[Congressional Record Volume 159, Number 107 (Wednesday, July 24, 2013)]
[Senate]
[Pages S5909-S5912]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. ROCKEFELLER (for himself and Mr. Thune):
  S. 1353. A bill to provide for an ongoing, voluntary public-private 
partnership to improve cybersecurity, and to strengthen cybersecurity 
research and development, workforce development and education, and 
public awareness and preparedness, and for other purposes; to the 
Committee on Commerce, Science, and Transportation.
  Mr. ROCKEFELLER. Mr. President, the cybersecurity legislation Senator 
Thune and I introduce today is built upon several years of bipartisan 
hard work on the Senate Commerce, Science, and Transportation 
Committee. I am proud of that fact and proud of our work product.
  I would like to sincerely thank Senator Thune for working closely 
with me on this legislation. Senator Thune appreciates the gravity of 
the cybersecurity threat to our national security and our economy--a 
genuine threat to the free flow of commerce. He has been laser focused 
in finding workable, private sector led solutions to mitigate this 
existential threat.
  Our bill will go a long way to better secure our nation from ongoing 
cyber threats by having the National Institute of Standards and 
Technology, NIST--a world-class, non-regulatory agency within the 
Department of Commerce--facilitate and support the development of 
voluntary, industry-led standards and best practices to reduce cyber 
risks to critical infrastructure and all businesses.
  Our bill will give NIST the permanent authority it needs to continue 
the standards development process initiated by the President's 
Executive Order on Improving Critical Infrastructure Cybersecurity to 
ensure such efforts remain industry led and voluntary.
  It will also make sure that the Federal Government supports cutting 
edge research, works to increase public awareness, and improves our 
workforce to better address cyber threats.
  Our country's future economic success and security demands prompt 
attention to the cyber threat. It demands we all pull together to face 
the reality of cyber intrusions into every aspect of our nation's 
business, our electric grid, our trade secrets, our water supply, and 
so much more. The stakes are great. This is about our national 
security--3 Directors of National Intelligence have said cyber attacks 
are the number 1 national security threat to our country. That is why 
we have to find a way to reach a consensus that allows us to 
responsibly legislate.
  This bill is a very good start. There is a lot more we can and should 
do to protect our critical infrastructure, including promoting more 
sharing of private sector threat information. I will certainly keep 
looking for ways to work with my colleagues to provide this nation with 
the tools and resources we need to take on this threat.
  Again, I thank Senator Thune for dedicating his time, talent, and 
energy to this legislation, and his fine staff.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 1353

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Cybersecurity Act of 2013''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. No regulatory authority.

         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

Sec. 101. Public-private collaboration on cybersecurity.

            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 201. Federal cybersecurity research and development.
Sec. 202. Computer and network security research centers.

            TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT.

Sec. 301. Cybersecurity competitions and challenges.
Sec. 302. Federal cyber scholarship-for-service program.
Sec. 303. Study and analysis of education, accreditation, training, and 
              certification of information infrastructure and 
              cybersecurity professionals.

           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

Sec. 401. National cybersecurity awareness and preparedness campaign.

     SEC. 2. DEFINITIONS.

       In this Act:
       (1) Cybersecurity mission.--The term ``cybersecurity 
     mission'' means activities that encompass the full range of 
     threat reduction, vulnerability reduction, deterrence, 
     international engagement, incident response, resiliency, and 
     recovery policies and activities, including computer network 
     operations, information assurance, law enforcement, 
     diplomacy, military, and intelligence missions as such 
     activities relate to the security and stability of 
     cyberspace.
       (2) Information infrastructure.--The term ``information 
     infrastructure'' means the underlying framework that 
     information systems and assets rely on to process, transmit, 
     receive, or store information electronically, including 
     programmable electronic devices, communications networks, and 
     industrial or supervisory control systems and any associated 
     hardware, software, or data.
       (3) Information system.--The term ``information system'' 
     has the meaning given that term in section 3502 of title 44, 
     United States Code.

     SEC. 3. NO REGULATORY AUTHORITY.

       Nothing in this Act shall be construed to confer any 
     regulatory authority on any Federal, State, tribal, or local 
     department or agency.

         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

     SEC. 101. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.

