[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 1353 Engrossed in Senate (ES)]

113th CONGRESS
  2d Session
                                S. 1353

_______________________________________________________________________

                                 AN ACT

  To provide for an ongoing, voluntary public-private partnership to 
  improve cybersecurity, and to strengthen cybersecurity research and 
development, workforce development and education, and public awareness 
               and preparedness, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Cybersecurity 
Enhancement Act of 2014''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. No regulatory authority.
Sec. 4. No additional funds authorized.
         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

Sec. 101. Public-private collaboration on cybersecurity.
            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 201. Federal cybersecurity research and development.
Sec. 202. Computer and network security research centers.
Sec. 203. Cybersecurity automation and checklists for government 
                            systems.
Sec. 204. National Institute of Standards and Technology cybersecurity 
                            research and development.
             TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT

Sec. 301. Cybersecurity competitions and challenges.
Sec. 302. Federal cyber scholarship-for-service program.
           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

Sec. 401. National cybersecurity awareness and education program.
       TITLE V--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

Sec. 501. Definitions.
Sec. 502. International cybersecurity technical standards.
Sec. 503. Cloud computing strategy.
Sec. 504. Identity management research and development.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Cybersecurity mission.--The term ``cybersecurity 
        mission'' means activities that encompass the full range of 
        threat reduction, vulnerability reduction, deterrence, 
        international engagement, incident response, resiliency, and 
        recovery policies and activities, including computer network 
        operations, information assurance, law enforcement, diplomacy, 
        military, and intelligence missions as such activities relate 
        to the security and stability of cyberspace.
            (2) Information system.--The term ``information system'' 
        has the meaning given that term in section 3502 of title 44, 
        United States Code.

SEC. 3. NO REGULATORY AUTHORITY.

    Nothing in this Act shall be construed to confer any regulatory 
authority on any Federal, State, tribal, or local department or agency.

SEC. 4. NO ADDITIONAL FUNDS AUTHORIZED.

    No additional funds are authorized to carry out this Act, and the 
amendments made by this Act. This Act, and the amendments made by this 
Act, shall be carried out using amounts otherwise authorized or 
appropriated.

         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

SEC. 101. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.

    (a) Cybersecurity.--Section 2(c) of the National Institute of 
Standards and Technology Act (15 U.S.C. 272(c)) is amended--
            (1) by redesignating paragraphs (15) through (22) as 
        paragraphs (16) through (23), respectively; and
            (2) by inserting after paragraph (14) the following:
            ``(15) on an ongoing basis, facilitate and support the 
        development of a voluntary, consensus-based, industry-led set 
        of standards, guidelines, best practices, methodologies, 
        procedures, and processes to cost-effectively reduce cyber 
        risks to critical infrastructure (as defined under subsection 
        (e));''.
    (b) Scope and Limitations.--Section 2 of the National Institute of 
Standards and Technology Act (15 U.S.C. 272) is amended by adding at 
the end the following:
    ``(e) Cyber Risks.--
            ``(1) In general.--In carrying out the activities under 
        subsection (c)(15), the Director--
                    ``(A) shall--
                            ``(i) coordinate closely and regularly with 
                        relevant private sector personnel and entities, 
                        critical infrastructure owners and operators, 
                        and other relevant industry organizations, 
                        including Sector Coordinating Councils and 
                        Information Sharing and Analysis Centers, and 
                        incorporate industry expertise;
                            ``(ii) consult with the heads of agencies 
                        with national security responsibilities, 
                        sector-specific agencies and other appropriate 
                        agencies, State and local governments, the 
                        governments of other nations, and international 
                        organizations;
                            ``(iii) identify a prioritized, flexible, 
                        repeatable, performance-based, and cost-
                        effective approach, including information 
                        security measures and controls, that may be 
                        voluntarily adopted by owners and operators of 
                        critical infrastructure to help them identify, 
                        assess, and manage cyber risks;
                            ``(iv) include methodologies--
                                    ``(I) to identify and mitigate 
                                impacts of the cybersecurity measures 
                                or controls on business 
                                confidentiality; and
                                    ``(II) to protect individual 
                                privacy and civil liberties;
                            ``(v) incorporate voluntary consensus 
                        standards and industry best practices;
                            ``(vi) align with voluntary international 
                        standards to the fullest extent possible;
                            ``(vii) prevent duplication of regulatory 
                        processes and prevent conflict with or 
                        superseding of regulatory requirements, 
                        mandatory standards, and related processes; and
                            ``(viii) include such other similar and 
                        consistent elements as the Director considers 
                        necessary; and
                    ``(B) shall not prescribe or otherwise require--
                            ``(i) the use of specific solutions;
                            ``(ii) the use of specific information or 
                        communications technology products or services; 
                        or
                            ``(iii) that information or communications 
                        technology products or services be designed, 
                        developed, or manufactured in a particular 
                        manner.
            ``(2) Limitation.--Information shared with or provided to 
        the Institute for the purpose of the activities described under 
        subsection (c)(15) shall not be used by any Federal, State, 
        tribal, or local department or agency to regulate the activity 
        of any entity. Nothing in this paragraph shall be construed to 
        modify any regulatory requirement to report or submit 
        information to a Federal, State, tribal, or local department or 
        agency.
            ``(3) Definitions.--In this subsection:
                    ``(A) Critical infrastructure.--The term `critical 
                infrastructure' has the meaning given the term in 
                section 1016(e) of the USA PATRIOT Act of 2001 (42 
                U.S.C. 5195c(e)).
                    ``(B) Sector-specific agency.--The term `sector-
                specific agency' means the Federal department or agency 
                responsible for providing institutional knowledge and 
                specialized expertise as well as leading, facilitating, 
                or supporting the security and resilience programs and 
                associated activities of its designated critical 
                infrastructure sector in the all-hazards 
                environment.''.
    (c) Study and Reports.--
            (1) Study.--The Comptroller General of the United States 
        shall conduct a study that assesses--
                    (A) the progress made by the Director of the 
                National Institute of Standards and Technology in 
                facilitating the development of standards and 
                procedures to reduce cyber risks to critical 
                infrastructure in accordance with section 2(c)(15) of 
                the National Institute of Standards and Technology Act, 
                as added by this section;
                    (B) the extent to which the Director's facilitation 
                efforts are consistent with the directive in such 
                section that the development of such standards and 
                procedures be voluntary and led by industry 
                representatives;
                    (C) the extent to which other Federal agencies have 
                promoted and sectors of critical infrastructure (as 
                defined in section 1016(e) of the USA PATRIOT Act of 
                2001 (42 U.S.C. 5195c(e))) have adopted a voluntary, 
                industry-led set of standards, guidelines, best 
                practices, methodologies, procedures, and processes to 
                reduce cyber risks to critical infrastructure in 
                accordance with such section 2(c)(15);
                    (D) the reasons behind the decisions of sectors of 
                critical infrastructure (as defined in subparagraph 
                (C)) to adopt or to not adopt the voluntary standards 
                described in subparagraph (C); and
                    (E) the extent to which such voluntary standards 
                have proved successful in protecting critical 
                infrastructure from cyber threats.
            (2) Reports.--Not later than 1 year after the date of the 
        enactment of this Act, and every 2 years thereafter for the 
        following 6 years, the Comptroller General shall submit a 
        report, which summarizes the findings of the study conducted 
        under paragraph (1), to the Committee on Commerce, Science, and 
        Transportation of the Senate and the Committee on Science, 
        Space, and Technology of the House of Representatives.

