[107th Congress Public Law 305]
[From the U.S. Government Printing Office]


<DOC>
[DOCID: f:publ305.107]


[[Page 116 STAT. 2367]]

Public Law 107-305
107th Congress

                                 An Act


 
  To authorize funding for computer and network security research and 
      development and research fellowship programs, and for other 
            purposes. <<NOTE: Nov. 27, 2002 -  [H.R. 3394]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress <<NOTE: Cyber Security Research and 
Development Act.>> assembled,

SECTION 1. <<NOTE: Communications and tele- communications.>> SHORT 
            TITLE.

    This Act may be cited as the ``Cyber Security Research and 
Development Act''.

SEC. 2. FINDINGS.

    The Congress finds the following:
            (1) Revolutionary advancements in computing and 
        communications technology have interconnected government, 
        commercial, scientific, and educational infrastructures--
        including critical infrastructures for electric power, natural 
        gas and petroleum production and distribution, 
        telecommunications, transportation, water supply, banking and 
        finance, and emergency and government services--in a vast, 
        interdependent physical and electronic network.
            (2) Exponential increases in interconnectivity have 
        facilitated enhanced communications, economic growth, and the 
        delivery of services critical to the public welfare, but have 
        also increased the consequences of temporary or prolonged 
        failure.
            (3) A Department of Defense Joint Task Force concluded after 
        a 1997 United States information warfare exercise that the 
        results ``clearly demonstrated our lack of preparation for a 
        coordinated cyber and physical attack on our critical military 
        and civilian infrastructure''.
            (4) Computer security technology and systems implementation 
        lack--
                    (A) sufficient long term research funding;
                    (B) adequate coordination across Federal and State 
                government agencies and among government, academia, and 
                industry; and
                    (C) sufficient numbers of outstanding researchers in 
                the field.
            (5) Accordingly, Federal investment in computer and network 
        security research and development must be significantly 
        increased to--
                    (A) improve vulnerability assessment and 
                technological and systems solutions;

[[Page 116 STAT. 2368]]

                    (B) expand and improve the pool of information 
                security professionals, including researchers, in the 
                United States workforce; and
                    (C) better coordinate information sharing and 
                collaboration among industry, government, and academic 
                research projects.
            (6) While African-Americans, Hispanics, and Native Americans 
        constitute 25 percent of the total United States workforce and 
        30 percent of the college-age population, members of these 
        minorities comprise less than 7 percent of the United States 
        computer and information science workforce.

SEC. 3. <<NOTE: 15 USC 7402.>> DEFINITIONS.

    In this Act:
            (1) Director.--The term ``Director'' means the Director of 
        the National Science Foundation.
            (2) Institution of higher education.--The term ``institution 
        of higher education'' has the meaning given that term in section 
        101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)).

SEC. 4. <<NOTE: 15 USC 7403.>> NATIONAL SCIENCE FOUNDATION RESEARCH.

    (a) Computer and Network Security Research Grants.--
            (1) In general.--The Director shall award grants for basic 
        research on innovative approaches to the structure of computer 
        and network hardware and software that are aimed at enhancing 
        computer security. Research areas may include--
                    (A) authentication, cryptography, and other secure 
                data communications technology;
                    (B) computer forensics and intrusion detection;
                    (C) reliability of computer and network 
                applications, middleware, operating systems, control 
                systems, and communications infrastructure;
                    (D) privacy and confidentiality;
                    (E) network security architecture, including tools 
                for security administration and analysis;
                    (F) emerging threats;
                    (G) vulnerability assessments and techniques for 
                quantifying risk;
                    (H) remote access and wireless security; and
                    (I) enhancement of law enforcement ability to 
                detect, investigate, and prosecute cyber-crimes, 
                including those that involve piracy of intellectual 
                property.
            (2) Merit review; competition.--Grants shall be awarded 
        under this section on a merit-reviewed competitive basis.
            (3) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $35,000,000 for fiscal year 2003;
                    (B) $40,000,000 for fiscal year 2004;
                    (C) $46,000,000 for fiscal year 2005;
                    (D) $52,000,000 for fiscal year 2006; and
                    (E) $60,000,000 for fiscal year 2007.

