[Senate Report 107-239] [From the U.S. Government Publishing Office] Calendar No. 549 107th Congress Report SENATE 2d Session 107-239 _______________________________________________________________________ CYBER SECURITY RESEARCH AND DEVELOPMENT ACT __________ R E P O R T OF THE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION on S. 2182
August 1, 2002.--Ordered to be printed __________ U.S. GOVERNMENT PRINTING OFFICE 99-010 WASHINGTON : 2002 SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION one hundred seventh congress second session ERNEST F. HOLLINGS, South Carolina, Chairman DANIEL K. INOUYE, Hawaii JOHN McCAIN, Arizona JOHN D. ROCKEFELLER IV, West TED STEVENS, Alaska Virginia CONRAD BURNS, Montana JOHN F. KERRY, Massachusetts TRENT LOTT, Mississippi JOHN B. BREAUX, Louisiana KAY BAILEY HUTCHISON, Texas BYRON L. DORGAN, North Dakota OLYMPIA J. SNOWE, Maine RON WYDEN, Oregon SAM BROWNBACK, Kansas MAX CLELAND, Georgia GORDON SMITH, Oregon BARBARA BOXER, California PETER G. FITZGERALD, Illinois JOHN EDWARDS, North Carolina JOHN ENSIGN, Nevada JEAN CARNAHAN, Missouri GEORGE ALLEN, Virginia BILL NELSON, Florida Kevin D. Kayes, Staff Director Moses Boyd, Chief Counsel Gregg Elias, General Counsel Jeanne Bumpus, Republican Staff Director and General Counsel Ann Begeman, Republican Deputy Staff Director Calendar No. 549 107th Congress Report SENATE 2d Session 107-239 ====================================================================== CYBER SECURITY RESEARCH AND DEVELOPMENT ACT _______ August 1, 2002.--Ordered to be printed _______ Mr. Hollings, from the Committee on Commerce, Science, and Transportation, submitted the following R E P O R T [To accompany S. 2182] The Committee on Commerce, Science, and Transportation, to which was referred the bill (S. 2182) to authorize funding for computer and network security research and development and research fellowship programs, and for other purposes, having considered the same, reports favorably thereon with an amendment in the nature of a substitute and recommends that the bill, as amended, do pass. Purpose of the Bill The purpose of the bill, as reported, is to establish and authorize funding for programs at the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) and to better coordinate information technology security research among government, industry and academia. Background and Needs With the advent of high-speed access to the Internet, computer networks are growing in size and complexity, creating new opportunities for those who would mount malicious computer attacks. At the same time, computer hacking is no longer the sole realm of computer geniuses. Instructions (known as scripts) for exploiting vulnerabilities of computer systems are widely available to anyone with access to the Internet. In some cases, all that is needed to launch an attack is a website address. Moreover, while some vulnerabilities are well known, the companies and individuals who own computers connected to the Internet do not always fix (or ``patch'') obvious security holes, even when the ``patch'' is free and easy to install. Computer attacks not only threaten the integrity of systems and data connected to the Internet, but also have the effect of undermining public trust in Internet-based electronic commerce, potentially hindering its further development and adoption. If Internet usage is to continue its growth, businesses and consumers must have confidence in the security of their information and the identity of the person or company with whom they are engaging in commerce or conversation. The threat of malicious hacking--and media coverage of high profile computer attacks--has the potential to disturb that trust and the future growth of the Internet and electronic commerce. It is not just our economic security that is vulnerable to cyber attack. Critical infrastructures, which are increasingly reliant on the Internet for exchange of data and control functions, also are highly susceptible. For example, the systems that control floodgates for dams or distribution of power are accessible via the Internet. Additionally, the potential threat from terrorist hackers (cyber terrorists) to the Federal government's strategic military systems is real. Security experts note that Department of Defense systems face daily attacks, many of which originate on foreign-based computers. Despite these enormous challenges, however, the United States has failed to conduct an adequate program of world- class, basic research needed to address cyber security needs. While a number of information technology companies support research and development (R&D) on network security, inadequacies in our security arsenal cannot be addressed solely through short-term industry-based applied research. Industry relies heavily on the fundamental research supported by the Federal government and the training of future researchers, including computer scientists, mathematicians, and many others, that Federally funded research programs support. Unfortunately, with the possible exception of encryption- related research, cyber security research is under-funded, and basic research into the fundamental technological cyber security challenges is not sufficient to support the Nation's needs. Many experts believe that because of these historic funding patterns, there is a severe shortage of researchers in the country with the experience and expertise needed to conduct cutting-edge research in cyber security. For example, experts estimate that there are currently only a total of 45 to 75 cyber security researchers nationwide, compared to 60 or more faculty members per computer science department at typical United States research universities. This shortage of personnel is not merely a problem for the academic and research community. Federal agencies are finding it increasingly difficult to recruit and hire professional staff with the knowledge and experience needed to analyze risks and manage and secure their own computer networks. S. 2182 would substantially increase the government's commitment to cyber security research and development by creating a broad program of cyber security R&D at NSF and NIST. The program would support R&D, student scholarships, improved faculty development, and upgrades of networks and facilities. A broad range of institutions would be able to participate, including institutions of higher education (as well as, consortia thereof and community colleges), non-profits, governmental laboratories, and private industry. Legislative History On July 16, 2001, and April 24, 2002, the Subcommittee on Science, Technology, and Space conducted hearings on cyber security. At the July 16, 2001, hearing entitled ``Holes in the Net: Security Risk and the E-Consumer,'' witnesses included: Dr. Vinton G. Cerf, Senior Vice President, Internet Architecture and Technology, WorldCom; Mr. Harris N. Miller, President, Information Technology Association of America; and Mr. Bruce Schneier, Chief Technical Officer, Counterpane Internet Security, Inc. At the April 24, 2002, hearing, entitled ``Homeland Security and the Technology Sector,''which focused on both S. 2182 and S. 2037, witnesses included: The Honorable Sherwood Boehlert, Chairman of the House Science Committee; Dr. George Strawn, Acting Assistant Director for Computer Information Science and Engineering at the National Science Foundation; Dr. Lance Hoffman, Department of Computer Science, George Washington University; Mr. W. Wyatt Starnes, President and Chief Executive Officer, Tripwire, Inc.; and Mr. Ronil Hira, Chairman of the Research and Development Policy Committee of the Institute of Electrical and Electronics Engineers. On April 17, 2002, Senator Wyden, Chairman of the Subcommittee on Science, Technology, and Space, introduced S. 2182, the Cyber Security Research and Development Act. On May 17, 2002, the Committee met in open executive session and, by a voice vote, ordered S. 2182 to be reported with a substitute amendment offered by Senator Wyden and Senator Edwards. The substitute included provisions from Senator Edwards's cyber security bills, S. 