
Cybersecurity Enhancement Act of 2014

[Public Law 113–274]

[As Amended Through P.L. 117–167, Enacted August 9, 2022]

[Currency: This publication is a compilation of the text of Public Law 113-274. It was last amended by the public law listed in the As Amended Through note above and below at the bottom of each page of the pdf version and reflects current law through the date of the enactment of the public law listed at https://www.govinfo.gov/app/collection/comps/]

[Note: While this publication does not represent an official version of any Federal statute, substantial efforts have been made to ensure the accuracy of its contents. The official version of Federal law is found in the United States Statutes at Large and in the United States Code. The legal effect to be given to the Statutes at Large and the United States Code is established by statute (1 U.S.C. 112, 204).]

AN ACT To provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) [15 U.S.C. 7421 note] SHORT TITLE.—This Act may be cited as the “Cybersecurity Enhancement Act of 2014”.

(b) TABLE OF CONTENTS.—The table of contents of this Act is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. No regulatory authority.
Sec. 4. No additional funds authorized.

TITLE I—PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
Sec. 101. Public-private collaboration on cybersecurity.

TITLE II—CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 201. Federal cybersecurity research and development.
Sec. 202. Computer and network security research centers.
Sec. 203. Cybersecurity automation and checklists for government systems.
Sec. 204. National Institute of Standards and Technology cybersecurity research and development.
Sec. 205. National cybersecurity challenges.

TITLE III—EDUCATION AND WORKFORCE DEVELOPMENT
Sec. 301. Cybersecurity competitions and challenges.
Sec. 302. Federal cyber scholarship-for-service program.
Sec. 303. National cybersecurity awareness and education program.

[The items relating to title IV were repealed by section 9401(g)(3)(A) of Public Law 116–283.]

TITLE V—ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS
Sec. 501. Definitions.

VerDate Nov 24 2008 15:24 Aug 22, 2022 Jkt 000000 PO 00000 Frm 00001 Fmt 9001 Sfmt 6611 G:\COMP\113-2\CEAO2.BEL HOLC

August 22, 2022

G:\COMP\113-2\CYBERSECURITY ENHANCEMENT ACT OF 2014.XML

As Amended Through P.L. 117-167, Enacted August 9, 2022

2 Sec. 2 Cybersecurity Enhancement Act of 2014

Sec. 502. International cybersecurity technical standards.
Sec. 503. Cloud computing strategy.
Sec. 504. Identity management research and development.

SEC. 2. [15 U.S.C. 7421] DEFINITIONS.

In this Act:

(1) CYBERSECURITY MISSION.—The term “cybersecurity mission” means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as such activities relate to the security and stability of cyberspace.

(2) INFORMATION SYSTEM.—The term “information system” has the meaning given that term in section 3502 of title 44, United States Code.

SEC. 3. [15 U.S.C. 7422] NO REGULATORY AUTHORITY.

Nothing in this Act shall be construed to confer any regulatory authority on any Federal, State, tribal, or local department or agency.

SEC. 4. [15 U.S.C. 7423] NO ADDITIONAL FUNDS AUTHORIZED.

No additional funds are authorized to carry out this Act, and the amendments made by this Act. This Act, and the amendments made by this Act, shall be carried out using amounts otherwise authorized or appropriated.

TITLE I—PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

SEC. 101. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY.

(a) CYBERSECURITY.—Section 2(c) of the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) is amended—

(1) by redesignating paragraphs (15) through (22) as paragraphs (16) through (23), respectively; and

(2) by inserting after paragraph (14) the following:

“(15) on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure (as defined under subsection (e));”.

(b) SCOPE AND LIMITATIONS.—Section 2 of the National Institute of Standards and Technology Act (15 U.S.C. 272) is amended by adding at the end the following:

“(e) CYBER RISKS.—

“(1) IN GENERAL.—In carrying out the activities under subsection (c)(15), the Director—

“(A) shall—

“(i) coordinate closely and regularly with relevant private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations, including Sector Coordinating Councils and Information Sharing and Analysis Centers, and incorporate industry expertise;

“(ii) consult with the heads of agencies with national security responsibilities, sector-specific agencies and other appropriate agencies, State and local governments, the governments of other nations, and international organizations;

“(iii) identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks;

“(iv) include methodologies—

“(I) to identify and mitigate impacts of the cybersecurity measures or controls on business confidentiality; and

“(II) to protect individual privacy and civil liberties;

“(v) incorporate voluntary consensus standards and industry best practices;

“(vi) align with voluntary international standards to the fullest extent possible;

“(vii) prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes; and

“(viii) include such other similar and consistent elements as the Director considers necessary; and

“(B) shall not prescribe or otherwise require—

“(i) the use of specific solutions;

“(ii) the use of specific information or communications technology products or services; or

“(iii) that information or communications technology products or services be designed, developed, or manufactured in a particular manner.