       (a) Cybersecurity.--Section 2(c) of the National Institute 
     of Standards and Technology Act (15 U.S.C. 272(c)) is 
     amended--
       (1) by redesignating paragraphs (15) through (22) as 
     paragraphs (16) through (23), respectively; and
       (2) by inserting after paragraph (14) the following:
       ``(15) on an ongoing basis, facilitate and support the 
     development of a voluntary, industry-led set of standards, 
     guidelines, best practices, methodologies, procedures, and 
     processes to reduce cyber risks to critical infrastructure 
     (as defined under subsection (e));''.
       (b) Scope and Limitations.--Section 2 of the National 
     Institute of Standards and Technology Act (15 U.S.C. 272) is 
     amended by adding at the end the following:
       ``(e) Cyber Risks.--
       ``(1) In general.--In carrying out the activities under 
     subsection (c)(15), the Director--
       ``(A) shall--
       ``(i) coordinate closely and continuously with relevant 
     private sector personnel and entities, critical 
     infrastructure owners and operators, sector coordinating 
     councils, Information Sharing and Analysis Centers, and other 
     relevant industry organizations, and incorporate industry 
     expertise;
       ``(ii) consult with the heads of agencies with national 
     security responsibilities, sector-specific agencies, State 
     and local governments, the governments of other nations, and 
     international organizations;
       ``(iii) identify a prioritized, flexible, repeatable, 
     performance-based, and cost-effective approach, including 
     information security measures and controls, that may be 
     voluntarily adopted by owners and operators of
     critical infrastructure to help them identify, assess, and 
     manage cyber risks;
       ``(iv) include methodologies--

       ``(I) to identify and mitigate impacts of the cybersecurity 
     measures or controls on business confidentiality; and
       ``(II) to protect individual privacy and civil liberties;

       ``(v) incorporate voluntary consensus standards and 
     industry best practices;
       ``(vi) align with voluntary international standards to the 
     fullest extent possible;
       ``(vii) prevent duplication of regulatory processes and 
     prevent conflict with or superseding of regulatory 
     requirements, mandatory standards, and related processes; and
       ``(viii) include such other similar and consistent elements 
     as the Director considers necessary; and
       ``(B) shall not prescribe or otherwise require--
       ``(i) the use of specific solutions;
       ``(ii) the use of specific information or communications 
     technology products or services; or
       ``(iii) that information or communications technology 
     products or services be designed, developed, or manufactured 
     in a particular manner.
       ``(2) Limitation.--Information shared with or provided to 
     the Institute for the purpose of the activities described 
     under subsection (c)(15) shall not be used by any Federal, 
     State, tribal, or local department or agency to regulate the 
     activity of any entity.
       ``(3) Definitions.--In this subsection:
       ``(A) Critical infrastructure.--The term `critical 
     infrastructure' has the meaning given the term in section 
     1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
       ``(B) Sector-specific agency.--The term `sector-specific 
     agency' means the Federal department or agency responsible 
     for providing institutional knowledge and specialized 
     expertise as well as leading, facilitating, or supporting the 
     security and resilience programs and associated activities of 
     its designated critical infrastructure sector in the all-
     hazards environment.''.