1900 and S. 1901, dealing with: (1) the establishment of an NSF program of forgivable loans to doctoral students in cyber security who agree to teach for 5 years; and (2) the development of information security benchmarks by NIST which will be implemented by Federal agencies. In addition, the substitute included provisions to enhance ethnic and racial diversity as a goal in NSF's new cyber security programs. The substitute also contained provisions to raise the profile of NIST's Computer Security Division to allow for cost sharing of new NIST grants, and to allow for a discretionary Director's Fund to permit NIST to fund promising projects in a more expeditious manner. On February 7, 2002, the House of Representatives passed the companion measure to S. 2182, H.R. 3394, which was subsequently received in the Senate and referred to the Committee. Summary of Major Provisions AUTHORIZATION OF APPROPRIATIONS S. 2182, as reported, would authorize appropriations to NSF and NIST for cyber security R&D. A total of $126.56 million would be authorized to be appropriated in fiscal year (FY) 2003, increasing to $249.05 million by FY 2007, for a 5-year total of $978.65 million. NSF PROGRAMS At the NSF, S. 2182, as reported, would establish and authorize: (1) merit-based grants in cyber security that would support innovative approaches from individual researchers to enhance cyber security; (2) Centers for Computer and Network Security Research, which would generate innovative approaches to computer security by conducting cutting-edge, multi- disciplinary research; (3) capacity building grants to institutions to improve their undergraduate or master's cyber security programs; (4) grants to improve cyber security education at community colleges as part of NSF's existing program pursuant to the Scientific and Advanced Technology Act of 1992, (46 U.S.C. 1862i); (5) graduate traineeships in computer and network security, which are merit-based grants to institutions to award fellowships to students pursuing cyber security doctoral degrees; (6) the inclusion of cyber security as an approved field of specialization supported by the Graduate Research Fellowships Program established under section 10 of NSF's Organic Act (42 U.S.C. 1869); and (7) a cyber security faculty development program to award merit-based grants to institutions that would award fellowships, in the form of loans, to students pursuing cyber security doctoral degrees, where 20 percent of the loan would be forgiven for each year the fellow remains a full time faculty professor in the cyber security field upon graduation. NIST PROGRAMS At NIST, S. 2182, as reported, would establish and authorize: (1) grants to colleges and universities that partner with for-profit entities to support long-term cyber security research; (2) research fellowships for post-doctoral students in cyber security, information technology, or related fields wishing to transfer into the cyber security field; (3) development of benchmark cyber security standards for Federal agencies; and (4) establishment of an Office for Information Security Programs, headed by a Director who reports directly to the NIST Director. Estimated Costs In accordance with paragraph 11(a) of rule XXVI of the Standing Rules of the Senate and section 403 of the Congressional Budget Act of 1974, the Committee provides the following cost estimate, prepared by the Congressional Budget Office: U.S. Congress, Congressional Budget Office, Washington, DC, May 28, 2002. Hon. Ernest F. Hollings, Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S.2182, the Cyber Security Research and Development Act. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contracts are Kathleen Gramp and Ken Johnson. Sincerely, Barry B. Anderson (For Dan L. Crippen, Director). Enclosure. Congressional Budget Office Cost Estimate S. 2182--Cyber Security Research and Development Act Summary: S. 2182 would authorize, appropriations for several research initiatives related to computer security at two agencies--the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST). The bill would establish the terms and conditions for awarding grants, fellowships, cooperative agreements, and loans for certain doctoral fellowship related to computer security, and would authorize NIST to conduct similar research at its laboratories. It would authorize the appropriation of $978 million over the 2002-2007 period for these activities. This total would include funding for the ongoing activities of the Computer System Security and Privacy Advisory Board and a study by the National Academy of Sciences on the vulnerability of nation's computer network infrastructure. Assuming appropriation of the specified amounts, CBO estimates that implementing this bill would cost $671 million over the 2002-2007 period. the bill would not affect direct spending or receipts; therefore, pay-as-you-go procedures would not apply. S. 2182 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments. Estimated cost to the Federal Government: the estimated budgetary impact of S. 2182 is shown in the following table. The costs of this legislation fall within budget functions 250 (general science, space, and technology) and 370 (commerce and housing credit). ---------------------------------------------------------------------------------------------------------------- By fiscal year, in million of dollars-- --------------------------------------------------- 2002 2003 2004 2005 2006 2007 ---------------------------------------------------------------------------------------------------------------- CHANGES IN SPENDING SUBJECT TO APPROPRIATION National Science Foundation: \1\ Authorization Level..................................... 0 78 110 128 134 142 Estimated Outlays....................................... 0 15 58 93 114 125 National Institute of Standards and Technology: \2\ Authorization Level..................................... 2 47 62 76 92 107 Estimated Outlays....................................... 0 23 37 53 69 84 Total Changes: Authorization Level..................................... 2 125 172 204 226 249 Estimated Outlays....................................... 0 38 95 146 183 209 ---------------------------------------------------------------------------------------------------------------- \1\ NSF has a total appropriation of $4.9 billion in 2002. \2\ Thus far, NIST has a total appropriation of $680 million in 2002. Basis of estimate: S. 2182 would authorize the appropriation of $592 million for NSF and $386 million for NIST over the 2002-2007 period for these agencies to carry out a variety of grant, fellowship, loan, and other programs related to research on computer security. Based on the spending patterns of similar NSF and NIST programs, CBO estimates that implementing the bill would cost NSF and about $405 million and NIST about $266 million over the 2002-2007 period, assuming the appropriation of the authorized amounts. For this estimate, CBO assumes that funds will be appropriated near the beginning of each fiscal year, with the exception of the $2 million authorization for NIST in 2002 (which we assume will be provided this summer). CBO expects that the doctoral fellowships authorized by this bill would be treated as direct loans and would be subject to credit reform procedures. S. 2182 would require that such fellowships be repaid but would forgive specified amounts if the recipient is employed as a full-time faculty member. For this estimate, CBO assumes that NSF would use the $5 million authorized annually for these fellowships to cover the subsidy cost of such loans. Pay-as-you-go considerations: None. Estimated impact on state, local, and tribal governments: S. 2182 contains no intergovernmental mandates as defined in UMRA and would impose no costs on state, local, or tribal governments. The bill would benefit public universities by authorizing the appropriation of $978 million, much of which would be for grant programs to institutions of higher education, including public universities, for a number of projects aimed at improving computer and network security. Any