“(2) LIMITATION.—Information shared with or provided to the Institute for the purpose of the activities described under subsection (c)(15) shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity. Nothing in this paragraph shall be construed to modify any regulatory requirement to report or submit information to a Federal, State, tribal, or local department or agency.

“(3) DEFINITIONS.—In this subsection:

“(A) CRITICAL INFRASTRUCTURE.—The term ‘critical infrastructure’ has the meaning given the term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).

“(B) SECTOR-SPECIFIC AGENCY.—The term ‘sector-specific agency’ means the Federal department or agency responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.”.

(c) STUDY AND REPORTS.—

(1) STUDY.—The Comptroller General of the United States shall conduct a study that assesses—

(A) the progress made by the Director of the National Institute of Standards and Technology in facilitating the development of standards and procedures to reduce cyber risks to critical infrastructure in accordance with section 2(c)(15) of the National Institute of Standards and Technology Act, as added by this section;

(B) the extent to which the Director’s facilitation efforts are consistent with the directive in such section that the development of such standards and procedures be voluntary and led by industry representatives;

(C) the extent to which other Federal agencies have promoted and sectors of critical infrastructure (as defined in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e))) have adopted a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure in accordance with such section 2(c)(15);

(D) the reasons behind the decisions of sectors of critical infrastructure (as defined in subparagraph (C)) to adopt or to not adopt the voluntary standards described in subparagraph (C); and

(E) the extent to which such voluntary standards have proved successful in protecting critical infrastructure from cyber threats.

(2) REPORTS.—Not later than 1 year after the date of the enactment of this Act, and every 2 years thereafter for the following 6 years, the Comptroller General shall submit a report, which summarizes the findings of the study conducted under paragraph (1), to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.

TITLE II—CYBERSECURITY RESEARCH AND DEVELOPMENT

SEC. 201. [15 U.S.C. 7431] FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

(a) FUNDAMENTAL CYBERSECURITY RESEARCH.—

(1) FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT STRATEGIC PLAN.—The heads of the applicable agencies and departments, working through the National Science and Technology Council and the Networking and Information Technology Research and Development Program, shall develop and update every 4 years a Federal cybersecurity research and development strategic plan (referred to in this subsection as the “strategic plan”) based on an assessment of cybersecurity risk to guide the overall direction of Federal cybersecurity and information assurance research and development for information technology and networking systems. The heads of the applicable agencies and departments shall build upon existing programs and plans to develop the strategic plan to meet objectives in cybersecurity, such as—

(A) how to design and build complex software-intensive systems that are secure and reliable when first deployed;

(B) how to test and verify that software and hardware, whether developed locally or obtained from a third party, is free of significant known security flaws;

(C) how to test and verify that software and hardware obtained from a third party correctly implements stated functionality, and only that functionality;

(D) how to guarantee the privacy of an individual, including that individual’s identity, information, and lawful transactions when stored in distributed systems or transmitted over networks;

(E) how to build new protocols to enable the Internet to have robust security as one of the key capabilities of the Internet;

(F) how to determine the origin of a message transmitted over the Internet;

(G) how to support privacy in conjunction with improved security;

(H) how to address the problem of insider threats;

(I) how improved consumer education and digital literacy initiatives can address human factors that contribute to cybersecurity;

(J) how to protect information processed, transmitted, or stored using cloud computing or transmitted through wireless services;

(K) implementation of section 205 through research and development on the topics identified under subsection (a) of such section; and

(L) any additional objectives the heads of the applicable agencies and departments, in coordination with the head of any relevant Federal agency and with input from stakeholders, including appropriate national laboratories, industry, and academia, determine appropriate.

(2) REQUIREMENTS.—

(A) CONTENTS OF PLAN.—The strategic plan shall—

(i) specify and prioritize near-term, mid-term, and long-term research objectives, including objectives associated with the research identified in section 4(a)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(1));

(ii) specify how the near-term objectives described in clause (i) complement research and development areas in which the private sector is actively engaged;

(iii) describe how the heads of the applicable agencies and departments will focus on innovative, transformational technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure, and to protect consumer privacy;

(iv) describe how the heads of the applicable agencies and departments will foster the rapid transfer of research and development results into new cybersecurity technologies and applications for the timely benefit of society and the national interest, including through the dissemination of best practices and other outreach activities;

(v) describe how the heads of the applicable agencies and departments will establish and maintain a national research infrastructure for creating, testing, and evaluating the next generation of secure networking and information technology systems; and

(vi) describe how the heads of the applicable agencies and departments will facilitate access by academic researchers to the infrastructure described in clause (v), as well as to relevant data, including event data.

