Title 15, Chapter 100
Commerce and Trade — 22 active sections
Table of Contents (22 sections)
- § 7401 Findings
- § 7402 Definitions
- § 7403 National Science Foundation research
- § 7404 National Science Foundation computer and network security programs
- § 7405 Consultation
- § 7406 National Institute of Standards and Technology programs
- § 7407 Authorization of appropriations
- § 7408 National Academy of Sciences study on computer and network security in critical infrastructures
- § 7409 Coordination of Federal cyber security research and development
- § 7410 Grant eligibility requirements and compliance with immigration laws
- § 7411 Report on grant and fellowship programs
- § 7421 Definitions
- § 7422 No regulatory authority
- § 7423 No additional funds authorized
- § 7431 Federal cybersecurity research and development
- § 7441 Cybersecurity competitions and challenges
- § 7442 Federal Cyber Scholarship-for-Service Program
- § 7451 National cybersecurity awareness and education program
- § 7461 Definitions
- § 7462 International cybersecurity technical standards
- § 7463 Cloud computing strategy
- § 7464 Identity management research and development
§ 7401. Findings
The Congress finds the following:
- (1) Revolutionary advancements in computing and communications technology have interconnected government, commercial, scientific, and educational infrastructures—including critical infrastructures for electric power, natural gas and petroleum production and distribution, telecommunications, transportation, water supply, banking and finance, and emergency and government services—in a vast, interdependent physical and electronic network.
- (2) Exponential increases in interconnectivity have facilitated enhanced communications, economic growth, and the delivery of services critical to the public welfare, but have also increased the consequences of temporary or prolonged failure.
- (3) A Department of Defense Joint Task Force concluded after a 1997 United States information warfare exercise that the results “clearly demonstrated our lack of preparation for a coordinated cyber and physical attack on our critical military and civilian infrastructure”.
- (4) Computer security technology and systems implementation lack—
- (A) sufficient long term research funding;
- (B) adequate coordination across Federal and State government agencies and among government, academia, and industry; and
- (C) sufficient numbers of outstanding researchers in the field.
- (5) Accordingly, Federal investment in computer and network security research and development must be significantly increased to—
- (A) improve vulnerability assessment and technological and systems solutions;
- (B) expand and improve the pool of information security professionals, including researchers, in the United States workforce; and
- (C) better coordinate information sharing and collaboration among industry, government, and academic research projects.
- (6) While African-Americans, Hispanics, and Native Americans constitute 25 percent of the total United States workforce and 30 percent of the college-age population, members of these minorities comprise less than 7 percent of the United States computer and information science workforce.
§ 7402. Definitions
In this chapter:
- (1) The term “Director” means the Director of the National Science Foundation.
- (2) The term “institution of higher education” has the meaning given that term in section 1001(a) of title 20.
§ 7403. National Science Foundation research
- (a)
- (1) The Director shall award grants for basic research on innovative approaches to the structure of computer and network hardware and software that are aimed at enhancing computer security. Research areas may include—
- (A) authentication, cryptography, and other secure data communications technology;
- (B) computer forensics and intrusion detection;
- (C) reliability of computer and network applications, middleware, operating systems, control systems, and communications infrastructure;
- (D) privacy and confidentiality;
- (E) network security architecture, including tools for security administration and analysis;
- (F) emerging threats;
- (G) vulnerability assessments and techniques for quantifying risk;
- (H) remote access and wireless security;
- (I) enhancement of law enforcement ability to detect, investigate, and prosecute cyber-crimes, including those that involve piracy of intellectual property;
- (J) secure fundamental protocols that are integral to inter-network communications and data exchange;
- (K) secure software engineering and software assurance, including—
- (i) programming languages and systems that include fundamental security features;
- (ii) portable or reusable code that remains secure when deployed in various environments;
- (iii) verification and validation technologies to ensure that requirements and specifications have been implemented; and
- (iv) models for comparison and metrics to assure that required standards have been met;
- (L) holistic system security that—
- (i) addresses the building of secure systems from trusted and untrusted components;
- (ii) proactively reduces vulnerabilities;
- (iii) addresses insider threats; and
- (iv) supports privacy in conjunction with improved security;
- (M) monitoring and detection;
- (N) mitigation and rapid recovery methods;
- (O) security of wireless networks and mobile devices;
- (P) security of cloud infrastructure and services;
- (Q) security of election-dedicated voting system software and hardware; and
- (R) role of the human factor in cybersecurity and the interplay of computers and humans and the physical world.
- (2) Grants shall be awarded under this section on a merit-reviewed competitive basis.
- (3) There are authorized to be appropriated to the National Science Foundation to carry out this subsection—
- (A) $35,000,000 for fiscal year 2003;
- (B) $40,000,000 for fiscal year 2004;
- (C) $46,000,000 for fiscal year 2005;
- (D) $52,000,000 for fiscal year 2006; and
- (E) $60,000,000 for fiscal year 2007.
- (b)
- (1) The Director shall award multiyear grants, subject to the availability of appropriations, to institutions of higher education, nonprofit research institutions, or consortia thereof to establish multidisciplinary Centers for Computer and Network Security Research. Institutions of higher education, nonprofit research institutions, or consortia thereof receiving such grants may partner with 1 or more government laboratories or for-profit institutions, or other institutions of higher education or nonprofit research institutions.
- (2) Grants shall be awarded under this subsection on a merit-reviewed competitive basis.