            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

SEC. 201. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

    (a) Fundamental Cybersecurity Research.--
            (1) Federal cybersecurity research and development 
        strategic plan.--The heads of the applicable agencies and 
        departments, working through the National Science and 
        Technology Council and the Networking and Information 
        Technology Research and Development Program, shall develop and 
        update every 4 years a Federal cybersecurity research and 
        development strategic plan (referred to in this subsection as 
        the ``strategic plan'') based on an assessment of cybersecurity 
        risk to guide the overall direction of Federal cybersecurity 
        and information assurance research and development for 
        information technology and networking systems. The heads of the 
        applicable agencies and departments shall build upon existing 
        programs and plans to develop the strategic plan to meet 
        objectives in cybersecurity, such as--
                    (A) how to design and build complex software-
                intensive systems that are secure and reliable when 
                first deployed;
                    (B) how to test and verify that software and 
                hardware, whether developed locally or obtained from a 
                third party, is free of significant known security 
                flaws;
                    (C) how to test and verify that software and 
                hardware obtained from a third party correctly 
                implements stated functionality, and only that 
                functionality;
                    (D) how to guarantee the privacy of an individual, 
                including that individual's identity, information, and 
                lawful transactions when stored in distributed systems 
                or transmitted over networks;
                    (E) how to build new protocols to enable the 
                Internet to have robust security as one of the key 
                capabilities of the Internet;
                    (F) how to determine the origin of a message 
                transmitted over the Internet;
                    (G) how to support privacy in conjunction with 
                improved security;
                    (H) how to address the problem of insider threats;
                    (I) how improved consumer education and digital 
                literacy initiatives can address human factors that 
                contribute to cybersecurity;
                    (J) how to protect information processed, 
                transmitted, or stored using cloud computing or 
                transmitted through wireless services; and
                    (K) any additional objectives the heads of the 
                applicable agencies and departments, in coordination 
                with the head of any relevant Federal agency and with 
                input from stakeholders, including appropriate national 
                laboratories, industry, and academia, determine 
                appropriate.
            (2) Requirements.--
                    (A) Contents of plan.--The strategic plan shall--
                            (i) specify and prioritize near-term, mid-
                        term, and long-term research objectives, 
                        including objectives associated with the 
                        research identified in section 4(a)(1) of the 
                        Cyber Security Research and Development Act (15 
                        U.S.C. 7403(a)(1));
                            (ii) specify how the near-term objectives 
                        described in clause (i) complement research and 
                        development areas in which the private sector 
                        is actively engaged;
                            (iii) describe how the heads of the 
                        applicable agencies and departments will focus 
                        on innovative, transformational technologies 
                        with the potential to enhance the security, 
                        reliability, resilience, and trustworthiness of 
                        the digital infrastructure, and to protect 
                        consumer privacy;
                            (iv) describe how the heads of the 
                        applicable agencies and departments will foster 
                        the rapid transfer of research and development 
                        results into new cybersecurity technologies and 
                        applications for the timely benefit of society 
                        and the national interest, including through 
                        the dissemination of best practices and other 
                        outreach activities;
                            (v) describe how the heads of the 
                        applicable agencies and departments will 
                        establish and maintain a national research 
                        infrastructure for creating, testing, and 
                        evaluating the next generation of secure 
                        networking and information technology systems; 
                        and
                            (vi) describe how the heads of the 
                        applicable agencies and departments will 
                        facilitate access by academic researchers to 
                        the infrastructure described in clause (v), as 
                        well as to relevant data, including event data.
                    (B) Private sector efforts.--In developing, 
                implementing, and updating the strategic plan, the 
                heads of the applicable agencies and departments, 
                working through the National Science and Technology 
                Council and Networking and Information Technology 
                Research and Development Program, shall work in close 
                cooperation with industry, academia, and other 
                interested stakeholders to ensure, to the extent 
                possible, that Federal cybersecurity research and 
                development is not duplicative of private sector 
                efforts.
                    (C) Recommendations.--In developing and updating 
                the strategic plan the heads of the applicable agencies 
                and departments shall solicit recommendations and 
                advice from--
                            (i) the advisory committee established 
                        under section 101(b)(1) of the High-Performance 
                        Computing Act of 1991 (15 U.S.C. 5511(b)(1)); 
                        and
                            (ii) a wide range of stakeholders, 
                        including industry, academia, including 
                        representatives of minority serving 
                        institutions and community colleges, National 
                        Laboratories, and other relevant organizations 
                        and institutions.
                    (D) Implementation roadmap.--The heads of the 
                applicable agencies and departments, working through 
                the National Science and Technology Council and 
                Networking and Information Technology Research and 
                Development Program, shall develop and annually update 
                an implementation roadmap for the strategic plan. The 
                implementation roadmap shall--
                            (i) specify the role of each Federal agency 
                        in carrying out or sponsoring research and 
                        development to meet the research objectives of 
                        the strategic plan, including a description of 
                        how progress toward the research objectives 
                        will be evaluated;
                            (ii) specify the funding allocated to each 
                        major research objective of the strategic plan 
                        and the source of funding by agency for the 
                        current fiscal year;
                            (iii) estimate the funding required for 
                        each major research objective of the strategic 
                        plan for the following 3 fiscal years; and