    (b) Computer and Network Security Research Centers.--
            (1) In general.--The Director shall award multiyear grants, 
        subject to the availability of appropriations, to institutions 
        of higher education, nonprofit research institutions, or

[[Page 116 STAT. 2369]]

        consortia thereof to establish multidisciplinary Centers for 
        Computer and Network Security Research. Institutions of higher 
        education, nonprofit research institutions, or consortia thereof 
        receiving such grants may partner with 1 or more government 
        laboratories or for-profit institutions, or other institutions 
        of higher education or nonprofit research institutions.
            (2) Merit review; competition.--Grants shall be awarded 
        under this subsection on a merit-reviewed competitive basis.
            (3) Purpose.--The purpose of the Centers shall be to 
        generate innovative approaches to computer and network security 
        by conducting cutting-edge, multidisciplinary research in 
        computer and network security, including the research areas 
        described in subsection (a)(1).
            (4) Applications.--An institution of higher education, 
        nonprofit research institution, or consortia thereof seeking 
        funding under this subsection shall submit an application to the 
        Director at such time, in such manner, and containing such 
        information as the Director may require. The application shall 
        include, at a minimum, a description of--
                    (A) the research projects that will be undertaken by 
                the Center and the contributions of each of the 
                participating entities;
                    (B) how the Center will promote active collaboration 
                among scientists and engineers from different 
                disciplines, such as computer scientists, engineers, 
                mathematicians, and social science researchers;
                    (C) how the Center will contribute to increasing the 
                number and quality of computer and network security 
                researchers and other professionals, including 
                individuals from groups historically underrepresented in 
                these fields; and
                    (D) how the center will disseminate research results 
                quickly and widely to improve cyber security in 
                information technology networks, products, and services.
            (5) Criteria.--In evaluating the applications submitted 
        under paragraph (4), the Director shall consider, at a minimum--
                    (A) the ability of the applicant to generate 
                innovative approaches to computer and network security 
                and effectively carry out the research program;
                    (B) the experience of the applicant in conducting 
                research on computer and network security and the 
                capacity of the applicant to foster new 
                multidisciplinary collaborations;
                    (C) the capacity of the applicant to attract and 
                provide adequate support for a diverse group of 
                undergraduate and graduate students and postdoctoral 
                fellows to pursue computer and network security 
                research; and
                    (D) the extent to which the applicant will partner 
                with government laboratories, for-profit entities, other 
                institutions of higher education, or nonprofit research 
                institutions, and the role the partners will play in the 
                research undertaken by the Center.
            (6) Annual meeting.--The Director shall convene an annual 
        meeting of the Centers in order to foster collaboration and 
        communication between Center participants.

[[Page 116 STAT. 2370]]

            (7) Authorization of appropriations.--There are authorized 
        to be appropriated for the National Science Foundation to carry 
        out this subsection--
                    (A) $12,000,000 for fiscal year 2003;
                    (B) $24,000,000 for fiscal year 2004;
                    (C) $36,000,000 for fiscal year 2005;
                    (D) $36,000,000 for fiscal year 2006; and
                    (E) $36,000,000 for fiscal year 2007.

SEC. 5. <<NOTE: 15 USC 7404.>> NATIONAL SCIENCE FOUNDATION COMPUTER AND 
            NETWORK SECURITY PROGRAMS.

    (a) Computer and Network Security Capacity Building Grants.--
            (1) In general.--The Director shall establish a program to 
        award grants to institutions of higher education (or consortia 
        thereof) to establish or improve undergraduate and master's 
        degree programs in computer and network security, to increase 
        the number of students, including the number of students from 
        groups historically underrepresented in these fields, who pursue 
        undergraduate or master's degrees in fields related to computer 
        and network security, and to provide students with experience in 
        government or industry related to their computer and network 
        security studies.
            (2) Merit review.--Grants shall be awarded under this 
        subsection on a merit-reviewed competitive basis.
            (3) Use of funds.--Grants awarded under this subsection 
        shall be used for activities that enhance the ability of an 
        institution of higher education (or consortium thereof) to 
        provide high-quality undergraduate and master's degree programs 
        in computer and network security and to recruit and retain 
        increased numbers of students to such programs. Activities may 
        include--
                    (A) revising curriculum to better prepare 
                undergraduate and master's degree students for careers 
                in computer and network security;
                    (B) establishing degree and certificate programs in 
                computer and network security;
                    (C) creating opportunities for undergraduate 
                students to participate in computer and network security 
                research projects;
                    (D) acquiring equipment necessary for student 
                instruction in computer and network security, including 
                the installation of testbed networks for student use;
                    (E) providing opportunities for faculty to work with 
                local or Federal Government agencies, private industry, 
                nonprofit research institutions, or other academic 
                institutions to develop new expertise or to formulate 
                new research directions in computer and network 
                security;
                    (F) establishing collaborations with other academic 
                institutions or academic departments that seek to 
                establish, expand, or enhance programs in computer and 
                network security;
                    (G) establishing student internships in computer and 
                network security at government agencies or in private 
                industry;
                    (H) establishing collaborations with other academic 
                institutions to establish or enhance a web-based 
                collection