- (3) The purpose of the Centers shall be to generate innovative approaches to computer and network security by conducting cutting-edge, multidisciplinary research in computer and network security, including improving the security and resiliency of information technology, reducing cyber vulnerabilities, and anticipating and mitigating consequences of cyber attacks on critical infrastructure, by conducting research in the areas described in subsection (a)(1).
- (4) An institution of higher education, nonprofit research institution, or consortia thereof seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of—
- (A) the research projects that will be undertaken by the Center and the contributions of each of the participating entities;
- (B) how the Center will promote active collaboration among scientists and engineers from different disciplines, such as computer scientists, engineers, mathematicians, and social science researchers;
- (C) how the Center will contribute to increasing the number and quality of computer and network security researchers and other professionals, including individuals from groups historically underrepresented in these fields; and
- (D) how the Center will disseminate research results quickly and widely to improve cyber security in information technology networks, products, and services.
- (5) In evaluating the applications submitted under paragraph (4), the Director shall consider, at a minimum—
- (A) the ability of the applicant to generate innovative approaches to computer and network security and effectively carry out the research program;
- (B) the experience of the applicant in conducting research on computer and network security and the capacity of the applicant to foster new multidisciplinary collaborations;
- (C) the capacity of the applicant to attract and provide adequate support for a diverse group of undergraduate and graduate students and postdoctoral fellows to pursue computer and network security research;
- (D) the extent to which the applicant will partner with government laboratories, for-profit entities, other institutions of higher education, or nonprofit research institutions, and the role the partners will play in the research undertaken by the Center;
- (E) the demonstrated capability of the applicant to conduct high performance computation integral to complex computer and network security research, through on-site or off-site computing;
- (F) the applicant’s affiliation with private sector entities involved with industrial research described in subsection (a)(1);
- (G) the capability of the applicant to conduct research in a secure environment;
- (H) the applicant’s affiliation with existing research programs of the Federal Government;
- (I) the applicant’s experience managing public-private partnerships to transition new technologies into a commercial setting or the government user community;
- (J) the capability of the applicant to conduct interdisciplinary cybersecurity research, basic and applied, such as in law, economics, or behavioral sciences; and
- (K) the capability of the applicant to conduct research in areas such as systems security, wireless security, networking and protocols, formal methods and networking and information technology, nanotechnology, or industrial control systems.
- (6) The Director shall convene an annual meeting of the Centers in order to foster collaboration and communication between Center participants.
- (7) There are authorized to be appropriated for the National Science Foundation to carry out this subsection—
- (A) $12,000,000 for fiscal year 2003;
- (B) $24,000,000 for fiscal year 2004;
- (C) $36,000,000 for fiscal year 2005;
- (D) $36,000,000 for fiscal year 2006; and
- (E) $36,000,000 for fiscal year 2007.
§ 7404. National Science Foundation computer and network security programs
- (a)
- (1) The Director shall establish a program to award grants to institutions of higher education (or consortia thereof) to establish or improve undergraduate and master’s degree programs in computer and network security, to increase the number of students, including the number of students from groups historically underrepresented in these fields and students who are veterans, who pursue undergraduate or master’s degrees in fields related to computer and network security, and to provide students with experience in government or industry related to their computer and network security studies.
- (2) Grants shall be awarded under this subsection on a merit-reviewed competitive basis.
- (3) Grants awarded under this subsection shall be used for activities that enhance the ability of an institution of higher education (or consortium thereof) to provide high-quality undergraduate and master’s degree programs in computer and network security and to recruit and retain increased numbers of students to such programs. Activities may include—
- (A) revising curriculum to better prepare undergraduate and master’s degree students for careers in computer and network security;
- (B) establishing degree and certificate programs in computer and network security;
- (C) creating opportunities for undergraduate students to participate in computer and network security research projects;
- (D) acquiring equipment necessary for student instruction in computer and network security, including the installation of testbed networks for student use;
- (E) providing opportunities for faculty to work with local or Federal Government agencies, private industry, nonprofit research institutions, or other academic institutions to develop new expertise or to formulate new research directions in computer and network security;
- (F) establishing collaborations with other academic institutions or academic departments that seek to establish, expand, or enhance programs in computer and network security;
- (G) establishing student internships in computer and network security at government agencies or in private industry;
- (H) establishing collaborations with other academic institutions to establish or enhance a web-based collection of computer and network security courseware and laboratory exercises for sharing with other institutions of higher education, including community colleges;
- (I) establishing or enhancing bridge programs in computer and network security between community colleges and universities;
- (J) creating opportunities for veterans to transition to careers in computer and network security; and
- (K) any other activities the Director determines will accomplish the goals of this subsection.
- (4)
- (A) An institution of higher education (or a consortium thereof) seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum—
- (i) a description of the applicant’s computer and network security research and instructional capacity, and in the case of an application from a consortium of institutions of higher education, a description of the role that each member will play in implementing the proposal;
- (ii) a comprehensive plan by which the institution or consortium will build instructional capacity in computer and information security;
- (iii) a description of relevant collaborations with government agencies or private industry that inform the instructional program in computer and network security;
- (iv) a survey of the applicant’s historic student enrollment and placement data in fields related to computer and network security and a study of potential enrollment and placement for students enrolled in the proposed computer and network security program; and
- (v) a plan to evaluate the success of the proposed computer and network security program, including post-graduation assessment of graduate school and job placement and retention rates as well as the relevance of the instructional program to graduate study and to the workplace.
- (B)
- (i) The Director shall ensure, to the extent practicable, that grants are awarded under this subsection in a wide range of geographic areas and categories of institutions of higher education, including minority serving institutions.
