Legislation News & Report (TM) 

TheWeekInCongress.com (TM)

Managing America: Internet

Week Ending February 5, 2010

 

H.R.4061 To advance cybersecurity research, development, and technical standards, and for other purposes.

 

By amending the ‘findings’ of the previously enacted Cyber Security Research and Development Act, the bill sets out why it is necessary.

The findings and amendments note that:

  • “information and communications technology have resulted in a globally interconnected network of government, commercial, scientific, and education infrastructures, including critical infrastructures for electric power, natural gas and petroleum production and distribution, telecommunications, transportation, water supply, banking and finance, and emergency and government services” and

  • “…advancements have significantly contributed to the growth of the United States economy.” But

  • “The President in May, 2009, concluded that our information technology and communications infrastructure is vulnerable and has ‘suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information.’”

 

“The Office of Management and Budget cites that federal agencies spend $6 billion on cybersecurity to protect a $72 billion IT infrastructure. In addition, the Federal government funds approximately $350 million in cybersecurity research and development (R&D) each year. Despite this Federal spending, the Government Accountability Office testified as recently as June 2009 that the U.S. IT infrastructure is vulnerable to attack and the Federal agencies tasked with its protection are not fulfilling their responsibilities.”

 

“NIST is tasked with protecting the Federal information technology network by developing and promulgating cybersecurity standards for Federal non-classified network systems (Federal Information Processing Standard [FIPS]), identifying methods for assessing effectiveness of security requirements, conducting tests to validate security in information systems, and conducting outreach exercises. Experts have stated that NIST's technical standards and best practices are too highly technical for general public use, and making this information more usable to average computer users with less technical expertise will help raise the base level of cybersecurity knowledge among individuals, business, education, and government,” the bill report explains.

Under the bill, federal agencies that participate in the National High-Performance Computing Program are required to transmit to Congress a cybersecurity strategic research and development plan and to develop an implementation roadmap for the plan.

Grant funding is provided to the National Science Foundation (NSF) for computer security research grants covering social and behavioral factors, including human-computer interactions and identity management.

The Director of NSF is required to carry out a program of awarding fellowships to encourage young scientists and engineers to conduct postdoctoral research in the fields of cybersecurity and information assurance, including the research areas under which computer and network security research grants are awarded.

 

The bill requires that applications to establish Computer and Network Security Research Centers include how they will partner with government laboratories, for-profit entities, other institutions of higher education, or nonprofit research institutions.

 

The Office of Science and Technology Policy (OSTP) is required to convene a cybersecurity university-industry task force to explore mechanisms for carrying out collaborative R&D activities.

 

Current law allows the Director of the National Institute of Standards and Technology (NIST) to establish priorities for the development of checklists of settings and options that minimize security risks associated with computer systems that are, or are likely to become, widely used within the federal government. The bill requires the Director to make those determinations. NIST is required to develop or identify, and revise or adapt, checklists, configuration profiles, and deployment recommendations for products and protocols that minimize such risks, and to develop automated security specifications respecting checklist content and associated security-related data.

NIST must ensure that any products developed under the National Checklist Program for any information systems, including the Security Content Automation Protocol, be disseminated to federal agencies.

NIST is also directed to ensure coordination of U.S. government representation in the international development of technical standards related to cybersecurity; implement a cybersecurity awareness and education program through the Manufacturing Extension Partnership program; and establish a program to support development of technical standards, metrology, test-beds, and conformance criteria with regard to identity management research and development.

 

 

Sponsor: Rep. Daniel Lipinski (IL-3rd)

Vote: On passage Passed by the Yeas and Nays: 422 - 5 (Roll no. 43).

Cost to the taxpayers: “CBO estimates that implementing H.R. 4061 would cost $639 million over the 2010-2014 period and $320 million after 2014. Enacting the legislation would not affect direct spending or revenues.”

Earmark Certification: H.R. 4061 does not contain any congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9 of rule XXI.

