[Congressional Record (Bound Edition), Volume 160 (2014), Part 13]
[Senate]
[Pages 17713-17717]
[From the U.S. Government Publishing Office, www.gpo.gov]




                           CYBERSECURITY ACT

  Mr. KING. Mr. President, I ask unanimous consent that the Senate 
proceed to the immediate consideration of Calendar No. 490, S. 1353.
  The PRESIDING OFFICER. The clerk will report the bill by title.
  The legislative clerk read as follows:

       A bill (S. 1353) to provide for an ongoing, voluntary 
     public-private partnership to improve cybersecurity, and to 
     strengthen cybersecurity research and development, workforce 
     development and education, and public awareness and 
     preparedness, and for other purposes.

  There being no objection, the Senate proceeded to consider the bill, 
which had been reported from the Committee on Commerce, Science, and 
Transportation, with an amendment to strike all after the enacting 
clause and insert in lieu thereof the following:

                                S. 1353

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the 
     ``Cybersecurity Act of 2013''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. No regulatory authority.

         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

Sec. 101. Public-private collaboration on cybersecurity.

            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

Sec. 201. Federal cybersecurity research and development.

[[Page 17714]]

Sec. 202. Computer and network security research centers.

             TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT

Sec. 301. Cybersecurity competitions and challenges.
Sec. 302. Federal cyber scholarship-for-service program.
Sec. 303. Study and analysis of education, accreditation, training, and 
              certification of information infrastructure and 
              cybersecurity professionals.

           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

Sec. 401. National cybersecurity awareness and preparedness campaign.

     SEC. 2. DEFINITIONS.

       In this Act:
       (1) Cybersecurity mission.--The term ``cybersecurity 
     mission'' means activities that encompass the full range of 
     threat reduction, vulnerability reduction, deterrence, 
     international engagement, incident response, resiliency, and 
     recovery policies and activities, including computer network 
     operations, information assurance, law enforcement, 
     diplomacy, military, and intelligence missions as such 
     activities relate to the security and stability of 
     cyberspace.
       (2) Information infrastructure.--The term ``information 
     infrastructure'' means the underlying framework that 
     information systems and assets rely on to process, transmit, 
     receive, or store information electronically, including 
     programmable electronic devices, communications networks, and 
     industrial or supervisory control systems and any associated 
     hardware, software, or data.
       (3) Information system.--The term ``information system'' 
     has the meaning given that term in section 3502 of title 44, 
     United States Code.

     SEC. 3. NO REGULATORY AUTHORITY.

       Nothing in this Act shall be construed to confer any 
     regulatory authority on any Federal, State, tribal, or local 
     department or agency.

         TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

     SEC. 101. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.

       (a) Cybersecurity.--Section 2(c) of the National Institute 
     of Standards and Technology Act (15 U.S.C. 272(c)) is 
     amended--
       (1) by redesignating paragraphs (15) through (22) as 
     paragraphs (16) through (23), respectively; and
       (2) by inserting after paragraph (14) the following:
       ``(15) on an ongoing basis, facilitate and support the 
     development of a voluntary, industry-led set of standards, 
     guidelines, best practices, methodologies, procedures, and 
     processes to reduce cyber risks to critical infrastructure 
     (as defined under subsection (e));''.
       (b) Scope and Limitations.--Section 2 of the National 
     Institute of Standards and Technology Act (15 U.S.C. 272) is 
     amended by adding at the end the following:
       ``(e) Cyber Risks.--
       ``(1) In general.--In carrying out the activities under 
     subsection (c)(15), the Director--
       ``(A) shall--
       ``(i) coordinate closely and continuously with relevant 
     private sector personnel and entities, critical 
     infrastructure owners and operators, sector coordinating 
     councils, Information Sharing and Analysis Centers, and other 
     relevant industry organizations, and incorporate industry 
     expertise;
       ``(ii) consult with the heads of agencies with national 
     security responsibilities, sector-specific agencies, State 
     and local governments, the governments of other nations, and 
     international organizations;
       ``(iii) identify a prioritized, flexible, repeatable, 
     performance-based, and cost-effective approach, including 
     information security measures and controls, that may be 
     voluntarily adopted by owners and operators of critical 
     infrastructure to help them identify, assess, and manage 
     cyber risks;
       ``(iv) include methodologies--