costs incurred by public universities would be voluntary. Estimated impact on the private sector: This bill contains no new private-sector mandates as defined in UMRA. Previous CBO estimate: On December 17, 2001, CBO transmitted a cost estimate for H.R. 3394, the Cyber Security Research and Development Act, as ordered reported by the House Committee on Science on December 6, 2001. H.R. 3394 is very similar to S. 2182, although H.R. 3394 would authorize the appropriation of $878 million over the 2002-2007 period. CBO estimated that implementing H.R. 3394 would cost $420 million during the 2002-2006 period, assuming the appropriation of the necessary amounts. Estimate prepared by: Federal costs: Kathleen Gramp (NSF) and Ken Johnson (NIST); impact on state, local, and tribal governments: Elyse Goldman; impact on the private sector: Cecil McPherson. Estimate approved by: Peter H. Fontaine, Deputy Assistant Director for Budget Analysis. Regulatory Impact Statement In accordance with paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee provides the following evaluation of the regulatory impact of the legislation, as reported: NUMBER OF PERSONS COVERED The Committee believes that the bill would not subject any individuals or businesses affected by the legislation to any additional regulation. Neither NSF nor NIST are regulatory agencies; therefore they have no regulatory authority. Section 8(c) of the bill would require NIST to adopt Federal agency benchmark security standards to be implemented by Federal civilian agencies. The standards would not directly impose any requirements on individuals or businesses to further regulation. ECONOMIC IMPACT This legislation would not have an adverse economic impact on the Nation. It would authorize significant funding for research and development in computer and information security, promoting sustained economic growth through better protection of our critical infrastructures that have become increasingly dependent on electronic networks. In addition, this legislation would significantly enhance the growth and development of the computer and information security field in this country. PRIVACY S. 2182 would not have a negative impact on the personal privacy of individuals. The purpose of this legislation is to support research and development in information security, which should lead to increased protection for personal data stored on computer networks. PAPERWORK This legislation would not increase paperwork requirements for private individuals or businesses. It would require four Federal reports: (1) within 180 days of enactment, the Director of NIST must submit a report to the Senate Committee on Commerce, Science, and Transportation, the House Committee on Science, and the House and Senate Appropriations Committees identifying specific Federal agency benchmark security standards that should be developed over the following 12 month period, and recommending, in consultation with the Office of Management and Budget any additional funding that may be necessary; (2) not later than 1 year after the date of the report referred to above, the Director of NIST, in consultation with appropriate public and private entities, must submit a follow-up report containing recommendations for specific, reasonable Federal agency benchmark security standards to the Secretary of Commerce and the Chairman of the Federal Chief Information Officers (CIOs) Council. The Director of NIST shall review the recommended standards not less than once every 6 months and update such standards or issue new standards as necessary. The Director is not prohibited from updating any portion of such recommended standards more frequently if circumstances so require. The Secretary of Commerce shall widely disseminate the report, along with any updates; (3) not later than 36 months after the date of enactment, the Chairman of the Federal CIOs Council must submit a report to Congress describing the status of, costs associated with, and barriers to implementation of the Federal agency benchmark security standards at each agency/department of the government; and (4) within 3 months after the date of enactment, NIST must arrange for the National Academy of Sciences to conduct a study to examine the impact of requiring Federal agencies to implement benchmark security standards on national cyber security preparedness. NIST would be directed to transmit the report containing the results of the study to Congress not later than 21 months after the date of enactment of this Act. S. 2182, as reported, would also require the Chairman of the Federal CIOs Council to provide to the NIST Director a classified list of current Federal government security standards not later than 90 days after the date of enactment. Section-by-Section Analysis Section 1. Short title Section 1 would give the short title of the bill, the ``Cyber Security Research and Development Act.'' Section 2. Findings Section 2 presents the findings concerning: the interdependent nature of critical infrastructures brought about by advancements in computing and communications technology; the increased consequences of failure of communications and computer systems stemming from exponential increases in interconnectivity; the Nation's lack of preparedness for a coordinated cyber and physical attack; the shortage of outstanding researchers in the field of cyber security; the lack of coordination among government, academia, and industry for computer security; the need to significantly increase the Federal investment in computer and network security research and development; and the level of minority participation in the United States computer and information science workforce. Section 3. Definitions Section 3 includes the following definitions: (1) the term ``Director'' means the Director of the National Science Foundation (NSF), except in section 8 where it refers to the Director of the National Institute for Standards and Technology (NIST); (2) the term ``institution of higher education'' is given the meaning found in the Higher Education Act of 1965; and (3) ``Federal agency benchmark security standards'' means a baseline minimum security configuration for specific computer hardware or software components, an operational procedure or practice, or organizational structure that increases the security of the information technology assets of an agency or department of the Federal government. Section 4. National Science Foundation research Section 4(a) would establish an NSF program to award merit- reviewed, competitively based grants for basic research on innovative approaches to enhance computer security. Research areas include authentication and cryptography; computer forensics and intrusion detection; reliability of computer and network applications, middleware, operating systems, and communications infrastructure; privacy and confidentiality; network security architecture, including tools for security administration and analysis such as firewall technology; emerging threats, including malicious such as viruses and worms; vulnerability assessments; operations and control systems management; management of interoperable digital certificates or digital watermarking; and remote access and wirelesssecurity. This subsection would also authorize appropriations of $35 million for FY 2003, $40 million for FY 2004, $46 million for FY 2005, $52 million for FY 2006, and $60 million for FY 2007. Section 4(b) would establish an NSF program to award multi- year grants to institutions of higher education (or consortia thereof) to establish multidisciplinary Centers for Computer and Network Security Research. Institutions (or consortia) receiving grants may partner with one or more government laboratories or for-profit institutions. Applications for these grants would be reviewed on the basis of the ability of the institution (or consortium) to generate innovative approaches to computer and network security research; the applicant's experience in conducting research on computer and network security and capacity to foster new multi-discipline collaborations; the applicant's