All Rights Reserved. © 2009 TheWeekInCongress.com(TM)

No reproduction, language translation or distribution without written permission from TheWeekInCongress.com.(TM)

 

MORE INFORMATION


SECTION-BY-SECTION ANALYSIS

TITLE I--RESEARCH AND DEVELOPMENT

Sec. 101. Definitions

Defines the terms National Coordination Office and Program in the title.

Sec. 102. Findings

Describes the findings of this title.

Sec. 103. Cybersecurity strategic R&D plan

Requires the agencies to develop, update and implement a strategic plan for cybersecurity research and development (R&D). Requires that the strategic plan be based on an assessment of cybersecurity risk, that it specify and prioritize near-term, mid-term and long-term research objectives, and that it describe how the near-term objectives complement R&D occurring in the private sector.

Requires the agencies to solicit input from an advisory committee and outside stakeholders in the development of the strategic plan. Additionally, requires the agencies to describe how they will promote innovation, foster technology transfer, and maintain a national infrastructure for the development of secure, reliable, and resilient networking and information technology systems.

Requires the development of an implementation roadmap that specifies the role of each agency and the level of funding needed to meet each of the research objectives outlined in the strategic plan.

Sec. 104. Social and behavioral research in cybersecurity

Requires the National Science Foundation (NSF) to support research on the social and behavioral aspects of cybersecurity as part of its total cybersecurity research portfolio.

Sec. 105. NSF cybersecurity R&D programs

Reauthorizes the cybersecurity research program at the NSF and includes identity management as one of the research areas supported.

Reauthorizes programs at NSF that provide funding for capacity building grants, graduate student fellowships, graduate student traineeships and research centers in cybersecurity.

Requires NSF to establish a postdoctoral fellowship program in cybersecurity.

Sec. 106. Federal cyber scholarship for service program

Authorizes the cybersecurity scholarship for service program at NSF. The program provides grants to institutions of higher education for the award of scholarships to students pursuing undergraduate and graduate degrees in cybersecurity fields and requires an equal number of years of service as a cybersecurity professional in the federal government as a condition of the scholarship.

The program also provides capacity building grants to institutions of higher education, supporting such activities as faculty professional development and the development of cybersecurity-related curricula and courses.

Sec. 107. Cybersecurity workforce assessment

Requires the President to issue a report assessing the current and future cybersecurity workforce needs of the federal government, including a comparison of the skills sought by Federal agencies and the private sector; an examination of the supply of cybersecurity talent and the capacity of institutions of higher education to produce cybersecurity professionals; and the identification of any barriers to the recruitment and hiring of cybersecurity professionals.

Sec. 108. Cybersecurity University--Industry Task Force

Establishes a university-industry task force to explore mechanisms and models for carrying out public-private research partnerships in the area of cybersecurity.

Sec. 109. Cybersecurity checklist and dissemination

Updates NIST's authority for the National Checklist Program (NCP), which provides detailed guidance on setting the security configuration of operating systems and applications and requires NIST to develop automated security specifications with respect to checklist content.

Sec. 110. NIST Cybersecurity R&D

Amends the National Institute of Standards and Technology Act to authorize NIST, as part of its in-house research program, to continue efforts to develop a unifying and standardized identity, privilege, and access control management framework. Authorizes NIST to conduct research related to improving the security of information and networked systems, including the security of industrial control systems.

TITLE II--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

Sec. 201. Definitions

Defines the terms Director and Institute in the title.

Sec. 202. International cybersecurity technical standards

Requires NIST to develop and implement a plan to ensure a coordinated United States Government representation in international cybersecurity technical standards development. This plan is due to Congress no later than one year after enactment.

Sec. 203. Promoting cybersecurity awareness and education

Requires NIST to deliver a plan to Congress within 90 days describing how it will develop and implement a cybersecurity awareness and education program. Requires the program to be aimed at disseminating cybersecurity best practices and standards and shall include how NIST will make these usable by individuals, small business, state and local governments, and educational institutions. Requires the plan to include how NIST can utilize established Manufacturing Extension Partnership networks to have cybersecurity information readily available to small manufacturing companies.