- (ii) The Director shall award grants under this subsection for a period not to exceed 5 years.
- (5) The Director shall evaluate the program established under this subsection no later than 6 years after the establishment of the program. At a minimum, the Director shall evaluate the extent to which the program achieved its objectives of increasing the quality and quantity of students, including students from groups historically underrepresented in computer and network security related disciplines, pursuing undergraduate or master’s degrees in computer and network security.
- (6) There are authorized to be appropriated to the National Science Foundation to carry out this subsection—
- (A) $15,000,000 for fiscal year 2003;
- (B) $20,000,000 for fiscal year 2004;
- (C) $20,000,000 for fiscal year 2005;
- (D) $20,000,000 for fiscal year 2006; and
- (E) $20,000,000 for fiscal year 2007.
- (b)
- (1) The Director shall provide grants under the Scientific and Advanced Technology Act of 1992 (42 U.S.C. 1862i) [42 U.S.C. 1862h et seq.] for the purposes of section 3(a) and (b) of that Act [42 U.S.C. 1862i(a), (b)], except that the activities supported pursuant to this subsection shall be limited to improving education in fields related to computer and network security.
- (2) There are authorized to be appropriated to the National Science Foundation to carry out this subsection—
- (A) $1,000,000 for fiscal year 2003;
- (B) $1,250,000 for fiscal year 2004;
- (C) $1,250,000 for fiscal year 2005;
- (D) $1,250,000 for fiscal year 2006; and
- (E) $1,250,000 for fiscal year 2007.
- (c)
- (1) The Director shall establish a program to award grants to institutions of higher education to establish traineeship programs for graduate students who pursue computer and network security research leading to a doctorate degree by providing funding and other assistance, and by providing graduate students with research experience in government or industry related to the students’ computer and network security studies.
- (2) Grants shall be provided under this subsection on a merit-reviewed competitive basis.
- (3) An institution of higher education shall use grant funds for the purposes of—
- (A) providing traineeships to students who are citizens, nationals, or lawfully admitted permanent resident aliens of the United States and are pursuing research in computer or network security leading to a doctorate degree;
- (B) paying tuition and fees for students receiving traineeships under subparagraph (A);
- (C) establishing scientific internship programs for students receiving traineeships under subparagraph (A) in computer and network security at for-profit institutions, nonprofit research institutions, or government laboratories; and
- (D) other costs associated with the administration of the program.
- (4) Traineeships provided under paragraph (3)(A) shall be in the amount of $25,000 per year, or the level of the National Science Foundation Graduate Research Fellowships, whichever is greater, for up to 3 years.
- (5) An institution of higher education seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of—
- (A) the instructional program and research opportunities in computer and network security available to graduate students at the applicant’s institution; and
- (B) the internship program to be established, including the opportunities that will be made available to students for internships at for-profit institutions, nonprofit research institutions, and government laboratories.
- (6) In evaluating the applications submitted under paragraph (5), the Director shall consider—
- (A) the ability of the applicant to effectively carry out the proposed program;
- (B) the quality of the applicant’s existing research and education programs;
- (C) the likelihood that the program will recruit increased numbers of students, including students from groups historically underrepresented in computer and network security related disciplines or veterans, to pursue and earn doctorate degrees in computer and network security;
- (D) the nature and quality of the internship program established through collaborations with government laboratories, nonprofit research institutions, and for-profit institutions;
- (E) the integration of internship opportunities into graduate students’ research; and
- (F) the relevance of the proposed program to current and future computer and network security needs.
- (7) There are authorized to be appropriated to the National Science Foundation to carry out this subsection—
- (A) $10,000,000 for fiscal year 2003;
- (B) $20,000,000 for fiscal year 2004;
- (C) $20,000,000 for fiscal year 2005;
- (D) $20,000,000 for fiscal year 2006; and
- (E) $20,000,000 for fiscal year 2007.
- (d) Computer and network security shall be included among the fields of specialization supported by the National Science Foundation’s Graduate Research Fellowships program under section 1869 of title 42.
- (e)
- (1) The Director shall establish a program to award grants to institutions of higher education to establish traineeship programs to enable graduate students to pursue academic careers in cyber security upon completion of doctoral degrees.
- (2) Grants shall be awarded under this section on a merit-reviewed competitive basis.
- (3) Each institution of higher education desiring to receive a grant under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director shall require.
- (4) Funds received by an institution of higher education under this paragraph shall—
- (A) be made available to individuals on a merit-reviewed competitive basis and in accordance with the requirements established in paragraph (7);
- (B) be in an amount that is sufficient to cover annual tuition and fees for doctoral study at an institution of higher education for the duration of the graduate traineeship, and shall include, in addition, an annual living stipend of $25,000; and
- (C) be provided to individuals for a duration of no more than 5 years, the specific duration of each graduate traineeship to be determined by the institution of higher education, on a case-by-case basis.
- (5) Each graduate traineeship shall—
- (A) subject to paragraph (5)(B), be subject to full repayment upon completion of the doctoral degree according to a repayment schedule established and administered by the institution of higher education;
- (B) be forgiven at the rate of 20 percent of the total amount of the graduate traineeship assistance received under this section for each academic year that a recipient is employed as a full-time faculty member at an institution of higher education for a period not to exceed 5 years; and
- (C) be monitored by the institution of higher education receiving a grant under this subsection to ensure compliance with this subsection.
- (6) The Director may provide for the partial or total waiver or suspension of any service obligation or payment by an individual under this section whenever compliance by the individual is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable.