[[Page 116 STAT. 2371]]

                of computer and network security courseware and 
                laboratory exercises for sharing with other institutions 
                of higher education, including community colleges;
                    (I) establishing or enhancing bridge programs in 
                computer and network security between community colleges 
                and universities; and
                    (J) any other activities the Director determines 
                will accomplish the goals of this subsection.
            (4) Selection process.--
                    (A) Application.--An institution of higher education 
                (or a consortium thereof) seeking funding under this 
                subsection shall submit an application to the Director 
                at such time, in such manner, and containing such 
                information as the Director may require. The application 
                shall include, at a minimum--
                          (i) a description of the applicant's computer 
                      and network security research and instructional 
                      capacity, and in the case of an application from a 
                      consortium of institutions of higher education, a 
                      description of the role that each member will play 
                      in implementing the proposal;
                          (ii) a comprehensive plan by which the 
                      institution or consortium will build instructional 
                      capacity in computer and information security;
                          (iii) a description of relevant collaborations 
                      with government agencies or private industry that 
                      inform the instructional program in computer and 
                      network security;
                          (iv) a survey of the applicant's historic 
                      student enrollment and placement data in fields 
                      related to computer and network security and a 
                      study of potential enrollment and placement for 
                      students enrolled in the proposed computer and 
                      network security program; and
                          (v) a plan to evaluate the success of the 
                      proposed computer and network security program, 
                      including post-graduation assessment of graduate 
                      school and job placement and retention rates as 
                      well as the relevance of the instructional program 
                      to graduate study and to the workplace.
                    (B) Awards.--(i) The Director shall ensure, to the 
                extent practicable, that grants are awarded under this 
                subsection in a wide range of geographic areas and 
                categories of institutions of higher education, 
                including minority serving institutions.
                    (ii) The Director shall award grants under this 
                subsection for a period not to exceed 5 years.
            (5) Assessment <<NOTE: Deadline.>> required.--The Director 
        shall evaluate the program established under this subsection no 
        later than 6 years after the establishment of the program. At a 
        minimum, the Director shall evaluate the extent to which the 
        program achieved its objectives of increasing the quality and 
        quantity of students, including students from groups 
        historically underrepresented in computer and network security 
        related disciplines, pursuing undergraduate or master's degrees 
        in computer and network security.

[[Page 116 STAT. 2372]]

            (6) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $15,000,000 for fiscal year 2003;
                    (B) $20,000,000 for fiscal year 2004;
                    (C) $20,000,000 for fiscal year 2005;
                    (D) $20,000,000 for fiscal year 2006; and
                    (E) $20,000,000 for fiscal year 2007.

    (b) Scientific and Advanced Technology Act of 1992.--
            (1) Grants.--The Director shall provide grants under the 
        Scientific and Advanced Technology Act of 1992 (42 U.S.C. 1862i) 
        for the purposes of section 3(a) and (b) of that Act, except 
        that the activities supported pursuant to this subsection shall 
        be limited to improving education in fields related to computer 
        and network security.
            (2) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $1,000,000 for fiscal year 2003;
                    (B) $1,250,000 for fiscal year 2004;
                    (C) $1,250,000 for fiscal year 2005;
                    (D) $1,250,000 for fiscal year 2006; and
                    (E) $1,250,000 for fiscal year 2007.

    (c) Graduate Traineeships in Computer and Network Security 
Research.--
            (1) In general.--The Director shall establish a program to 
        award grants to institutions of higher education to establish 
        traineeship programs for graduate students who pursue computer 
        and network security research leading to a doctorate degree by 
        providing funding and other assistance, and by providing 
        graduate students with research experience in government or 
        industry related to the students' computer and network security 
        studies.
            (2) Merit review.--Grants shall be provided under this 
        subsection on a merit-reviewed competitive basis.
            (3) Use of funds.--An institution of higher education shall 
        use grant funds for the purposes of--
                    (A) providing traineeships to students who are 
                citizens, nationals, or lawfully admitted permanent 
                resident aliens of the United States and are pursuing 
                research in computer or network security leading to a 
                doctorate degree;
                    (B) paying tuition and fees for students receiving 
                traineeships under subparagraph (A);
                    (C) establishing scientific internship programs for 
                students receiving traineeships under subparagraph (A) 
                in computer and network security at for-profit 
                institutions, nonprofit research institutions, or 
                government laboratories; and
                    (D) other costs associated with the administration 
                of the program.
            (4) Traineeship amount.--Traineeships provided under 
        paragraph (3)(A) shall be in the amount of $25,000 per year, or 
        the level of the National Science Foundation Graduate Research 
        Fellowships, whichever is greater, for up to 3 years.

