.(4)Dissemination of standards and related materialsThe Director of the National Institute of Standards and Technology shall ensure that Federal
			 agencies are informed of the availability of any standard, reference
			 material, checklist, or other item developed under this subsection.(5)Agency use requirementsThe development of standards, reference materials, and checklists under paragraph (1) for an
			 information technology hardware or software system or tool does not—(A)require any Federal agency to select the specific settings or options recommended by the standard,
			 reference material, or checklist for the system;(B)establish conditions or prerequisites for Federal agency procurement or deployment of any such
			 system;(C)imply an endorsement of any such system by the Director of the National Institute of Standards and
			 Technology; or(D)preclude any Federal agency from procuring or deploying other information technology hardware or
			 software systems for which no such standard, reference material, or
			 checklist has been developed or identified under paragraph (1)..204.National Institute of Standards and Technology cybersecurity research and developmentSection 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) is amended—(1)by redesignating subsection (e) as subsection (f); and(2)by inserting after subsection (d) the following:(e)Intramural Security ResearchAs part of the research activities conducted in accordance with subsection (d)(3), the Institute
			 shall, to the extent practicable and appropriate—(1)conduct a research program to develop a unifying and standardized identity, privilege, and access
			 control management framework for the execution of a wide variety of
			 resource protection policies and that is amenable to implementation within
			 a wide variety of existing and emerging computing environments;(2)carry out research associated with improving the security of information systems and networks;(3)carry out research associated with improving the testing, measurement, usability, and assurance of
			 information systems and networks;(4)carry out research associated with improving security of industrial control systems;(5)carry out research associated with improving the security and integrity of the information
			 technology supply chain; and(6)carry out any additional research the Institute determines appropriate..IIIEducation and Workforce
			 Development301. Cybersecurity
			 competitions and challenges(a)In
			 generalThe Secretary of Commerce, Director of the National
			 Science Foundation, and Secretary of Homeland Security, in consultation
			 with
			 the Director of the Office of Personnel Management, shall—(1)support competitions and
			 challenges under section  24 of the Stevenson-Wydler Technology Innovation
			 Act of 1980 (15 U.S.C. 3719) (as amended by section 105 of the America
			 COMPETES Reauthorization Act
			 of
			 2010 (124 Stat. 3989)) or any other provision of law, as appropriate—(A)to identify, develop, and
			 recruit talented individuals to perform duties relating to the security of
			 information technology in Federal, State, local, and tribal government
			 agencies,
			 and the private sector; or(B)to stimulate innovation
			 in basic and applied cybersecurity research, technology development, and
			 prototype demonstration that has the potential for application to the
			 information technology activities of the Federal Government; and(2)ensure the effective
			 operation of the competitions and challenges under this section.(b)ParticipationParticipants
			 in the competitions and challenges under subsection (a)(1) may include—(1)students enrolled in
			 grades 9 through 12;(2)students enrolled in a
			 postsecondary program of study leading to a baccalaureate degree at an
			 institution of higher education;(3)students enrolled in a
			 postbaccalaureate program of study at an institution of higher
			 education;(4)institutions of higher
			 education and research institutions;(5)veterans; and(6)other groups or
			 individuals that the Secretary of Commerce, Director of the National
			 Science
			 Foundation, and Secretary of Homeland Security determine appropriate.(c)Affiliation and
			 cooperative agreementsCompetitions and challenges under this
			 section may be carried out through affiliation and cooperative agreements
			 with—(1)Federal agencies;(2)regional, State, or
			 school programs supporting the development of cyber professionals;(3)State, local, and tribal
			 governments; or(4)other private sector
			 organizations.(d)Areas of
			 skillCompetitions and challenges under subsection (a)(1)(A)
			 shall be designed to identify, develop, and recruit exceptional talent
			 relating
			 to—(1)ethical hacking;(2)penetration
			 testing;(3)vulnerability
			 assessment;(4)continuity of system
			 operations;(5)security in
			 design;(6)cyber forensics;(7)offensive and defensive
			 cyber operations; and(8)other areas the Secretary
			 of Commerce, Director of the National Science Foundation, and Secretary of
