[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 1353 Reported in Senate (RS)]

                                                       Calendar No. 490
113th CONGRESS
  2d Session
                                S. 1353

  To provide for an ongoing, voluntary public-private partnership to 
  improve cybersecurity, and to strengthen cybersecurity research and 
development, workforce development and education, and public awareness 
               and preparedness, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 24, 2013

 Mr. Rockefeller (for himself and Mr. Thune) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

                             July 24, 2014

             Reported by Mr. Rockefeller, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
  To provide for an ongoing, voluntary public-private partnership to 
  improve cybersecurity, and to strengthen cybersecurity research and 
development, workforce development and education, and public awareness 
               and preparedness, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>

<DELETED>    (a) Short Title.--This Act may be cited as the 
``Cybersecurity Act of 2013''.</DELETED>
<DELETED>    (b) Table of Contents.--The table of contents of this Act 
is as follows:</DELETED>

<DELETED>Sec. 1. Short title; table of contents.</DELETED>
<DELETED>Sec. 2. Definitions.</DELETED>
<DELETED>Sec. 3. No regulatory authority.</DELETED>
    <DELETED>TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY</DELETED>

<DELETED>Sec. 101. Public-private collaboration on cybersecurity.</DELETED>
       <DELETED>TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT</DELETED>

<DELETED>Sec. 201. Federal cybersecurity research and development.</DELETED>
<DELETED>Sec. 202. Computer and network security research centers.</DELETED>
        <DELETED>TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT</DELETED>

<DELETED>Sec. 301. Cybersecurity competitions and challenges.</DELETED>
<DELETED>Sec. 302. Federal cyber scholarship-for-service program.</DELETED>
<DELETED>Sec. 303. Study and analysis of education, accreditation, 
                            training, and certification of information 
                            infrastructure and cybersecurity 
                            professionals.</DELETED>
      <DELETED>TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS</DELETED>

<DELETED>Sec. 401. National cybersecurity awareness and preparedness 
                            campaign.</DELETED>

<DELETED>SEC. 2. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Cybersecurity mission.--The term 
        ``cybersecurity mission'' means activities that encompass the 
        full range of threat reduction, vulnerability reduction, 
        deterrence, international engagement, incident response, 
        resiliency, and recovery policies and activities, including 
        computer network operations, information assurance, law 
        enforcement, diplomacy, military, and intelligence missions as 
        such activities relate to the security and stability of 
        cyberspace.</DELETED>
        <DELETED>    (2) Information infrastructure.--The term 
        ``information infrastructure'' means the underlying framework 
        that information systems and assets rely on to process, 
        transmit, receive, or store information electronically, 
        including programmable electronic devices, communications 
        networks, and industrial or supervisory control systems and any 
        associated hardware, software, or data.</DELETED>
        <DELETED>    (3) Information system.--The term ``information 
        system'' has the meaning given that term in section 3502 of 
        title 44, United States Code.</DELETED>

<DELETED>SEC. 3. NO REGULATORY AUTHORITY.</DELETED>

<DELETED>    Nothing in this Act shall be construed to confer any 
regulatory authority on any Federal, State, tribal, or local department 
or agency.</DELETED>

           <DELETED>TITLE I--PUBLIC-PRIVATE COLLABORATION ON 
                        CYBERSECURITY</DELETED>

<DELETED>SEC. 101. PUBLIC-PRIVATE COLLABORATION ON 
              CYBERSECURITY.</DELETED>

<DELETED>    (a) Cybersecurity.--Section 2(c) of the National Institute 
of Standards and Technology Act (15 U.S.C. 272(c)) is amended--
</DELETED>
        <DELETED>    (1) by redesignating paragraphs (15) through (22) 
        as paragraphs (16) through (23), respectively; and</DELETED>
        <DELETED>    (2) by inserting after paragraph (14) the 
        following:</DELETED>
        <DELETED>    ``(15) on an ongoing basis, facilitate and support 
        the development of a voluntary, industry-led set of standards, 
        guidelines, best practices, methodologies, procedures, and 
        processes to reduce cyber risks to critical infrastructure (as 
        defined under subsection (e));''.</DELETED>
<DELETED>    (b) Scope and Limitations.--Section 2 of the National 
Institute of Standards and Technology Act (15 U.S.C. 272) is amended by 
adding at the end the following:</DELETED>
<DELETED>    ``(e) Cyber Risks.--</DELETED>
        <DELETED>    ``(1) In general.--In carrying out the activities 
        under subsection (c)(15), the Director--</DELETED>
                <DELETED>    ``(A) shall--</DELETED>
                        <DELETED>    ``(i) coordinate closely and 
                        continuously with relevant private sector 
                        personnel and entities, critical infrastructure 
                        owners and operators, sector coordinating 
                        councils, Information Sharing and Analysis 
                        Centers, and other relevant industry 
                        organizations, and incorporate industry 
                        expertise;</DELETED>
                        <DELETED>    ``(ii) consult with the heads of 
                        agencies with national security 
                        responsibilities, sector-specific agencies, 
                        State and local governments, the governments of 
                        other nations, and international 
                        organizations;</DELETED>
                        <DELETED>    ``(iii) identify a prioritized, 
                        flexible, repeatable, performance-based, and 
                        cost-effective approach, including information 
                        security measures and controls, that may be 
                        voluntarily adopted by owners and operators of 
                        critical infrastructure to help them identify, 
                        assess, and manage cyber risks;</DELETED>
                        <DELETED>    ``(iv) include methodologies--
                        </DELETED>
                                <DELETED>    ``(I) to identify and 
                                mitigate impacts of the cybersecurity 
                                measures or controls on business 
                                confidentiality; and</DELETED>
                                <DELETED>    ``(II) to protect 
                                individual privacy and civil 
                                liberties;</DELETED>
                        <DELETED>    ``(v) incorporate voluntary 
                        consensus standards and industry best 
                        practices;</DELETED>
                        <DELETED>    ``(vi) align with voluntary 
                        international standards to the fullest extent 
                        possible;</DELETED>
                        <DELETED>    ``(vii) prevent duplication of 
                        regulatory processes and prevent conflict with 
                        or superseding of regulatory requirements, 
                        mandatory standards, and related processes; 
                        and</DELETED>
                        <DELETED>    ``(viii) include such other 
                        similar and consistent elements as the Director 
                        considers necessary; and</DELETED>
                <DELETED>    ``(B) shall not prescribe or otherwise 
                require--</DELETED>
                        <DELETED>    ``(i) the use of specific 
                        solutions;</DELETED>
                        <DELETED>    ``(ii) the use of specific 
                        information or communications technology 
                        products or services; or</DELETED>
                        <DELETED>    ``(iii) that information or 
                        communications technology products or services 
                        be designed, developed, or manufactured in a 
                        particular manner.</DELETED>
        <DELETED>    ``(2) Limitation.--Information shared with or 
        provided to the Institute for the purpose of the activities 
        described under subsection (c)(15) shall not be used by any 
        Federal, State, tribal, or local department or agency to 
        regulate the activity of any entity.</DELETED>
        <DELETED>    ``(3) Definitions.--In this subsection:</DELETED>
                <DELETED>    ``(A) Critical infrastructure.--The term 
                `critical infrastructure' has the meaning given the 
                term in section 1016(e) of the USA PATRIOT Act of 2001 
                (42 U.S.C. 5195c(e)).</DELETED>
                <DELETED>    ``(B) Sector-specific agency.--The term 
                `sector-specific agency' means the Federal department 
                or agency responsible for providing institutional 
                knowledge and specialized expertise as well as leading, 
                facilitating, or supporting the security and resilience 
                programs and associated activities of its designated 
                critical infrastructure sector in the all-hazards 
                environment.''.</DELETED>