                            (iv) track ongoing and completed Federal 
                        cybersecurity research and development 
                        projects.
            (3) Reports to congress.--The heads of the applicable 
        agencies and departments, working through the National Science 
        and Technology Council and Networking and Information 
        Technology Research and Development Program, shall submit to 
        the Committee on Commerce, Science, and Transportation of the 
        Senate and the Committee on Science, Space, and Technology of 
        the House of Representatives--
                    (A) the strategic plan not later than 1 year after 
                the date of enactment of this Act;
                    (B) each quadrennial update to the strategic plan; 
                and
                    (C) the implementation roadmap under subparagraph 
                (D), and its annual updates, which shall be appended to 
                the annual report required under section 101(a)(2)(D) 
                of the High-Performance Computing Act of 1991 (15 
                U.S.C. 5511(a)(2)(D)).
            (4) Definition of applicable agencies and departments.--In 
        this subsection, the term ``applicable agencies and 
        departments'' means the agencies and departments identified in 
        clauses (i) through (x) of section 101(a)(3)(B) of the High-
        Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)(B)) or 
        designated under clause (xi) of that section.
    (b) Cybersecurity Practices Research.--The Director of the National 
Science Foundation shall support research that--
            (1) develops, evaluates, disseminates, and integrates new 
        cybersecurity practices and concepts into the core curriculum 
        of computer science programs and of other programs where 
        graduates of such programs have a substantial probability of 
        developing software after graduation, including new practices 
        and concepts relating to secure coding education and 
        improvement programs; and
            (2) develops new models for professional development of 
        faculty in cybersecurity education, including secure coding 
        development.
    (c) Cybersecurity Modeling and Test Beds.--
            (1) Review.--Not later than 1 year after the date of 
        enactment of this Act, the Director of the National Science 
        Foundation, in coordination with the Director of the Office of 
        Science and Technology Policy, shall conduct a review of 
        cybersecurity test beds in existence on the date of enactment 
        of this Act to inform the grants under paragraph (2). The 
        review shall include an assessment of whether a sufficient 
        number of cybersecurity test beds are available to meet the 
        research needs under the Federal cybersecurity research and 
        development strategic plan. Upon completion, the Director shall 
        submit the review to the Committee on Commerce, Science, and 
        Transportation of the Senate and the Committee on Science, 
        Space, and Technology of the House of Representatives.
            (2) Additional cybersecurity modeling and test beds.--
                    (A) In general.--If the Director of the National 
                Science Foundation, after the review under paragraph 
                (1), determines that the research needs under the 
                Federal cybersecurity research and development 
                strategic plan require the establishment of additional 
                cybersecurity test beds, the Director of the National 
                Science Foundation, in coordination with the Secretary 
                of Commerce and the Secretary of Homeland Security, may 
                award grants to institutions of higher education or 
                research and development non-profit institutions to 
                establish cybersecurity test beds.
                    (B) Requirement.--The cybersecurity test beds under 
                subparagraph (A) shall be sufficiently robust in order 
                to model the scale and complexity of real-time cyber 
                attacks and defenses on real world networks and 
                environments.
                    (C) Assessment required.--The Director of the 
                National Science Foundation, in coordination with the 
                Secretary of Commerce and the Secretary of Homeland 
                Security, shall evaluate the effectiveness of any 
                grants awarded under this subsection in meeting the 
                objectives of the Federal cybersecurity research and 
                development strategic plan not later than 2 years after 
                the review under paragraph (1) of this subsection, and 
                periodically thereafter.
    (d) Coordination With Other Research Initiatives.--In accordance 
with the responsibilities under section 101 of the High-Performance 
Computing Act of 1991 (15 U.S.C. 5511), the Director of the Office of 
Science and Technology Policy shall coordinate, to the extent 
practicable, Federal research and development activities under this 
section with other ongoing research and development security-related 
initiatives, including research being conducted by--
            (1) the National Science Foundation;
            (2) the National Institute of Standards and Technology;
            (3) the Department of Homeland Security;
            (4) other Federal agencies;
            (5) other Federal and private research laboratories, 
        research entities, and universities;
            (6) institutions of higher education;
            (7) relevant nonprofit organizations; and
            (8) international partners of the United States.
    (e) National Science Foundation Computer and Network Security 
Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research 
and Development Act (15 U.S.C. 7403(a)(1)) is amended--
            (1) in subparagraph (H), by striking ``and'' at the end;
            (2) in subparagraph (I), by striking the period at the end 
        and inserting a semicolon; and
            (3) by adding at the end the following:
                    ``(J) secure fundamental protocols that are 
                integral to inter-network communications and data 
                exchange;
                    ``(K) secure software engineering and software 
                assurance, including--
                            ``(i) programming languages and systems 
                        that include fundamental security features;
                            ``(ii) portable or reusable code that 
                        remains secure when deployed in various 
                        environments;
                            ``(iii) verification and validation 
                        technologies to ensure that requirements and 
                        specifications have been implemented; and
                            ``(iv) models for comparison and metrics to 
                        assure that required standards have been met;
                    ``(L) holistic system security that--
                            ``(i) addresses the building of secure 
                        systems from trusted and untrusted components;
                            ``(ii) proactively reduces vulnerabilities;
                            ``(iii) addresses insider threats; and
                            ``(iv) supports privacy in conjunction with 
                        improved security;
                    ``(M) monitoring and detection;
                    ``(N) mitigation and rapid recovery methods;
                    ``(O) security of wireless networks and mobile 
                devices; and
                    ``(P) security of cloud infrastructure and 
                services.''.
    (f) Research on the Science of Cybersecurity.--The head of each 
agency and department identified under section 101(a)(3)(B) of the 
High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)(B)), 
through existing programs and activities, shall support research that 
will lead to the development of a scientific foundation for the field 
of cybersecurity, including research that increases understanding of 
the underlying principles of securing complex networked systems, 
enables repeatable experimentation, and creates quantifiable security 
metrics.

