[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1835 Introduced in Senate (IS)]

<DOC>






118th CONGRESS
  1st Session
                                S. 1835

To require the Cybersecurity and Infrastructure Security Agency of the 
Department of Homeland Security to develop a campaign program to raise 
   awareness regarding the importance of cybersecurity in the United 
                                States.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              June 6, 2023

Mr. Peters (for himself and Mr. Cassidy) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
To require the Cybersecurity and Infrastructure Security Agency of the 
Department of Homeland Security to develop a campaign program to raise 
   awareness regarding the importance of cybersecurity in the United 
                                States.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``National Cybersecurity Awareness 
Act''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) The presence of ubiquitous internet-connected devices 
        in the everyday lives of citizens of the United States has 
        created opportunities for constant connection and 
        modernization.
            (2) A connected society is subject to cybersecurity threats 
        that can compromise even the most personal and sensitive of 
        information.
            (3) Connected critical infrastructure is subject to 
        cybersecurity threats that can compromise fundamental economic 
        and health and safety functions.
            (4) The Government of the United States plays an important 
        role in safeguarding the nation from malicious cyber activity.
            (5) A citizenry that is knowledgeable regarding 
        cybersecurity is critical to building a robust cybersecurity 
        posture and reducing the threat of cyber attackers stealing 
        sensitive information and causing public harm.
            (6) While Cybersecurity Awareness Month is critical to 
        supporting national cybersecurity awareness, it cannot be a 
        once-a-year activity and must be a sustained, constant effort.

SEC. 3. CYBERSECURITY AWARENESS.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following:

``SEC. 2220F. CYBERSECURITY AWARENESS CAMPAIGNS.

    ``(a) Definition.--In this section, the term `Campaign Program' 
means the campaign program established under subsection (b).
    ``(b) Awareness Campaign Program.--
            ``(1) In general.--Not later than 90 days after the date of 
        enactment of the National Cybersecurity Awareness Act, the 
        Director shall establish a program for planning and 
        coordinating Federal cybersecurity awareness campaigns.
            ``(2) Activities.--In carrying out the Campaign Program, 
        the Director shall--
                    ``(A) inform non-Federal entities of voluntary 
                cyber hygiene best practices, including information on 
                how to--
                            ``(i) prevent cyberattacks; and
                            ``(ii) mitigate cybersecurity risks; and
                    ``(B) consult with private sector entities, State, 
                local, Tribal, and territorial governments, academia, 
                and civil society--
                            ``(i) to promote cyber hygiene best 
                        practices, including by focusing on tactics 
                        that are cost effective and result in 
                        significant cybersecurity improvement, such 
                        as--
                                    ``(I) maintaining strong passwords 
                                and the use of password managers;
                                    ``(II) enabling multi-factor 
                                authentication, including phishing-
                                resistant multi-factor authentication;
                                    ``(III) regularly installing 
                                software updates;
                                    ``(IV) using caution with email 
                                attachments and website links; and
                                    ``(V) other cyber hygienic 
                                considerations, as appropriate;
                            ``(ii) to promote awareness of 
                        cybersecurity risks and mitigation with respect 
                        to malicious applications on internet-connected 
                        devices, including applications to control 
                        those devices or use devices for unauthorized 
                        surveillance of users;
                            ``(iii) to help consumers identify products 
                        that are designed to support user and product 
                        security, such as products designed using the 
                        Secure-by-Design and Secure-by-Default 
                        principles of the Agency;
                            ``(iv) to coordinate with other Federal 
                        agencies and departments, as determined 
                        appropriate by the Director, to--
                                    ``(I) promote relevant 
                                cybersecurity-related awareness 
                                activities; and
                                    ``(II) ensure the Federal 
                                Government is coordinated in 
                                communicating accurate and timely 
                                cybersecurity information; and
                            ``(v) to expand nontraditional outreach 
                        mechanisms to ensure that entities including 
                        low-income and rural communities, small and 
                        medium sized businesses and institutions, and 
                        State, local, Tribal, and territorial partners 
                        receive cybersecurity awareness outreach in an 
                        equitable manner.
            ``(3) Reporting.--
                    ``(A) In general.--Not later than 180 days after 
                the date of enactment of the National Cybersecurity 
                Awareness Act, and annually thereafter, the Director 
                shall, in consultation with the heads of appropriate 
                Federal agencies, submit to the appropriate 
                congressional committees a report regarding the 
                Campaign Program.
                    ``(B) Contents.--Each report submitted pursuant to 
                subparagraph (A) shall include--
                            ``(i) a summary of the activities of the 
                        Agency that support promoting cybersecurity 
                        awareness under the Campaign Program, including 
                        consultations made under paragraph (2)(B);
                            ``(ii) an assessment of the effectiveness 
                        of techniques and methods used to promote 
                        national cybersecurity awareness under the 
                        Campaign Program; and
                            ``(iii) recommendations on how to best 
                        promote cybersecurity awareness nationally.
    ``(c) Cybersecurity Campaign Resources.--
            ``(1) In general.--Not later than 180 days after the date 
        of enactment of the National Cybersecurity Awareness Act, the 
        Director shall develop and maintain a central repository for 
        the resources, tools, and public communications of the Agency 
        that promote cybersecurity awareness.
            ``(2) Requirements.--The resources described in paragraph 
        (1) shall be--
                    ``(A) made publicly available online; and
                    ``(B) regularly updated to ensure the public has 
                access to relevant and timely cybersecurity awareness 
                information.''.
    (b) Responsibilities of the Cybersecurity and Infrastructure 
Security Agency.--Section 2202(c) of the Homeland Security Act of 2002 
(6 U.S.C. 652(c)) is amended--
            (1) in paragraph (13), by striking ``; and'' and inserting 
        a semicolon;
            (2) by redesignating paragraph (14) as paragraph (15); and
            (3) by inserting after paragraph (13) the following:
            ``(14) lead and coordinate Federal efforts to promote 
        national cybersecurity awareness; and''.
    (c) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135) 
is amended by inserting after the item relating to section 2220E the 
following:

``Sec. 2220F. Cybersecurity awareness campaigns''.
                                 <all>