			 Homeland Security consider necessary to fulfill the cybersecurity
			 mission.(e)TopicsIn
			 selecting topics for competitions and challenges under subsection (a)(1),
			 the
			 Secretary of Commerce, Director of the National Science Foundation, and
			 Secretary of Homeland Security—(1)shall consult widely both
			 within and outside the Federal Government; and(2)may empanel advisory
			 committees.(f)InternshipsThe
			 Director of the Office of Personnel Management may support, as
			 appropriate,
			 internships or other work experience in the Federal Government to the
			 winners
			 of the competitions and challenges under this section.302.Federal cyber
			 scholarship-for-service program(a)In
			 generalThe Director of the National Science Foundation, in
			 coordination with the Director of the Office of Personnel Management and
			 Secretary of Homeland Security, shall continue a Federal cyber
			 scholarship-for-service program to recruit and train the next generation
			 of
			 information technology professionals, industrial control system security
			 professionals, and security managers to meet the needs of the
			 cybersecurity
			 mission for Federal, State, local, and tribal governments.(b)Program description and
			 componentsThe Federal Cyber Scholarship-for-Service Program
			 shall—(1)provide scholarships through qualified institutions of higher education, including community
			 colleges, to
			 students who are enrolled in programs of study at institutions of higher
			 education leading to degrees or specialized program certifications in the
			 cybersecurity field;(2)provide the scholarship
			 recipients with summer internship opportunities or other meaningful
			 temporary
			 appointments in the Federal information technology workforce; and(3)prioritize the employment placement of scholarship recipients in the Federal Government.(c)Scholarship
			 amountsEach scholarship under subsection (b) shall be in an
			 amount that covers the student's tuition and fees at the institution under
			 subsection (b)(1) for not more than 3 years and provides the student with
			 an additional stipend.(d)Post-award employment obligationsEach scholarship recipient, as a condition of
			 receiving a scholarship under the program, shall enter into an agreement
			 under
			 which the recipient agrees to work in the cybersecurity mission of a
			 Federal,
			 State, local, or tribal agency for a period equal to the length of the
			 scholarship following receipt of the student's degree.(e)Hiring
			 authority(1)Appointment in excepted
			 serviceNotwithstanding any provision of chapter 33 of title 5,
			 United States Code, governing appointments in the competitive service, an
			 agency shall appoint in the excepted service an individual who has
			 completed
			 the eligible degree program for which a scholarship was awarded.(2)Noncompetitive
			 conversionExcept as provided in paragraph (4), upon fulfillment
			 of the service term, an employee appointed under paragraph (1) may be
			 converted
			 noncompetitively to term, career-conditional or career appointment.(3)Timing of
			 conversionAn agency may noncompetitively convert a term employee
			 appointed under paragraph (2) to a career-conditional or career
			 appointment
			 before the term appointment expires.(4)Authority to decline
			 conversionAn agency may decline to make the noncompetitive
			 conversion or appointment under paragraph (2) for cause.(f)EligibilityTo
			 be eligible to receive a scholarship under this section, an individual
			 shall—(1)be a citizen or lawful
			 permanent resident of the United States;(2)demonstrate a commitment
			 to a career in improving the security of information technology;(3)have demonstrated a high
			 level of proficiency in mathematics, engineering, or computer sciences;(4)be a full-time student in an eligible degree
			 program at a qualified institution of higher education, as determined by
			 the Director of the National
			 Science Foundation; and(5)accept the terms of a scholarship under this section.(g)Conditions of support(1)In generalAs a condition of receiving a scholarship under this section, a recipient shall agree to
			 provide the qualified institution of higher education
			 with annual verifiable documentation of post-award employment and
			 up-to-date contact information.(2)TermsA scholarship recipient under this
			 section shall be liable to the United States as provided in subsection (i)
			 if the individual—(A)fails to maintain an acceptable level of academic standing at the applicable institution of
			 higher
			 education, as determined by the Director of the National Science
			 Foundation;(B)is dismissed from the applicable institution of higher education for disciplinary reasons;(C)withdraws from the eligible degree program before completing the program;(D)declares that the individual does not intend to fulfill the post-award employment obligation under
			 this section;
			 or(E)fails to fulfill the post-award employment obligation of the individual under this section.(h)Monitoring complianceAs a condition of participating in the program, a qualified institution of higher education