            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 201. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) Fundamental Cybersecurity Research.--
       (1) In general.--The Director of the Office of Science and 
     Technology Policy, in coordination with the head of any 
     relevant Federal agency, shall build upon programs and plans 
     in effect as of the date of enactment of this Act to develop 
     a Federal cybersecurity research and development plan to meet 
     objectives in cybersecurity, such as--
       (A) how to design and build complex software-intensive 
     systems that are secure and reliable when first deployed;
       (B) how to test and verify that software and hardware, 
     whether developed locally or obtained from a third party, is 
     free of significant known security flaws;
       (C) how to test and verify that software and hardware 
     obtained from a third party correctly implements stated 
     functionality, and only that functionality;
       (D) how to guarantee the privacy of an individual, 
     including that individual's identity, information, and lawful 
     transactions when stored in distributed systems or 
     transmitted over networks;
       (E) how to build new protocols to enable the Internet to 
     have robust security as one of the key capabilities of the 
     Internet;
       (F) how to determine the origin of a message transmitted 
     over the Internet;
       (G) how to support privacy in conjunction with improved 
     security;
       (H) how to address the growing problem of insider threats;
       (I) how improved consumer education and digital literacy 
     initiatives can address human factors that contribute to 
     cybersecurity;
       (J) how to protect information processed, transmitted, or 
     stored using cloud computing or transmitted through wireless 
     services; and
       (K) any additional objectives the Director of the Office of 
     Science and Technology Policy, in coordination with the head 
     of any relevant Federal agency and with input from 
     stakeholders, including industry and academia, determines 
     appropriate.
       (2) Requirements.--
       (A) In general.--The Federal cybersecurity research and 
     development plan shall identify and prioritize near-term, 
     mid-term, and long-term research in computer and information 
     science and engineering to meet the objectives under 
     paragraph (1), including research in the areas described in 
     section 4(a)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7403(a)(1)).
       (B) Private sector efforts.--In developing, implementing, 
     and updating the Federal cybersecurity research and 
     development plan, the Director of the Office of Science and 
     Technology Policy shall work in close cooperation with 
     industry, academia, and other interested stakeholders to 
     ensure, to the extent possible, that Federal cybersecurity 
     research and development is not duplicative of private sector 
     efforts.
       (3) Triennial updates.--
       (A) In general.--The Federal cybersecurity research and 
     development plan shall be updated triennially.
       (B) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall submit the plan, not 
     later than 1 year after the date of enactment of this Act, 
     and each updated plan under this section to the Committee on 
     Commerce, Science, and Transportation of the Senate and the 
     Committee on Science, Space, and Technology of the House of 
     Representatives.
       (b) Cybersecurity Practices Research.--The Director of the 
     National Science Foundation shall support research that--
       (1) develops, evaluates, disseminates, and integrates new 
     cybersecurity practices and concepts into the core curriculum 
     of computer science programs and of other programs where 
     graduates of such programs have a substantial probability of 
     developing software after graduation, including new practices 
     and concepts relating to secure coding education and 
     improvement programs; and
       (2) develops new models for professional development of 
     faculty in cybersecurity education, including secure coding 
     development.
       (c) Cybersecurity Modeling and Test Beds.--
       (1) Review.--Not later than 1 year after the date of 
     enactment of this Act, the Director the National Science 
     Foundation, in coordination with the Director of the Office 
     of Science and Technology Policy, shall conduct a review of 
     cybersecurity test beds in existence on the date of enactment 
     of this Act to inform the grants under paragraph (2). The 
     review shall include an assessment of whether a sufficient 
     number of cybersecurity test beds are available to meet the 
     research needs under the Federal cybersecurity research and 
     development plan.
       (2) Additional cybersecurity modeling and test beds.--
       (A) In general.--If the Director of the National Science 
     Foundation, after the review under paragraph (1), determines 
     that the research needs under the Federal cybersecurity 
     research and development plan require the establishment of 
     additional cybersecurity test beds, the Director of the 
     National Science Foundation, in coordination with the 
     Secretary of Commerce and the Secretary of Homeland Security, 
     may award grants to institutions of higher education or 
     research and development non-profit institutions to establish 
     cybersecurity test beds.
       (B) Requirement.--The cybersecurity test beds under 
     subparagraph (A) shall be sufficiently large in order to 
     model the scale and complexity of real-time cyber attacks and 
     defenses on real world networks and environments.
       (C) Assessment required.--The Director of the National 
     Science Foundation, in coordination with the Secretary of 
     Commerce and the Secretary of Homeland Security, shall 
     evaluate the effectiveness of any grants awarded under this 
     subsection in meeting the objectives of the Federal 
     cybersecurity research and development plan under subsection 
     (a) no later than 2 years after the review under paragraph 
     (1) of this subsection, and periodically thereafter.
       (d) Coordination With Other Research Initiatives.--In 
     accordance with the responsibilities under section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511), the 
     Director the Office of Science and Technology Policy shall 
     coordinate, to the extent practicable, Federal research and 
     development activities under this section with other ongoing 
     research and development security-related initiatives, 
     including research being conducted by--
       (1) the National Science Foundation;
       (2) the National Institute of Standards and Technology;
       (3) the Department of Homeland Security;
       (4) other Federal agencies;
       (5) other Federal and private research laboratories, 
     research entities, and universities;
       (6) institutions of higher education;
       (7) relevant nonprofit organizations; and
       (8) international partners of the United States.
       (e) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' at the end;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are integral to 
     inter-network communications and data exchange;
       ``(K) secure software engineering and software assurance, 
     including--
       ``(i) programming languages and systems that include 
     fundamental security features;
       ``(ii) portable or reusable code that remains secure when 
     deployed in various environments;
       ``(iii) verification and validation technologies to ensure 
     that requirements and specifications have been implemented; 
     and
       ``(iv) models for comparison and metrics to assure that 
     required standards have been met;
       ``(L) holistic system security that--
       ``(i) addresses the building of secure systems from trusted 
     and untrusted components;
       ``(ii) proactively reduces vulnerabilities;
       ``(iii) addresses insider threats; and
       ``(iv) supports privacy in conjunction with improved 
     security;
       ``(M) monitoring and detection;
       ``(N) mitigation and rapid recovery methods;
       ``(O) security of wireless networks and mobile devices; and
       ``(P) security of cloud infrastructure and services.''.
       (f) Research on the Science of Cybersecurity.--The head of 
     each agency and department identified under section 
     101(a)(3)(B) of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5511(a)(3)(B)), through existing programs and 
     activities, shall support research that will lead to the 
     development of a scientific foundation for the field of 
     cybersecurity, including research that increases 
     understanding of the underlying principles of securing 
     complex networked systems, enables repeatable 
     experimentation, and creates quantifiable security metrics.