- (7) To be eligible to receive a graduate traineeship under this section, an individual shall—
- (A) be a citizen, national, or lawfully admitted permanent resident alien of the United States; and
- (B) demonstrate a commitment to a career in higher education.
- (8) In making selections for graduate traineeships under this paragraph, an institution receiving a grant under this subsection shall consider, to the extent possible, a diverse pool of applicants whose interests are of an interdisciplinary nature, encompassing the social scientific as well as the technical dimensions of cyber security.
- (9) There are authorized to be appropriated to the National Science Foundation to carry out this paragraph $5,000,000 for each of fiscal years 2003 through 2007.
§ 7405. Consultation
In carrying out sections 7403 and 7404 of this title, the Director shall consult with other Federal agencies.
§ 7406. National Institute of Standards and Technology programs
- (a)
- (c)
- (1) The Director of the National Institute of Standards and Technology shall, as necessary, develop and revise security automation standards, associated reference materials (including protocols), and checklists providing settings and option selections that minimize the security risks associated with each information technology hardware or software system and security tool that is, or is likely to become, widely used within the Federal Government, thereby enabling standardized and interoperable technologies, architectures, and frameworks for continuous monitoring of information security within the Federal Government.
- (2) The Director of the National Institute of Standards and Technology shall establish priorities for the development of standards, reference materials, and checklists under this subsection on the basis of—
- (A) the security risks associated with the use of the system;
- (B) the number of agencies that use a particular system or security tool;
- (C) the usefulness of the standards, reference materials, or checklists to Federal agencies that are users or potential users of the system;
- (D) the effectiveness of the associated standard, reference material, or checklist in creating or enabling continuous monitoring of information security; or
- (E) such other factors as the Director of the National Institute of Standards and Technology determines to be appropriate.
- (3) The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any information technology hardware or software system or security tool for which such Director determines that the development of a standard, reference material, or checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the lack of utility or impracticability of developing a standard, reference material, or checklist for the system.
- (4) The Director of the National Institute of Standards and Technology shall ensure that Federal agencies are informed of the availability of any standard, reference material, checklist, or other item developed under this subsection.
- (5) The development of standards, reference materials, and checklists under paragraph (1) for an information technology hardware or software system or tool does not—
- (A) require any Federal agency to select the specific settings or options recommended by the standard, reference material, or checklist for the system;
- (B) establish conditions or prerequisites for Federal agency procurement or deployment of any such system;
- (C) imply an endorsement of any such system by the Director of the National Institute of Standards and Technology; or
- (D) preclude any Federal agency from procuring or deploying other information technology hardware or software systems for which no such standard, reference material, or checklist has been developed or identified under paragraph (1).
- (d)
- (1) In developing the agencywide information security program required by section 3554(b) of title 44, an agency that deploys a computer hardware or software system for which the Director of the National Institute of Standards and Technology has developed a checklist under subsection (c) of this section—
- (A) shall include in that program an explanation of how the agency has considered such checklist in deploying that system; and
- (B) may treat the explanation as if it were a portion of the agency’s annual performance plan properly classified under criteria established by an Executive Order (within the meaning of section 1115(d) of title 31).
- (2) Paragraph (1) does not apply to any computer hardware or software system for which the National Institute of Standards and Technology does not have responsibility under section 278g–3(a)(3) of this title.
§ 7407. Authorization of appropriations
There are authorized to be appropriated to the Secretary of Commerce for the National Institute of Standards and Technology—
- (1) for activities under section 278h of this title—
- (A) $25,000,000 for fiscal year 2003;
- (B) $40,000,000 for fiscal year 2004;
- (C) $55,000,000 for fiscal year 2005;
- (D) $70,000,000 for fiscal year 2006;
- (E) $85,000,000 for fiscal year 2007; and
- (2) for activities under section 278g–3(f) of this title (see References in Text note below)—
- (A) $6,000,000 for fiscal year 2003;
- (B) $6,200,000 for fiscal year 2004;
- (C) $6,400,000 for fiscal year 2005;
- (D) $6,600,000 for fiscal year 2006; and
- (E) $6,800,000 for fiscal year 2007.
§ 7408. National Academy of Sciences study on computer and network security in critical infrastructures
- (a) Not later than 3 months after November 27, 2002, the Director of the National Institute of Standards and Technology shall enter into an arrangement with the National Research Council of the National Academy of Sciences to conduct a study of the vulnerabilities of the Nation’s network infrastructure and make recommendations for appropriate improvements. The National Research Council shall—
- (1) review existing studies and associated data on the architectural, hardware, and software vulnerabilities and interdependencies in United States critical infrastructure networks;
- (2) identify and assess gaps in technical capability for robust critical infrastructure network security and make recommendations for research priorities and resource requirements; and
- (3) review any and all other essential elements of computer and network security, including security of industrial process controls, to be determined in the conduct of the study.
- (b) The Director of the National Institute of Standards and Technology shall transmit a report containing the results of the study and recommendations required by subsection (a) to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science not later than 21 months after November 27, 2002.
- (c) The Director of the National Institute of Standards and Technology shall ensure that no information that is classified is included in any publicly released version of the report required by this section.
- (d) There are authorized to be appropriated to the Secretary of Commerce for the National Institute of Standards and Technology for the purposes of carrying out this section, $700,000.