       ``(I) to identify and mitigate impacts of the cybersecurity 
     measures or controls on business confidentiality; and
       ``(II) to protect individual privacy and civil liberties;

       ``(v) incorporate voluntary consensus standards and 
     industry best practices;
       ``(vi) align with voluntary international standards to the 
     fullest extent possible;
       ``(vii) prevent duplication of regulatory processes and 
     prevent conflict with or superseding of regulatory 
     requirements, mandatory standards, and related processes; and
       ``(viii) include such other similar and consistent elements 
     as the Director considers necessary; and
       ``(B) shall not prescribe or otherwise require--
       ``(i) the use of specific solutions;
       ``(ii) the use of specific information or communications 
     technology products or services; or
       ``(iii) that information or communications technology 
     products or services be designed, developed, or manufactured 
     in a particular manner.
       ``(2) Limitation.--Information shared with or provided to 
     the Institute for the purpose of the activities described 
     under subsection (c)(15) shall not be used by any Federal, 
     State, tribal, or local department or agency to regulate the 
     activity of any entity.
       ``(3) Definitions.--In this subsection:
       ``(A) Critical infrastructure.--The term `critical 
     infrastructure' has the meaning given the term in section 
     1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
       ``(B) Sector-specific agency.--The term `sector-specific 
     agency' means the Federal department or agency responsible 
     for providing institutional knowledge and specialized 
     expertise as well as leading, facilitating, or supporting the 
     security and resilience programs and associated activities of 
     its designated critical infrastructure sector in the all-
     hazards environment.''.
       (c) Study and Report.--
       (1) Study.--The Comptroller General of the United States 
     shall conduct a study that assesses--
       (A) the progress made by the Director of the National 
     Institute of Standards and Technology in facilitating the 
     development of standards and procedures to reduce cyber risks 
     to critical infrastructure in accordance with section 
     2(c)(15) of the National Institute of Standards and 
     Technology Act, as added by this section;
       (B) the extent to which the Director's facilitation efforts 
     are consistent with the directive in such section that the 
     development of such standards and procedures be voluntary and 
     led by industry representatives;
       (C) the extent to which sectors of critical infrastructure 
     (as defined in section 1016(e) of the USA PATRIOT Act of 2001 
     (42 U.S.C. 5195c(e))) have adopted a voluntary, industry-led 
     set of standards, guidelines, best practices, methodologies, 
     procedures, and processes to reduce cyber risks to critical 
     infrastructure in accordance with such section 2(c)(15);
       (D) the reasons behind the decisions of sectors of critical 
     infrastructure (as defined in subparagraph (C)) to adopt or 
     to not adopt the voluntary standards described in 
     subparagraph (C); and
       (E) the extent to which such voluntary standards have 
     proved successful in protecting critical infrastructure from 
     cyber threats.
       (2) Reports.--Not later than 1 year after the date of the 
     enactment of this Act, and every 2 years thereafter for the 
     following 6 years, the Comptroller General shall submit a 
     report, which summarizes the findings of the study conducted 
     under paragraph (1), to--
       (A) the Committee on Commerce, Science, and Transportation 
     of the Senate;
       (B) the Committee on Energy and Commerce of the House of 
     Representatives; and
       (C) the Committee on Science, Space, and Technology of the 
     House of Representatives.

            TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT

     SEC. 201. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

       (a) Fundamental Cybersecurity Research.--
       (1) In general.--The Director of the Office of Science and 
     Technology Policy, in coordination with the head of any 
     relevant Federal agency, shall build upon programs and plans 
     in effect as of the date of enactment of this Act to develop 
     a Federal cybersecurity research and development plan to meet 
     objectives in cybersecurity, such as--
       (A) how to design and build complex software-intensive 
     systems that are secure and reliable when first deployed;
       (B) how to test and verify that software and hardware, 
     whether developed locally or obtained from a third party, is 
     free of significant known security flaws;
       (C) how to test and verify that software and hardware 
     obtained from a third party correctly implements stated 
     functionality, and only that functionality;
       (D) how to guarantee the privacy of an individual, 
     including that individual's identity, information, and lawful 
     transactions when stored in distributed systems or 
     transmitted over networks;
       (E) how to build new protocols to enable the Internet to 
     have robust security as one of the key capabilities of the 
     Internet;
       (F) how to determine the origin of a message transmitted 
     over the Internet;
       (G) how to support privacy in conjunction with improved 
     security;
       (H) how to address the growing problem of insider threats;
       (I) how improved consumer education and digital literacy 
     initiatives can address human factors that contribute to 
     cybersecurity;
       (J) how to protect information processed, transmitted, or 
     stored using cloud computing or transmitted through wireless 
     services; and
       (K) any additional objectives the Director of the Office of 
     Science and Technology Policy, in coordination with the head 
     of any relevant Federal agency and with input from 
     stakeholders, including appropriate national laboratories, 
     industry, and academia, determines appropriate.
       (2) Requirements.--
       (A) In general.--The Federal cybersecurity research and 
     development plan shall identify and prioritize near-term, 
     mid-term, and long-term research in computer and information 
     science and engineering to meet the objectives under 
     paragraph (1), including research in the areas described in 
     section 4(a)(1) of the Cyber Security Research and 
     Development Act (15 U.S.C. 7403(a)(1)).
       (B) Private sector efforts.--In developing, implementing, 
     and updating the Federal cybersecurity research and 
     development plan, the Director of the Office of Science and 
     Technology Policy shall work in close cooperation with 
     industry, academia, and other interested stakeholders to 
     ensure, to the extent possible, that Federal cybersecurity 
     research and development is not duplicative of private sector 
     efforts.
       (3) Triennial updates.--
       (A) In general.--The Federal cybersecurity research and 
     development plan shall be updated triennially.

[[Page 17715]]

