

116 HR 7998 IH: NIST COVID–19 Cybersecurity Act
U.S. House of Representatives
2020-08-11
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



116th CONGRESS
2d Session

H. R. 7998

IN THE HOUSE OF REPRESENTATIVES

August 11, 2020

Mr. Barr (for himself and Mr. Lucas) introduced the following bill; which was referred to the Committee on Science, Space, and Technology

A BILL

To require the Director of the National Institute of Standards and Technology to disseminate guidance to institutions of higher education and nonprofit research institutions to help mitigate cybersecurity risks to COVID-19 related research, and for other purposes.

1. Short title

This Act may be cited as the "NIST COVID–19 Cybersecurity Act".

2. Definitions

In this Act:

(1) Director. The term "Director" means the Director of the National Institute of Standards and Technology.

(2) Institution of higher education. The term "institution of higher education" has the meaning given such term in section 101 of the Higher Education Act of 1965 (20 U.S.C. 1001).

(3) Resources. The term "resources" means guidelines, tools, best practices, standards, methodologies, and other ways of providing information.

(4) Research institution. The term "research institution"—

    (A) means a nonprofit institution (as defined in section 4(5) of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3703(5))); and

    (B) includes federally funded research and development centers, as identified by the National Science Foundation in accordance with the Federal Acquisition Regulation issued in accordance with section 1303(a)(1) of title 41 (or any successor regulation).

3. Improving cybersecurity of institutions of higher education

Section 2(e)(1)(A) of the National Institute of Standards and Technology Act (15 U.S.C. 272(e)(1)(A)) is amended—

(1) in clause (viii), by striking "and" after the semicolon;

(2) by redesignating clause (ix) as clause (x); and

(3) by inserting after clause (viii) the following:

    "(ix) consider institutions of higher education (as defined in section 101 of the Higher Education Act of 1965 (20 U.S.C. 1001)); and".

4. Dissemination of resources for research institutions

(a) In general. Not later than 90 days after the date of the enactment of this Act, the Director shall, using the authorities of the Director under subsections (c)(15) and (e)(1)(A)(ix) of section 2 of the National Institute of Standards and Technology Act (15 U.S.C. 272), as amended by section 3, disseminate and make publicly available resources to help research institutions and institutions of higher education identify, assess, manage, and reduce their cybersecurity risk related to conducting research with respect to COVID–19.

(b) Requirements. The Director shall ensure that the resources disseminated pursuant to subsection (a)—

    (1) are generally applicable and usable by a wide range of research institutions and institutions of higher education;

    (2) vary with the nature and size of the implementing research institutions or institutions of higher education, and the nature and sensitivity of the data collected or stored on the information systems or devices of the implementing research institutions or institutions of higher education;

    (3) include elements that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist research institutions or institutions of higher education in mitigating common cybersecurity risks;

    (4) include case studies of practical application;

    (5) are technology-neutral and can be implemented using technologies that are commercial and off-the-shelf; and

    (6) to the extent practicable, are based on international standards.

(c) National cybersecurity awareness and education program. The Director shall ensure that the resources disseminated under subsection (a) are consistent with the efforts of the Director under section 401 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).

(d) Updates. The Director shall review periodically and update the resources under subsection (a) as the Director determines appropriate.

(e) Voluntary resources. The use of the resources disseminated under paragraph (1) shall be considered voluntary.

(f) Other Federal Cybersecurity Requirements. Nothing in this section may be construed to supersede, alter, or otherwise affect any cybersecurity requirements applicable to Federal agencies.

(g) Funding. This Act shall be carried out using funds made available to the Director.