[[Page 116 STAT. 2373]]

            (5) Selection process.--An institution of higher education 
        seeking funding under this subsection shall submit an 
        application to the Director at such time, in such manner, and 
        containing such information as the Director may require. The 
        application shall include, at a minimum, a description of--
                    (A) the instructional program and research 
                opportunities in computer and network security available 
                to graduate students at the applicant's institution; and
                    (B) the internship program to be established, 
                including the opportunities that will be made available 
                to students for internships at for-profit institutions, 
                nonprofit research institutions, and government 
                laboratories.
            (6) Review of applications.--In evaluating the applications 
        submitted under paragraph (5), the Director shall consider--
                    (A) the ability of the applicant to effectively 
                carry out the proposed program;
                    (B) the quality of the applicant's existing research 
                and education programs;
                    (C) the likelihood that the program will recruit 
                increased numbers of students, including students from 
                groups historically underrepresented in computer and 
                network security related disciplines, to pursue and earn 
                doctorate degrees in computer and network security;
                    (D) the nature and quality of the internship program 
                established through collaborations with government 
                laboratories, nonprofit research institutions, and for-
                profit institutions;
                    (E) the integration of internship opportunities into 
                graduate students' research; and
                    (F) the relevance of the proposed program to current 
                and future computer and network security needs.
            (7) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $10,000,000 for fiscal year 2003;
                    (B) $20,000,000 for fiscal year 2004;
                    (C) $20,000,000 for fiscal year 2005;
                    (D) $20,000,000 for fiscal year 2006; and
                    (E) $20,000,000 for fiscal year 2007.

    (d) Graduate Research Fellowships Program Support.--Computer and 
network security shall be included among the fields of specialization 
supported by the National Science Foundation's Graduate Research 
Fellowships program under section 10 of the National Science Foundation 
Act of 1950 (42 U.S.C. 1869).
    (e) Cyber Security Faculty Development Traineeship Program.--
            (1) In general.--The Director shall establish a program to 
        award grants to institutions of higher education to establish 
        traineeship programs to enable graduate students to pursue 
        academic careers in cyber security upon completion of doctoral 
        degrees.
            (2) Merit review; competition.--Grants shall be awarded 
        under this section on a merit-reviewed competitive basis.
            (3) Application.--Each institution of higher education 
        desiring to receive a grant under this subsection shall submit

[[Page 116 STAT. 2374]]

        an application to the Director at such time, in such manner, and 
        containing such information as the Director shall require.
            (4) Use of funds.--Funds received by an institution of 
        higher education under this paragraph shall--
                    (A) be made available to individuals on a merit-
                reviewed competitive basis and in accordance with the 
                requirements established in paragraph (7);
                    (B) be in an amount that is sufficient to cover 
                annual tuition and fees for doctoral study at an 
                institution of higher education for the duration of the 
                graduate traineeship, and shall include, in addition, an 
                annual living stipend of $25,000; and
                    (C) be provided to individuals for a duration of no 
                more than 5 years, the specific duration of each 
                graduate traineeship to be determined by the institution 
                of higher education, on a case-by-case basis.
            (5) Repayment.--Each graduate traineeship shall--
                    (A) subject to paragraph (5)(B), be subject to full 
                repayment upon completion of the doctoral degree 
                according to a repayment schedule established and 
                administered by the institution of higher education;
                    (B) be forgiven at the rate of 20 percent of the 
                total amount of the graduate traineeship assistance 
                received under this section for each academic year that 
                a recipient is employed as a full-time faculty member at 
                an institution of higher education for a period not to 
                exceed 5 years; and
                    (C) be monitored by the institution of higher 
                education receiving a grant under this subsection to 
                ensure compliance with this subsection.
            (6) Exceptions.--The Director may provide for the partial or 
        total waiver or suspension of any service obligation or payment 
        by an individual under this section whenever compliance by the 
        individual is impossible or would involve extreme hardship to 
        the individual, or if enforcement of such obligation with 
        respect to the individual would be unconscionable.
            (7) Eligibility.--To be eligible to receive a graduate 
        traineeship under this section, an individual shall--
                    (A) be a citizen, national, or lawfully admitted 
                permanent resident alien of the United States; and
                    (B) demonstrate a commitment to a career in higher 
                education.
            (8) Consideration.--In making selections for graduate 
        traineeships under this paragraph, an institution receiving a 
        grant under this subsection shall consider, to the extent 
        possible, a diverse pool of applicants whose interests are of an 
        interdisciplinary nature, encompassing the social scientific as 
        well as the technical dimensions of cyber security.
            (9) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this paragraph $5,000,000 for each of fiscal years 2003 
        through 2007.

SEC. 6. <<NOTE: 15 USC 7405.>> CONSULTATION.

    In carrying out sections 4 and 5, the Director shall consult with 
other Federal agencies.

[[Page 116 STAT. 2375]]

SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND NETWORK 
            SECURITY.