			 shall—(1)enter into an agreement with the Director of the National Science Foundation, to monitor the
			 compliance of scholarship recipients with respect to their post-award
			 employment obligations; and(2)provide to the Director of the National Science Foundation, on an annual basis, the post-award
			 employment documentation required under subsection (g)(1) for scholarship
			 recipients through the completion of their post-award employment
			 obligations.(i)Amount of repayment(1)Less than 1 year of serviceIf a circumstance described in subsection (g)(2) occurs before the completion of 1 year of a
			 post-award employment obligation under this section, the total amount
			 of scholarship awards received by the individual under this section shall—(A)be repaid; or(B)be treated
			 as a loan to be repaid in accordance with subsection (j).(2)1 or more years of serviceIf a circumstance described in subparagraph (D) or (E) of subsection (g)(2) occurs after the
			 completion of 1 or more years of
			 a
			 post-award employment obligation under this section, the total amount of
			 scholarship
			 awards received by the
			 individual under this section, reduced by the ratio of the number of years
			 of service completed divided by the number of years of service required,
			 shall—(A)be repaid; or(B)be treated
			 as a loan to be repaid in accordance with subsection (j).(j)RepaymentsA loan described subsection (i) shall—(1)be treated as a Federal Direct Unsubsidized Stafford Loan under part D of title IV of the Higher
			 Education Act of 1965 (20 U.S.C. 1087a et seq.); and(2)be subject to repayment, together with interest thereon accruing from the date of the scholarship
			 award, in accordance with terms and conditions specified by the Director
			 of the National Science Foundation (in consultation with the Secretary of 
			 Education) in regulations promulgated to carry out this subsection.(k)Collection of repayment(1)In generalIn the event that a scholarship recipient is required to repay the scholarship award under this
			 section,
			 the qualified institution of higher education providing the scholarship
			 shall—(A)determine the repayment
			 amounts and notify the recipient and the Director of the National Science
			 Foundation of the amounts owed; and(B)collect the repayment amounts within a period of time as determined by the Director of the National
			 Science Foundation, or the repayment amounts shall be treated as a loan in
			 accordance with subsection (j).(2)Returned to TreasuryExcept as provided in paragraph (3), any repayment under this subsection shall be returned to the
			 Treasury of the
			 United States.(3)Retain percentageA qualified institution of higher education may retain a percentage of any repayment the
			 institution
			 collects under this subsection to defray administrative costs associated
			 with the collection. The Director of the National Science Foundation shall
			 establish a single, fixed percentage that will apply to all eligible
			 entities.(l)ExceptionsThe Director of the National Science Foundation may provide for the partial or total waiver or
			 suspension of any service or payment obligation by
			 an individual under this section whenever compliance by the individual
			 with the obligation is impossible or would involve extreme hardship to the
			 individual, or if enforcement of such obligation with respect to the
			 individual would be unconscionable.(m)Evaluation and
			 reportThe Director of the National Science Foundation shall
			 evaluate and report periodically to Congress on the success of recruiting
			 individuals for scholarships under this section and on hiring and
			 retaining
			 those individuals in the public sector workforce.IVCybersecurity Awareness
			 and Preparedness401.National cybersecurity
			 awareness and education program(a)National cybersecurity
			 awareness and education programThe Director of the National
			 Institute of Standards and Technology (referred to in this section as the
			 Director), in consultation with appropriate Federal agencies,
			 industry, educational institutions, National Laboratories, the Networking
			 and Information Technology
			 Research and Development program, and other organizations shall continue
			 to coordinate a national cybersecurity awareness and education program,
			 that includes activities such
			 as—(1)the widespread dissemination of cybersecurity technical standards and best practices identified by
			 the Director;(2)efforts to make cybersecurity best practices usable by individuals, small to medium-sized
			 businesses, educational institutions, and
			 State, local, and tribal governments;(3)increasing
			 public awareness of cybersecurity, cyber safety, and cyber ethics;(4)increasing
			 the understanding of State, local, and tribal governments, institutions of
			 higher
			 education, and private sector entities of—(A)the benefits of ensuring
			 effective risk management of information technology versus the