support for students pursuing research in computer and network security; and the extent to which government laboratories or industry partners will participate in the Center's research activities. This subsection would require the Director to convene an annual meeting of Centers to foster greater collaboration and communication. Appropriations of $12 million for FY 2003, $24 million for FY 2004, $36 million for FY 2005, $36 million for FY 2006, and $36 million for FY 2007 would be authorized. Section 5. National Science Foundation Computer and Network Security programs Section 5(a) (capacity building) would establish a competitive, merit-based NSF program to award grants to institutions of higher education (or consortia thereof) to create or improve undergraduate and master's degree programs in computer security. Grants would be used for purposes including curriculum development, equipment acquisition, faculty enhancement, and the establishment of a student internship program in government or industry. Applicants must describe the plan for building increased capacity in computer and network security, must articulate the roles and responsibilities of each partnering institution or collaborative group, and must provide evidence of high potential for success in educating and placing students in relevant jobs or graduate programs. The Director would be required to evaluate the impact of the program on increasing the quality and quantity of computer and network security professionals not later than 5 years after establishment. The program would authorize $15 million for FY 2003 and $20 million for each of fiscal years 2004-2007. Section 5(b) would expand NSF's existing program for community colleges (established by the Scientific and Advanced Technology Act of 1992, P.L. 102-476) to include grants to improve education in fields related to computer and network security. It would authorize $1 million for FY 2003 and $1.25 million for each of fiscal years 2004-2007. Section 5(c) (Graduate Traineeships in Computer and Network Security Research) would establish a competitive, merit-based NSF program to award grants to institutions of higher education to establish traineeship programs for graduate students pursuing studies in computer and network security research leading to a doctorate degree. Grant funds would be used to support student fellowships of at least $25,000 per year to pay student tuition and fees, and to support students in scientific internship programs. Appropriations of $10 million for FY 2003, and $20 million for each of fiscal years 2004-2007 would be authorized. Section 5(d) would direct NSF to include computer and network security as an approved field of specialization under its current Graduate Research Fellowships program. Section 5(e) (Cyber Security Faculty Development Fellowship Program) would establish an NSF program to award grants to institutions of higher learning to establish traineeship programs to enable graduate students to pursue academic careers in cyber security upon completion of doctoral degrees. Funds received by an institution would be made available to fellows, in the form of loans, for up to 5 years on a merit-reviewed, competitive basis to cover tuition and fees for doctoral study and a $25,000 per year stipend. Loans would be forgiven at 20% for each year the fellow is employed as a full-time faculty member at an institution, thereby forgiving the loan in total if the fellow teaches for 5 years. Appropriations of $5 million per year for fiscal years 2003-2007 would be authorized. Section 6. Consultation Section 6 would require the NSF Director to consult with other Federal agencies in carrying out the programs described in Sections 4 and 5. Section 7. Fostering research and education in computer and network security Section 7 of the bill would amend the National Science Foundation Act of 1950 to require NSF to take a leading role in fostering and supporting research and education in computer and network security. Section 8. National Institute of Standards and Technology research program Section 8(a) would amend the National Institute of Standards and Technology Act by creating a new section 22 to establish a program that provides assistance to institutions of higher education that partner with for-profit entities to support multidisciplinary, long-term research to improve the security of computer systems. Partnerships may also include government laboratories. The new section 22(b) would authorize the NIST Director to award research fellowships to post-doctoral researchers engaged in computer security research and to senior researchers who wish to transition from other research fields to computer security research. The new section 22(c) would authorize the Director to award grants or cooperative agreements and would set forth applicant eligibility requirements. The new section 22(d) would require cost-sharing (up to 50%) by the for-profit entities pursuant to a sliding scale, with the least amount required for projects that will be broadly applicable and widely shared. The new section 22(e) would instruct the NIST Director to select program managers who are responsible for establishing the research goals for the program, soliciting applications for specific research projects to address these goals, and selecting research projects for funding. The new section 22(f) would give the NIST Director the responsibility of reviewing, periodically, the portfolio of research awards in consultation with NIST's existing Computer System Security and Privacy Advisory Board. The Director would also be instructed to contract with the National ResearchCouncil to conduct a formal review of the program during its fifth year and to submit a report of this review to Congress no later than 6 years after the initiation of the program. Section 8(b) would amend the definition of Computer System by amending Section 20(d)(1)(B)(i) of the NIST Act to read ``computers and computer networks.'' Section 8(c)(1) would require the Director of NIST to submit a report to the Senate Committee on Commerce, Science, and Transportation; the House Committee on Science; and the House and Senate Appropriations Committees, not later than 180 days after enactment of this Act, identifying specific Federal agency benchmark security standards that should be developed by NIST over the following 12 month period, and recommending (in consultation with the Office of Management and Budget (OMB)) any additional funding authorization that may be necessary. Section 8(c)(2) would require NIST to submit a follow-up report selecting and adopting Federal agency benchmark security standards. The Director of NIST, in consultation with appropriate public and private entities, must submit the report to the Secretary of Commerce and the Chairman of the Federal CIOs Council not later than 1 year after the date of the report issued in section 8(c)(1). The Director shall review these standards not less than once every 6 months, and update such standards or issue new standards as necessary. Nothing in this title shall prohibit the Director from updating any portion of such recommended standards more frequently if it is determined that circumstances so require. The Secretary of Commerce would widely disseminate the report and any updates. Section 8(c)(3) would require civilian departments and agencies to implement the standards recommended by the report not later than 90 days after the date of the report. The Committee understands civilian agencies to be those agencies not excluded under section 20 of the NIST Organic Act. Updates must be similarly implemented not later than 30 days. To facilitate NIST's duties under this section, not later than 90 days after the enactment of this Act, the Chairman of the Federal CIOs Council shall provide to the NIST Director a classified list of the current Federal government security standards. Appropriations are authorized for activities under this subsection of $15 million per year for fiscal years 2003-2007. Section 8(d) would require two reports to Congress. Within 36 months after the date of