    Section 3(a) of the National Science Foundation Act of 1950 (42 
U.S.C. 1862(a)) is amended--
            (1) by striking ``and'' at the end of paragraph (6);
            (2) by striking ``Congress.'' in paragraph (7) and inserting 
        ``Congress ; and''; and
            (3) by adding at the end the following:
            ``(8) to take a leading role in fostering and supporting 
        research and education activities to improve the security of 
        networked information systems.''.

SEC. 8. <<NOTE: 15 USC 7406.>> NATIONAL INSTITUTE OF STANDARDS AND 
            TECHNOLOGY PROGRAMS.

    (a) Research Program.--The National Institute of Standards and 
Technology Act (15 U.S.C. 271 et seq.) is amended--
            (1) <<NOTE: 15 USC 278h, 278q.>> by moving section 22 to the 
        end of the Act and redesignating it as section 32; and
            (2) by inserting after section 21 the following new section:

   ``sec. 22. research <<NOTE: 15 usc 278h.>> program on security of 
computer systems

    ``(a) Establishment.--The Director shall establish a program of 
assistance to institutions of higher education that enter into 
partnerships with for-profit entities to support research to improve the 
security of computer systems. The partnerships may also include 
government laboratories and nonprofit research institutions. The program 
shall--
            ``(1) include multidisciplinary, long-term research;
            ``(2) include research directed toward addressing needs 
        identified through the activities of the Computer System 
        Security and Privacy Advisory Board under section 20(f); and
            ``(3) promote the development of a robust research community 
        working at the leading edge of knowledge in subject areas 
        relevant to the security of computer systems by providing 
        support for graduate students, post-doctoral researchers, and 
        senior researchers.

    ``(b) Fellowships.--
            ``(1) Post-doctoral research fellowships.--The Director is 
        authorized to establish a program to award post-doctoral 
        research fellowships to individuals who are citizens, nationals, 
        or lawfully admitted permanent resident aliens of the United 
        States and are seeking research positions at institutions, 
        including the Institute, engaged in research activities related 
        to the security of computer systems, including the research 
        areas described in section 4(a)(1) of the Cyber Security 
        Research and Development Act.
            ``(2) Senior research fellowships.--The Director is 
        authorized to establish a program to award senior research 
        fellowships to individuals seeking research positions at 
        institutions, including the Institute, engaged in research 
        activities related to the security of computer systems, 
        including the research areas described in section 4(a)(1) of the 
        Cyber Security Research and Development Act. Senior research 
        fellowships shall be made available for established researchers 
        at institutions of higher education who seek to change research 
        fields and pursue studies related to the security of computer 
        systems.
            ``(3) Eligibility.--

[[Page 116 STAT. 2376]]

                    ``(A) In general.--To be eligible for an award under 
                this subsection, an individual shall submit an 
                application to the Director at such time, in such 
                manner, and containing such information as the Director 
                may require.
                    ``(B) Stipends.--Under this subsection, the Director 
                is authorized to provide stipends for post-doctoral 
                research fellowships at the level of the Institute's 
                Post Doctoral Research Fellowship Program and senior 
                research fellowships at levels consistent with support 
                for a faculty member in a sabbatical position.

    ``(c) Awards; Applications.--
            ``(1) In general.--The Director is authorized to award 
        grants or cooperative agreements to institutions of higher 
        education to carry out the program established under subsection 
        (a). No funds made available under this section shall be made 
        available directly to any for-profit partners.
            ``(2) Eligibility.--To be eligible for an award under this 
        section, an institution of higher education shall submit an 
        application to the Director at such time, in such manner, and 
        containing such information as the Director may require. The 
        application shall include, at a minimum, a description of--
                    ``(A) the number of graduate students anticipated to 
                participate in the research project and the level of 
                support to be provided to each;
                    ``(B) the number of post-doctoral research positions 
                included under the research project and the level of 
                support to be provided to each;
                    ``(C) the number of individuals, if any, intending 
                to change research fields and pursue studies related to 
                the security of computer systems to be included under 
                the research project and the level of support to be 
                provided to each; and
                    ``(D) how the for-profit entities, nonprofit 
                research institutions, and any other partners will 
                participate in developing and carrying out the research 
                and education agenda of the partnership.