  <DELETED>TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT</DELETED>

<DELETED>SEC. 201. FEDERAL CYBERSECURITY RESEARCH AND 
              DEVELOPMENT.</DELETED>

<DELETED>    (a) Fundamental Cybersecurity Research.--</DELETED>
        <DELETED>    (1) In general.--The Director of the Office of 
        Science and Technology Policy, in coordination with the head of 
        any relevant Federal agency, shall build upon programs and 
        plans in effect as of the date of enactment of this Act to 
        develop a Federal cybersecurity research and development plan 
        to meet objectives in cybersecurity, such as--</DELETED>
                <DELETED>    (A) how to design and build complex 
                software-intensive systems that are secure and reliable 
                when first deployed;</DELETED>
                <DELETED>    (B) how to test and verify that software 
                and hardware, whether developed locally or obtained 
                from a third party, is free of significant known 
                security flaws;</DELETED>
                <DELETED>    (C) how to test and verify that software 
                and hardware obtained from a third party correctly 
                implements stated functionality, and only that 
                functionality;</DELETED>
                <DELETED>    (D) how to guarantee the privacy of an 
                individual, including that individual's identity, 
                information, and lawful transactions when stored in 
                distributed systems or transmitted over 
                networks;</DELETED>
                <DELETED>    (E) how to build new protocols to enable 
                the Internet to have robust security as one of the key 
                capabilities of the Internet;</DELETED>
                <DELETED>    (F) how to determine the origin of a 
                message transmitted over the Internet;</DELETED>
                <DELETED>    (G) how to support privacy in conjunction 
                with improved security;</DELETED>
                <DELETED>    (H) how to address the growing problem of 
                insider threats;</DELETED>
                <DELETED>    (I) how improved consumer education and 
                digital literacy initiatives can address human factors 
                that contribute to cybersecurity;</DELETED>
                <DELETED>    (J) how to protect information processed, 
                transmitted, or stored using cloud computing or 
                transmitted through wireless services; and</DELETED>
                <DELETED>    (K) any additional objectives the Director 
                of the Office of Science and Technology Policy, in 
                coordination with the head of any relevant Federal 
                agency and with input from stakeholders, including 
                industry and academia, determines 
                appropriate.</DELETED>
        <DELETED>    (2) Requirements.--</DELETED>
                <DELETED>    (A) In general.--The Federal cybersecurity 
                research and development plan shall identify and 
                prioritize near-term, mid-term, and long-term research 
                in computer and information science and engineering to 
                meet the objectives under paragraph (1), including 
                research in the areas described in section 4(a)(1) of 
                the Cyber Security Research and Development Act (15 
                U.S.C. 7403(a)(1)).</DELETED>
                <DELETED>    (B) Private sector efforts.--In 
                developing, implementing, and updating the Federal 
                cybersecurity research and development plan, the 
                Director of the Office of Science and Technology Policy 
                shall work in close cooperation with industry, 
                academia, and other interested stakeholders to ensure, 
                to the extent possible, that Federal cybersecurity 
                research and development is not duplicative of private 
                sector efforts.</DELETED>
        <DELETED>    (3) Triennial updates.--</DELETED>
                <DELETED>    (A) In general.--The Federal cybersecurity 
                research and development plan shall be updated 
                triennially.</DELETED>
                <DELETED>    (B) Report to congress.--The Director of 
                the Office of Science and Technology Policy shall 
                submit the plan, not later than 1 year after the date 
                of enactment of this Act, and each updated plan under 
                this section to the Committee on Commerce, Science, and 
                Transportation of the Senate and the Committee on 
                Science, Space, and Technology of the House of 
                Representatives.</DELETED>
<DELETED>    (b) Cybersecurity Practices Research.--The Director of the 
National Science Foundation shall support research that--</DELETED>
        <DELETED>    (1) develops, evaluates, disseminates, and 
        integrates new cybersecurity practices and concepts into the 
        core curriculum of computer science programs and of other 
        programs where graduates of such programs have a substantial 
        probability of developing software after graduation, including 
        new practices and concepts relating to secure coding education 
        and improvement programs; and</DELETED>
        <DELETED>    (2) develops new models for professional 
        development of faculty in cybersecurity education, including 
        secure coding development.</DELETED>
<DELETED>    (c) Cybersecurity Modeling and Test Beds.--</DELETED>
        <DELETED>    (1) Review.--Not later than 1 year after the date 
        of enactment of this Act, the Director of the National Science 
        Foundation, in coordination with the Director of the Office of 
        Science and Technology Policy, shall conduct a review of 
        cybersecurity test beds in existence on the date of enactment 
        of this Act to inform the grants under paragraph (2). The 
        review shall include an assessment of whether a sufficient 
        number of cybersecurity test beds are available to meet the 
        research needs under the Federal cybersecurity research and 
        development plan.</DELETED>
        <DELETED>    (2) Additional cybersecurity modeling and test 
        beds.--</DELETED>
                <DELETED>    (A) In general.--If the Director of the 
                National Science Foundation, after the review under 
                paragraph (1), determines that the research needs under 
                the Federal cybersecurity research and development plan 
                require the establishment of additional cybersecurity 
                test beds, the Director of the National Science 
                Foundation, in coordination with the Secretary of 
                Commerce and the Secretary of Homeland Security, may 
                award grants to institutions of higher education or 
                research and development non-profit institutions to 
                establish cybersecurity test beds.</DELETED>
                <DELETED>    (B) Requirement.--The cybersecurity test 
                beds under subparagraph (A) shall be sufficiently large 
                in order to model the scale and complexity of real-time 
                cyber attacks and defenses on real world networks and 
                environments.</DELETED>
                <DELETED>    (C) Assessment required.--The Director of 
                the National Science Foundation, in coordination with 
                the Secretary of Commerce and the Secretary of Homeland 
                Security, shall evaluate the effectiveness of any 
                grants awarded under this subsection in meeting the 
                objectives of the Federal cybersecurity research and 
                development plan under subsection (a) no later than 2 
                years after the review under paragraph (1) of this 
                subsection, and periodically thereafter.</DELETED>
<DELETED>    (d) Coordination With Other Research Initiatives.--In 
accordance with the responsibilities under section 101 of the 
High-Performance Computing Act of 1991 (15 U.S.C. 5511), the Director of the 
Office of Science and Technology Policy shall coordinate, to the extent 
practicable, Federal research and development activities under this 
section with other ongoing research and development security-related 
initiatives, including research being conducted by--</DELETED>
        <DELETED>    (1) the National Science Foundation;</DELETED>
        <DELETED>    (2) the National Institute of Standards and 
        Technology;</DELETED>
        <DELETED>    (3) the Department of Homeland Security;</DELETED>
        <DELETED>    (4) other Federal agencies;</DELETED>
        <DELETED>    (5) other Federal and private research 
        laboratories, research entities, and universities;</DELETED>
        <DELETED>    (6) institutions of higher education;</DELETED>
        <DELETED>    (7) relevant nonprofit organizations; 
        and</DELETED>
        <DELETED>    (8) international partners of the United 
        States.</DELETED>
<DELETED>    (e) National Science Foundation Computer and Network 
Security Research Grant Areas.--Section 4(a)(1) of the Cyber Security 
Research and Development Act (15 U.S.C. 7403(a)(1)) is amended--
</DELETED>
        <DELETED>    (1) in subparagraph (H), by striking ``and'' at 
        the end;</DELETED>
        <DELETED>    (2) in subparagraph (I), by striking the period at 
        the end and inserting a semicolon; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
                <DELETED>    ``(J) secure fundamental protocols that 
                are integral to inter-network communications and data 
                exchange;</DELETED>
                <DELETED>    ``(K) secure software engineering and 
                software assurance, including--</DELETED>
                        <DELETED>    ``(i) programming languages and 
                        systems that include fundamental security 
                        features;</DELETED>
                        <DELETED>    ``(ii) portable or reusable code 
                        that remains secure when deployed in various 
                        environments;</DELETED>
                        <DELETED>    ``(iii) verification and 
                        validation technologies to ensure that 
                        requirements and specifications have been 
                        implemented; and</DELETED>
                        <DELETED>    ``(iv) models for comparison and 
                        metrics to assure that required standards have 
                        been met;</DELETED>
                <DELETED>    ``(L) holistic system security that--
                </DELETED>
                        <DELETED>    ``(i) addresses the building of 
                        secure systems from trusted and untrusted 
                        components;</DELETED>
                        <DELETED>    ``(ii) proactively reduces 
                        vulnerabilities;</DELETED>
                        <DELETED>    ``(iii) addresses insider threats; 
                        and</DELETED>
                        <DELETED>    ``(iv) supports privacy in 
                        conjunction with improved security;</DELETED>
                <DELETED>    ``(M) monitoring and detection;</DELETED>
                <DELETED>    ``(N) mitigation and rapid recovery 
                methods;</DELETED>
                <DELETED>    ``(O) security of wireless networks and 
                mobile devices; and</DELETED>
                <DELETED>    ``(P) security of cloud infrastructure and 
                services.''.</DELETED>
<DELETED>    (f) Research on the Science of Cybersecurity.--The head of 
each agency and department identified under section 101(a)(3)(B) of the 
High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)(B)), 
through existing programs and activities, shall support research that 
will lead to the development of a scientific foundation for the field 
of cybersecurity, including research that increases understanding of 
the underlying principles of securing complex networked systems, 
enables repeatable experimentation, and creates quantifiable security 
metrics.</DELETED>

