[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1835 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 382
118th CONGRESS
  2d Session
                                S. 1835

                          [Report No. 118-171]

To require the Cybersecurity and Infrastructure Security Agency of the 
Department of Homeland Security to develop a campaign program to raise 
   awareness regarding the importance of cybersecurity in the United 
                                States.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              June 6, 2023

Mr. Peters (for himself and Mr. Cassidy) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                              May 9, 2024

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
To require the Cybersecurity and Infrastructure Security Agency of the 
Department of Homeland Security to develop a campaign program to raise 
   awareness regarding the importance of cybersecurity in the United 
                                States.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``National Cybersecurity 
Awareness Act''.</DELETED>

<DELETED>SEC. 2. FINDINGS.</DELETED>

<DELETED>    Congress finds the following:</DELETED>
        <DELETED>    (1) The presence of ubiquitous internet-connected 
        devices in the everyday lives of citizens of the United States 
        has created opportunities for constant connection and 
        modernization.</DELETED>
        <DELETED>    (2) A connected society is subject to 
        cybersecurity threats that can compromise even the most 
        personal and sensitive of information.</DELETED>
        <DELETED>    (3) Connected critical infrastructure is subject 
        to cybersecurity threats that can compromise fundamental 
        economic and health and safety functions.</DELETED>
        <DELETED>    (4) The Government of the United States plays an 
        important role in safeguarding the nation from malicious cyber 
        activity.</DELETED>
        <DELETED>    (5) A citizenry that is knowledgeable regarding 
        cybersecurity is critical to building a robust cybersecurity 
        posture and reducing the threat of cyber attackers stealing 
        sensitive information and causing public harm.</DELETED>
        <DELETED>    (6) While Cybersecurity Awareness Month is 
        critical to supporting national cybersecurity awareness, it 
        cannot be a once-a-year activity and must be a sustained, 
        constant effort.</DELETED>

<DELETED>SEC. 3. CYBERSECURITY AWARENESS.</DELETED>

<DELETED>    (a) In General.--Subtitle A of title XXII of the Homeland 
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the 
end the following:</DELETED>