§ 7409. Coordination of Federal cyber security research and development
The Director of the National Science Foundation and the Director of the National Institute of Standards and Technology shall coordinate the research programs authorized by this chapter or pursuant to amendments made by this chapter. The Director of the Office of Science and Technology Policy shall work with the Director of the National Science Foundation and the Director of the National Institute of Standards and Technology to ensure that programs authorized by this chapter or pursuant to amendments made by this chapter are taken into account in any government-wide cyber security research effort.
§ 7410. Grant eligibility requirements and compliance with immigration laws
- (a) No grant or fellowship may be awarded under this chapter, directly or indirectly, to any individual who is in violation of the terms of his or her status as a nonimmigrant under section 1101(a)(15)(F), (M), or (J) of title 8.
- (b) No grant or fellowship may be awarded under this chapter, directly or indirectly, to any alien from a country that is a state sponsor of international terrorism, as defined under section 1735(b) of title 8, unless the Secretary of State determines, in consultation with the Attorney General and the heads of other appropriate agencies, that such alien does not pose a threat to the safety or national security of the United States.
- (c) No grant or fellowship may be awarded under this chapter, directly or indirectly, to any institution of higher education or non-profit institution (or consortia thereof) that has—
- (1) materially failed to comply with the recordkeeping and reporting requirements to receive nonimmigrant students or exchange visitor program participants under section 1101(a)(15)(F), (M), or (J) of title 8, or section 1372 of title 8, as required by section 1762 of title 8; or
- (2) been suspended or terminated pursuant to section 1762(c) of title 8.
§ 7411. Report on grant and fellowship programs
Within 24 months after November 27, 2002, the Director, in consultation with the Assistant to the President for National Security Affairs, shall submit to Congress a report reviewing this chapter to ensure that the programs and fellowships are being awarded under this chapter to individuals and institutions of higher education who are in compliance with the Immigration and Nationality Act (8 U.S.C. 1101 et seq.) in order to protect our national security.
§ 7421. Definitions
In this chapter:
- (1) The term “cybersecurity mission” means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as such activities relate to the security and stability of cyberspace.
- (2) The term “information system” has the meaning given that term in section 3502 of title 44.
§ 7422. No regulatory authority
Nothing in this chapter shall be construed to confer any regulatory authority on any Federal, State, tribal, or local department or agency.
§ 7423. No additional funds authorized
No additional funds are authorized to carry out this Act, and the amendments made by this Act. This Act, and the amendments made by this Act, shall be carried out using amounts otherwise authorized or appropriated.
§ 7431. Federal cybersecurity research and development
- (a)
- (1) The heads of the applicable agencies and departments, working through the National Science and Technology Council and the Networking and Information Technology Research and Development Program, shall develop and update every 4 years a Federal cybersecurity research and development strategic plan (referred to in this subsection as the “strategic plan”) based on an assessment of cybersecurity risk to guide the overall direction of Federal cybersecurity and information assurance research and development for information technology and networking systems. The heads of the applicable agencies and departments shall build upon existing programs and plans to develop the strategic plan to meet objectives in cybersecurity, such as—
- (A) how to design and build complex software-intensive systems that are secure and reliable when first deployed;
- (B) how to test and verify that software and hardware, whether developed locally or obtained from a third party, is free of significant known security flaws;
- (C) how to test and verify that software and hardware obtained from a third party correctly implements stated functionality, and only that functionality;
- (D) how to guarantee the privacy of an individual, including that individual’s identity, information, and lawful transactions when stored in distributed systems or transmitted over networks;
- (E) how to build new protocols to enable the Internet to have robust security as one of the key capabilities of the Internet;
- (F) how to determine the origin of a message transmitted over the Internet;
- (G) how to support privacy in conjunction with improved security;
- (H) how to address the problem of insider threats;
- (I) how improved consumer education and digital literacy initiatives can address human factors that contribute to cybersecurity;
- (J) how to protect information processed, transmitted, or stored using cloud computing or transmitted through wireless services; and
- (K) any additional objectives the heads of the applicable agencies and departments, in coordination with the head of any relevant Federal agency and with input from stakeholders, including appropriate national laboratories, industry, and academia, determine appropriate.
- (2)
- (A) The strategic plan shall—
- (i) specify and prioritize near-term, mid-term, and long-term research objectives, including objectives associated with the research identified in section 7403(a)(1) of this title;
- (ii) specify how the near-term objectives described in clause (i) complement research and development areas in which the private sector is actively engaged;
- (iii) describe how the heads of the applicable agencies and departments will focus on innovative, transformational technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure, and to protect consumer privacy;
- (iv) describe how the heads of the applicable agencies and departments will foster the rapid transfer of research and development results into new cybersecurity technologies and applications for the timely benefit of society and the national interest, including through the dissemination of best practices and other outreach activities;
- (v) describe how the heads of the applicable agencies and departments will establish and maintain a national research infrastructure for creating, testing, and evaluating the next generation of secure networking and information technology systems; and
- (vi) describe how the heads of the applicable agencies and departments will facilitate access by academic researchers to the infrastructure described in clause (v), as well as to relevant data, including event data.
- (B) In developing, implementing, and updating the strategic plan, the heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall work in close cooperation with industry, academia, and other interested stakeholders to ensure, to the extent possible, that Federal cybersecurity research and development is not duplicative of private sector efforts.
- (C) In developing and updating the strategic plan the heads of the applicable agencies and departments shall solicit recommendations and advice from—
- (i) the advisory committee established under section 5511(b)(1) of this title; and
- (ii) a wide range of stakeholders, including industry, academia, including representatives of minority serving institutions and community colleges, National Laboratories, and other relevant organizations and institutions.