<DELETED>SEC. 202. COMPUTER AND NETWORK SECURITY RESEARCH 
              CENTERS.</DELETED>

<DELETED>    Section 4(b) of the Cyber Security Research and 
Development Act (15 U.S.C. 7403(b)) is amended--</DELETED>
        <DELETED>    (1) by striking ``the center'' in paragraph (4)(D) 
        and inserting ``the Center''; and</DELETED>
        <DELETED>    (2) in paragraph (5)--</DELETED>
                <DELETED>    (A) by striking ``and'' at the end of 
                subparagraph (C);</DELETED>
                <DELETED>    (B) by striking the period at the end of 
                subparagraph (D) and inserting a semicolon; 
                and</DELETED>
                <DELETED>    (C) by adding at the end the 
                following:</DELETED>
                <DELETED>    ``(E) the demonstrated capability of the 
                applicant to conduct high performance computation 
                integral to complex computer and network security 
                research, through on-site or off-site 
                computing;</DELETED>
                <DELETED>    ``(F) the applicant's affiliation with 
                private sector entities involved with industrial 
                research described in subsection (a)(1);</DELETED>
                <DELETED>    ``(G) the capability of the applicant to 
                conduct research in a secure environment;</DELETED>
                <DELETED>    ``(H) the applicant's affiliation with 
                existing research programs of the Federal 
                Government;</DELETED>
                <DELETED>    ``(I) the applicant's experience managing 
                public-private partnerships to transition new 
                technologies into a commercial setting or the 
                government user community; and</DELETED>
                <DELETED>    ``(J) the capability of the applicant to 
                conduct interdisciplinary cybersecurity research, such 
                as in law, economics, or behavioral 
                sciences.''.</DELETED>

   <DELETED>TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT</DELETED>

<DELETED>SEC. 301. CYBERSECURITY COMPETITIONS AND CHALLENGES.</DELETED>

<DELETED>    (a) In General.--The Secretary of Commerce, Director of 
the National Science Foundation, and Secretary of Homeland Security 
shall--</DELETED>
        <DELETED>    (1) support competitions and challenges under 
        section 105 of the America COMPETES Reauthorization Act of 2010 
        (124 Stat. 3989) or any other provision of law, as 
        appropriate--</DELETED>
                <DELETED>    (A) to identify, develop, and recruit 
                talented individuals to perform duties relating to the 
                security of information infrastructure in Federal, 
                State, and local government agencies, and the private 
                sector; or</DELETED>
                <DELETED>    (B) to stimulate innovation in basic and 
                applied cybersecurity research, technology development, 
                and prototype demonstration that has the potential for 
                application to the information technology activities of 
                the Federal Government; and</DELETED>
        <DELETED>    (2) ensure the effective operation of the 
        competitions and challenges under this section.</DELETED>
<DELETED>    (b) Participation.--Participants in the competitions and 
challenges under subsection (a)(1) may include--</DELETED>
        <DELETED>    (1) students enrolled in grades 9 through 
        12;</DELETED>
        <DELETED>    (2) students enrolled in a postsecondary program 
        of study leading to a baccalaureate degree at an institution of 
        higher education;</DELETED>
        <DELETED>    (3) students enrolled in a postbaccalaureate 
        program of study at an institution of higher 
        education;</DELETED>
        <DELETED>    (4) institutions of higher education and research 
        institutions;</DELETED>
        <DELETED>    (5) veterans; and</DELETED>
        <DELETED>    (6) other groups or individuals that the Secretary 
        of Commerce, Director of the National Science Foundation, and 
        Secretary of Homeland Security determine appropriate.</DELETED>
<DELETED>    (c) Affiliation and Cooperative Agreements.--Competitions 
and challenges under this section may be carried out through 
affiliation and cooperative agreements with--</DELETED>
        <DELETED>    (1) Federal agencies;</DELETED>
        <DELETED>    (2) regional, State, or school programs supporting 
        the development of cyber professionals;</DELETED>
        <DELETED>    (3) State, local, and tribal governments; 
        or</DELETED>
        <DELETED>    (4) other private sector organizations.</DELETED>
<DELETED>    (d) Areas of Skill.--Competitions and challenges under 
subsection (a)(1)(A) shall be designed to identify, develop, and 
recruit exceptional talent relating to--</DELETED>
        <DELETED>    (1) ethical hacking;</DELETED>
        <DELETED>    (2) penetration testing;</DELETED>
        <DELETED>    (3) vulnerability assessment;</DELETED>
        <DELETED>    (4) continuity of system operations;</DELETED>
        <DELETED>    (5) security in design;</DELETED>
        <DELETED>    (6) cyber forensics;</DELETED>
        <DELETED>    (7) offensive and defensive cyber operations; 
        and</DELETED>
        <DELETED>    (8) other areas the Secretary of Commerce, 
        Director of the National Science Foundation, and Secretary of 
        Homeland Security consider necessary to fulfill the 
        cybersecurity mission.</DELETED>
<DELETED>    (e) Topics.--In selecting topics for competitions and 
challenges under subsection (a)(1), the Secretary of Commerce, Director 
of the National Science Foundation, and Secretary of Homeland 
Security--</DELETED>
        <DELETED>    (1) shall consult widely both within and outside 
        the Federal Government; and</DELETED>
        <DELETED>    (2) may empanel advisory committees.</DELETED>
<DELETED>    (f) Internships.--The Director of the Office of Personnel 
Management may support, as appropriate, internships or other work 
experience in the Federal Government to the winners of the competitions 
and challenges under this section.</DELETED>