SEC. 202. COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.

    Section 4(b) of the Cyber Security Research and Development Act (15 
U.S.C. 7403(b)) is amended--
            (1) in paragraph (3), by striking ``the research areas'' 
        and inserting the following: ``improving the security and 
        resiliency of information technology, reducing cyber 
        vulnerabilities, and anticipating and mitigating consequences 
        of cyber attacks on critical infrastructure, by conducting 
        research in the areas'';
            (2) by striking ``the center'' in paragraph (4)(D) and 
        inserting ``the Center''; and
            (3) in paragraph (5)--
                    (A) by striking ``and'' at the end of subparagraph 
                (C);
                    (B) by striking the period at the end of 
                subparagraph (D) and inserting a semicolon; and
                    (C) by adding at the end the following:
                    ``(E) the demonstrated capability of the applicant 
                to conduct high performance computation integral to 
                complex computer and network security research, through 
                on-site or off-site computing;
                    ``(F) the applicant's affiliation with private 
                sector entities involved with industrial research 
                described in subsection (a)(1);
                    ``(G) the capability of the applicant to conduct 
                research in a secure environment;
                    ``(H) the applicant's affiliation with existing 
                research programs of the Federal Government;
                    ``(I) the applicant's experience managing public-
                private partnerships to transition new technologies 
                into a commercial setting or the government user 
                community;
                    ``(J) the capability of the applicant to conduct 
                interdisciplinary cybersecurity research, basic and 
                applied, such as in law, economics, or behavioral 
                sciences; and
                    ``(K) the capability of the applicant to conduct 
                research in areas such as systems security, wireless 
                security, networking and protocols, formal methods and 
                high-performance computing, nanotechnology, or 
                industrial control systems.''.