- (D) The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall develop and annually update an implementation roadmap for the strategic plan. The implementation roadmap shall—
- (i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated;
- (ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year;
- (iii) estimate the funding required for each major research objective of the strategic plan for the following 3 fiscal years; and
- (iv) track ongoing and completed Federal cybersecurity research and development projects.
- (3) The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives—
- (A) the strategic plan not later than 1 year after December 18, 2014;
- (B) each quadrennial update to the strategic plan; and
- (C) the implementation roadmap under subparagraph (D), and its annual updates, which shall be appended to the annual report required under section 5511(a)(2)(D) of this title.
- (4) In this subsection, the term “applicable agencies and departments” means the agencies and departments identified in clauses (i) through (xi) of section 5511(a)(3)(B) of this title or designated under clause (xii) of that section.
- (b) The Director of the National Science Foundation shall support research that—
- (1) develops, evaluates, disseminates, and integrates new cybersecurity practices and concepts into the core curriculum of computer science programs and of other programs where graduates of such programs have a substantial probability of developing software after graduation, including new practices and concepts relating to secure coding education and improvement programs; and
- (2) develops new models for professional development of faculty in cybersecurity education, including secure coding development.
- (c)
- (1) Not later than 1 year after December 18, 2014, the Director of the National Science Foundation, in coordination with the Director of the Office of Science and Technology Policy, shall conduct a review of cybersecurity test beds in existence on December 18, 2014, to inform the grants under paragraph (2). The review shall include an assessment of whether a sufficient number of cybersecurity test beds are available to meet the research needs under the Federal cybersecurity research and development strategic plan. Upon completion, the Director shall submit the review to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.
- (2)
- (A) If the Director of the National Science Foundation, after the review under paragraph (1), determines that the research needs under the Federal cybersecurity research and development strategic plan require the establishment of additional cybersecurity test beds, the Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, may award grants to institutions of higher education or research and development non-profit institutions to establish cybersecurity test beds.
- (B) The cybersecurity test beds under subparagraph (A) shall be sufficiently robust in order to model the scale and complexity of real-time cyber attacks and defenses on real world networks and environments.
- (C) The Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, shall evaluate the effectiveness of any grants awarded under this subsection in meeting the objectives of the Federal cybersecurity research and development strategic plan not later than 2 years after the review under paragraph (1) of this subsection, and periodically thereafter.
- (d) In accordance with the responsibilities under section 5511 of this title, the Director of the Office of Science and Technology Policy shall coordinate, to the extent practicable, Federal research and development activities under this section with other ongoing research and development security-related initiatives, including research being conducted by—
- (1) the National Science Foundation;
- (2) the National Institute of Standards and Technology;
- (3) the Department of Homeland Security;
- (4) other Federal agencies;
- (5) other Federal and private research laboratories, research entities, and universities;
- (6) institutions of higher education;
- (7) relevant nonprofit organizations; and
- (8) international partners of the United States.
- (e)
- (f) The head of each agency and department identified under section 5511(a)(3)(B) of this title, through existing programs and activities, shall support research that will lead to the development of a scientific foundation for the field of cybersecurity, including research that increases understanding of the underlying principles of securing complex networked systems, enables repeatable experimentation, and creates quantifiable security metrics.
§ 7441. Cybersecurity competitions and challenges
- (a) The Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security, in consultation with the Director of the Office of Personnel Management, shall—
- (1) support competitions and challenges under section 3719 of this title (as amended by section 105 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 3989)) or any other provision of law, as appropriate—
- (A) to identify, develop, and recruit talented individuals to perform duties relating to the security of information technology in Federal, State, local, and tribal government agencies, and the private sector; or
- (B) to stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that has the potential for application to the information technology activities of the Federal Government; and
- (2) ensure the effective operation of the competitions and challenges under this section.
- (b) Participants in the competitions and challenges under subsection (a)(1) may include—
- (1) students enrolled in grades 9 through 12;
- (2) students enrolled in a postsecondary program of study leading to a baccalaureate degree at an institution of higher education;
- (3) students enrolled in a postbaccalaureate program of study at an institution of higher education;
- (4) institutions of higher education and research institutions;
- (5) veterans; and
- (6) other groups or individuals that the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security determine appropriate.
- (c) Competitions and challenges under this section may be carried out through affiliation and cooperative agreements with—
- (1) Federal agencies;
- (2) regional, State, or school programs supporting the development of cyber professionals;
- (3) State, local, and tribal governments; or
- (4) other private sector organizations.
- (d) Competitions and challenges under subsection (a)(1)(A) shall be designed to identify, develop, and recruit exceptional talent relating to—
- (1) ethical hacking;
- (2) penetration testing;
- (3) vulnerability assessment;
- (4) continuity of system operations;
- (5) security in design;
- (6) cyber forensics;
- (7) offensive and defensive cyber operations; and
- (8) other areas the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security consider necessary to fulfill the cybersecurity mission.
- (e) In selecting topics for competitions and challenges under subsection (a)(1), the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security—
- (1) shall consult widely both within and outside the Federal Government; and
- (2) may empanel advisory committees.
- (f) The Director of the Office of Personnel Management may support, as appropriate, internships or other work experience in the Federal Government to the winners of the competitions and challenges under this section.
§ 7442. Federal Cyber Scholarship-for-Service Program
- (a) The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management and Secretary of Homeland Security, shall continue a Federal cyber scholarship-for-service program to recruit and train the next generation of information technology professionals, industrial control system security professionals, and security managers to meet the needs of the cybersecurity mission for Federal, State, local, and tribal governments.
