[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 2201 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 291
118th CONGRESS
  1st Session
                                S. 2201

    To increase knowledge and awareness of best practices to reduce 
               cybersecurity risks in the United States.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 22, 2023

  Ms. Klobuchar (for herself and Mr. Thune) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

                           December 13, 2023

              Reported by Ms. Cantwell, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
    To increase knowledge and awareness of best practices to reduce 
               cybersecurity risks in the United States.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``American Cybersecurity 
Literacy Act''.</DELETED>

<DELETED>SEC. 2. CYBERSECURITY LITERACY CAMPAIGN.</DELETED>

<DELETED>    (a) In General.--The Secretary of Commerce, in 
consultation with the Director of the Cybersecurity and Infrastructure 
Security Agency, shall develop and conduct a cybersecurity literacy 
campaign described in subsection (b), which the Secretary of Commerce 
shall make available in multiple languages and formats, if practicable, 
to increase the knowledge and awareness of citizens of the United 
States of best practices to reduce cybersecurity risks.</DELETED>
<DELETED>    (b) Elements.--In carrying out subsection (a), the 
Secretary of Commerce, in consultation with the Director of the 
Cybersecurity and Infrastructure Security Agency, shall--</DELETED>
        <DELETED>    (1) educate citizens of the United States with 
        respect to how to prevent and mitigate a cyberattack or 
        cybersecurity risk, including by--</DELETED>
                <DELETED>    (A) instructing citizens of the United 
                States with respect to how to identify--</DELETED>
                        <DELETED>    (i) a phishing email or message; 
                        and</DELETED>
                        <DELETED>    (ii) a secure website;</DELETED>
                <DELETED>    (B) instructing citizens of the United 
                States about the benefits of changing default passwords 
                on any hardware or software technology;</DELETED>
                <DELETED>    (C) encouraging the use of cybersecurity 
                tools, including--</DELETED>
                        <DELETED>    (i) multi-factor 
                        authentication;</DELETED>
                        <DELETED>    (ii) a complex password;</DELETED>
                        <DELETED>    (iii) anti-virus 
                        software;</DELETED>
                        <DELETED>    (iv) patching or updating software 
                        and applications; and</DELETED>
                        <DELETED>    (v) a virtual private 
                        network;</DELETED>
                <DELETED>    (D) identifying a device that could pose 
                possible cybersecurity risks, including--</DELETED>
                        <DELETED>    (i) a personal computer;</DELETED>
                        <DELETED>    (ii) a smartphone;</DELETED>
                        <DELETED>    (iii) a tablet;</DELETED>
                        <DELETED>    (iv) a Wi-Fi router;</DELETED>
                        <DELETED>    (v) a smart home 
                        appliance;</DELETED>
                        <DELETED>    (vi) a webcam;</DELETED>
                        <DELETED>    (vii) an internet-connected 
                        monitor; or</DELETED>
                        <DELETED>    (viii) any other device that can 
                        be connected to the internet, including any 
                        mobile device other than a smartphone or 
                        tablet;</DELETED>
                <DELETED>    (E) encouraging citizens of the United 
                States to--</DELETED>
                        <DELETED>    (i) regularly review mobile 
                        application permissions;</DELETED>
                        <DELETED>    (ii) decline any privilege request 
                        from a mobile application that is 
                        unnecessary;</DELETED>
                        <DELETED>    (iii) download an application only 
                        from a trusted vendor or source; and</DELETED>
                        <DELETED>    (iv) consider the life cycle of a 
                        product and the commitment of a developer to 
                        providing security updates during the expected 
                        period of use of a connected device; 
                        and</DELETED>
                <DELETED>    (F) identifying any potential 
                cybersecurity risk related to using a publicly 
                available Wi-Fi network and any method a user may use 
                to limit such risks; and</DELETED>
        <DELETED>    (2) encourage citizens of the United States to use 
        any resource to help mitigate the cybersecurity risks described 
        in this subsection.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``American Cybersecurity Literacy 
Act''.

SEC. 2. CYBERSECURITY LITERACY CAMPAIGN.

    (a) In General.--The Director of the National Institute of 
Standards and Technology shall, in consultation with the Director of 
the Cybersecurity and Infrastructure Security Agency, develop and 
conduct a cybersecurity literacy campaign described in subsection (b), 
which the Director of the National Institute of Standards and 
Technology shall make available in multiple languages and formats, if 
practicable, to increase the knowledge and awareness of citizens of the 
United States of best practices to reduce cybersecurity risks.
    (b) Elements.--In carrying out subsection (a), the Director of the 
National Institute of Science and Technology, in consultation with the 
Director of the Cybersecurity and Infrastructure Security Agency, 
shall--
            (1) educate citizens of the United States with respect to 
        how to prevent and mitigate a cyberattack or cybersecurity 
        risk, including by--
                    (A) instructing citizens of the United States with 
                respect to how to identify--
                            (i) a phishing email or message; and
                            (ii) a secure website;
                    (B) instructing citizens of the United States about 
                the benefits of changing default passwords on any 
                hardware or software technology;
                    (C) encouraging the use of cybersecurity tools, 
                including--
                            (i) multi-factor authentication;
                            (ii) a complex password;
                            (iii) anti-virus software;
                            (iv) patching or updating software and 
                        applications; and
                            (v) a virtual private network;
                    (D) identifying a device that could pose possible 
                cybersecurity risks, including--
                            (i) a personal computer;
                            (ii) a smartphone;
                            (iii) a tablet;
                            (iv) a Wi-Fi router;
                            (v) a smart home appliance;
                            (vi) a webcam;
                            (vii) an internet-connected monitor; or
                            (viii) any other device that can be 
                        connected to the internet, including any mobile 
                        device other than a smartphone or tablet;
                    (E) encouraging citizens of the United States to--
                            (i) regularly review mobile application 
                        permissions;
                            (ii) decline any privilege request from a 
                        mobile application that is unnecessary;
                            (iii) download an application only from a 
                        trusted vendor or source; and
                            (iv) consider the life cycle of a product 
                        and the commitment of a developer to providing 
                        security updates during the expected period of 
                        use of a connected device; and
                    (F) identifying any potential cybersecurity risk 
                related to using a publicly available Wi-Fi network and 
                any method a user may use to limit such risks; and
            (2) encourage citizens of the United States to use any 
        resource that is developed as a result of this literacy 
        campaign to help mitigate the cybersecurity risks described in 
        this subsection.
    (c) Existing Authorized Amounts.--No additional funds are 
authorized to be appropriated for the purpose of carrying out this Act.
                                                       Calendar No. 291

118th CONGRESS

  1st Session

                                S. 2201

_______________________________________________________________________

                                 A BILL

    To increase knowledge and awareness of best practices to reduce 
               cybersecurity risks in the United States.

_______________________________________________________________________

                           December 13, 2023

                       Reported with an amendment