       (B) Report to congress.--The Director of the Office of 
     Science and Technology Policy shall submit the plan, not 
     later than 1 year after the date of enactment of this Act, 
     and each updated plan under this section to the Committee on 
     Commerce, Science, and Transportation of the Senate and the 
     Committee on Science, Space, and Technology of the House of 
     Representatives.
       (b) Cybersecurity Practices Research.--The Director of the 
     National Science Foundation shall support research that--
       (1) develops, evaluates, disseminates, and integrates new 
     cybersecurity practices and concepts into the core curriculum 
     of computer science programs and of other programs where 
     graduates of such programs have a substantial probability of 
     developing software after graduation, including new practices 
     and concepts relating to secure coding education and 
     improvement programs; and
       (2) develops new models for professional development of 
     faculty in cybersecurity education, including secure coding 
     development.
       (c) Cybersecurity Modeling and Test Beds.--
       (1) Review.--Not later than 1 year after the date of 
     enactment of this Act, the Director the National Science 
     Foundation, in coordination with the Director of the Office 
     of Science and Technology Policy, shall conduct a review of 
     cybersecurity test beds in existence on the date of enactment 
     of this Act to inform the grants under paragraph (2). The 
     review shall include an assessment of whether a sufficient 
     number of cybersecurity test beds are available to meet the 
     research needs under the Federal cybersecurity research and 
     development plan.
       (2) Additional cybersecurity modeling and test beds.--
       (A) In general.--If the Director of the National Science 
     Foundation, after the review under paragraph (1), determines 
     that the research needs under the Federal cybersecurity 
     research and development plan require the establishment of 
     additional cybersecurity test beds, the Director of the 
     National Science Foundation, in coordination with the 
     Secretary of Commerce and the Secretary of Homeland Security, 
     may award grants to institutions of higher education or 
     research and development non-profit institutions to establish 
     cybersecurity test beds.
       (B) Requirement.--The cybersecurity test beds under 
     subparagraph (A) shall be sufficiently large in order to 
     model the scale and complexity of real-time cyber attacks and 
     defenses on real world networks and environments.
       (C) Assessment required.--The Director of the National 
     Science Foundation, in coordination with the Secretary of 
     Commerce and the Secretary of Homeland Security, shall 
     evaluate the effectiveness of any grants awarded under this 
     subsection in meeting the objectives of the Federal 
     cybersecurity research and development plan under subsection 
     (a) no later than 2 years after the review under paragraph 
     (1) of this subsection, and periodically thereafter.
       (d) Coordination With Other Research Initiatives.--In 
     accordance with the responsibilities under section 101 of the 
     High-Performance Computing Act of 1991 (15 U.S.C. 5511), the 
     Director the Office of Science and Technology Policy shall 
     coordinate, to the extent practicable, Federal research and 
     development activities under this section with other ongoing 
     research and development security-related initiatives, 
     including research being conducted by--
       (1) the National Science Foundation;
       (2) the National Institute of Standards and Technology;
       (3) the Department of Homeland Security;
       (4) other Federal agencies;
       (5) other Federal and private research laboratories, 
     research entities, and universities;
       (6) institutions of higher education;
       (7) relevant nonprofit organizations; and
       (8) international partners of the United States.
       (e) National Science Foundation Computer and Network 
     Security Research Grant Areas.--Section 4(a)(1) of the Cyber 
     Security Research and Development Act (15 U.S.C. 7403(a)(1)) 
     is amended--
       (1) in subparagraph (H), by striking ``and'' at the end;
       (2) in subparagraph (I), by striking the period at the end 
     and inserting a semicolon; and
       (3) by adding at the end the following:
       ``(J) secure fundamental protocols that are integral to 
     inter-network communications and data exchange;
       ``(K) secure software engineering and software assurance, 
     including--
       ``(i) programming languages and systems that include 
     fundamental security features;
       ``(ii) portable or reusable code that remains secure when 
     deployed in various environments;
       ``(iii) verification and validation technologies to ensure 
     that requirements and specifications have been implemented; 
     and
       ``(iv) models for comparison and metrics to assure that 
     required standards have been met;
       ``(L) holistic system security that--
       ``(i) addresses the building of secure systems from trusted 
     and untrusted components;
       ``(ii) proactively reduces vulnerabilities;
       ``(iii) addresses insider threats; and
       ``(iv) supports privacy in conjunction with improved 
     security;
       ``(M) monitoring and detection;
       ``(N) mitigation and rapid recovery methods;
       ``(O) security of wireless networks and mobile devices; and
       ``(P) security of cloud infrastructure and services.''.
       (f) Research on the Science of Cybersecurity.--The head of 
     each agency and department identified under section 
     101(a)(3)(B) of the High-Performance Computing Act of 1991 
     (15 U.S.C. 5511(a)(3)(B)), through existing programs and 
     activities, shall support research that will lead to the 
     development of a scientific foundation for the field of 
     cybersecurity, including research that increases 
     understanding of the underlying principles of securing 
     complex networked systems, enables repeatable 
     experimentation, and creates quantifiable security metrics.

     SEC. 202. COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.

       Section 4(b) of the Cyber Security Research and Development 
     Act (15 U.S.C. 7403(b)) is amended--
       (1) in paragraph (3), by striking ``the research areas'' 
     and inserting the following: ``improving the security and 
     resiliency of information infrastructure, reducing cyber 
     vulnerabilities, and anticipating and mitigating consequences 
     of cyber attacks on critical infrastructure, by conducting 
     research in the areas'';
       (2) by striking ``the center'' in paragraph (4)(D) and 
     inserting ``the Center''; and
       (3) in paragraph (5)--
       (A) by striking ``and'' at the end of subparagraph (C);
       (B) by striking the period at the end of subparagraph (D) 
     and inserting a semicolon; and
       (C) by adding at the end the following:
       ``(E) the demonstrated capability of the applicant to 
     conduct high performance computation integral to complex 
     computer and network security research, through on-site or 
     off-site computing;
       ``(F) the applicant's affiliation with private sector 
     entities involved with industrial research described in 
     subsection (a)(1);
       ``(G) the capability of the applicant to conduct research 
     in a secure environment;
       ``(H) the applicant's affiliation with existing research 
     programs of the Federal Government;
       ``(I) the applicant's experience managing public-private 
     partnerships to transition new technologies into a commercial 
     setting or the government user community;
       ``(J) the capability of the applicant to conduct 
     interdisciplinary cybersecurity research, basic and applied, 
     such as in law, economics, or behavioral sciences; and
       ``(K) the capability of the applicant to conduct research 
     in areas such as systems security, wireless security, 
     networking and protocols, formal methods and high-performance 
     computing, nanotechnology, or industrial control systems.''.

             TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT

     SEC. 301. CYBERSECURITY COMPETITIONS AND CHALLENGES.

       (a) In General.--The Secretary of Commerce, Director of the 
     National Science Foundation, and Secretary of Homeland 
     Security, in consultation with the Director of the Office of 
     Personnel Management, shall--
       (1) support competitions and challenges under section 105 
     of the America COMPETES Reauthorization Act of 2010 (124 
     Stat. 3989) or any other provision of law, as appropriate--
       (A) to identify, develop, and recruit talented individuals 
     to perform duties relating to the security of information 
     infrastructure in Federal, State, and local government 
     agencies, and the private sector; or
       (B) to stimulate innovation in basic and applied 
     cybersecurity research, technology development, and prototype 
     demonstration that has the potential for application to the 
     information technology activities of the Federal Government; 
     and
       (2) ensure the effective operation of the competitions and 
     challenges under this section.
       (b) Participation.--Participants in the competitions and 
     challenges under subsection (a)(1) may include--
       (1) students enrolled in grades 9 through 12;
       (2) students enrolled in a postsecondary program of study 
     leading to a baccalaureate degree at an institution of higher 
     education;
       (3) students enrolled in a postbaccalaureate program of 
     study at an institution of higher education;
       (4) institutions of higher education and research 
     institutions;
       (5) veterans; and
       (6) other groups or individuals that the Secretary of 
     Commerce, Director of the National Science Foundation, and 
     Secretary of Homeland Security determine appropriate.
       (c) Affiliation and Cooperative Agreements.--Competitions 
     and challenges under this section may be carried out through 
     affiliation and cooperative agreements with--
       (1) Federal agencies;
       (2) regional, State, or school programs supporting the 
     development of cyber professionals;
       (3) State, local, and tribal governments; or
       (4) other private sector organizations.
       (d) Areas of Skill.--Competitions and challenges under 
     subsection (a)(1)(A) shall be designed to identify, develop, 
     and recruit exceptional talent relating to--
       (1) ethical hacking;
       (2) penetration testing;
       (3) vulnerability assessment;
       (4) continuity of system operations;
       (5) security in design;
       (6) cyber forensics;
       (7) offensive and defensive cyber operations; and
       (8) other areas the Secretary of Commerce, Director of the 
     National Science Foundation, and Secretary of Homeland 
     Security consider necessary to fulfill the cybersecurity 
     mission.
       (e) Topics.--In selecting topics for competitions and 
     challenges under subsection (a)(1), the

[[Page 17716]]

     Secretary of Commerce, Director of the National Science 
     Foundation, and Secretary of Homeland Security--
       (1) shall consult widely both within and outside the 
     Federal Government; and
       (2) may empanel advisory committees.
       (f) Internships.--The Director of the Office of Personnel 
     Management may support, as appropriate, internships or other 
     work experience in the Federal Government to the winners of 
     the competitions and challenges under this section.