Sec. 204. Identity management research and development

Requires NIST to engage in research and development programs to improve identity management systems.

VIII. COMMITTEE VIEWS

Cybersecurity strategic R&D plan and implementation roadmap

The Committee expects the strategic plan to be a useful guide for setting program priorities and estimating time scales for reaching program objectives. The strategic plan should not be limited to time scales of 2-3 years, but should include mid-term and long-term research objectives based on known research gaps and an assessment of cybersecurity risks to ensure that R&D objectives are informed and prioritized by the Nation's needs. Furthermore, the Committee intends for the development of the plan to be informed by the research needs of industry and academia and expects the National Coordination Office to actively solicit stakeholder input through meetings, requests for information and other appropriate means.

The Committee believes the development of an implementation roadmap is essential to the furtherance of cybersecurity and information assurance R&D. The roadmap should be aligned with the program's strategic plan and overall objectives, and should be detailed enough to clearly define the roles and responsibilities of individual Federal agencies in the achievement of the overall R&D objectives. While each Federal agency has its own mission and objectives in the area of cybersecurity and information assurance, the Committee considers the development of an implementation roadmap essential to comprehensively addressing our cybersecurity challenges.

Cybersecurity education and workforce

Over the next several years, the Bureau of Labor Statistics estimates that the number of jobs requiring a background in computer science or mathematics will average approximately 150,000 annually. However, the number of computer science undergraduate degrees granted has dropped 34 percent from 2002 to 2006. Additionally, according to the report entitled ‘Cyber In-Security: Strengthening the Federal Cybersecurity Workforce,’ there is a shortfall of between 500 and 1000 cybersecurity professionals each year across the Federal government. The Committee believes that the required assessment of Federal cybersecurity workforce needs, necessary skills, and the capacity of our colleges and universities to produce cybersecurity professionals is an essential first step in ensuring an adequate, well-trained workforce.

When promoting cybersecurity awareness and education for the public, NIST should fully utilize existing resources within the Federal government, private industry, academia, and independent organizations to minimize duplicative effort.

Cybersecurity University--Industry Task Force

In considering options for a collaborative model for carrying out cybersecurity research and development, it is the Committee's intention that the objective of such a potential entity would be to supplement, not supplant, the traditional functions and activities of the individual participating entities. Therefore, in developing guidelines in accordance with subsection (b)(2) of section 108, it is the Committee's expectation that the task force work to identify activities that (1) would address nationally significant challenges that advance common objectives; and (2) require collaboration that could not otherwise be reasonably addressed by individual entities acting independently.

NIST's checklist development and dissemination

The Committee believes that advancements of technology have presented an opportunity to evolve security checklists into automated auditing programs capable of verifying information security policy compliance, as well as the measurement and management of vulnerabilities. NIST's Security Content Automation Protocol program is an excellent example of a public-private partnership developing interoperable security specifications to automate the assessment, documentation, and reporting of information security requirements. The Committee also believes that NIST should be more proactive in disseminating checklists to other Federal agencies.

United States Federal Government representation

The Committee intends that NIST will develop an international cybersecurity technical standards engagement strategy, in coordination with relevant Federal agencies that: addresses the needs outlined in the Cyberspace Policy Review; accounts for the constant evolution and introduction of technology; and fosters technical cybersecurity standards that maintain security without interfering with the freedom of the internet. NIST will not dictate specific agency representation in international standards development, but should ensure that there is adequate United States government representation and coordination for all appropriate development activities. Given the global nature of networked systems, it is imperative that the Federal government has a coordinated, comprehensive strategy to address international cybersecurity technical standards needs.

 


 

AMENDMENTS

Amendment offered by Mr. Hastings (FL).