    ``(d) Program Operation.--
            ``(1) Management.--The program established under subsection 
        (a) shall be managed by individuals who shall have both 
        expertise in research related to the security of computer 
        systems and knowledge of the vulnerabilities of existing 
        computer systems. The Director shall designate such individuals 
        as program managers.
            ``(2) Managers may be employees.--Program managers 
        designated under paragraph (1) may be new or existing employees 
        of the Institute or individuals on assignment at the Institute 
        under the Intergovernmental Personnel Act of 1970, except that 
        individuals on assignment at the Institute under the 
        Intergovernmental Personnel Act of 1970 shall not directly 
        manage such employees.
            ``(3) Manager responsibility.--Program managers designated 
        under paragraph (1) shall be responsible for--
                    ``(A) establishing and publicizing the broad 
                research goals for the program;
                    ``(B) soliciting applications for specific research 
                projects to address the goals developed under 
                subparagraph (A);

[[Page 116 STAT. 2377]]

                    ``(C) selecting research projects for support under 
                the program from among applications submitted to the 
                Institute, following consideration of--
                          ``(i) the novelty and scientific and technical 
                      merit of the proposed projects;
                          ``(ii) the demonstrated capabilities of the 
                      individual or individuals submitting the 
                      applications to successfully carry out the 
                      proposed research;
                          ``(iii) the impact the proposed projects will 
                      have on increasing the number of computer security 
                      researchers;
                          ``(iv) the nature of the participation by for-
                      profit entities and the extent to which the 
                      proposed projects address the concerns of 
                      industry; and
                          ``(v) other criteria determined by the 
                      Director, based on information specified for 
                      inclusion in applications under subsection (c); 
                      and
                    ``(D) monitoring the progress of research projects 
                supported under the program.
            ``(4) Reports.--The Director shall report to the Senate 
        Committee on Commerce, Science, and Transportation and the House 
        of Representatives Committee on Science annually on the use and 
        responsibility of individuals on assignment at the Institute 
        under the Intergovernmental Personnel Act of 1970 who are 
        performing duties under subsection (d).

    ``(e) Review of Program.--
            ``(1) Periodic review.--The Director shall periodically 
        review the portfolio of research awards monitored by each 
        program manager designated in accordance with subsection (d). In 
        conducting those reviews, the Director shall seek the advice of 
        the Computer System Security and Privacy Advisory Board, 
        established under section 21, on the appropriateness of the 
        research goals and on the quality and utility of research 
        projects managed by program managers in accordance with 
        subsection (d).
            ``(2) Comprehensive 5-year review.--The Director shall also 
        contract with the National Research Council for a comprehensive 
        review of the program established under subsection (a) during 
        the 5th year of the program. Such review shall include an 
        assessment of the scientific quality of the research conducted, 
        the relevance of the research results obtained to the goals of 
        the program established under subsection (d)(3)(A), and the 
        progress of the program in promoting the development of a 
        substantial academic research community working at the leading 
        edge of knowledge in the field. <<NOTE: Reports. Deadline.>> The 
        Director shall submit to Congress a report on the results of the 
        review under this paragraph no later than 6 years after the 
        initiation of the program.

    ``(f) Definitions.--In this section:
            ``(1) Computer system.--The term `computer system' has the 
        meaning given that term in section 20(d)(1).
            ``(2) Institution of higher education.--The term 
        `institution of higher education' has the meaning given that 
        term in section 101(a) of the Higher Education Act of 1965 (20 
        U.S.C. 1001(a)).''.

[[Page 116 STAT. 2378]]

    (b) Amendment of Computer system Definition.--Section 20(d)(1)(B)(i) 
of National Institute of Standards and Technology Act (15 U.S.C. 278g-
3(d)(1)(B)(i)) is amended to read as follows:
                          ``(i) computers and computer networks;''.

    (c) Checklists for Government Systems.--
            (1) In general.--The Director of the National Institute of 
        Standards and Technology shall develop, and revise as necessary, 
        a checklist setting forth settings and option selections that 
        minimize the security risks associated with each computer 
        hardware or software system that is, or is likely to become, 
        widely used within the Federal Government.
            (2) Priorities for development; excluded systems.--The 
        Director of the National Institute of Standards and Technology 
        may establish priorities for the development of checklists under 
        this paragraph on the basis of the security risks associated 
        with the use of the system, the number of agencies that use a 
        particular system, the usefulness of the checklist to Federal 
        agencies that are users or potential users of the system, or 
        such other factors as the Director determines to be appropriate. 
        The Director of the National Institute of Standards and 
        Technology may exclude from the application of paragraph (1) any 
        computer hardware or software system for which the Director of 
        the National Institute of Standards and Technology determines 
        that the development of a checklist is inappropriate because of 
        the infrequency of use of the system, the obsolescence of the 
        system, or the inutility or impracticability of developing a 
        checklist for the system.
            (3) Dissemination of checklists.--The Director of the 
        National Institute of Standards and Technology shall make any 
        checklist developed under this paragraph for any computer 
        hardware or software system available to each Federal agency 
        that is a user or potential user of the system.
            (4) Agency use requirements.--The development of a checklist 
        under paragraph (1) for a computer hardware or software system 
        does not--
                    (A) require any Federal agency to select the 
                specific settings or options recommended by the 
                checklist for the system;
                    (B) establish conditions or prerequisites for 
                Federal agency procurement or deployment of any such 
                system;
                    (C) represent an endorsement of any such system by 
                the Director of the National Institute of Standards and 
                Technology; nor
                    (D) preclude any Federal agency from procuring or 
                deploying other computer hardware or software systems 
                for which no such checklist has been developed.