<DELETED>SEC. 302. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE 
              PROGRAM.</DELETED>

<DELETED>    (a) In General.--The Director of the National Science 
Foundation, in coordination with the Director of the Office of 
Personnel Management and Secretary of Homeland Security, shall continue 
a Federal Cyber Scholarship-for-Service program to recruit and train 
the next generation of information technology professionals, industrial 
control system security professionals, and security managers to meet 
the needs of the cybersecurity mission for Federal, State, local, and 
tribal governments.</DELETED>
<DELETED>    (b) Program Description and Components.--The Federal Cyber 
Scholarship-for-Service program shall--</DELETED>
        <DELETED>    (1) provide scholarships to students who are 
        enrolled in programs of study at institutions of higher 
        education leading to degrees or specialized program 
        certifications in the cybersecurity field;</DELETED>
        <DELETED>    (2) provide the scholarship recipients with summer 
        internship opportunities or other meaningful temporary 
        appointments in the Federal information technology workforce; 
        and</DELETED>
        <DELETED>    (3) provide a procedure by which the National 
        Science Foundation or a Federal agency, consistent with 
        regulations of the Office of Personnel Management, may request 
        and fund security clearances for scholarship recipients, 
        including providing for clearances during internships or other 
        temporary appointments and after receipt of their 
        degrees.</DELETED>
<DELETED>    (c) Scholarship Amounts.--Each scholarship under 
subsection (b) shall be in an amount that covers the student's tuition 
and fees at the institution under subsection (b)(1) and provides the 
student with an additional stipend.</DELETED>
<DELETED>    (d) Scholarship Conditions.--Each scholarship recipient, 
as a condition of receiving a scholarship under the program, shall 
enter into an agreement under which the recipient agrees to work in the 
cybersecurity mission of a Federal, State, local, or tribal agency for 
a period equal to the length of the scholarship following receipt of 
the student's degree.</DELETED>
<DELETED>    (e) Hiring Authority.--</DELETED>
        <DELETED>    (1) Appointment in excepted service.--
        Notwithstanding any provision of chapter 33 of title 5, United 
        States Code, governing appointments in the competitive service, 
        an agency shall appoint in the excepted service an individual 
        who has completed the academic program for which a scholarship 
        was awarded.</DELETED>
        <DELETED>    (2) Noncompetitive conversion.--Except as provided 
        in paragraph (4), upon fulfillment of the service term, an 
        employee appointed under paragraph (1) may be converted 
        noncompetitively to term, career-conditional or career 
        appointment.</DELETED>
        <DELETED>    (3) Timing of conversion.--An agency may 
        noncompetitively convert a term employee appointed under 
        paragraph (2) to a career-conditional or career appointment 
        before the term appointment expires.</DELETED>
        <DELETED>    (4) Authority to decline conversion.--An agency 
        may decline to make the noncompetitive conversion or 
        appointment under paragraph (2) for cause.</DELETED>
<DELETED>    (f) Eligibility.--To be eligible to receive a scholarship 
under this section, an individual shall--</DELETED>
        <DELETED>    (1) be a citizen or lawful permanent resident of 
        the United States;</DELETED>
        <DELETED>    (2) demonstrate a commitment to a career in 
        improving the security of information infrastructure; 
        and</DELETED>
        <DELETED>    (3) have demonstrated a high level of proficiency 
        in mathematics, engineering, or computer sciences.</DELETED>
<DELETED>    (g) Repayment.--If a scholarship recipient does not meet 
the terms of the program under this section, the recipient shall refund 
the scholarship payments in accordance with rules established by the 
Director of the National Science Foundation, in coordination with the 
Director of the Office of Personnel Management and Secretary of 
Homeland Security.</DELETED>
<DELETED>    (h) Evaluation and Report.--The Director of the National 
Science Foundation shall evaluate and report periodically to Congress 
on the success of recruiting individuals for scholarships under this 
section and on hiring and retaining those individuals in the public 
sector workforce.</DELETED>

<DELETED>SEC. 303. STUDY AND ANALYSIS OF EDUCATION, ACCREDITATION, 
              TRAINING, AND CERTIFICATION OF INFORMATION INFRASTRUCTURE 
              AND CYBERSECURITY PROFESSIONALS.</DELETED>

<DELETED>    (a) Study.--The Director of the National Science 
Foundation and the Secretary of Homeland Security shall undertake to 
enter into appropriate arrangements with the National Academy of 
Sciences to conduct a comprehensive study of government, academic, and 
private-sector education, accreditation, training, and certification 
programs for the development of professionals in information 
infrastructure and cybersecurity. The agreement shall require the 
National Academy of Sciences to consult with sector coordinating 
councils and relevant governmental agencies, regulatory entities, and 
nongovernmental organizations in the course of the study.</DELETED>
<DELETED>    (b) Scope.--The study shall include--</DELETED>
        <DELETED>    (1) an evaluation of the body of knowledge and 
        various skills that specific categories of professionals in 
        information infrastructure and cybersecurity should possess in 
        order to secure information systems;</DELETED>
        <DELETED>    (2) an assessment of whether existing government, 
        academic, and private-sector education, accreditation, 
        training, and certification programs provide the body of 
        knowledge and various skills described in paragraph 
        (1);</DELETED>
        <DELETED>    (3) an evaluation of--</DELETED>
                <DELETED>    (A) the state of cybersecurity education 
                at institutions of higher education in the United 
                States;</DELETED>
                <DELETED>    (B) the extent of professional development 
                opportunities for faculty in cybersecurity principles 
                and practices;</DELETED>
                <DELETED>    (C) the extent of the partnerships and 
                collaborative cybersecurity curriculum development 
                activities that leverage industry and government needs, 
                resources, and tools;</DELETED>
                <DELETED>    (D) the proposed metrics to assess 
                progress toward improving cybersecurity education; 
                and</DELETED>
                <DELETED>    (E) the descriptions of the content of 
                cybersecurity courses in undergraduate computer science 
                curriculum;</DELETED>
        <DELETED>    (4) an analysis of any barriers to the Federal 
        Government recruiting and hiring cybersecurity talent, 
        including barriers relating to compensation, the hiring 
        process, job classification, and hiring flexibility; 
        and</DELETED>
        <DELETED>    (5) an analysis of the sources and availability of 
        cybersecurity talent, a comparison of the skills and expertise 
        sought by the Federal Government and the private sector, an 
        examination of the current and future capacity of United States 
        institutions of higher education, including community colleges, 
        to provide current and future cybersecurity professionals, 
        through education and training activities, with those skills 
        sought by the Federal Government, State and local entities, and 
        the private sector.</DELETED>
<DELETED>    (c) Report.--Not later than 1 year after the date of 
enactment of this Act, the National Academy of Sciences shall submit to 
the President and Congress a report on the results of the study. The 
report shall include--</DELETED>
        <DELETED>    (1) findings regarding the state of information 
        infrastructure and cybersecurity education, accreditation, 
        training, and certification programs, including specific areas 
        of deficiency and demonstrable progress; and</DELETED>
        <DELETED>    (2) recommendations for further research and the 
        improvement of information infrastructure and cybersecurity 
        education, accreditation, training, and certification 
        programs.</DELETED>