An amendment numbered 1 printed in House Report 111-410 to address the lack of minority representation in the cybersecurity industry including women and African-Americans, Hispanics, and Native Americans. The amendment adds language in Sec. 107 to describe how successful programs are engaging said minorities and in Sec. 108 to include minority-serving institutions on the Cybersecurity University-Industry Task Force.

On agreeing to the Hastings (FL) amendment Agreed to by recorded vote: 417 - 5 (Roll no. 34).


Amendment offered by Mr. Gordon (TN).

An amendment numbered 2 printed in House Report 111-410 to allow participants in the Federal Cyber Scholarship for Service program to seek out opportunities for internships, or other meaningful appointments, in the private sector.

On agreeing to the Gordon (TN) amendment Agreed to by voice vote.


Amendment offered by Mr. Flake.

An amendment numbered 3 printed in House Report 111-410 to prohibit the earmarking of funds authorized for grants in the bill.

On agreeing to the Flake amendment Agreed to by recorded vote: 396 - 31 (Roll no. 35).


Amendment offered by Mr. Matheson.

An amendment numbered 4 printed in House Report 111-410 to require the National Science Foundation to study ways to improve detection, investigation, and prosecution of cyber crimes including piracy of intellectual property, crimes against children, and organized crime.

On agreeing to the Matheson amendment Agreed to by voice vote.


Amendment offered by Mr. Roskam.

An amendment numbered 5 printed in House Report 111-410 to strengthen the involvement of community colleges in the development and implementation of a national cybersecurity strategy.

On agreeing to the Roskam amendment Agreed to by voice vote.


Amendment offered by Ms. Edwards (MD).

An amendment numbered 6 printed in House Report 111-410 to direct NIST to work in cooperation with State, Federal, and private sector partners to develop a framework that States may follow in order to achieve effective cybersecurity practices in a timely and cost effective manner.

On agreeing to the Edwards (MD) amendment Agreed to by voice vote.


Amendment offered by Mr. Paulsen.

An amendment numbered 7 printed in House Report 111-410 to include international cooperation where appropriate as part of the Cybersecurity Strategic Research and Development Plan.

On agreeing to the Paulsen amendment Agreed to by voice vote.


Amendment offered by Mrs. Dahlkemper.

An amendment numbered 8 printed in House Report 111-410 to allow collaboration between and among community colleges, universities, and Manufacturing Extension Partnership Centers as an additional use for the Computer and Network Security Capacity Building Grants under the Cyber Security Research and Development Act.

On agreeing to the Dahlkemper amendment Agreed to by recorded vote: 419 - 3 (Roll no. 36).


Amendment offered by Mr. Garamendi.

An amendment numbered 9 printed in House Report 111-410 to provide for regional workshops as part of the Cybersecurity Awareness and Education program.

On agreeing to the Garamendi amendment Agreed to by voice vote.


Amendment offered by Mrs. McCarthy (NY).

An amendment numbered 10 printed in House Report 111-410 to emphasize that cybersecurity awareness and education efforts focus on novice computer users, young and elderly populations, low-income populations, and populations in areas of planned broadband expansion or deployment.

On agreeing to the McCarthy (NY) amendment Agreed to by voice vote.


Amendment offered by Ms. Sanchez, Loretta.

An amendment numbered 11 printed in House Report 111-410 to add "job security clearance and suitability requirements" to the issues that are to be considered in the cybersecurity workforce assessment.

On agreeing to the Sanchez, Loretta amendment Agreed to by voice vote.


Amendment offered by Mr. Langevin.

An amendment numbered 12 printed in House Report 111-410 to direct the Cybersecurity Workforce Assessment to examine expanding temporary assignments of private sector cybersecurity professionals to Federal agencies.

On agreeing to the Langevin amendment Agreed to by voice vote.


Amendment offered by Ms. Sanchez, Loretta.

An amendment numbered 13 printed in House Report 111-410 to facilitate access to realistic threats and vulnerabilities for academic researchers during the development of the strategic plan in section 103 Cybersecurity Strategic Research and Development Program. The amendment also amends section 108 Cybersecurity University-Industry Task Force to propose guidelines for the sharing of lessons learned of the effectiveness of new technologies from the private sector to the public sector.