<DELETED>``SEC. 2220F. CYBERSECURITY AWARENESS CAMPAIGNS.</DELETED>

<DELETED>    ``(a) Definition.--In this section, the term `Campaign 
Program' means the campaign program established under subsection 
(b).</DELETED>
<DELETED>    ``(b) Awareness Campaign Program.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 90 days after 
        the date of enactment of the National Cybersecurity Awareness 
        Act, the Director shall establish a program for planning and 
        coordinating Federal cybersecurity awareness 
        campaigns.</DELETED>
        <DELETED>    ``(2) Activities.--In carrying out the Campaign 
        Program, the Director shall--</DELETED>
                <DELETED>    ``(A) inform non-Federal entities of 
                voluntary cyber hygiene best practices, including 
                information on how to--</DELETED>
                        <DELETED>    ``(i) prevent cyberattacks; 
                        and</DELETED>
                        <DELETED>    ``(ii) mitigate cybersecurity 
                        risks; and</DELETED>
                <DELETED>    ``(B) consult with private sector 
                entities, State, local, Tribal, and territorial 
                governments, academia, and civil society--</DELETED>
                        <DELETED>    ``(i) to promote cyber hygiene 
                        best practices, including by focusing on 
                        tactics that are cost effective and result in 
                        significant cybersecurity improvement, such 
                        as--</DELETED>
                                <DELETED>    ``(I) maintaining strong 
                                passwords and the use of password 
                                managers;</DELETED>
                                <DELETED>    ``(II) enabling multi-
                                factor authentication, including 
                                phishing-resistant multi-factor 
                                authentication;</DELETED>
                                <DELETED>    ``(III) regularly 
                                installing software updates;</DELETED>
                                <DELETED>    ``(IV) using caution with 
                                email attachments and website links; 
                                and</DELETED>
                                <DELETED>    ``(V) other cyber hygienic 
                                considerations, as 
                                appropriate;</DELETED>
                        <DELETED>    ``(ii) to promote awareness of 
                        cybersecurity risks and mitigation with respect 
                        to malicious applications on internet-connected 
                        devices, including applications to control 
                        those devices or use devices for unauthorized 
                        surveillance of users;</DELETED>
                        <DELETED>    ``(iii) to help consumers identify 
                        products that are designed to support user and 
                        product security, such as products designed 
                        using the Secure-by-Design and Secure-by-
                        Default principles of the Agency;</DELETED>
                        <DELETED>    ``(iv) to coordinate with other 
                        Federal agencies and departments, as determined 
                        appropriate by the Director, to--</DELETED>
                                <DELETED>    ``(I) promote relevant 
                                cybersecurity-related awareness 
                                activities; and</DELETED>
                                <DELETED>    ``(II) ensure the Federal 
                                Government is coordinated in 
                                communicating accurate and timely 
                                cybersecurity information; 
                                and</DELETED>
                        <DELETED>    ``(v) to expand nontraditional 
                        outreach mechanisms to ensure that entities 
                        including low-income and rural communities, 
                        small and medium sized businesses and 
                        institutions, and State, local, Tribal, and 
                        territorial partners receive cybersecurity 
                        awareness outreach in an equitable 
                        manner.</DELETED>
        <DELETED>    ``(3) Reporting.--</DELETED>
                <DELETED>    ``(A) In general.--Not later than 180 days 
                after the date of enactment of the National 
                Cybersecurity Awareness Act, and annually thereafter, 
                the Director shall, in consultation with the heads of 
                appropriate Federal agencies, submit to the appropriate 
                congressional committees a report regarding the 
                Campaign Program.</DELETED>
                <DELETED>    ``(B) Contents.--Each report submitted 
                pursuant to subparagraph (A) shall include--</DELETED>
                        <DELETED>    ``(i) a summary of the activities 
                        of the Agency that support promoting 
                        cybersecurity awareness under the Campaign 
                        Program, including consultations made under 
                        paragraph (2)(B);</DELETED>
                        <DELETED>    ``(ii) an assessment of the 
                        effectiveness of techniques and methods used to 
                        promote national cybersecurity awareness under 
                        the Campaign Program; and</DELETED>
                        <DELETED>    ``(iii) recommendations on how to 
                        best promote cybersecurity awareness 
                        nationally.</DELETED>
<DELETED>    ``(c) Cybersecurity Campaign Resources.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 180 days after 
        the date of enactment of the National Cybersecurity Awareness 
        Act, the Director shall develop and maintain a central 
        repository for the resources, tools, and public communications 
        of the Agency that promote cybersecurity awareness.</DELETED>
        <DELETED>    ``(2) Requirements.--The resources described in 
        paragraph (1) shall be--</DELETED>
                <DELETED>    ``(A) made publicly available online; 
                and</DELETED>
                <DELETED>    ``(B) regularly updated to ensure the 
                public has access to relevant and timely cybersecurity 
                awareness information.''.</DELETED>
<DELETED>    (b) Responsibilities of the Cybersecurity and 
Infrastructure Security Agency.--Section 2202(c) of the Homeland 
Security Act of 2002 (6 U.S.C. 652(c)) is amended--</DELETED>
        <DELETED>    (1) in paragraph (13), by striking ``; and'' and 
        inserting a semicolon;</DELETED>
        <DELETED>    (2) by redesignating paragraph (14) as paragraph 
        (15); and</DELETED>
        <DELETED>    (3) by inserting after paragraph (13) the 
        following:</DELETED>
        <DELETED>    ``(14) lead and coordinate Federal efforts to 
        promote national cybersecurity awareness; and''.</DELETED>
<DELETED>    (c) Clerical Amendment.--The table of contents in section 
1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 116 
Stat. 2135) is amended by inserting after the item relating to section 
2220E the following:</DELETED>

<DELETED>``Sec. 2220F. Cybersecurity awareness campaigns''.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``National Cybersecurity Awareness 
Act''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) The presence of ubiquitous internet-connected devices 
        in the everyday lives of citizens of the United States has 
        created opportunities for constant connection and 
        modernization.
            (2) A connected society is subject to cybersecurity threats 
        that can compromise even the most personal and sensitive of 
        information.
            (3) Connected critical infrastructure is subject to 
        cybersecurity threats that can compromise fundamental economic, 
        health, and safety functions.
            (4) The Government of the United States plays an important 
        role in safeguarding the nation from malicious cyber activity.
            (5) A citizenry that is knowledgeable regarding 
        cybersecurity is critical to building a robust cybersecurity 
        posture and reducing the threat of cyber attackers stealing 
        sensitive information and causing public harm.
            (6) While Cybersecurity Awareness Month is critical to 
        supporting national cybersecurity awareness, it cannot be a 
        once-a-year activity, and there must be a sustained, constant 
        effort to raise awareness about cyber hygiene, encourage 
        individuals in the United States to learn cyber skills, and 
        communicate the ways that cyber skills and careers in cyber 
        advance individual and societal security, privacy, safety, and 
        well-being.

SEC. 3. CYBERSECURITY AWARENESS.

    (a) In General.--Subtitle A of title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the 
following:

``SEC. 2220F. CYBERSECURITY AWARENESS CAMPAIGNS.