    (d) Federal Agency Information Security Programs.--
            (1) In general.--In developing the agencywide information 
        security program required by section 3534(b) of title 44, United 
        States Code, an agency that deploys a computer hardware or 
        software system for which the Director of the National Institute 
        of Standards and Technology has developed a checklist under 
        subsection (c) of this section--
                    (A) shall include in that program an explanation of 
                how the agency has considered such checklist in 
                deploying that system; and

[[Page 116 STAT. 2379]]

                    (B) may treat the explanation as if it were a 
                portion of the agency's annual performance plan properly 
                classified under criteria established by an Executive 
                Order (within the meaning of section 1115(d) of title 
                31, United States Code).
            (2) Limitation.--Paragraph (1) does not apply to any 
        computer hardware or software system for which the National 
        Institute of Standards and Technology does not have 
        responsibility under section 20(a)(3) of the National Institute 
        of Standards and Technology Act (15 U.S.C.278g-3(a)(3)).

SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3) is amended by adding at the end the following new 
subsection:
    ``(e) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary $1,060,000 for fiscal year 2003 and 
$1,090,000 for fiscal year 2004 to enable the Computer System Security 
and Privacy Advisory Board, established by section 21, to identify 
emerging issues, including research needs, related to computer security, 
privacy, and cryptography and, as appropriate, to convene public 
meetings on those subjects, receive presentations, and publish reports, 
digests, and summaries for public distribution on those subjects.''.

SEC. 10. INTRAMURAL SECURITY RESEARCH.

    Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3), as amended by this Act, is further amended by 
redesignating subsection (e) as subsection (f), and by inserting after 
subsection (d) the following:
    ``(e) Intramural Security Research.--As part of the research 
activities conducted in accordance with subsection (b)(4), the Institute 
shall--
            ``(1) conduct a research program to address emerging 
        technologies associated with assembling a networked computer 
        system from components while ensuring it maintains desired 
        security properties;
            ``(2) carry out research associated with improving the 
        security of real-time computing and communications systems for 
        use in process control; and
            ``(3) carry out multidisciplinary, long-term, high-risk 
        research on ways to improve the security of computer systems.''.

SEC. 11. <<NOTE: 15 USC 7407.>> AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to the Secretary of Commerce 
for the National Institute of Standards and Technology--
            (1) for activities under section 22 of the National 
        Institute of Standards and Technology Act, as added by section 8 
        of this Act--
                    (A) $25,000,000 for fiscal year 2003;
                    (B) $40,000,000 for fiscal year 2004;
                    (C) $55,000,000 for fiscal year 2005;
                    (D) $70,000,000 for fiscal year 2006;
                    (E) $85,000,000 for fiscal year 2007; and
            (2) for activities under section 20(f) of the National 
        Institute of Standards and Technology Act, as added by section 
        10 of this Act--

[[Page 116 STAT. 2380]]

                    (A) $6,000,000 for fiscal year 2003;
                    (B) $6,200,000 for fiscal year 2004;
                    (C) $6,400,000 for fiscal year 2005;
                    (D) $6,600,000 for fiscal year 2006; and
                    (E) $6,800,000 for fiscal year 2007.

SEC. 12. <<NOTE: 15 USC 7408.>> NATIONAL ACADEMY OF SCIENCES STUDY ON 
            COMPUTER AND NETWORK SECURITY IN CRITICAL INFRASTRUCTURES.

    (a) Study.--Not <<NOTE: Deadline. Contracts.>> later than 3 months 
after the date of the enactment of this Act, the Director of the 
National Institute of Standards and Technology shall enter into an 
arrangement with the National Research Council of the National Academy 
of Sciences to conduct a study of the vulnerabilities of the Nation's 
network infrastructure and make recommendations for appropriate 
improvements. The National Research Council shall--
            (1) review existing studies and associated data on the 
        architectural, hardware, and software vulnerabilities and 
        interdependencies in United States critical infrastructure 
        networks;
            (2) identify and assess gaps in technical capability for 
        robust critical infrastructure network security and make 
        recommendations for research priorities and resource 
        requirements; and
            (3) review any and all other essential elements of computer 
        and network security, including security of industrial process 
        controls, to be determined in the conduct of the study.

    (b) Report.--The <<NOTE: Deadline.>> Director of the National 
Institute of Standards and Technology shall transmit a report containing 
the results of the study and recommendations required by subsection (a) 
to the Senate Committee on Commerce, Science, and Transportation and the 
House of Representatives Committee on Science not later than 21 months 
after the date of enactment of this Act.