enactment, the Chairman of the Federal CIOs Council is directed to submit a report to Congress describing the status of, costs associated with, and barriers to implementation and recommendations for over-coming such barriers of the Federal agency benchmark security standards at each department and agency of the Federal government. Not later than 3 months after the date of enactment, NIST would arrange for the National Academy of Sciences to conduct a study analyzing the effect of implementation of Federal agency benchmark security standards on the state of national cyber security preparedness. Appropriations of $800,000 would be authorized for this report. Section 8(e) would amend the National Institute of Standards and Technology Act to establish an Office for Information Security Programs. The Computer Security Division already exists at NIST; this subsection renames that office and elevates Information Security Programs to be on par with NIST's other laboratories with a Director reporting to the Director of NIST. Section 9. Computer security review, public meetings, and information This section would authorize funding ($1,060,000 for FY 2003 and $1,090,000 for FY 2004) to enable NIST's Computer System Security and Privacy Advisory Board to identify emerging issues, including research needs related to computer security, privacy, and cryptography and, as appropriate, to convene public meetings on those subjects, receive presentations, and generate reports for public distribution. Section 10. Intramural security research Section 10 would amend the National Institute of Standards and Technology Act to authorize NIST to pursue, as part of the agency's in-house research program, research related to computer security, including the development of emerging technologies to ensure security of networked systems assembled from components, improved security of real-time computing and communications systems used in industrial and critical infrastructure operations, and multidisciplinary, high-risk, long-term research on ways to improve security of computer systems. Section 11. Authorization of appropriations This section would authorize appropriations for sections 8 and 10 of the bill. For the research programs in section 8, it would authorize $25 million for FY 2003, $40 million for FY 2004, $55 million for FY 2005, $70 million for FY 2006, and $85 million for FY 2007. For section 10, it would authorize $6 million for FY 2003, $6.2 million for FY 2004, $6.4 million for FY 2005, $6.6 million for FY 2006, and $6.8 million for FY 2007. Section 12. National Academy of Sciences Study on Computer and Network Security in Critical Infrastructures Section 12 would authorize the Director of NIST to enter into an agreement with the National Research Council to conduct a study of the vulnerabilities of the nation's critical infrastructure networks and make recommendations for appropriate improvements not later than 3 months after the date of enactment of the Act. The study would require the NRC to review existing data to identify gaps in the security of critical infrastructure networks, make recommendations for research priorities to address these gaps, and review the security of network-related infrastructure including industrial process controls. A report of the study results is to be submitted to Congress. For the purpose of carrying out the study, $700,000 is authorized. Section 13 This section would give the Office of Science and Technology Policy (OSTP) the responsibility to coordinate Federal cyber security R&D, and ensure consultation with the Office of Homeland Security, the President's Critical Infrastructure Protection Board, and other relevant agencies. This section also would encourage OSTP to promote cooperation between the Federal government, academia, and private industry. Changes in Existing Law In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new material is printed in italic, existing law in which no change is proposed is shown in roman): NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT COMPUTERS STANDARDS PROGRAM. [15 U.S.C. 278G-3] Sec. 20. (a) Development of Standards, Guidelines, Methods, and Techniques for Computer Systems.--The Institute shall-- (1) have the mission of developing standards, guidelines, and associated methods and techniques for computer systems; (2) except as described in paragraph (3) of this subsection (relating to security standards), develop uniform standards and guidelines for Federal computer systems, except those systems excluded by section 2315 of title 10, United States Code, or section 3502(9) of title 44, United States Code; (3) have responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines for the cost- effective security and privacy of sensitive information in Federal computer systems except-- (A) those systems excluded by section 2315 of title 10, United States Code, or section 3502(9) of title 44, United States Code; and (B) those systems which are protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy, the primary purpose of which standards and guidelines shall be to control loss and unauthorized modification or disclosure of sensitive information in such systems and to prevent computer-related fraud and misuse; (4) submit standards and guidelines developed pursuant to paragraphs (2) and (3) of this subsection, along with recommendations as to the extent to which these should be made compulsory and binding, to the Secretary of Commerce for promulgation under section 5131 of the Clinger-Cohen Act of 1996; (5) develop guidelines for use by operators of Federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice, as required by section 5 of the Computer Security Act of 1987; and (6) develop validation procedures for, and evaluate the effectiveness of, standards and guidelines developed pursuant to paragraphs (1), (2), and (3) of this subsection through research and liaison with other government and private agencies. (b) Technical Assistance and Implementation of Standards Developed.--In fulfilling subsection (a) of this section, the Institute is authorized-- (1) to assist the private sector, upon request, in using and applying the results of the programs and activities under this section; (2) as requested, to provide to operators of Federal computer systems technical assistance in implementing the standards and guidelines promulgated pursuant to section 5131 of the Clinger-Cohen Act of 1996; (3) to assist, as appropriate, the Office of Personnel Management in developing regulations pertaining to training, as required by section 5 of the Computer Security Act of 1987; (4) to perform research and to conduct studies, as needed, to determine the nature and extent of the vulnerabilities of, and to devise techniques for the cost-effective security and privacy of sensitive information in Federal computer systems; and (5) to coordinate closely with other agencies and offices (including, but not limited to, the Departments of Defense and Energy, the National Security Agency, the General Accounting Office, the Office of Technology Assessment, and the Office of Management and Budget)-- (A) to assure maximum use of all existing and planned programs, materials, studies, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and (B) to assure, to the maximum extent feasible, that standards developed pursuant to subsection (a)(3) and (5) are consistent and compatible with standards and procedures developed for the protection of information in Federal computer systems which is authorized under criteria established by Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. (c) Protection of Sensitive Information.--For the purposes of-- (1) developing standards and guidelines for the protection of sensitive information in Federal computer systems under subsections (a)(1) and (a)(3), and (2) performing research and conducting studies under subsection (b)(5), the Institute shall draw upon computer system technical security guidelines developed by the National Security Agency to the extent that the National Bureau of Standards determines that such guidelines are consistent with the requirements for protecting sensitive information in Federal computer systems. (d) Establishment of an Office for Information Security Programs.