SEC. 203. CYBERSECURITY AUTOMATION AND CHECKLISTS FOR GOVERNMENT 
              SYSTEMS.

    Section 8(c) of the Cyber Security Research and Development Act (15 
U.S.C. 7406(c)) is amended to read as follows:
    ``(c) Security Automation and Checklists for Government Systems.--
            ``(1) In general.--The Director of the National Institute 
        of Standards and Technology shall, as necessary, develop and 
        revise security automation standards, associated reference 
        materials (including protocols), and checklists providing 
        settings and option selections that minimize the security risks 
        associated with each information technology hardware or 
        software system and security tool that is, or is likely to 
        become, widely used within the Federal Government, thereby 
        enabling standardized and interoperable technologies, 
        architectures, and frameworks for continuous monitoring of 
        information security within the Federal Government.
            ``(2) Priorities for development.--The Director of the 
        National Institute of Standards and Technology shall establish 
        priorities for the development of standards, reference 
        materials, and checklists under this subsection on the basis 
        of--
                    ``(A) the security risks associated with the use of 
                the system;
                    ``(B) the number of agencies that use a particular 
                system or security tool;
                    ``(C) the usefulness of the standards, reference 
                materials, or checklists to Federal agencies that are 
                users or potential users of the system;
                    ``(D) the effectiveness of the associated standard, 
                reference material, or checklist in creating or 
                enabling continuous monitoring of information security; 
                or
                    ``(E) such other factors as the Director of the 
                National Institute of Standards and Technology 
                determines to be appropriate.
            ``(3) Excluded systems.--The Director of the National 
        Institute of Standards and Technology may exclude from the 
        application of paragraph (1) any information technology 
        hardware or software system or security tool for which such 
        Director determines that the development of a standard, 
        reference material, or checklist is inappropriate because of 
        the infrequency of use of the system, the obsolescence of the 
        system, or the lack of utility or impracticability of 
        developing a standard, reference material, or checklist for the 
        system.
            ``(4) Dissemination of standards and related materials.--
        The Director of the National Institute of Standards and 
        Technology shall ensure that Federal agencies are informed of 
        the availability of any standard, reference material, 
        checklist, or other item developed under this subsection.
            ``(5) Agency use requirements.--The development of 
        standards, reference materials, and checklists under paragraph 
        (1) for an information technology hardware or software system 
        or tool does not--
                    ``(A) require any Federal agency to select the 
                specific settings or options recommended by the 
                standard, reference material, or checklist for the 
                system;
                    ``(B) establish conditions or prerequisites for 
                Federal agency procurement or deployment of any such 
                system;
                    ``(C) imply an endorsement of any such system by 
                the Director of the National Institute of Standards and 
                Technology; or
                    ``(D) preclude any Federal agency from procuring or 
                deploying other information technology hardware or 
                software systems for which no such standard, reference 
                material, or checklist has been developed or identified 
                under paragraph (1).''.

SEC. 204. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY 
              RESEARCH AND DEVELOPMENT.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is amended--
            (1) by redesignating subsection (e) as subsection (f); and
            (2) by inserting after subsection (d) the following:
    ``(e) Intramural Security Research.--As part of the research 
activities conducted in accordance with subsection (d)(3), the 
Institute shall, to the extent practicable and appropriate--
            ``(1) conduct a research program to develop a unifying and 
        standardized identity, privilege, and access control management 
        framework for the execution of a wide variety of resource 
        protection policies and that is amenable to implementation 
        within a wide variety of existing and emerging computing 
        environments;
            ``(2) carry out research associated with improving the 
        security of information systems and networks;
            ``(3) carry out research associated with improving the 
        testing, measurement, usability, and assurance of information 
        systems and networks;
            ``(4) carry out research associated with improving security 
        of industrial control systems;
            ``(5) carry out research associated with improving the 
        security and integrity of the information technology supply 
        chain; and
            ``(6) carry out any additional research the Institute 
        determines appropriate.''.

             TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT

SEC. 301. CYBERSECURITY COMPETITIONS AND CHALLENGES.