On agreeing to the Sanchez, Loretta amendment Agreed to by voice vote.


Amendment offered by Mr. Cuellar.

An amendment numbered 14 printed in House Report 111-410 to add to the Cybersecurity Strategic Research and Development plan a requirement to determine how to strengthen all levels of cybersecurity education and training programs to secure an adequate, well-trained workforce.

On agreeing to the Cuellar amendment Agreed to by recorded vote: 416 - 4 (Roll no. 37).


 

Amendment offered by Ms. Shea-Porter.

An amendment numbered 15 printed in House Report 111-410 to extend the service obligation for recipients of cybersecurity scholarships or fellowships on a sliding scale depending on the degree program.

On agreeing to the Shea-Porter amendment Agreed to by voice vote.


Amendment offered by Ms. Clarke.

An amendment numbered 16 printed in House Report 111-410 to enhance the existing cybersecurity workforce assessment by including contractors.

On agreeing to the Clarke amendment Agreed to by voice vote.


Amendment offered by Mr. Bright.

An amendment numbered 17 printed in House Report 111-410 to require a National Academy of Sciences study on the role of community colleges in cybersecurity education. The study would also identify best practices related to cybersecurity education between community colleges and four-year educational institutions.

On agreeing to the Bright amendment Agreed to by voice vote.


Amendment offered by Mr. Connolly (VA).

An amendment numbered 18 printed in House Report 111-410 to emphasize that promotion of cybersecurity education also must include "children and young adults" along with the other targeted audiences.

On agreeing to the Connolly (VA) amendment Agreed to by recorded vote: 417 - 4 (Roll no. 38).


Amendment offered by Mrs. Halvorson.

An amendment numbered 19 printed in House Report 111-410 to add veteran status as an additional item for consideration when selecting individuals for the Federal Cyber Scholarship for Service.

On agreeing to the Halvorson amendment Agreed to by recorded vote: 424 - 0 (Roll no. 39).


Amendment offered by Ms. Kilroy.

An amendment numbered 20 printed in House Report 111-410 to amend the Federal Cyber Scholarship for Service program to include support for outreach activities that will improve the recruitment of high school and community college students into cybersecurity-related fields.

On agreeing to the Kilroy amendment Agreed to by recorded vote: 419 - 4 (Roll no. 40).


Amendment offered by Mr. Kissell.

An amendment numbered 21 printed in House Report 111-410 to instruct the National Science Foundation Director to include language in its Computer and Network Security Capacity Building Grants mission statement highlighting the importance of curriculum on the principles and techniques of designing secure software.

On agreeing to the Kissell amendment Agreed to by recorded vote: 423 - 6 (Roll no. 41).


Amendment offered by Mr. Kratovil.

An amendment numbered 22 printed in House Report 111-410 to instruct the Director of the National Science Foundation to establish, on a merit-reviewed and competitive basis, a National Center of Excellence for Cybersecurity as part of the Networking and Information Technology and Research Development Program.

On agreeing to the Kratovil amendment Agreed to by voice vote.


Amendment offered by Mr. Lipinski.

An amendment numbered 23 printed in House Report 111-410 to direct the Comptroller General to submit a report examining weaknesses within the current cybersecurity infrastructure.

On agreeing to the Lipinski amendment Agreed to by voice vote.


Amendment offered by Mr. Owens.

An amendment numbered 24 printed in House Report 111-410 to require the Cybersecurity Strategic Research and Development plan to include a component on technologies to secure sensitive information shared among Federal agencies.

On agreeing to the Owens amendment Agreed to by recorded vote: 430 - 0 (Roll no. 42).


Amendment offered by Mr. Heinrich.

An amendment numbered 25 printed in House Report 111-410 to allow national laboratories to be included as stakeholders in the Cybersecurity Strategic Research and Development Plan.

On agreeing to the Heinrich amendment Agreed to by voice vote.