			 costs of
			 failure to do so; and(B)the methods to mitigate
			 and remediate vulnerabilities;(5)supporting formal
			 cybersecurity education programs at all education levels to prepare
			 and improve a skilled
			 cybersecurity and computer science workforce for the private sector and
			 Federal,
			 State, local, and tribal government; and(6)promoting initiatives to evaluate
			 and forecast future cybersecurity workforce needs of the Federal
			 Government and
			 develop strategies for recruitment, training, and retention.(b)ConsiderationsIn
			 carrying out the authority described in subsection (a), the Director, in
			 consultation with appropriate Federal agencies, shall leverage existing
			 programs designed to inform the public of safety and security of products
			 or
			 services, including self-certifications and independently verified
			 assessments
			 regarding the quantification and valuation of information security risk.(c)Strategic
			 planThe Director, in cooperation with relevant Federal agencies
			 and other stakeholders, shall build upon programs and plans in effect as
			 of the
			 date of enactment of this Act to develop and implement a strategic plan to
			 guide Federal programs and activities in support of the national
			 cybersecurity
			 awareness and education program under subsection (a).(d)ReportNot
			 later than 1 year after the date of enactment of this Act, and every 5
			 years
			 thereafter, the Director shall transmit the strategic plan under
			 subsection (c)
			 to the Committee on Commerce, Science, and Transportation of the Senate
			 and the
			 Committee on Science, Space, and Technology of the House of
			 Representatives.VAdvancement of cybersecurity technical standards501.DefinitionsIn this title:(1)DirectorThe term Director means the Director of the National Institute of Standards and Technology.(2)InstituteThe term Institute means the National Institute of Standards and Technology.502.International cybersecurity technical standards(a)In generalThe Director, in coordination with appropriate Federal authorities, shall—(1)as appropriate, ensure coordination of Federal agencies engaged in the development of international
			 technical standards related to information system security; and(2)not later than 1 year after the date of enactment of this Act, develop and transmit to Congress
			 a plan for ensuring such Federal agency coordination.(b)Consultation with the private sectorIn carrying out the activities specified in subsection (a)(1), the Director shall ensure
			 consultation with
			 appropriate private sector stakeholders.503.Cloud computing strategy(a)In generalThe Director, in coordination with the Office of Management and Budget, in collaboration with the
			 Federal Chief Information Officers Council, and in
			 consultation with other relevant Federal agencies and stakeholders from
			 the
			 private sector, shall continue to develop and encourage the implementation
			 of a comprehensive strategy for the use and adoption of cloud computing
			 services by the Federal Government.(b)ActivitiesIn carrying out the strategy described under subsection (a), the Director shall give consideration
			 to activities that—(1)accelerate the development, in collaboration with the private sector, of standards that address
			 interoperability and portability of cloud computing services;(2)advance the development of conformance testing performed by the private sector in support of cloud
			 computing standardization; and(3)support, in coordination with the Office of Management and Budget, and in consultation with the
			 private sector, the development of appropriate security
			 frameworks and reference materials, and the identification of best
			 practices, for use by Federal agencies to address security and privacy
			 requirements to enable the use and adoption of cloud computing services,
			 including activities—(A)to ensure the physical security of cloud computing data centers and the data stored in such
			 centers;(B)to ensure secure access to the data stored in cloud computing data centers;(C)to develop security standards as required under section 20 of the National Institute of Standards
			 and Technology Act (15 U.S.C. 278g–3); and(D)to support the development of the automation of continuous monitoring systems.504.Identity management research and developmentThe Director shall continue a program to support the development of voluntary and cost-effective
			 technical standards, metrology, testbeds, and conformance criteria, taking
			 into account appropriate user concerns—(1)to improve interoperability among identity management technologies;(2)to strengthen authentication methods of identity management systems;(3)to improve privacy protection in identity management systems, including health information
			 technology systems, through authentication and security protocols; and(4)to improve the usability of identity management systems.Speaker of the House of RepresentativesVice President of the United States and President of the Senate