    (a) In General.--The Secretary of Commerce, Director of the 
National Science Foundation, and Secretary of Homeland Security, in 
consultation with the Director of the Office of Personnel Management, 
shall--
            (1) support competitions and challenges under section 24 of 
        the Stevenson-Wydler Technology Innovation Act of 1980 (15 
        U.S.C. 3719) (as amended by section 105 of the America COMPETES 
        Reauthorization Act of 2010 (124 Stat. 3989)) or any other 
        provision of law, as appropriate--
                    (A) to identify, develop, and recruit talented 
                individuals to perform duties relating to the security 
                of information technology in Federal, State, local, and 
                tribal government agencies, and the private sector; or
                    (B) to stimulate innovation in basic and applied 
                cybersecurity research, technology development, and 
                prototype demonstration that has the potential for 
                application to the information technology activities of 
                the Federal Government; and
            (2) ensure the effective operation of the competitions and 
        challenges under this section.
    (b) Participation.--Participants in the competitions and challenges 
under subsection (a)(1) may include--
            (1) students enrolled in grades 9 through 12;
            (2) students enrolled in a postsecondary program of study 
        leading to a baccalaureate degree at an institution of higher 
        education;
            (3) students enrolled in a postbaccalaureate program of 
        study at an institution of higher education;
            (4) institutions of higher education and research 
        institutions;
            (5) veterans; and
            (6) other groups or individuals that the Secretary of 
        Commerce, Director of the National Science Foundation, and 
        Secretary of Homeland Security determine appropriate.
    (c) Affiliation and Cooperative Agreements.--Competitions and 
challenges under this section may be carried out through affiliation 
and cooperative agreements with--
            (1) Federal agencies;
            (2) regional, State, or school programs supporting the 
        development of cyber professionals;
            (3) State, local, and tribal governments; or
            (4) other private sector organizations.
    (d) Areas of Skill.--Competitions and challenges under subsection 
(a)(1)(A) shall be designed to identify, develop, and recruit 
exceptional talent relating to--
            (1) ethical hacking;
            (2) penetration testing;
            (3) vulnerability assessment;
            (4) continuity of system operations;
            (5) security in design;
            (6) cyber forensics;
            (7) offensive and defensive cyber operations; and
            (8) other areas the Secretary of Commerce, Director of the 
        National Science Foundation, and Secretary of Homeland Security 
        consider necessary to fulfill the cybersecurity mission.
    (e) Topics.--In selecting topics for competitions and challenges 
under subsection (a)(1), the Secretary of Commerce, Director of the 
National Science Foundation, and Secretary of Homeland Security--
            (1) shall consult widely both within and outside the 
        Federal Government; and
            (2) may empanel advisory committees.
    (f) Internships.--The Director of the Office of Personnel 
Management may support, as appropriate, internships or other work 
experience in the Federal Government to the winners of the competitions 
and challenges under this section.