    ``(a) Definition.--In this section, the term `Campaign Program' 
means the campaign program established under subsection (b)(1).
    ``(b) Awareness Campaign Program.--
            ``(1) In general.--Not later than 90 days after the date of 
        enactment of the National Cybersecurity Awareness Act, the 
        Director, in coordination with appropriate Federal agencies, 
        shall establish a program for planning and coordinating Federal 
        cybersecurity awareness campaigns.
            ``(2) Activities.--In carrying out the Campaign Program, 
        the Director shall--
                    ``(A) inform non-Federal entities of voluntary 
                cyber hygiene best practices, including information on 
                how to--
                            ``(i) prevent cyberattacks; and
                            ``(ii) mitigate cybersecurity risks; and
                    ``(B) consult with private sector entities, State, 
                local, Tribal, and territorial governments, academia, 
                nonprofit organizations, and civil society--
                            ``(i) to promote cyber hygiene best 
                        practices and the importance of cyber skills, 
                        including by focusing on tactics that are cost 
                        effective and result in significant 
                        cybersecurity improvement, such as--
                                    ``(I) maintaining strong passwords 
                                and the use of password managers;
                                    ``(II) enabling multi-factor 
                                authentication, including phishing-
                                resistant multi-factor authentication;
                                    ``(III) regularly installing 
                                software updates;
                                    ``(IV) using caution with email 
                                attachments and website links; and
                                    ``(V) other cyber hygienic 
                                considerations, as appropriate;
                            ``(ii) to promote awareness of 
                        cybersecurity risks and mitigation with respect 
                        to malicious applications on internet-connected 
                        devices, including applications to control 
                        those devices or use devices for unauthorized 
                        surveillance of users;
                            ``(iii) to help consumers identify products 
                        that are designed to support user and product 
                        security, such as products designed using the 
                        Secure-by-Design and Secure-by-Default 
                        principles of the Agency or the Recommended 
                        Criteria for Cybersecurity Labeling for 
                        Consumer Internet of Things (IoT) Products of 
                        the National Institute of Standards and 
                        Technology, published February 4, 2022 (or any 
                        subsequent version);
                            ``(iv) to coordinate with other Federal 
                        agencies, as determined appropriate by the 
                        Director, to--
                                    ``(I) develop and promote relevant 
                                cybersecurity-related and cyber skills-
                                related awareness activities and 
                                resources; and
                                    ``(II) ensure the Federal 
                                Government is coordinated in 
                                communicating accurate and timely 
                                cybersecurity information;
                            ``(v) to expand nontraditional outreach 
                        mechanisms to ensure that entities, including 
                        low-income and rural communities, small and 
                        medium sized businesses and institutions, and 
                        State, local, Tribal, and territorial partners, 
                        receive cybersecurity awareness outreach in an 
                        equitable manner; and
                            ``(vi) to encourage participation in cyber 
                        workforce development ecosystems and to expand 
                        adoption of best practices to grow the national 
                        cyber workforce.
            ``(3) Reporting.--
                    ``(A) In general.--Not later than 180 days after 
                the date of enactment of the National Cybersecurity 
                Awareness Act, and annually thereafter, the Director, 
                in consultation with the heads of appropriate Federal 
                agencies, shall submit to the appropriate congressional 
                committees a report regarding the Campaign Program.
                    ``(B) Contents.--Each report submitted pursuant to 
                subparagraph (A) shall include--
                            ``(i) a summary of the activities of the 
                        Agency that support promoting cybersecurity 
                        awareness under the Campaign Program, including 
                        consultations made under paragraph (2)(B);
                            ``(ii) an assessment of the effectiveness 
                        of techniques and methods used to promote 
                        national cybersecurity awareness under the 
                        Campaign Program; and
                            ``(iii) recommendations on how to best 
                        promote cybersecurity awareness nationally.
    ``(c) Cybersecurity Campaign Resources.--
            ``(1) In general.--Not later than 180 days after the date 
        of enactment of the National Cybersecurity Awareness Act, the 
        Director shall develop and maintain a repository for the 
        resources, tools, and public communications of the Agency that 
        promote cybersecurity awareness.
            ``(2) Requirements.--The resources described in paragraph 
        (1) shall be--
                    ``(A) made publicly available online; and
                    ``(B) regularly updated to ensure the public has 
                access to relevant and timely cybersecurity awareness 
                information.''.
    (b) Responsibilities of the Cybersecurity and Infrastructure 
Security Agency.--Section 2202(c) of the Homeland Security Act of 2002 
(6 U.S.C. 652(c)) is amended--
            (1) in paragraph (13), by striking ``; and'' and inserting 
        a semicolon;
            (2) by redesignating paragraph (14) as paragraph (15); and
            (3) by inserting after paragraph (13) the following:
            ``(14) lead and coordinate Federal efforts to promote 
        national cybersecurity awareness; and''.
    (c) Clerical Amendment.--The table of contents in section 1(b) of 
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135) 
is amended by inserting after the item relating to section 2220E the 
following:

``Sec. 2220F. Cybersecurity awareness campaigns.''.