     SEC. 202. COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.

       Section 4(b) of the Cyber Security Research and Development 
     Act (15 U.S.C. 7403(b)) is amended--
       (1) by striking ``the center'' in paragraph (4)(D) and 
     inserting ``the Center''; and
       (2) in paragraph (5)--
       (A) by striking ``and'' at the end of subparagraph (C);
       (B) by striking the period at the end of subparagraph (D) 
     and inserting a semicolon; and
       (C) by adding at the end the following:
       ``(E) the demonstrated capability of the applicant to 
     conduct high performance computation integral to complex 
     computer and network security research, through on-site or 
     off-site computing;
       ``(F) the applicant's affiliation with private sector 
     entities involved with industrial research described in 
     subsection (a)(1);
       ``(G) the capability of the applicant to conduct research 
     in a secure environment;
       ``(H) the applicant's affiliation with existing research 
     programs of the Federal Government;
       ``(I) the applicant's experience managing public-private 
     partnerships to transition new technologies into a commercial 
     setting or the government user community; and
       ``(J) the capability of the applicant to conduct 
     interdisciplinary cybersecurity research, such as in law, 
     economics, or behavioral sciences.''.

            TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT.

     SEC. 301. CYBERSECURITY COMPETITIONS AND CHALLENGES.

       (a) In General.--The Secretary of Commerce, Director of the 
     National Science Foundation, and Secretary of Homeland 
     Security shall--
       (1) support competitions and challenges under section 105 
     of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 3989) or any other provision of law, as appropriate--
       (A) to identify, develop, and recruit talented individuals 
     to perform duties relating to the security of information 
     infrastructure in Federal, State, and local government 
     agencies, and the private sector; or
       (B) to stimulate innovation in basic and applied 
     cybersecurity research, technology development, and prototype 
     demonstration that has the potential for application to the 
     information technology activities of the Federal Government; 
     and
       (2) ensure the effective operation of the competitions and 
     challenges under this section.
       (b) Participation.--Participants in the competitions and 
     challenges under subsection (a)(1) may include--
       (1) students enrolled in grades 9 through 12;
       (2) students enrolled in a postsecondary program of study 
     leading to a baccalaureate degree at an institution of higher 
     education;
       (3) students enrolled in a postbaccalaureate program of 
     study at an institution of higher education;
       (4) institutions of higher education and research 
     institutions;
       (5) veterans; and
       (6) other groups or individuals that the Secretary of 
     Commerce, Director of the National Science Foundation, and 
     Secretary of Homeland Security determine appropriate.
       (c) Affiliation and Cooperative Agreements.--Competitions 
     and challenges under this section may be carried out through 
     affiliation and cooperative agreements with--
       (1) Federal agencies;
       (2) regional, State, or school programs supporting the 
     development of cyber professionals;
       (3) State, local, and tribal governments; or
       (4) other private sector organizations.
       (d) Areas of Skill.--Competitions and challenges under 
     subsection (a)(1)(A) shall be designed to identify, develop, 
     and recruit exceptional talent relating to--
       (1) ethical hacking;
       (2) penetration testing;
       (3) vulnerability assessment;
       (4) continuity of system operations;
       (5) security in design;
       (6) cyber forensics;
       (7) offensive and defensive cyber operations; and
       (8) other areas the Secretary of Commerce, Director of the 
     National Science Foundation, and Secretary of Homeland 
     Security consider necessary to fulfill the cybersecurity 
     mission.
       (e) Topics.--In selecting topics for competitions and 
     challenges under subsection (a)(1), the Secretary of 
     Commerce, Director of the National Science Foundation, and 
     Secretary of Homeland Security--
       (1) shall consult widely both within and outside the 
     Federal Government; and
       (2) may empanel advisory committees.
       (f) Internships.--The Director of the Office of Personnel 
     Management may support, as appropriate, internships or other 
     work experience in the Federal Government to the winners of 
     the competitions and challenges under this section.