SEC. 302. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

    (a) In General.--The Director of the National Science Foundation, 
in coordination with the Director of the Office of Personnel Management 
and Secretary of Homeland Security, shall continue a Federal cyber 
scholarship-for-service program to recruit and train the next 
generation of information technology professionals, industrial control 
system security professionals, and security managers to meet the needs 
of the cybersecurity mission for Federal, State, local, and tribal 
governments.
    (b) Program Description and Components.--The Federal Cyber 
Scholarship-for-Service Program shall--
            (1) provide scholarships through qualified institutions of 
        higher education, including community colleges, to students who 
        are enrolled in programs of study at institutions of higher 
        education leading to degrees or specialized program 
        certifications in the cybersecurity field;
            (2) provide the scholarship recipients with summer 
        internship opportunities or other meaningful temporary 
        appointments in the Federal information technology workforce; 
        and
            (3) prioritize the employment placement of scholarship 
        recipients in the Federal Government.
    (c) Scholarship Amounts.--Each scholarship under subsection (b) 
shall be in an amount that covers the student's tuition and fees at the 
institution under subsection (b)(1) for not more than 3 years and 
provides the student with an additional stipend.
    (d) Post-award Employment Obligations.--Each scholarship recipient, 
as a condition of receiving a scholarship under the program, shall 
enter into an agreement under which the recipient agrees to work in the 
cybersecurity mission of a Federal, State, local, or tribal agency for 
a period equal to the length of the scholarship following receipt of 
the student's degree.
    (e) Hiring Authority.--
            (1) Appointment in excepted service.--Notwithstanding any 
        provision of chapter 33 of title 5, United States Code, 
        governing appointments in the competitive service, an agency 
        shall appoint in the excepted service an individual who has 
        completed the eligible degree program for which a scholarship 
        was awarded.
            (2) Noncompetitive conversion.--Except as provided in 
        paragraph (4), upon fulfillment of the service term, an 
        employee appointed under paragraph (1) may be converted 
        noncompetitively to term, career-conditional or career 
        appointment.
            (3) Timing of conversion.--An agency may noncompetitively 
        convert a term employee appointed under paragraph (2) to a 
        career-conditional or career appointment before the term 
        appointment expires.
            (4) Authority to decline conversion.--An agency may decline 
        to make the noncompetitive conversion or appointment under 
        paragraph (2) for cause.
    (f) Eligibility.--To be eligible to receive a scholarship under 
this section, an individual shall--
            (1) be a citizen or lawful permanent resident of the United 
        States;
            (2) demonstrate a commitment to a career in improving the 
        security of information technology;
            (3) have demonstrated a high level of proficiency in 
        mathematics, engineering, or computer sciences;
            (4) be a full-time student in an eligible degree program at 
        a qualified institution of higher education, as determined by 
        the Director of the National Science Foundation; and
            (5) accept the terms of a scholarship under this section.
    (g) Conditions of Support.--
            (1) In general.--As a condition of receiving a scholarship 
        under this section, a recipient shall agree to provide the 
        qualified institution of higher education with annual 
        verifiable documentation of post-award employment and up-to-
        date contact information.
            (2) Terms.--A scholarship recipient under this section 
        shall be liable to the United States as provided in subsection 
        (i) if the individual--
                    (A) fails to maintain an acceptable level of 
                academic standing at the applicable institution of 
                higher education, as determined by the Director of the 
                National Science Foundation;
                    (B) is dismissed from the applicable institution of 
                higher education for disciplinary reasons;
                    (C) withdraws from the eligible degree program 
                before completing the program;
                    (D) declares that the individual does not intend to 
                fulfill the post-award employment obligation under this 
                section; or
                    (E) fails to fulfill the post-award employment 
                obligation of the individual under this section.
    (h) Monitoring Compliance.--As a condition of participating in the 
program, a qualified institution of higher education shall--
            (1) enter into an agreement with the Director of the 
        National Science Foundation, to monitor the compliance of 
        scholarship recipients with respect to their post-award 
        employment obligations; and
            (2) provide to the Director of the National Science 
        Foundation, on an annual basis, the post-award employment 
        documentation required under subsection (g)(1) for scholarship 
        recipients through the completion of their post-award 
        employment obligations.
    (i) Amount of Repayment.--
            (1) Less than 1 year of service.--If a circumstance 
        described in subsection (g)(2) occurs before the completion of 
        1 year of a post-award employment obligation under this 
        section, the total amount of scholarship awards received by the 
        individual under this section shall--
                    (A) be repaid; or
                    (B) be treated as a loan to be repaid in accordance 
                with subsection (j).
            (2) 1 or more years of service.--If a circumstance 
        described in subparagraph (D) or (E) of subsection (g)(2) 
        occurs after the completion of 1 or more years of a post-award 
        employment obligation under this section, the total amount of 
        scholarship awards received by the individual under this 
        section, reduced by the ratio of the number of years of service 
        completed divided by the number of years of service required, 
        shall--
                    (A) be repaid; or
                    (B) be treated as a loan to be repaid in accordance 
                with subsection (j).
    (j) Repayments.--A loan described in subsection (i) shall--
            (1) be treated as a Federal Direct Unsubsidized Stafford 
        Loan under part D of title IV of the Higher Education Act of 
        1965 (20 U.S.C. 1087a et seq.); and
            (2) be subject to repayment, together with interest thereon 
        accruing from the date of the scholarship award, in accordance 
        with terms and conditions specified by the Director of the 
        National Science Foundation (in consultation with the Secretary 
        of Education) in regulations promulgated to carry out this 
        subsection.
    (k) Collection of Repayment.--
            (1) In general.--In the event that a scholarship recipient 
        is required to repay the scholarship award under this section, 
        the qualified institution of higher education providing the 
        scholarship shall--
                    (A) determine the repayment amounts and notify the 
                recipient and the Director of the National Science 
                Foundation of the amounts owed; and
                    (B) collect the repayment amounts within a period 
                of time as determined by the Director of the National 
                Science Foundation, or the repayment amounts shall be 
                treated as a loan in accordance with subsection (j).
            (2) Returned to treasury.--Except as provided in paragraph 
        (3), any repayment under this subsection shall be returned to 
        the Treasury of the United States.
            (3) Retain percentage.--A qualified institution of higher 
        education may retain a percentage of any repayment the 
        institution collects under this subsection to defray 
        administrative costs associated with the collection. The 
        Director of the National Science Foundation shall establish a 
        single, fixed percentage that will apply to all eligible 
        entities.
    (l) Exceptions.--The Director of the National Science Foundation 
may provide for the partial or total waiver or suspension of any 
service or payment obligation by an individual under this section 
whenever compliance by the individual with the obligation is impossible 
or would involve extreme hardship to the individual, or if enforcement 
of such obligation with respect to the individual would be 
unconscionable.
    (m) Evaluation and Report.--The Director of the National Science 
Foundation shall evaluate and report periodically to Congress on the 
success of recruiting individuals for scholarships under this section 
and on hiring and retaining those individuals in the public sector 
workforce.

           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

SEC. 401. NATIONAL CYBERSECURITY AWARENESS AND EDUCATION PROGRAM.