 <DELETED>TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS</DELETED>

<DELETED>SEC. 401. NATIONAL CYBERSECURITY AWARENESS AND PREPAREDNESS 
              CAMPAIGN.</DELETED>

<DELETED>    (a) National Cybersecurity Awareness and Preparedness 
Campaign.--The Director of the National Institute of Standards and 
Technology (referred to in this section as the ``Director''), in 
consultation with appropriate Federal agencies, shall continue to 
coordinate a national cybersecurity awareness and preparedness 
campaign, such as--</DELETED>
        <DELETED>    (1) a campaign to increase public awareness of 
        cybersecurity, cyber safety, and cyber ethics, including the 
        use of the Internet, social media, entertainment, and other 
        media to reach the public;</DELETED>
        <DELETED>    (2) a campaign to increase the understanding of 
        State and local governments and private sector entities of--
        </DELETED>
                <DELETED>    (A) the benefits of ensuring effective 
                risk management of the information infrastructure 
                versus the costs of failure to do so; and</DELETED>
                <DELETED>    (B) the methods to mitigate and remediate 
                vulnerabilities;</DELETED>
        <DELETED>    (3) support for formal cybersecurity education 
        programs at all education levels to prepare skilled 
        cybersecurity and computer science workers for the private 
        sector and Federal, State, and local government; and</DELETED>
        <DELETED>    (4) initiatives to evaluate and forecast future 
        cybersecurity workforce needs of the Federal government and 
        develop strategies for recruitment, training, and 
        retention.</DELETED>
<DELETED>    (b) Considerations.--In carrying out the authority 
described in subsection (a), the Director, in consultation with 
appropriate Federal agencies, shall leverage existing programs designed 
to inform the public of safety and security of products or services, 
including self-certifications and independently verified assessments 
regarding the quantification and valuation of information security 
risk.</DELETED>
<DELETED>    (c) Strategic Plan.--The Director, in cooperation with 
relevant Federal agencies and other stakeholders, shall build upon 
programs and plans in effect as of the date of enactment of this Act to 
develop and implement a strategic plan to guide Federal programs and 
activities in support of the national cybersecurity awareness and 
preparedness campaign under subsection (a).</DELETED>
<DELETED>    (d) Report.--Not later than 1 year after the date of 
enactment of this Act, and every 5 years thereafter, the Director shall 
transmit the strategic plan under subsection (c) to the Committee on 
Commerce, Science, and Transportation of the Senate and the Committee 
on Science, Space, and Technology of the House of 
Representatives.</DELETED>

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Cybersecurity Act 
of 2013''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. No regulatory authority.

         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

Sec. 101. Public-private collaboration on cybersecurity.

            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 201. Federal cybersecurity research and development.
Sec. 202. Computer and network security research centers.

             TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT

Sec. 301. Cybersecurity competitions and challenges.
Sec. 302. Federal cyber scholarship-for-service program.
Sec. 303. Study and analysis of education, accreditation, training, and 
                            certification of information infrastructure 
                            and cybersecurity professionals.

           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

Sec. 401. National cybersecurity awareness and preparedness campaign.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Cybersecurity mission.--The term ``cybersecurity 
        mission'' means activities that encompass the full range of 
        threat reduction, vulnerability reduction, deterrence, 
        international engagement, incident response, resiliency, and 
        recovery policies and activities, including computer network 
        operations, information assurance, law enforcement, diplomacy, 
        military, and intelligence missions as such activities relate 
        to the security and stability of cyberspace.
            (2) Information infrastructure.--The term ``information 
        infrastructure'' means the underlying framework that 
        information systems and assets rely on to process, transmit, 
        receive, or store information electronically, including 
        programmable electronic devices, communications networks, and 
        industrial or supervisory control systems and any associated 
        hardware, software, or data.
            (3) Information system.--The term ``information system'' 
        has the meaning given that term in section 3502 of title 44, 
        United States Code.

SEC. 3. NO REGULATORY AUTHORITY.

    Nothing in this Act shall be construed to confer any regulatory 
authority on any Federal, State, tribal, or local department or agency.

         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

SEC. 101. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.

    (a) Cybersecurity.--Section 2(c) of the National Institute of 
Standards and Technology Act (15 U.S.C. 272(c)) is amended--
            (1) by redesignating paragraphs (15) through (22) as 
        paragraphs (16) through (23), respectively; and
            (2) by inserting after paragraph (14) the following:
            ``(15) on an ongoing basis, facilitate and support the 
        development of a voluntary, industry-led set of standards, 
        guidelines, best practices, methodologies, procedures, and 
        processes to reduce cyber risks to critical infrastructure (as 
        defined under subsection (e));''.
    (b) Scope and Limitations.--Section 2 of the National Institute of 
Standards and Technology Act (15 U.S.C. 272) is amended by adding at 
the end the following:
    ``(e) Cyber Risks.--
            ``(1) In general.--In carrying out the activities under 
        subsection (c)(15), the Director--
                    ``(A) shall--
                            ``(i) coordinate closely and continuously 
                        with relevant private sector personnel and 
                        entities, critical infrastructure owners and 
                        operators, sector coordinating councils, 
                        Information Sharing and Analysis Centers, and 
                        other relevant industry organizations, and 
                        incorporate industry expertise;
                            ``(ii) consult with the heads of agencies 
                        with national security responsibilities, 
                        sector-specific agencies, State and local 
                        governments, the governments of other nations, 
                        and international organizations;
                            ``(iii) identify a prioritized, flexible, 
                        repeatable, performance-based, and cost-
                        effective approach, including information 
                        security measures and controls, that may be 
                        voluntarily adopted by owners and operators of 
                        critical infrastructure to help them identify, 
                        assess, and manage cyber risks;
                            ``(iv) include methodologies--
                                    ``(I) to identify and mitigate 
                                impacts of the cybersecurity measures 
                                or controls on business 
                                confidentiality; and
                                    ``(II) to protect individual 
                                privacy and civil liberties;
                            ``(v) incorporate voluntary consensus 
                        standards and industry best practices;
                            ``(vi) align with voluntary international 
                        standards to the fullest extent possible;
                            ``(vii) prevent duplication of regulatory 
                        processes and prevent conflict with or 
                        superseding of regulatory requirements, 
                        mandatory standards, and related processes; and
                            ``(viii) include such other similar and 
                        consistent elements as the Director considers 
                        necessary; and
                    ``(B) shall not prescribe or otherwise require--
                            ``(i) the use of specific solutions;
                            ``(ii) the use of specific information or 
                        communications technology products or services; 
                        or
                            ``(iii) that information or communications 
                        technology products or services be designed, 
                        developed, or manufactured in a particular 
                        manner.
            ``(2) Limitation.--Information shared with or provided to 
        the Institute for the purpose of the activities described under 
        subsection (c)(15) shall not be used by any Federal, State, 
        tribal, or local department or agency to regulate the activity 
        of any entity.
            ``(3) Definitions.--In this subsection:
                    ``(A) Critical infrastructure.--The term `critical 
                infrastructure' has the meaning given the term in 
                section 1016(e) of the USA PATRIOT Act of 2001 (42 
                U.S.C. 5195c(e)).
                    ``(B) Sector-specific agency.--The term `sector-
                specific agency' means the Federal department or agency 
                responsible for providing institutional knowledge and 
                specialized expertise as well as leading, facilitating, 
                or supporting the security and resilience programs and 
                associated activities of its designated critical 
                infrastructure sector in the all-hazards 
                environment.''.
    (c) Study and Report.--
            (1) Study.--The Comptroller General of the United States 
        shall conduct a study that assesses--
                    (A) the progress made by the Director of the 
                National Institute of Standards and Technology in 
                facilitating the development of standards and 
                procedures to reduce cyber risks to critical 
                infrastructure in accordance with section 2(c)(15) of 
                the National Institute of Standards and Technology Act, 
                as added by this section;
                    (B) the extent to which the Director's facilitation 
                efforts are consistent with the directive in such 
                section that the development of such standards and 
                procedures be voluntary and led by industry 
                representatives;
                    (C) the extent to which sectors of critical 
                infrastructure (as defined in section 1016(e) of the 
                USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e))) have 
                adopted a voluntary, industry-led set of standards, 
                guidelines, best practices, methodologies, procedures, 
                and processes to reduce cyber risks to critical 
                infrastructure in accordance with such section 
                2(c)(15);
                    (D) the reasons behind the decisions of sectors of 
                critical infrastructure (as defined in subparagraph 
                (C)) to adopt or to not adopt the voluntary standards 
                described in subparagraph (C); and
                    (E) the extent to which such voluntary standards 
                have proved successful in protecting critical 
                infrastructure from cyber threats.
            (2) Reports.--Not later than 1 year after the date of the 
        enactment of this Act, and every 2 years thereafter for the 
        following 6 years, the Comptroller General shall submit a 
        report, which summarizes the findings of the study conducted 
        under paragraph (1), to--
                    (A) the Committee on Commerce, Science, and 
                Transportation of the Senate;
                    (B) the Committee on Energy and Commerce of the 
                House of Representatives; and
                    (C) the Committee on Science, Space, and Technology 
                of the House of Representatives.