     SEC. 302. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Director of the Office 
     of Personnel Management and Secretary of Homeland Security, 
     shall continue a Federal Cyber Scholarship-for-Service 
     program to recruit and train the next generation of 
     information technology professionals, industrial control 
     system security professionals, and security managers to meet 
     the needs of the cybersecurity mission for Federal, State, 
     local, and tribal governments.
       (b) Program Description and Components.--The Federal Cyber 
     Scholarship-for-Service program shall--
       (1) provide scholarships to students who are enrolled in 
     programs of study at institutions of higher education leading 
     to degrees or specialized program certifications in the 
     cybersecurity field;
       (2) provide the scholarship recipients with summer 
     internship opportunities or other meaningful temporary 
     appointments in the Federal information technology workforce; 
     and
       (3) provide a procedure by which the National Science 
     Foundation or a Federal agency, consistent with regulations 
     of the Office of Personnel Management, may request and fund 
     security clearances for scholarship recipients, including 
     providing for clearances during internships or other 
     temporary appointments and after receipt of their degrees.
       (c) Scholarship Amounts.--Each scholarship under subsection 
     (b) shall be in an amount that covers the student's tuition 
     and fees at the institution under subsection (b)(1) and 
     provides the student with an additional stipend.
       (d) Scholarship Conditions.--Each scholarship recipient, as 
     a condition of receiving a scholarship under the program, 
     shall enter into an agreement under which the recipient 
     agrees to work in the cybersecurity mission of a Federal, 
     State, local, or tribal agency for a period equal to the 
     length of the scholarship following receipt of the student's 
     degree.
       (e) Hiring Authority.--
       (1) Appointment in excepted service.--Notwithstanding any 
     provision of chapter 33 of title 5, United States Code, 
     governing appointments in the competitive service, an agency 
     shall appoint in the excepted service an individual who has 
     completed the academic program for which a scholarship was 
     awarded.
       (2) Noncompetitive conversion.--Except as provided in 
     paragraph (4), upon fulfillment of the service term, an 
     employee appointed under paragraph (1) may be converted 
     noncompetitively to term, career-conditional or career 
     appointment.
       (3) Timing of conversion.--An agency may noncompetitively 
     convert a term employee appointed under paragraph (2) to a 
     career-conditional or career appointment before the term 
     appointment expires.
       (4) Authority to decline conversion.--An agency may decline 
     to make the noncompetitive conversion or appointment under 
     paragraph (2) for cause.
       (f) Eligibility.--To be eligible to receive a scholarship 
     under this section, an individual shall--
       (1) be a citizen or lawful permanent resident of the United 
     States;
       (2) demonstrate a commitment to a career in improving the 
     security of information infrastructure; and
       (3) have demonstrated a high level of proficiency in 
     mathematics, engineering, or computer sciences.
       (g) Repayment.--If a scholarship recipient does not meet 
     the terms of the program under this section, the recipient 
     shall refund the scholarship payments in accordance with 
     rules established by the Director of the National Science 
     Foundation, in coordination with the Director of the Office 
     of Personnel Management and Secretary of Homeland Security.
       (h) Evaluation and Report.--The Director of the National 
     Science Foundation shall evaluate and report periodically to 
     Congress on the success of recruiting individuals for 
     scholarships under this section and on hiring and retaining 
     those individuals in the public sector workforce.