-- (1) In general.--There is established in the Institute an Office for Information Security Programs. (2) Head.--The Office for Information Security Programs shall be headed by a Director, who shall be a senior executive and shall be compensated at a level in the Senior Executive Service under section 5382 of title 5, United States Code, as determined by the Secretary of Commerce. (3) Function.--The Director of the Institute shall delegate to the Director of the Office of Information Security Programs the authority to administer all functions under this section, except that any such delegation shall not relieve the Director of the Institute of responsibility for the administration of such functions. The Director of the Office of Information Security Programs shall serve as principal adviser to the Director of the Institute on all functions under this section. [(d)] (e) Definitions.--As used in this section-- (1) the term ``computer system''-- (A) means any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception, of data or information; and (B) includes-- [(i) computers;] (i) computers and computer networks; (ii) ancillary equipment; (iii) software, firmware, and similar procedures; (iv) services, including support services; and (v) related resources; (2) the term ``Federal computer system'' means a computer system operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information (using a computer system) on behalf of the Federal Government to accomplish a Federal function; (3) the term ``operator of a Federal computer system'' means a Federal agency, contractor of a Federal agency, or other organization that processes information using a computer system on behalf of the Federal Government to accomplish a Federal function; (4) the term ``sensitive information'' means any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy; and (5) the term ``Federal agency'' has the meaning given such term by section 3(b) of the Federal Property and Administrative Services Act of 1949 . (f) Intramural Security Research.--As part of the research activities conducted in accordance with subsection (b)(4), the Institute shall-- (1) conduct a research program to address emerging technologies associated with assembling a networked computer system from components while ensuring it maintains desired security properties; (2) carry out research associated with improving the security of real-time computing and communications systems for use in process control; and (3) carry out multidisciplinary, long-term, high-risk research on ways to improve the security of computer systems. (g) Authorization of Appropriations.--There are authorized to be appropriated to the Secretary $1,060,000 for fiscal year 2003 and $1,090,000 for fiscal year 2004 to enable the Computer System Security and Privacy Advisory Board, established by section 21, to identify emerging issues, including research needs, related to computer security, privacy, and cryptography and, as appropriate, to convene public meetings on those subjects, receive presentations, and publish reports, digests, and summaries for public distribution on those subjects. * * * * * * * RESEARCH PROGRAM ON SECURITY OF COMPUTER SYSTEMS Sec. 22. (a) Establishment.--The Director, through the Director of the Office for Information Security Programs, shall establish a program of assistance to institutions of higher education that enter into partnerships with for-profit entities to support research to improve the security of computer systems. The partnerships may also include government laboratories. The program shall-- (1) include multidisciplinary, long-term research; (2) include research directed toward addressing needs identified through the activities of the Computer System Security and Privacy Advisory Board under section 20(f); and (3) promote the development of a robust research community working at the leading edge of knowledge in subject areas relevant to the security of computer systems by providing support for graduate students, post-doctoral researchers, and senior researchers. (b) Fellowships.-- (1) In general.--The Director is authorized to establish a program to award post-doctoral research fellowships to individuals who are citizens, nationals, or lawfully admitted permanent resident aliens of the United States and are seeking research positions at institutions, including the Institute, engaged in research activities related to the security of computer systems, including the research areas described in section 4(a)(1) of the Cyber Security Research and Development Act. (2) Senior research fellowships.--The Director is authorized to establish a program to award senior research fellowships to individuals seeking research positions at institutions, including the Institute, engaged in research activities related to the security of computer systems, including the research areas described in section 4(a)(1) of the Cyber Security Research and Development Act. Senior research fellowships shall be made available for established researchers at institutions of higher education who seek to change research fields and pursue studies related to the security of computer systems. (3) Eligibility.-- (A) In general.--To be eligible for an award under this subsection, an individual shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. (B) Stipends.--Under this subsection, the Director is authorized to provide stipends for post-doctoral research fellowships at the level of the Institute's Post Doctoral Research Fellowship Program and senior research fellowships at levels consistent with support for a faculty member in a sabbatical position. (c) Awards; Applications.-- (1) In general.--The Director is authorized to award grants or cooperative agreements to institutions of higher education to carry out the program established under subsection (a). (2) Eligibility.--To be eligible for an award under this section, an institution of higher education shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of-- (A) the number of graduate students anticipated to participate in the research project and the level of support to be provided to each; (B) the number of post-doctoral research positions included under the research project and the level of support to be provided to each; (C) the number of individuals, if any, intending to change research fields and pursue studies related to the security of computer systems to be included under the research project and the level of support to be provided to each; and (D) how the for-profit entities and any other partners will participate in developing and carrying out the research and education agenda of the partnership. (d) Sliding Scale Cost-sharing.--In awarding a grant under this section, the Director shall require up to 50 percent of the costs of the project funded by the grant to be met by the for-profit entity or entities in the partnership. The Director shall base the percentage of cost-sharing required under this paragraph on a sliding scale reflecting the degree to which the results of the research undertaken by a partnership may reasonably be expected to be applied and shared, with-- (1) the smallest percentage of cost-sharing required for projects the anticipated results of which are reasonably expected to be of broadest potential application and broadly shared; and (2) the greatest percentage of cost-sharing required for projects the anticipated results of which are reasonably expected-- (A) to be of narrow or proprietary application; or (B) not to be broadly shared. (e) Program Operation.-- (1) Management.--The program established under subsection (a) shall be headed by the Director of the Office for Information Security Programs and managed by individuals who shall have both expertise in research related to the security of computer systems and knowledge of the vulnerabilities of existing computer systems. The Director shall designate such individuals, on a competitive basis, as program managers. (2) Managers may be employees.