- (b) The Federal Cyber Scholarship-for-Service Program shall—
- (1) provide scholarships through qualified institutions of higher education, including community colleges, to students who are enrolled in programs of study at institutions of higher education leading to degrees or specialized program certifications in the cybersecurity field;
- (2) provide the scholarship recipients with summer internship opportunities or other meaningful temporary appointments in the Federal information technology workforce;
- (3) prioritize the employment placement of at least 80 percent of scholarship recipients in an executive agency (as defined in section 105 of title 5); and
- (4) provide awards to improve cybersecurity education at the kindergarten through grade 12 level—
- (A) to increase interest in cybersecurity careers;
- (B) to help students practice correct and safe online behavior and understand the foundational principles of cybersecurity;
- (C) to improve teaching methods for delivering cybersecurity content for kindergarten through grade 12 computer science curricula; and
- (D) to promote teacher recruitment in the field of cybersecurity.
- (c) Each scholarship under subsection (b) shall be in an amount that covers the student’s tuition and fees at the institution under subsection (b)(1) for not more than 3 years and provides the student with an additional stipend.
- (d) Each scholarship recipient, as a condition of receiving a scholarship under the program, shall enter into an agreement under which the recipient agrees to work for a period equal to the length of the scholarship, following receipt of the student’s degree, in the cybersecurity mission of—
- (1) an executive agency (as defined in section 105 of title 5);
- (2) Congress, including any agency, entity, office, or commission established in the legislative branch;
- (3) an interstate agency;
- (4) a State, local, or Tribal government; or
- (5) a State, local, or Tribal government-affiliated non-profit that is considered to be critical infrastructure (as defined in section 5195c(e) of title 42).
- (e)
- (1) Notwithstanding any provision of chapter 33 of title 5 governing appointments in the competitive service, an agency shall appoint in the excepted service an individual who has completed the eligible degree program for which a scholarship was awarded.
- (2) Except as provided in paragraph (4), upon fulfillment of the service term, an employee appointed under paragraph (1) may be converted noncompetitively to term, career-conditional or career appointment.
- (3) An agency may noncompetitively convert a term employee appointed under paragraph (2) to a career-conditional or career appointment before the term appointment expires.
- (4) An agency may decline to make the noncompetitive conversion or appointment under paragraph (2) for cause.
- (f) To be eligible to receive a scholarship under this section, an individual shall—
- (1) be a citizen or lawful permanent resident of the United States;
- (2) demonstrate a commitment to a career in improving the security of information technology;
- (3) have demonstrated a high level of competency in relevant knowledge, skills, and abilities, as defined by the national cybersecurity awareness and education program under section 7451 of this title;
- (4) be a full-time student in an eligible degree program at a qualified institution of higher education, as determined by the Director of the National Science Foundation, except that in the case of a student who is enrolled in a community college, be a student pursuing a degree on a less than full-time basis, but not less than half-time basis; and
- (5) accept the terms of a scholarship under this section.
- (g)
- (1) As a condition of receiving a scholarship under this section, a recipient shall agree to provide the qualified institution of higher education with annual verifiable documentation of post-award employment and up-to-date contact information.
- (2) A scholarship recipient under this section shall be liable to the United States as provided in subsection (i) if the individual—
- (A) fails to maintain an acceptable level of academic standing at the applicable institution of higher education, as determined by the Director of the National Science Foundation;
- (B) is dismissed from the applicable institution of higher education for disciplinary reasons;
- (C) withdraws from the eligible degree program before completing the program;
- (D) declares that the individual does not intend to fulfill the post-award employment obligation under this section; or
- (E) fails to fulfill the post-award employment obligation of the individual under this section.
- (h) As a condition of participating in the program, a qualified institution of higher education shall—
- (1) enter into an agreement with the Director of the National Science Foundation, to monitor the compliance of scholarship recipients with respect to their post-award employment obligations; and
- (2) provide to the Director of the National Science Foundation, on an annual basis, the post-award employment documentation required under subsection (g)(1) for scholarship recipients through the completion of their post-award employment obligations.
- (i)
- (1) If a circumstance described in subsection (g)(2) occurs before the completion of 1 year of a post-award employment obligation under this section, the total amount of scholarship awards received by the individual under this section shall—
- (A) be repaid; or
- (B) be treated as a loan to be repaid in accordance with subsection (j).
- (2) If a circumstance described in subparagraph (D) or (E) of subsection (g)(2) occurs after the completion of 1 or more years of a post-award employment obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall—
- (A) be repaid; or
- (B) be treated as a loan to be repaid in accordance with subsection (j).
- (j) A loan described in subsection (i) shall—
- (1) be treated as a Federal Direct Unsubsidized Stafford Loan under part D of title IV of the Higher Education Act of 1965 (20 U.S.C. 1087a et seq.); and
- (2) be subject to repayment, together with interest thereon accruing from the date of the scholarship award, in accordance with terms and conditions specified by the Director of the National Science Foundation (in consultation with the Secretary of Education) in regulations promulgated to carry out this subsection.
- (k)
- (1) In the event that a scholarship recipient is required to repay the scholarship award under this section, the qualified institution of higher education providing the scholarship shall—
- (A) determine the repayment amounts and notify the recipient and the Director of the National Science Foundation of the amounts owed; and
- (B) collect the repayment amounts within a period of time as determined by the Director of the National Science Foundation, or the repayment amounts shall be treated as a loan in accordance with subsection (j).