            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

SEC. 201. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

    (a) Fundamental Cybersecurity Research.--
            (1) In general.--The Director of the Office of Science and 
        Technology Policy, in coordination with the head of any 
        relevant Federal agency, shall build upon programs and plans in 
        effect as of the date of enactment of this Act to develop a 
        Federal cybersecurity research and development plan to meet 
        objectives in cybersecurity, such as--
                    (A) how to design and build complex software-
                intensive systems that are secure and reliable when 
                first deployed;
                    (B) how to test and verify that software and 
                hardware, whether developed locally or obtained from a 
                third party, is free of significant known security 
                flaws;
                    (C) how to test and verify that software and 
                hardware obtained from a third party correctly 
                implements stated functionality, and only that 
                functionality;
                    (D) how to guarantee the privacy of an individual, 
                including that individual's identity, information, and 
                lawful transactions when stored in distributed systems 
                or transmitted over networks;
                    (E) how to build new protocols to enable the 
                Internet to have robust security as one of the key 
                capabilities of the Internet;
                    (F) how to determine the origin of a message 
                transmitted over the Internet;
                    (G) how to support privacy in conjunction with 
                improved security;
                    (H) how to address the growing problem of insider 
                threats;
                    (I) how improved consumer education and digital 
                literacy initiatives can address human factors that 
                contribute to cybersecurity;
                    (J) how to protect information processed, 
                transmitted, or stored using cloud computing or 
                transmitted through wireless services; and
                    (K) any additional objectives the Director of the 
                Office of Science and Technology Policy, in 
                coordination with the head of any relevant Federal 
                agency and with input from stakeholders, including 
                appropriate national laboratories, industry, and 
                academia, determines appropriate.
            (2) Requirements.--
                    (A) In general.--The Federal cybersecurity research 
                and development plan shall identify and prioritize 
                near-term, mid-term, and long-term research in computer 
                and information science and engineering to meet the 
                objectives under paragraph (1), including research in 
                the areas described in section 4(a)(1) of the Cyber 
                Security Research and Development Act (15 U.S.C. 
                7403(a)(1)).
                    (B) Private sector efforts.--In developing, 
                implementing, and updating the Federal cybersecurity 
                research and development plan, the Director of the 
                Office of Science and Technology Policy shall work in 
                close cooperation with industry, academia, and other 
                interested stakeholders to ensure, to the extent 
                possible, that Federal cybersecurity research and 
                development is not duplicative of private sector 
                efforts.
            (3) Triennial updates.--
                    (A) In general.--The Federal cybersecurity research 
                and development plan shall be updated triennially.
                    (B) Report to congress.--The Director of the Office 
                of Science and Technology Policy shall submit the plan, 
                not later than 1 year after the date of enactment of 
                this Act, and each updated plan under this section to 
                the Committee on Commerce, Science, and Transportation 
                of the Senate and the Committee on Science, Space, and 
                Technology of the House of Representatives.
    (b) Cybersecurity Practices Research.--The Director of the National 
Science Foundation shall support research that--
            (1) develops, evaluates, disseminates, and integrates new 
        cybersecurity practices and concepts into the core curriculum 
        of computer science programs and of other programs where 
        graduates of such programs have a substantial probability of 
        developing software after graduation, including new practices 
        and concepts relating to secure coding education and 
        improvement programs; and
            (2) develops new models for professional development of 
        faculty in cybersecurity education, including secure coding 
        development.
    (c) Cybersecurity Modeling and Test Beds.--
            (1) Review.--Not later than 1 year after the date of 
        enactment of this Act, the Director of the National Science 
        Foundation, in coordination with the Director of the Office of 
        Science and Technology Policy, shall conduct a review of 
        cybersecurity test beds in existence on the date of enactment 
        of this Act to inform the grants under paragraph (2). The 
        review shall include an assessment of whether a sufficient 
        number of cybersecurity test beds are available to meet the 
        research needs under the Federal cybersecurity research and 
        development plan.
            (2) Additional cybersecurity modeling and test beds.--
                    (A) In general.--If the Director of the National 
                Science Foundation, after the review under paragraph 
                (1), determines that the research needs under the 
                Federal cybersecurity research and development plan 
                require the establishment of additional cybersecurity 
                test beds, the Director of the National Science 
                Foundation, in coordination with the Secretary of 
                Commerce and the Secretary of Homeland Security, may 
                award grants to institutions of higher education or 
                research and development non-profit institutions to 
                establish cybersecurity test beds.
                    (B) Requirement.--The cybersecurity test beds under 
                subparagraph (A) shall be sufficiently large in order 
                to model the scale and complexity of real-time cyber 
                attacks and defenses on real world networks and 
                environments.
                    (C) Assessment required.--The Director of the 
                National Science Foundation, in coordination with the 
                Secretary of Commerce and the Secretary of Homeland 
                Security, shall evaluate the effectiveness of any 
                grants awarded under this subsection in meeting the 
                objectives of the Federal cybersecurity research and 
                development plan under subsection (a) no later than 2 
                years after the review under paragraph (1) of this 
                subsection, and periodically thereafter.
    (d) Coordination With Other Research Initiatives.--In accordance 
with the responsibilities under section 101 of the High-Performance 
Computing Act of 1991 (15 U.S.C. 5511), the Director of the Office of 
Science and Technology Policy shall coordinate, to the extent 
practicable, Federal research and development activities under this 
section with other ongoing research and development security-related 
initiatives, including research being conducted by--
            (1) the National Science Foundation;
            (2) the National Institute of Standards and Technology;
            (3) the Department of Homeland Security;
            (4) other Federal agencies;
            (5) other Federal and private research laboratories, 
        research entities, and universities;
            (6) institutions of higher education;
            (7) relevant nonprofit organizations; and
            (8) international partners of the United States.
    (e) National Science Foundation Computer and Network Security 
Research Grant Areas.--Section 4(a)(1) of the Cyber Security Research 
and Development Act (15 U.S.C. 7403(a)(1)) is amended--
            (1) in subparagraph (H), by striking ``and'' at the end;
            (2) in subparagraph (I), by striking the period at the end 
        and inserting a semicolon; and
            (3) by adding at the end the following:
                    ``(J) secure fundamental protocols that are 
                integral to inter-network communications and data 
                exchange;
                    ``(K) secure software engineering and software 
                assurance, including--
                            ``(i) programming languages and systems 
                        that include fundamental security features;
                            ``(ii) portable or reusable code that 
                        remains secure when deployed in various 
                        environments;
                            ``(iii) verification and validation 
                        technologies to ensure that requirements and 
                        specifications have been implemented; and
                            ``(iv) models for comparison and metrics to 
                        assure that required standards have been met;
                    ``(L) holistic system security that--
                            ``(i) addresses the building of secure 
                        systems from trusted and untrusted components;
                            ``(ii) proactively reduces vulnerabilities;
                            ``(iii) addresses insider threats; and
                            ``(iv) supports privacy in conjunction with 
                        improved security;
                    ``(M) monitoring and detection;
                    ``(N) mitigation and rapid recovery methods;
                    ``(O) security of wireless networks and mobile 
                devices; and
                    ``(P) security of cloud infrastructure and 
                services.''.
    (f) Research on the Science of Cybersecurity.--The head of each 
agency and department identified under section 101(a)(3)(B) of the 
High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)(B)), 
through existing programs and activities, shall support research that 
will lead to the development of a scientific foundation for the field 
of cybersecurity, including research that increases understanding of 
the underlying principles of securing complex networked systems, 
enables repeatable experimentation, and creates quantifiable security 
metrics.