--Program managers designated under paragraph (1) may be new or existing employees of the Institute. (3) Manager responsibility.--Program managers designated under paragraph (1) shall be responsible for-- (A) establishing and publicizing the broad research goals for the program; (B) soliciting applications for specific research projects to address the goals developed under subparagraph (A); (C) selecting research projects for support under the program from among applications submitted to the Institute, following consideration of-- (i) the novelty and scientific and technical merit of the proposed projects; (ii) the demonstrated capabilities of the individual or individuals submitting the applications to successfully carry out the proposed research; (iii) the impact the proposed projects will have on increasing the number of computer security researchers; (iv) the nature of the participation by for-profit entities and the extent to which the proposed projects address the concerns of industry; and (v) other criteria determined by the Director, based on information specified for inclusion in applications under subsection (c); and (D) monitoring the progress of research projects supported under the program. (4) From amounts available for awards under subsection (c), the Director, in consultation with the Director of the Office for Information Security Programs established in section 20 of this Act, may assign up to 5 percent to a Directors Fund which may be awarded throughout the fiscal year at the discretion of the Director to promising projects designed to fulfill the goals Stated in subsection (a). Such projects should be innovative in nature and should meet emerging needs in computer security. (f) Review of Program.-- (1) Periodic review.--The Director shall periodically review the portfolio of research awards monitored by each program manager designated in accordance with subsection (e). In conducting those reviews, the Director shall seek the advice of the Computer System Security and Privacy Advisory Board, established under section 21, on the appropriateness of the research goals and on the quality and utility of research projects managed by program managers in accordance with subsection (e). (2) Comprehensive 5-year review.--The Director shall also contract with the National Research Council for a comprehensive review of the program established under subsection (a) during the 5th year of the program. Such review shall include an assessment of the scientific quality of the research conducted, the relevance of the research results obtained to the goals of the program established under subsection (e)(3)(A), and the progress of the program in promoting the development of a substantial academic research community working at the leading edge of knowledge in the field. The Director shall submit to Congress a report on the results of the review under this paragraph no later than 6 years after the initiation of the program. (g) Definitions.--In this section: (1) Computer system.--The term ``computer system'' has the meaning given that term in section 20(d)(1). (2) Institution of higher education.--The term ``institution of higher education'' has the meaning given that term in section 101 of the Higher Education Act of 1965 (20 United States Code 1001). APPROPRIATIONS; AVAILABILITY [15 U.S.C. 278H] Sec. [22.] 32. Appropriations to carry out the provisions of this Act may remain available for obligation and expenditure for such period or periods as may be specified in the Acts making such appropriations. * * * * * * * NATIONAL SCIENCE FOUNDATION ACT OF 1950 SEC. 3. FUNCTIONS. [42 U.S.C. 1862] (a) Initiation and Support of Studies and Programs; Scholarships; Current Register of Scientific and Technical Personnel.--The Foundation is authorized and directed-- (1) to initiate and support basic scientific research and programs to strengthen scientific research potential and science education programs at all levels in the mathematical, physical, medical, biological, social, and other sciences, and to initiate and support research fundamental to the engineering process and programs to strengthen engineering research potential and engineering education programs at all levels in the various fields of engineering, by making contracts or other arrangements (including grants, loans, and other forms of assistance) to support such scientific, engineering, and educational activities and to appraise the impact of research upon industrial development and upon the general welfare; (2) to award, as provided in section 10, scholarships and graduate fellowships for study and research in the sciences or in engineering; (3) to foster the interchange of scientific and engineering information among scientists and engineers in the United States and foreign countries; (4) to foster and support the development and use of computer and other scientific and engineering methods and technologies, primarily for research and education in the sciences and engineering; (5) to evaluate the status and needs of the various sciences and fields of engineering as evidenced by programs, projects, and studies undertaken by agencies of the Federal Government, by individuals, and by public and private research groups, employing by grant or contract such consulting services as it may deem necessary for the purpose of such evaluations; and to take into consideration the results of such evaluations in correlating the research and educational programs undertaken or supported by the Foundation with programs, projects, and studies undertaken by agencies of the Federal Government, by individuals, and by public and private research groups; (6) to provide a central clearinghouse for the collection, interpretation, and analysis of data on scientific and engineering resources and to provide a source of information for policy formulation by other agencies of the Federal Government; [and] (7) to initiate and maintain a program for the determination of the total amount of money for scientific and engineering research, including money allocated for the construction of the facilities wherein such research is conducted, received by each educational institution and appropriate nonprofit organization in the United States, by grant, contract, or other arrangement from agencies of the Federal Government, and to report annually thereon to the President and the [Congress.] Congress; and (8) to take a leading role in fostering and supporting research and education activities to improve the security of networked information systems. (b) Contracts, Grants, Loans, etc. for Scientific and Engineering Activities; Financing of Programs.--The Foundation is authorized to initiate and support specific scientific and engineering activities in connection with matters relating to international cooperation, national security, and the effects of scientific and engineering applications upon society by making contracts or other arrangements (including grants, loans, and other forms of assistance) for the conduct of such activities. When initiated or supported pursuant to requests made by any other Federal department or agency, including the Office of Technology Assessment, such activities shall be financed whenever feasible from funds transferred to the Foundation by the requesting official as provided in section 14(f), and any such activities shall be unclassified and shall be identified by the Foundation as being undertaken at the request of the appropriate official. (c) Scientific and Engineering Research Programs at Academic and Other Nonprofit Institutions; Applied Scientific Research and Engineering Research Programs by Presidential Directive; Employment of Consulting Services; Coordination of Activities.