- (2) Except as provided in paragraph (3), any repayment under this subsection shall be returned to the Treasury of the United States.
- (3) A qualified institution of higher education may retain a percentage of any repayment the institution collects under this subsection to defray administrative costs associated with the collection. The Director of the National Science Foundation shall establish a single, fixed percentage that will apply to all eligible entities.
- (l) The Director of the National Science Foundation may provide for the partial or total waiver or suspension of any service or payment obligation by an individual under this section whenever compliance by the individual with the obligation is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable.
- (m)
- (1) The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, shall periodically evaluate and make public, in a manner that protects the personally identifiable information of scholarship recipients, information on the success of recruiting individuals for scholarships under this section and on hiring and retaining those individuals in the public sector cyber workforce, including information on—
- (A) placement rates;
- (B) where students are placed, including job titles and descriptions;
- (C) salary ranges for students not released from obligations under this section;
- (D) how long after graduation students are placed;
- (E) how long students stay in the positions they enter upon graduation;
- (F) how many students are released from obligations; and
- (G) what, if any, remedial training is required.
- (2) The Director of the National Science Foundation, in coordination with the Office of Personnel Management, shall submit, not less frequently than once every 3 years, to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives a report, including the results of the evaluation under paragraph (1) and any recent statistics regarding the size, composition, and educational requirements of the Federal cyber workforce.
- (3) The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, shall provide consolidated and user-friendly online resources for prospective scholarship recipients, including, to the extent practicable—
- (A) searchable, up-to-date, and accurate information about participating institutions of higher education and job opportunities related to the field of cybersecurity; and
- (B) a modernized description of cybersecurity careers.
§ 7451. National cybersecurity awareness and education program
- (a) The Director of the National Institute of Standards and Technology (referred to in this section as the “Director”), in consultation with appropriate Federal agencies, industry, educational institutions, National Laboratories, the Networking and Information Technology Research and Development program, and other organizations shall continue to coordinate a national cybersecurity awareness and education program, that includes activities such as—
- (1) the widespread dissemination of cybersecurity technical standards and best practices identified by the Director;
- (2) efforts to make cybersecurity best practices usable by individuals, small to medium-sized businesses, educational institutions, and State, local, and tribal governments;
- (3) increasing public awareness of cybersecurity, cyber safety, and cyber ethics;
- (4) increasing the understanding of State, local, and tribal governments, institutions of higher education, and private sector entities of—
- (A) the benefits of ensuring effective risk management of information technology versus the costs of failure to do so; and
- (B) the methods to mitigate and remediate vulnerabilities;
- (5) supporting formal cybersecurity education programs at all education levels to prepare and improve a skilled cybersecurity and computer science workforce for the private sector and Federal, State, local, and tribal government; and
- (6) promoting initiatives to evaluate and forecast future cybersecurity workforce needs of the Federal Government and develop strategies for recruitment, training, and retention.
- (b) In carrying out the authority described in subsection (a), the Director, in consultation with appropriate Federal agencies, shall leverage existing programs designed to inform the public of safety and security of products or services, including self-certifications and independently verified assessments regarding the quantification and valuation of information security risk.
- (c) The Director, in cooperation with relevant Federal agencies and other stakeholders, shall build upon programs and plans in effect as of December 18, 2014, to develop and implement a strategic plan to guide Federal programs and activities in support of the national cybersecurity awareness and education program under subsection (a).
- (d) Not later than 1 year after December 18, 2014, and every 5 years thereafter, the Director shall transmit the strategic plan under subsection (c) to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.
§ 7461. Definitions
In this subchapter:
- (1) The term “Director” means the Director of the National Institute of Standards and Technology.
- (2) The term “Institute” means the National Institute of Standards and Technology.
§ 7462. International cybersecurity technical standards
- (a) The Director, in coordination with appropriate Federal authorities, shall—
- (1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and
- (2) not later than 1 year after December 18, 2014, develop and transmit to Congress a plan for ensuring such Federal agency coordination.
- (b) In carrying out the activities specified in subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders.
§ 7463. Cloud computing strategy
- (a) The Director, in coordination with the Office of Management and Budget, in collaboration with the Federal Chief Information Officers Council, and in consultation with other relevant Federal agencies and stakeholders from the private sector, shall continue to develop and encourage the implementation of a comprehensive strategy for the use and adoption of cloud computing services by the Federal Government.
- (b) In carrying out the strategy described under subsection (a), the Director shall give consideration to activities that—
- (1) accelerate the development, in collaboration with the private sector, of standards that address interoperability and portability of cloud computing services;
- (2) advance the development of conformance testing performed by the private sector in support of cloud computing standardization; and
- (3) support, in coordination with the Office of Management and Budget, and in consultation with the private sector, the development of appropriate security frameworks and reference materials, and the identification of best practices, for use by Federal agencies to address security and privacy requirements to enable the use and adoption of cloud computing services, including activities—
- (A) to ensure the physical security of cloud computing data centers and the data stored in such centers;
- (B) to ensure secure access to the data stored in cloud computing data centers;
- (C) to develop security standards as required under section 278g–3 of this title; and
- (D) to support the development of the automation of continuous monitoring systems.
§ 7464. Identity management research and development
The Director shall continue a program to support the development of voluntary and cost-effective technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns—
- (1) to improve interoperability among identity management technologies;
- (2) to strengthen authentication methods of identity management systems;
- (3) to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and
- (4) to improve the usability of identity management systems.