SEC. 202. COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.

    Section 4(b) of the Cyber Security Research and Development Act (15 
U.S.C. 7403(b)) is amended--
            (1) in paragraph (3), by striking ``the research areas'' 
        and inserting the following: ``improving the security and 
        resiliency of information infrastructure, reducing cyber 
        vulnerabilities, and anticipating and mitigating consequences 
        of cyber attacks on critical infrastructure, by conducting 
        research in the areas'';
            (2) by striking ``the center'' in paragraph (4)(D) and 
        inserting ``the Center''; and
            (3) in paragraph (5)--
                    (A) by striking ``and'' at the end of subparagraph 
                (C);
                    (B) by striking the period at the end of 
                subparagraph (D) and inserting a semicolon; and
                    (C) by adding at the end the following:
                    ``(E) the demonstrated capability of the applicant 
                to conduct high performance computation integral to 
                complex computer and network security research, through 
                on-site or off-site computing;
                    ``(F) the applicant's affiliation with private 
                sector entities involved with industrial research 
                described in subsection (a)(1);
                    ``(G) the capability of the applicant to conduct 
                research in a secure environment;
                    ``(H) the applicant's affiliation with existing 
                research programs of the Federal Government;
                    ``(I) the applicant's experience managing public-
                private partnerships to transition new technologies 
                into a commercial setting or the government user 
                community;
                    ``(J) the capability of the applicant to conduct 
                interdisciplinary cybersecurity research, basic and 
                applied, such as in law, economics, or behavioral 
                sciences; and
                    ``(K) the capability of the applicant to conduct 
                research in areas such as systems security, wireless 
                security, networking and protocols, formal methods and 
                high-performance computing, nanotechnology, or 
                industrial control systems.''.

             TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT

SEC. 301. CYBERSECURITY COMPETITIONS AND CHALLENGES.

    (a) In General.--The Secretary of Commerce, Director of the 
National Science Foundation, and Secretary of Homeland Security, in 
consultation with the Director of the Office of Personnel Management, 
shall--
            (1) support competitions and challenges under section 105 
        of the America COMPETES Reauthorization Act of 2010 (124 Stat. 
        3989) or any other provision of law, as appropriate--
                    (A) to identify, develop, and recruit talented 
                individuals to perform duties relating to the security 
                of information infrastructure in Federal, State, and 
                local government agencies, and the private sector; or
                    (B) to stimulate innovation in basic and applied 
                cybersecurity research, technology development, and 
                prototype demonstration that has the potential for 
                application to the information technology activities of 
                the Federal Government; and
            (2) ensure the effective operation of the competitions and 
        challenges under this section.
    (b) Participation.--Participants in the competitions and challenges 
under subsection (a)(1) may include--
            (1) students enrolled in grades 9 through 12;
            (2) students enrolled in a postsecondary program of study 
        leading to a baccalaureate degree at an institution of higher 
        education;
            (3) students enrolled in a postbaccalaureate program of 
        study at an institution of higher education;
            (4) institutions of higher education and research 
        institutions;
            (5) veterans; and
            (6) other groups or individuals that the Secretary of 
        Commerce, Director of the National Science Foundation, and 
        Secretary of Homeland Security determine appropriate.
    (c) Affiliation and Cooperative Agreements.--Competitions and 
challenges under this section may be carried out through affiliation 
and cooperative agreements with--
            (1) Federal agencies;
            (2) regional, State, or school programs supporting the 
        development of cyber professionals;
            (3) State, local, and tribal governments; or
            (4) other private sector organizations.
    (d) Areas of Skill.--Competitions and challenges under subsection 
(a)(1)(A) shall be designed to identify, develop, and recruit 
exceptional talent relating to--
            (1) ethical hacking;
            (2) penetration testing;
            (3) vulnerability assessment;
            (4) continuity of system operations;
            (5) security in design;
            (6) cyber forensics;
            (7) offensive and defensive cyber operations; and
            (8) other areas the Secretary of Commerce, Director of the 
        National Science Foundation, and Secretary of Homeland Security 
        consider necessary to fulfill the cybersecurity mission.
    (e) Topics.--In selecting topics for competitions and challenges 
under subsection (a)(1), the Secretary of Commerce, Director of the 
National Science Foundation, and Secretary of Homeland Security--
            (1) shall consult widely both within and outside the 
        Federal Government; and
            (2) may empanel advisory committees.
    (f) Internships.--The Director of the Office of Personnel 
Management may support, as appropriate, internships or other work 
experience in the Federal Government to the winners of the competitions 
and challenges under this section.