--In addition to the authority contained in subsections (a) and (b), the Foundation is authorized to initiate and support scientific and engineering research, including applied research, at academic and other nonprofit institutions. When so directed by the President, the Foundation is further authorized to support, through other appropriate organizations, applied scientific research and engineering research relevant to national problemsinvolving the public interest. In exercising the authority contained in this subsection, the Foundation may employ by grant or contract such consulting services as it deems necessary, and shall coordinate and correlate its activities with respect to any such problem with other agencies of the Federal Government undertaking similar programs in that field. (d) Promotion of Basic Research and Education in Science and Engineering.--The Board and the Director shall recommend and encourage the pursuit of national policies for the promotion of research and education in science and engineering. (e) Balancing of Research and Educational Activities in the Sciences and Engineering.--In exercising the authority and discharging the functions referred to in the foregoing subsections, it shall be an objective of the Foundation to strengthen research and education in the sciences and engineering, including independent research by individuals, throughout the United States, and to avoid undue concentration of such research and education. (f) Annual Report to the President and Congress.--The Foundation shall render an annual report to the President for submission on or before the 15th day of April of each year to the Congress, summarizing the activities of the Foundation and making such recommendations as it may deem appropriate. Such report shall include information as to the acquisition and disposition by the Foundation of any patents and patent rights. (g) Support of Access to Computer Networks.--In carrying out subsection (a)(4), the Foundation is authorized to foster and support access by the research and education communities to computer networks which may be used substantially for purposes in addition to research and education in the sciences and engineering, if the additional uses will tend to increase the overall capabilities of the networks to support such research and education activities. NATIONAL SCIENCE AND TECHNOLOGY POLICY ACT SEC. 205. POLICY PLANNING; ANALYSIS; ADVICE; ESTABLISHMENT OF ADVISORY PANEL. [42 U.S.C. 6614] (a) The Office shall serve as a source of scientific and technological analysis and judgment for the President with respect to major policies, plans, and programs of the Federal Government. In carrying out the provisions of this section, the Director shall-- (1) seek to define coherent approaches for applying science and technology to critical and emerging national and international problems and for promoting coordination of the scientific and technological responsibilities and programs of the Federal departments and agencies in the resolution of such problems; (2) assist and advise the President in the preparation of the Science and Technology Report, in accordance with section 209 of this Act; (3) gather timely and authoritative information concerning significant developments and trends in science, technology, and in national priorities, both current and prospective, to analyze and interpret such information for the purpose of determining whether such developments and trends are likely to affect achievement of the priority goals of the Nation as set forth in section 101(b) of this Act; (4) encourage the development and maintenance of an adequate data base for human resources in science, engineering, and technology, including the development of appropriate models to forecast future manpower requirements, and assess the impact of major governmental and public programs on human resources and their utilization; (5) initiate studies and analyses, including systems analyses and technology assessments, of alternatives available for the resolution of critical and emerging national and international problems amendable to the contributions of science and technology and, insofar as possible, determine and compare probable costs, benefits, and impacts of such alternatives; (6) advise the President on the extent to which the various scientific and technological programs, policies, and activities of the Federal Government are likely to affect the achievement of the priority goals of the Nation as set forth in section 101(b) of this Act; (7) provide the President with periodic reviews of Federal statutes and administrative regulations of the various departments and agencies which affect research and development activities, both internally and in relation to the private sector, or which may interfere with desirable technological innovation, together with recommendations for their elimination, reform, or updating as appropriate; (8) develop, review, revise, and recommend criteria for determining scientific and technological activities warranting Federal support, and recommend Federal policies designed to advance (A) the development and maintenance of broadly based scientific and technological capabilities, including human resources, at all levels of government, academia, and industry, and (B) the effective application of such capabilities to national needs; (9) assess and advise on policies for international cooperation in science and technology which will advance the national and international objectives of the United States; (10) identify and assess emerging and future areas in which science and technology can be used effectively in addressing national and international problems; (11) report at least once each year to the President and the Congress on the overall activities and accomplishments of the Office, pursuant to section 206 of this Act; (12) periodically survey the nature and needs of national science and technology policy and make recommendations to the President, for review and transmission to the Congress, for the timely and appropriate revision of such policy in accordance with section 102(a)(6) of this Act; [and] (13) develop strategies, in consultation with the Office of Homeland Security, the President's Critical Infrastructure Protection Board, and the relevant Federal departments and agencies, to foster greater coordination of Federal research and development activities and promote cooperation between the Federal Government, institutions of higher education, and private industry in the field of cyber security; and [(13)] (14) perform such other duties and functions and make and furnish such studies and reports thereon, and recommendations with respect to matters of policy and legislation as the President may request. (b)(1) The Director shall establish an Intergovernmental Science, Engineering, and Technology Advisory Panel (hereinafter referred to as the ``Panel''), whose purpose shall be to (A) identify and define civilian problems at State, regional, and local levels which science, engineering, and technology may assist in resolving or ameliorating; (B) recommend priorities for addressing such problems; and (C) advise and assist the Director in identifying and fostering policies to facilitate the transfer and utilization of research and development results so as to maximize their application to civilian needs. (2) The Panel shall be composed of (A) the Director of the Office, or his representative; (B) at least ten members representing the interests of the States, appointed by the Director of the Office after consultation with State officials; and (C) the Director of the National Science Foundation, or his representative. (3)(A) The Director of the Office, or his representative, shall serve as Chairman of the Panel. (B) The Panel shall perform such functions as the Chairman may prescribe, and shall meet at the call of the Chairman. (4) Each member of the Panel shall, while serving on business of the Panel, be entitled to receive compensation at a rate not to exceed the daily rate prescribed for GS-18 of the General Schedule under section 5332 of title 5, United States Code, including traveltime, and, while so serving away from his home or regular place of business, he may be allowed travel expenses, including per diem in lieu of subsistence in the same manner as the expenses authorized by section 5703(b) of title 5, United States Code, for persons in government service employed intermittently.