     SEC. 302. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

       (a) In General.--The Director of the National Science 
     Foundation, in coordination with the Director of the Office 
     of Personnel Management and Secretary of Homeland Security, 
     shall continue a Federal Cyber Scholarship-for-Service 
     program to recruit and train the next generation of 
     information technology professionals, industrial control 
     system security professionals, and security managers to meet 
     the needs of the cybersecurity mission for Federal, State, 
     local, and tribal governments.
       (b) Program Description and Components.--The Federal Cyber 
     Scholarship-for-Service program shall--
       (1) provide scholarships to students who are enrolled in 
     programs of study at institutions of higher education leading 
     to degrees or specialized program certifications in the 
     cybersecurity field;
       (2) provide the scholarship recipients with summer 
     internship opportunities or other meaningful temporary 
     appointments in the Federal information technology workforce; 
     and
       (3) provide a procedure by which the National Science 
     Foundation or a Federal agency, consistent with regulations 
     of the Office of Personnel Management, may request and fund 
     security clearances for scholarship recipients, including 
     providing for clearances during internships or other 
     temporary appointments and after receipt of their degrees.
       (c) Scholarship Amounts.--Each scholarship under subsection 
     (b) shall be in an amount that covers the student's tuition 
     and fees at the institution under subsection (b)(1) and 
     provides the student with an additional stipend.
       (d) Scholarship Conditions.--Each scholarship recipient, as 
     a condition of receiving a scholarship under the program, 
     shall enter into an agreement under which the recipient 
     agrees to work in the cybersecurity mission of a Federal, 
     State, local, or tribal agency for a period equal to the 
     length of the scholarship following receipt of the student's 
     degree.
       (e) Hiring Authority.--
       (1) Appointment in excepted service.--Notwithstanding any 
     provision of chapter 33 of title 5, United States Code, 
     governing appointments in the competitive service, an agency 
     shall appoint in the excepted service an individual who has 
     completed the academic program for which a scholarship was 
     awarded.
       (2) Noncompetitive conversion.--Except as provided in 
     paragraph (4), upon fulfillment of the service term, an 
     employee appointed under paragraph (1) may be converted 
     noncompetitively to term, career-conditional or career 
     appointment.
       (3) Timing of conversion.--An agency may noncompetitively 
     convert a term employee appointed under paragraph (2) to a 
     career-conditional or career appointment before the term 
     appointment expires.
       (4) Authority to decline conversion.--An agency may decline 
     to make the noncompetitive conversion or appointment under 
     paragraph (2) for cause.
       (f) Eligibility.--To be eligible to receive a scholarship 
     under this section, an individual shall--
       (1) be a citizen or lawful permanent resident of the United 
     States;
       (2) demonstrate a commitment to a career in improving the 
     security of information infrastructure; and
       (3) have demonstrated a high level of proficiency in 
     mathematics, engineering, or computer sciences.
       (g) Repayment.--If a scholarship recipient does not meet 
     the terms of the program under this section, the recipient 
     shall refund the scholarship payments in accordance with 
     rules established by the Director of the National Science 
     Foundation, in coordination with the Director of the Office 
     of Personnel Management and Secretary of Homeland Security.
       (h) Evaluation and Report.--The Director of the National 
     Science Foundation shall evaluate and report periodically to 
     Congress on the success of recruiting individuals for 
     scholarships under this section and on hiring and retaining 
     those individuals in the public sector workforce.

     SEC. 303. STUDY AND ANALYSIS OF EDUCATION, ACCREDITATION, 
                   TRAINING, AND CERTIFICATION OF INFORMATION 
                   INFRASTRUCTURE AND CYBERSECURITY PROFESSIONALS.

       (a) Study.--The Director of the National Science 
     Foundation, the Director of the Office of Personnel 
     Management, and the Secretary of Homeland Security shall 
     undertake to enter into appropriate arrangements with the 
     National Academy of Sciences to conduct a comprehensive study 
     of government, academic, and private-sector education, 
     accreditation, training, and certification programs for the 
     development of professionals in information infrastructure 
     and cybersecurity. The agreement shall require the National 
     Academy of Sciences to consult with sector coordinating 
     councils and relevant governmental agencies, regulatory 
     entities, and nongovernmental organizations in the course of 
     the study.
       (b) Scope.--The study shall include--
       (1) an evaluation of the body of knowledge and various 
     skills that specific categories of professionals in 
     information infrastructure and cybersecurity should possess 
     in order to secure information systems;
       (2) an assessment of whether existing government, academic, 
     and private-sector education, accreditation, training, and 
     certification programs provide the body of knowledge and 
     various skills described in paragraph (1);
       (3) an evaluation of--
       (A) the state of cybersecurity education at institutions of 
     higher education in the United States;
       (B) the extent of professional development opportunities 
     for faculty in cybersecurity principles and practices;
       (C) the extent of the partnerships and collaborative 
     cybersecurity curriculum development activities that leverage 
     industry and government needs, resources, and tools;
       (D) the proposed metrics to assess progress toward 
     improving cybersecurity education; and
       (E) the descriptions of the content of cybersecurity 
     courses in undergraduate computer science curriculum;
       (4) an analysis of any barriers to the Federal Government 
     recruiting and hiring cybersecurity talent, including 
     barriers relating to compensation, the hiring process, job 
     classification, and hiring flexibility; and
       (5) an analysis of the sources and availability of 
     cybersecurity talent, a comparison of the skills and 
     expertise sought by the Federal Government and the private 
     sector, an examination of the current and future capacity of 
     United States institutions of higher education, including 
     community colleges, to provide current and future 
     cybersecurity professionals, through education and training 
     activities, with those skills sought by the Federal 
     Government, State and local entities, and the private sector.
       (c) Report.--Not later than 1 year after the date of 
     enactment of this Act, the National Academy of Sciences shall 
     submit to the President and Congress a report on the results 
     of the study. The report shall include--
       (1) findings regarding the state of information 
     infrastructure and cybersecurity education, accreditation, 
     training, and certification programs, including specific 
     areas of deficiency and demonstrable progress; and
       (2) recommendations for further research and the 
     improvement of information infrastructure and cybersecurity 
     education, accreditation, training, and certification 
     programs.

           TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS

     SEC. 401. NATIONAL CYBERSECURITY AWARENESS AND PREPAREDNESS 
                   CAMPAIGN.

       (a) National Cybersecurity Awareness and Preparedness 
     Campaign.--The Director of the National Institute of 
     Standards and Technology (referred to in this section as the 
     ``Director''), in consultation with appropriate Federal 
     agencies, shall continue to coordinate a national 
     cybersecurity awareness and preparedness campaign, such as--
       (1) a campaign to increase public awareness of 
     cybersecurity, cyber safety, and cyber ethics, including the 
     use of the Internet, social media, entertainment, and other 
     media to reach the public;
       (2) a campaign to increase the understanding of State and 
     local governments, institutions of higher education, and 
     private sector entities of--
       (A) the benefits of ensuring effective risk management of 
     the information infrastructure versus the costs of failure to 
     do so; and
       (B) the methods to mitigate and remediate vulnerabilities;
       (3) support for formal cybersecurity education programs at 
     all education levels to prepare skilled cybersecurity and 
     computer science workers for the private sector and Federal, 
     State, and local government; and
       (4) initiatives to evaluate and forecast future 
     cybersecurity workforce needs of the Federal government and 
     develop strategies for recruitment, training, and retention.
       (b) Considerations.--In carrying out the authority 
     described in subsection (a), the Director, in consultation 
     with appropriate Federal agencies, shall leverage existing 
     programs designed to inform the public of safety and security 
     of products or services, including self-certifications and 
     independently verified assessments regarding the 
     quantification and valuation of information security risk.
       (c) Strategic Plan.--The Director, in cooperation with 
     relevant Federal agencies and other stakeholders, shall build 
     upon programs and plans in effect as of the date of enactment 
     of this Act to develop and implement a strategic plan to 
     guide Federal programs and activities in support of the 
     national cybersecurity awareness and preparedness campaign 
     under subsection (a).
       (d) Report.--Not later than 1 year after the date of 
     enactment of this Act, and every 5 years thereafter, the 
     Director shall transmit the strategic plan under subsection 
     (c) to the Committee on Commerce, Science, and Transportation 
     of the Senate and the Committee on Science, Space, and 
     Technology of the House of Representatives.


                      IMPORTANT ASPECTS OF S. 1353

  Mr. JOHNSON of South Dakota. Mr. President, I ask consent to engage 
in a colloquy with Senator Rockefeller, Chairman of the Senate Commerce 
Committee, regarding important aspects of S. 1353, the Cybersecurity 
Enhancement Act of 2014.
  Yesterday I held a hearing on the importance of improving information