    (c) Security.--The Director of the National Institute of Standards 
and Technology shall ensure that no information that is classified is 
included in any publicly released version of the report required by this 
section.
    (d) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Commerce for the National Institute of 
Standards and Technology for the purposes of carrying out this section, 
$700,000.

SEC. 13. <<NOTE: 15 USC 7409.>> COORDINATION OF FEDERAL CYBER SECURITY 
            RESEARCH AND DEVELOPMENT

    The Director of the National Science Foundation and the Director of 
the National Institute of Standards and Technology shall coordinate the 
research programs authorized by this Act or pursuant to amendments made 
by this Act. The Director of the Office of Science and Technology Policy 
shall work with the Director of the National Science Foundation and the 
Director of the National Institute of Standards and Technology to ensure 
that programs authorized by this Act or pursuant to amendments made by 
this Act are taken into account in any government-wide cyber security 
research effort.

SEC. 14. OFFICE OF SPACE COMMERCIALIZATION.

    Section 8(a) of the Technology Administration Act of 1998 (15 U.S.C. 
1511e(a)) is amended by inserting ``the Technology Administration of'' 
after ``within''.

[[Page 116 STAT. 2381]]

SEC. 15. <<NOTE: 15 USC 7301.>> TECHNICAL CORRECTION OF NATIONAL 
            CONSTRUCTION SAFETY TEAM ACT.

    Section 2(c)(1)(d) of the National Construction Safety Team Act is 
amended by striking ``section 8;'' and inserting ``section 7;''.

SEC. 16. <<NOTE: 15 USC 7410.>> GRANT ELIGIBILITY REQUIREMENTS AND 
            COMPLIANCE WITH IMMIGRATION LAWS.

    (a) Immigration Status.--No grant or fellowship may be awarded under 
this Act, directly or indirectly, to any individual who is in violation 
of the terms of his or her status as a nonimmigrant under section 
101(a)(15)(F), (M), or (J) of the Immigration and Nationality Act (8 
U.S.C. 1101(a)(15)(F), (M), or (J)).
    (b) Aliens from Certain Countries.--No grant or fellowship may be 
awarded under this Act, directly or indirectly, to any alien from a 
country that is a state sponsor of international terrorism, as defined 
under section 306(b) of the Enhanced Border Security and VISA Entry 
Reform Act (8 U.S.C. 1735(b)), unless the Secretary of State determines, 
in consultation with the Attorney General and the heads of other 
appropriate agencies, that such alien does not pose a threat to the 
safety or national security of the United States.
    (c) Non-complying Institutions.--No grant or fellowship may be 
awarded under this Act, directly or indirectly, to any institution of 
higher education or non-profit institution (or consortia thereof) that 
has--
            (1) materially failed to comply with the recordkeeping and 
        reporting requirements to receive nonimmigrant students or 
        exchange visitor program participants under section 
        101(a)(15)(F), (M), or (J) of the Immigration and Nationality 
        Act (8 U.S.C. 1101(a)(15)(F), (M), or (J)), or section 641 of 
        the Illegal Immigration Reform and Responsibility Act of 1996 (8 
        U.S.C. 1372), as required by section 502 of the Enhanced Border 
        Security and VISA Entry Reform Act (8 U.S.C. 1762); or
            (2) been suspended or terminated pursuant to section 502(c) 
        of the Enhanced Border Security and VISA Entry Reform Act (8 
        U.S.C 1762(c)).

SEC. 17. <<NOTE: 15 USC 7411.>> REPORT ON GRANT AND FELLOWSHIP PROGRAMS.

    Within 24 months after the date of enactment of this Act, the 
Director, in consultation with the Assistant to the President for 
National Security Affairs, shall submit to Congress a report reviewing 
this Act to ensure that the programs and fellowships are being awarded 
under this Act to individuals and institutions of higher education who 
are in compliance with the Immigration

[[Page 116 STAT. 2382]]

and Nationality Act (8 U.S.C. 1101 et seq.) in order to protect our 
national security.

    Approved November 27, 2002.

LEGISLATIVE HISTORY--H.R. 3394 (S. 2182):
---------------------------------------------------------------------------

HOUSE REPORTS: No. 107-355, Pt. 1 (Comm. on Science).
SENATE REPORTS: No. 107-239 accompanyinig S. 2182 (Comm. on Commerce, 
Science, and Transportation).
CONGRESSIONAL RECORD, Vol. 148 (2002):
            Feb. 7, considered and passed House.
            Oct. 16, considered and passed Senate, amended, in lieu of 
                S. 2182.
            Nov. 12, House concurred in Senate amendment.

                                  <all>