[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 7998 Introduced in House (IH)]

116th CONGRESS
  2d Session
                                H. R. 7998

  To require the Director of the National Institute of Standards and 
Technology to disseminate guidance to institutions of higher education 
  and nonprofit research institutions to help mitigate cybersecurity 
      risks to COVID-19 related research, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            August 11, 2020

  Mr. Barr (for himself and Mr. Lucas) introduced the following bill; 
 which was referred to the Committee on Science, Space, and Technology

_______________________________________________________________________

                                 A BILL


 
  To require the Director of the National Institute of Standards and 
Technology to disseminate guidance to institutions of higher education 
  and nonprofit research institutions to help mitigate cybersecurity 
      risks to COVID-19 related research, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``NIST COVID-19 Cybersecurity Act''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (2) Institution of higher education.--The term 
        ``institution of higher education'' has the meaning given such 
        term in section 101 of the Higher Education Act of 1965 (20 
        U.S.C. 1001).
            (3) Resources.--The term ``resources'' means guidelines, 
        tools, best practices, standards, methodologies, and other ways 
        of providing information.
            (4) Research institution.--The term ``research 
        institution''--
                    (A) means a nonprofit institution (as defined in 
                section 4(5) of the Stevenson-Wydler Technology 
                Innovation Act of 1980 (15 U.S.C. 3703(5))); and
                    (B) includes federally funded research and 
                development centers, as identified by the National 
                Science Foundation in accordance with the Federal 
                Acquisition Regulation issued in accordance with 
                section 1303(a)(1) of title 41 (or any successor 
                regulation).

SEC. 3. IMPROVING CYBERSECURITY OF INSTITUTIONS OF HIGHER EDUCATION.

    Section 2(e)(1)(A) of the National Institute of Standards and 
Technology Act (15 U.S.C. 272(e)(1)(A)) is amended--
            (1) in clause (viii), by striking ``and'' after the 
        semicolon;
            (2) by redesignating clause (ix) as clause (x); and
            (3) by inserting after clause (viii) the following:
                            ``(ix) consider institutions of higher 
                        education (as defined in section 101 of the 
                        Higher Education Act of 1965 (20 U.S.C. 1001)); 
                        and''.

SEC. 4. DISSEMINATION OF RESOURCES FOR RESEARCH INSTITUTIONS.

    (a) In General.--Not later than 90 days after the date of the 
enactment of this Act, the Director shall, using the authorities of the 
Director under subsections (c)(15) and (e)(1)(A)(ix) of section 2 of 
the National Institute of Standards and Technology Act (15 U.S.C. 272), 
as amended by section 3, disseminate and make publicly available 
resources to help research institutions and institutions of higher 
education identify, assess, manage, and reduce their cybersecurity risk 
related to conducting research with respect to COVID-19.
    (b) Requirements.--The Director shall ensure that the resources 
disseminated pursuant to subsection (a)--
            (1) are generally applicable and usable by a wide range of 
        research institutions and institutions of higher education;
            (2) vary with the nature and size of the implementing 
        research institutions or institutions of higher education, and 
        the nature and sensitivity of the data collected or stored on 
        the information systems or devices of the implementing research 
        institutions or institutions of higher education;
            (3) include elements that promote awareness of simple, 
        basic controls, a workplace cybersecurity culture, and third-
        party stakeholder relationships, to assist research 
        institutions or institutions of higher education in mitigating 
        common cybersecurity risks;
            (4) include case studies of practical application;
            (5) are technology-neutral and can be implemented using 
        technologies that are commercial and off-the-shelf; and
            (6) to the extent practicable, are based on international 
        standards.
    (c) National Cybersecurity Awareness and Education Program.--The 
Director shall ensure that the resources disseminated under subsection 
(a) are consistent with the efforts of the Director under section 401 
of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
    (d) Updates.--The Director shall review periodically and update the 
resources under subsection (a) as the Director determines appropriate.
    (e) Voluntary Resources.--The use of the resources disseminated 
under paragraph (1) shall be considered voluntary.
    (f) Other Federal Cybersecurity Requirements.--Nothing in this 
section may be construed to supersede, alter, or otherwise affect any 
cybersecurity requirements applicable to Federal agencies.
    (g) Funding.--This Act shall be carried out using funds made 
available to the Director.