    (a) National Cybersecurity Awareness and Education Program.--The 
Director of the National Institute of Standards and Technology 
(referred to in this section as the ``Director''), in consultation with 
appropriate Federal agencies, industry, educational institutions, 
National Laboratories, the Networking and Information Technology 
Research and Development program, and other organizations shall 
continue to coordinate a national cybersecurity awareness and education 
program, that includes activities such as--
            (1) the widespread dissemination of cybersecurity technical 
        standards and best practices identified by the Director;
            (2) efforts to make cybersecurity best practices usable by 
        individuals, small to medium-sized businesses, educational 
        institutions, and State, local, and tribal governments;
            (3) increasing public awareness of cybersecurity, cyber 
        safety, and cyber ethics;
            (4) increasing the understanding of State, local, and 
        tribal governments, institutions of higher education, and 
        private sector entities of--
                    (A) the benefits of ensuring effective risk 
                management of information technology versus the costs 
                of failure to do so; and
                    (B) the methods to mitigate and remediate 
                vulnerabilities;
            (5) supporting formal cybersecurity education programs at 
        all education levels to prepare and improve a skilled 
        cybersecurity and computer science workforce for the private 
        sector and Federal, State, local, and tribal government; and
            (6) promoting initiatives to evaluate and forecast future 
        cybersecurity workforce needs of the Federal Government and 
        develop strategies for recruitment, training, and retention.
    (b) Considerations.--In carrying out the authority described in 
subsection (a), the Director, in consultation with appropriate Federal 
agencies, shall leverage existing programs designed to inform the 
public of safety and security of products or services, including self-
certifications and independently verified assessments regarding the 
quantification and valuation of information security risk.
    (c) Strategic Plan.--The Director, in cooperation with relevant 
Federal agencies and other stakeholders, shall build upon programs and 
plans in effect as of the date of enactment of this Act to develop and 
implement a strategic plan to guide Federal programs and activities in 
support of the national cybersecurity awareness and education program 
under subsection (a).
    (d) Report.--Not later than 1 year after the date of enactment of 
this Act, and every 5 years thereafter, the Director shall transmit the 
strategic plan under subsection (c) to the Committee on Commerce, 
Science, and Transportation of the Senate and the Committee on Science, 
Space, and Technology of the House of Representatives.

       TITLE V--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

SEC. 501. DEFINITIONS.

    In this title:
            (1) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (2) Institute.--The term ``Institute'' means the National 
        Institute of Standards and Technology.

SEC. 502. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

    (a) In General.--The Director, in coordination with appropriate 
Federal authorities, shall--
            (1) as appropriate, ensure coordination of Federal agencies 
        engaged in the development of international technical standards 
        related to information system security; and
            (2) not later than 1 year after the date of enactment of 
        this Act, develop and transmit to Congress a plan for ensuring 
        such Federal agency coordination.
    (b) Consultation With the Private Sector.--In carrying out the 
activities specified in subsection (a)(1), the Director shall ensure 
consultation with appropriate private sector stakeholders.

SEC. 503. CLOUD COMPUTING STRATEGY.

    (a) In General.--The Director, in coordination with the Office of 
Management and Budget, in collaboration with the Federal Chief 
Information Officers Council, and in consultation with other relevant 
Federal agencies and stakeholders from the private sector, shall 
continue to develop and encourage the implementation of a comprehensive 
strategy for the use and adoption of cloud computing services by the 
Federal Government.
    (b) Activities.--In carrying out the strategy described under 
subsection (a), the Director shall give consideration to activities 
that--
            (1) accelerate the development, in collaboration with the 
        private sector, of standards that address interoperability and 
        portability of cloud computing services;
            (2) advance the development of conformance testing 
        performed by the private sector in support of cloud computing 
        standardization; and
            (3) support, in coordination with the Office of Management 
        and Budget, and in consultation with the private sector, the 
        development of appropriate security frameworks and reference 
        materials, and the identification of best practices, for use by 
        Federal agencies to address security and privacy requirements 
        to enable the use and adoption of cloud computing services, 
        including activities--
                    (A) to ensure the physical security of cloud 
                computing data centers and the data stored in such 
                centers;
                    (B) to ensure secure access to the data stored in 
                cloud computing data centers;
                    (C) to develop security standards as required under 
                section 20 of the National Institute of Standards and 
                Technology Act (15 U.S.C. 278g-3); and
                    (D) to support the development of the automation of 
                continuous monitoring systems.

SEC. 504. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

    The Director shall continue a program to support the development of 
voluntary and cost-effective technical standards, metrology, testbeds, 
and conformance criteria, taking into account appropriate user 
concerns--
            (1) to improve interoperability among identity management 
        technologies;
            (2) to strengthen authentication methods of identity 
        management systems;
            (3) to improve privacy protection in identity management 
        systems, including health information technology systems, 
        through authentication and security protocols; and
            (4) to improve the usability of identity management 
        systems.

            Passed the Senate December 11, 2014.

            Attest:

                                                             Secretary.