     SEC. 303. STUDY AND ANALYSIS OF EDUCATION, ACCREDITATION, 
                   TRAINING, AND CERTIFICATION OF INFORMATION 
                   INFRASTRUCTURE AND CYBERSECURITY PROFESSIONALS.

       (a) Study.--The Director of the National Science Foundation 
     and the Secretary of Homeland Security shall undertake to 
     enter into appropriate arrangements with the National Academy 
     of Sciences to conduct a comprehensive study of government, 
     academic, and private-sector education, accreditation, 
     training, and certification programs for the development of 
     professionals in information infrastructure and 
     cybersecurity. The agreement shall require the National 
     Academy of Sciences to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of professionals in 
     information infrastructure and cybersecurity should possess 
     in order to secure information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector education, accreditation, training, and 
     certification programs provide the body of knowledge and 
     various skills described in paragraph (1);
       (3) an evaluation of--
       (A) the state of cybersecurity education at institutions of 
     higher education in the United States;
       (B) the extent of professional development opportunities 
     for faculty in cybersecurity principles and practices;
       (C) the extent of the partnerships and collaborative 
     cybersecurity curriculum development activities that leverage 
     industry and government needs, resources, and tools;
       (D) the proposed metrics to assess progress toward 
     improving cybersecurity education; and
       (E) the descriptions of the content of cybersecurity 
     courses in undergraduate computer science curriculum;
       (4) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and
       (5) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academy of Sciences shall 
     submit to the President and Congress a report on the results 
     of the study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure and cybersecurity education, accreditation, 
     training, and certification programs, including specific 
     areas of deficiency and demonstrable progress; and
       (2) recommendations for further research and the 
     improvement of information infrastructure and cybersecurity 
     education, accreditation, training, and certification 
     programs.

           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

     SEC. 401. NATIONAL CYBERSECURITY AWARENESS AND PREPAREDNESS 
                   CAMPAIGN.

       (a) National Cybersecurity Awareness and Preparedness 
     Campaign.--The Director of the National Institute of 
     Standards and Technology (referred to in this section as the 
     ``Director''), in consultation with appropriate Federal 
     agencies, shall continue to coordinate a national 
     cybersecurity awareness and preparedness campaign, such as--
       (1) a campaign to increase public awareness of 
     cybersecurity, cyber safety, and cyber ethics, including the 
     use of the Internet, social media, entertainment, and other 
     media to reach the public;
       (2) a campaign to increase the understanding of State and 
     local governments and private sector entities of--
       (A) the benefits of ensuring effective risk management of 
     the information infrastructure versus the costs of failure to 
     do so; and
       (B) the methods to mitigate and remediate vulnerabilities;
       (3) support for formal cybersecurity education programs at 
     all education levels to prepare skilled cybersecurity and 
     computer science workers for the private sector and Federal, 
     State, and local government; and
       (4) initiatives to evaluate and forecast future 
     cybersecurity workforce needs of the Federal government and 
     develop strategies for recruitment, training, and retention.
       (b) Considerations.--In carrying out the authority 
     described in subsection (a), the Director, in consultation 
     with appropriate Federal agencies, shall leverage existing 
     programs designed to inform the public of safety and security 
     of products or services, including self-certifications and 
     independently-verified assessments regarding the 
     quantification and valuation of information security risk.
       (c) Strategic Plan.--The Director, in cooperation with 
     relevant Federal agencies and other stakeholders, shall build 
     upon programs and plans in effect as of the date of enactment 
     of this Act to develop and implement a strategic plan to 
     guide Federal programs and activities in support of the 
     national cybersecurity awareness and preparedness campaign 
     under subsection (a).
       (d) Report.--Not later than 1 year after the date of 
     enactment of this Act, and every 5 years thereafter, the 
     Director shall transmit the strategic plan under subsection 
     (c) to the Committee on Commerce, Science, and Transportation 
     of the Senate and the Committee on Science, Space, and 
     Technology of the House of Representatives.