[[Page 17717]]

sharing between agencies on cyber security. As I said yesterday, law 
enforcement, the intelligence community, Treasury, and financial 
regulators each may have different missions, but in addressing cyber 
security concerns they all must be united in what some call a ``whole 
government'' approach. Cyber security is one of the most important 
issues facing the financial system and I hope next Congress can work 
together to pass a comprehensive cyber security bill. I thank my 
colleague, the Senator from West Virginia, for his work on this 
important matter and for strengthening the public-private collaboration 
on cyber security with this bill.
  However, I would like to ensure that the language in this bill does 
not have unintended consequences on the abilities of financial 
regulators to effectively oversee our financial system. As chairman of 
the Banking Committee, I am mindful of the importance of strong 
regulators examining and supervising our financial institutions. This 
is particularly important in the case of the Consumer Financial 
Protection Bureau, the agency that was created in 2010 to police areas 
of the financial market that previously were not regulated at the 
federal level, as well as the prudential regulators. A provision in S. 
1353 states that information shared with the National Institute of 
Standards and Technology (known as NIST), may not be used by a 
government agency to regulate the activity of any entity. However, 
other existing statutes and regulations provide government agencies 
with the authority to require entities they regulate to provide them 
with information.
  Moreover, a regulatory agency may discover such information on its 
own, through the entity, or through other sources. For example, a bank 
regulatory agency may discover cyberthreat information during a routine 
examination of a bank and, might want to exercise its existing legal 
authority to require the bank to adjust its systems to protect against 
future cyberthreats. I seek clarification from the Senator from West 
Virginia with respect to the provision in the proposed legislation.
  Can my colleague from West Virginia confirm that this provision is 
not intended to prohibit an agency from taking regulatory action, if 
the agency independently obtains such information pursuant to other 
statutory or regulatory authority, even if a regulated entity has 
shared this information with NIST?
  Mr. ROCKEFELLER. I thank Senator Johnson for his interest and support 
for this legislation and for his shared interest in strengthening cyber 
security. I also thank my colleague from South Dakota for drawing 
attention to the potential impact of this provision on financial 
regulatory authorities under the Banking Committee's jurisdiction, 
including those of the Consumer Financial Protection Bureau and the 
prudential regulators. I would like to assure the Senator that the 
consensus-based voluntary process for developing cyber security 
standards established in Title I of this bill is not intended to alter 
or limit financial regulatory agencies' regulatory authority in any 
way. Title I, particularly new section (e)(2) of the National Institute 
of Standards and Technology Act, encourages private entities to 
participate in NIST's standards development process, but is in no way a 
``safe harbor'' for participants who are subject to the jurisdiction of 
financial regulatory agencies. An entity that participates in the 
standards development process established in Title I is still fully 
subject to the regulations, supervision, and other requirements of its 
financial regulatory agency. Sharing information with NIST as part of 
the process established in Title I is not a valid basis for withholding 
information from a regulator, including information about cyber 
threats.
  NIST is the Federal government's premier science and standards 
agency. It is not a regulatory agency, nor is it a national or homeland 
security agency. NIST's unique role is to bring together knowledgeable 
players from government and industry and to build consensus around 
common technical standards. NIST has no authority to require any 
private entity to follow standards it develops. The cybersecurity 
standards development process established in Title I is therefore not a 
rulemaking process. It in no way imposes new or duplicative regulations 
on entities that are subject to the authority of financial regulatory 
agencies, and it in no way disturbs or diminishes agencies' authority 
to exercise their important oversight duties.
  It is not intended to prohibit an agency from taking a regulatory 
action, such as an action to require an individual entity to protect 
against future cyber threats, if the agency independently obtains such 
information pursuant to other statutory or regulatory authority--even 
if an entity has shared this information with NIST. Nothing in this 
bill is intended to modify, limit, or otherwise affect the authority of 
the federal financial regulators under any other provision of law.
  Mr. JOHNSON of South Dakota. I thank the Senator from West Virginia 
for his work on this important matter and for working with me to 
clarify the scope of this bill.
  Mr. KING. I ask unanimous consent that the committee-reported 
substitute be agreed to, the Rockefeller-Thune substitute be agreed to, 
the bill, as amended, be read a third time and passed, and the motion 
to reconsider be considered made and laid upon the table.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The committee-reported amendment in the nature of a substitute was 
agreed to.
  The amendment (No. 4097) in the nature of a substitute was agreed to.
  (The amendment is printed in today's Record under ``Text of 
Amendments.'')
  The bill (S. 1353), as amended, was ordered to be engrossed for a 
third reading, was read the third time, and passed.
  Mr. KING. I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The legislative clerk proceeded to call the roll.
  Mr. SESSIONS. I ask unanimous consent that the order for the quorum 
call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.

                          ____________________