SEC. 302. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

    (a) In General.--The Director of the National Science Foundation, 
in coordination with the Director of the Office of Personnel Management 
and Secretary of Homeland Security, shall continue a Federal Cyber 
Scholarship-for-Service program to recruit and train the next 
generation of information technology professionals, industrial control 
system security professionals, and security managers to meet the needs 
of the cybersecurity mission for Federal, State, local, and tribal 
governments.
    (b) Program Description and Components.--The Federal Cyber 
Scholarship-for-Service program shall--
            (1) provide scholarships to students who are enrolled in 
        programs of study at institutions of higher education leading 
        to degrees or specialized program certifications in the 
        cybersecurity field;
            (2) provide the scholarship recipients with summer 
        internship opportunities or other meaningful temporary 
        appointments in the Federal information technology workforce; 
        and
            (3) provide a procedure by which the National Science 
        Foundation or a Federal agency, consistent with regulations of 
        the Office of Personnel Management, may request and fund 
        security clearances for scholarship recipients, including 
        providing for clearances during internships or other temporary 
        appointments and after receipt of their degrees.
    (c) Scholarship Amounts.--Each scholarship under subsection (b) 
shall be in an amount that covers the student's tuition and fees at the 
institution under subsection (b)(1) and provides the student with an 
additional stipend.
    (d) Scholarship Conditions.--Each scholarship recipient, as a 
condition of receiving a scholarship under the program, shall enter 
into an agreement under which the recipient agrees to work in the 
cybersecurity mission of a Federal, State, local, or tribal agency for 
a period equal to the length of the scholarship following receipt of 
the student's degree.
    (e) Hiring Authority.--
            (1) Appointment in excepted service.--Notwithstanding any 
        provision of chapter 33 of title 5, United States Code, 
        governing appointments in the competitive service, an agency 
        shall appoint in the excepted service an individual who has 
        completed the academic program for which a scholarship was 
        awarded.
            (2) Noncompetitive conversion.--Except as provided in 
        paragraph (4), upon fulfillment of the service term, an 
        employee appointed under paragraph (1) may be converted 
        noncompetitively to term, career-conditional or career 
        appointment.
            (3) Timing of conversion.--An agency may noncompetitively 
        convert a term employee appointed under paragraph (2) to a 
        career-conditional or career appointment before the term 
        appointment expires.
            (4) Authority to decline conversion.--An agency may decline 
        to make the noncompetitive conversion or appointment under 
        paragraph (2) for cause.
    (f) Eligibility.--To be eligible to receive a scholarship under 
this section, an individual shall--
            (1) be a citizen or lawful permanent resident of the United 
        States;
            (2) demonstrate a commitment to a career in improving the 
        security of information infrastructure; and
            (3) have demonstrated a high level of proficiency in 
        mathematics, engineering, or computer sciences.
    (g) Repayment.--If a scholarship recipient does not meet the terms 
of the program under this section, the recipient shall refund the 
scholarship payments in accordance with rules established by the 
Director of the National Science Foundation, in coordination with the 
Director of the Office of Personnel Management and Secretary of 
Homeland Security.
    (h) Evaluation and Report.--The Director of the National Science 
Foundation shall evaluate and report periodically to Congress on the 
success of recruiting individuals for scholarships under this section 
and on hiring and retaining those individuals in the public sector 
workforce.

SEC. 303. STUDY AND ANALYSIS OF EDUCATION, ACCREDITATION, TRAINING, AND 
              CERTIFICATION OF INFORMATION INFRASTRUCTURE AND 
              CYBERSECURITY PROFESSIONALS.

    (a) Study.--The Director of the National Science Foundation, the 
Director of the Office of Personnel Management, and the Secretary of 
Homeland Security shall undertake to enter into appropriate 
arrangements with the National Academy of Sciences to conduct a 
comprehensive study of government, academic, and private-sector 
education, accreditation, training, and certification programs for the 
development of professionals in information infrastructure and 
cybersecurity. The agreement shall require the National Academy of 
Sciences to consult with sector coordinating councils and relevant 
governmental agencies, regulatory entities, and nongovernmental 
organizations in the course of the study.
    (b) Scope.--The study shall include--
            (1) an evaluation of the body of knowledge and various 
        skills that specific categories of professionals in information 
        infrastructure and cybersecurity should possess in order to 
        secure information systems;
            (2) an assessment of whether existing government, academic, 
        and private-sector education, accreditation, training, and 
        certification programs provide the body of knowledge and 
        various skills described in paragraph (1);
            (3) an evaluation of--
                    (A) the state of cybersecurity education at 
                institutions of higher education in the United States;
                    (B) the extent of professional development 
                opportunities for faculty in cybersecurity principles 
                and practices;
                    (C) the extent of the partnerships and 
                collaborative cybersecurity curriculum development 
                activities that leverage industry and government needs, 
                resources, and tools;
                    (D) the proposed metrics to assess progress toward 
                improving cybersecurity education; and
                    (E) the descriptions of the content of 
                cybersecurity courses in undergraduate computer science 
                curriculum;
            (4) an analysis of any barriers to the Federal Government 
        recruiting and hiring cybersecurity talent, including barriers 
        relating to compensation, the hiring process, job 
        classification, and hiring flexibility; and
            (5) an analysis of the sources and availability of 
        cybersecurity talent, a comparison of the skills and expertise 
        sought by the Federal Government and the private sector, an 
        examination of the current and future capacity of United States 
        institutions of higher education, including community colleges, 
        to provide current and future cybersecurity professionals, 
        through education and training activities, with those skills 
        sought by the Federal Government, State and local entities, and 
        the private sector.
    (c) Report.--Not later than 1 year after the date of enactment of 
this Act, the National Academy of Sciences shall submit to the 
President and Congress a report on the results of the study. The report 
shall include--
            (1) findings regarding the state of information 
        infrastructure and cybersecurity education, accreditation, 
        training, and certification programs, including specific areas 
        of deficiency and demonstrable progress; and
            (2) recommendations for further research and the 
        improvement of information infrastructure and cybersecurity 
        education, accreditation, training, and certification programs.

           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

SEC. 401. NATIONAL CYBERSECURITY AWARENESS AND PREPAREDNESS CAMPAIGN.

    (a) National Cybersecurity Awareness and Preparedness Campaign.--
The Director of the National Institute of Standards and Technology 
(referred to in this section as the ``Director''), in consultation with 
appropriate Federal agencies, shall continue to coordinate a national 
cybersecurity awareness and preparedness campaign, such as--
            (1) a campaign to increase public awareness of 
        cybersecurity, cyber safety, and cyber ethics, including the 
        use of the Internet, social media, entertainment, and other 
        media to reach the public;
            (2) a campaign to increase the understanding of State and 
        local governments, institutions of higher education, and 
        private sector entities of--
                    (A) the benefits of ensuring effective risk 
                management of the information infrastructure versus the 
                costs of failure to do so; and
                    (B) the methods to mitigate and remediate 
                vulnerabilities;
            (3) support for formal cybersecurity education programs at 
        all education levels to prepare skilled cybersecurity and 
        computer science workers for the private sector and Federal, 
        State, and local government; and
            (4) initiatives to evaluate and forecast future 
        cybersecurity workforce needs of the Federal government and 
        develop strategies for recruitment, training, and retention.
    (b) Considerations.--In carrying out the authority described in 
subsection (a), the Director, in consultation with appropriate Federal 
agencies, shall leverage existing programs designed to inform the 
public of safety and security of products or services, including self-
certifications and independently verified assessments regarding the 
quantification and valuation of information security risk.
    (c) Strategic Plan.--The Director, in cooperation with relevant 
Federal agencies and other stakeholders, shall build upon programs and 
plans in effect as of the date of enactment of this Act to develop and 
implement a strategic plan to guide Federal programs and activities in 
support of the national cybersecurity awareness and preparedness 
campaign under subsection (a).
    (d) Report.--Not later than 1 year after the date of enactment of 
this Act, and every 5 years thereafter, the Director shall transmit the 
strategic plan under subsection (c) to the Committee on Commerce, 
Science, and Transportation of the Senate and the Committee on Science, 
Space, and Technology of the House of Representatives.