(B) PRIVATE SECTOR EFFORTS.—In developing, implementing, and updating the strategic plan, the heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall work in close cooperation with industry, academia, and other interested stakeholders to ensure, to the extent possible, that Federal cybersecurity research and development is not duplicative of private sector efforts.

(C) RECOMMENDATIONS.—In developing and updating the strategic plan the heads of the applicable agencies and departments shall solicit recommendations and advice from—

(i) the advisory committee established under section 101(b)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(b)(1)); and

(ii) a wide range of stakeholders, including industry, academia, including representatives of minority serving institutions and community colleges, National Laboratories, and other relevant organizations and institutions.

(D) IMPLEMENTATION ROADMAP.—The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall develop and annually update an implementation roadmap for the strategic plan. The implementation roadmap shall—

(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated;


(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year;

(iii) estimate the funding required for each major research objective of the strategic plan for the following 3 fiscal years; and

(iv) track ongoing and completed Federal cybersecurity research and development projects.

(3) REPORTS TO CONGRESS.—The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives—

(A) the strategic plan not later than 1 year after the date of enactment of this Act;

(B) each quadrennial update to the strategic plan; and

(C) the implementation roadmap under subparagraph (D), and its annual updates, which shall be appended to the annual report required under section 101(a)(2)(D) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(2)(D)).

(4) DEFINITION OF APPLICABLE AGENCIES AND DEPARTMENTS.—In this subsection, the term “applicable agencies and departments” means the agencies and departments identified in clauses (i) through (xi) of section 101(a)(3)(B) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)(B)) or designated under clause (xii) of that section.

(b) CYBERSECURITY PRACTICES RESEARCH.—The Director of the National Science Foundation shall support research that—

(1) develops, evaluates, disseminates, and integrates new cybersecurity practices and concepts into the core curriculum of computer science programs and of other programs where graduates of such programs have a substantial probability of developing software after graduation, including new practices and concepts relating to secure coding education and improvement programs; and

(2) develops new models for professional development of faculty in cybersecurity education, including secure coding development.

(c) CYBERSECURITY MODELING AND TEST BEDS.—

(1) REVIEW.—Not later than 1 year after the date of enactment of this Act, the Director of the National Science Foundation, in coordination with the Director of the Office of Science and Technology Policy, shall conduct a review of cybersecurity test beds in existence on the date of enactment of this Act to inform the grants under paragraph (2). The review shall include an assessment of whether a sufficient number of cybersecurity test beds are available to meet the research needs under the Federal cybersecurity research and development strategic plan. Upon completion, the Director shall submit the review to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.

(2) ADDITIONAL CYBERSECURITY MODELING AND TEST BEDS.—

(A) IN GENERAL.—If the Director of the National Science Foundation, after the review under paragraph (1), determines that the research needs under the Federal cybersecurity research and development strategic plan require the establishment of additional cybersecurity test beds, the Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, may award grants to institutions of higher education or research and development non-profit institutions to establish cybersecurity test beds.

(B) REQUIREMENT.—The cybersecurity test beds under subparagraph (A) shall be sufficiently robust in order to model the scale and complexity of real-time cyber attacks and defenses on real world networks and environments.

(C) ASSESSMENT REQUIRED.—The Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, shall evaluate the effectiveness of any grants awarded under this subsection in meeting the objectives of the Federal cybersecurity research and development strategic plan not later than 2 years after the review under paragraph (1) of this subsection, and periodically thereafter.

(d) COORDINATION WITH OTHER RESEARCH INITIATIVES.—In accordance with the responsibilities under section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511), the Director of the Office of Science and Technology Policy shall coordinate, to the extent practicable, Federal research and development activities under this section with other ongoing research and development security-related initiatives, including research being conducted by—

(1) the National Science Foundation;
(2) the National Institute of Standards and Technology;
(3) the Department of Homeland Security;
(4) other Federal agencies;
(5) other Federal and private research laboratories, research entities, and universities;
(6) institutions of higher education;
(7) relevant nonprofit organizations; and
(8) international partners of the United States.

(e) NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK SECURITY RESEARCH GRANT AREAS.—Section 4(a)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(1)) is amended—

(1) in subparagraph (H), by striking “and” at the end;
(2) in subparagraph (I), by striking the period at the end and inserting a semicolon; and
(3) by adding at the end the following:

“(J) secure fundamental protocols that are integral to inter-network communications and data exchange;

“(K) secure software engineering and software assurance, including—


“(i) programming languages and systems that include fundamental security features;
“(ii) portable or reusable code that remains secure when deployed in various environments;
“(iii) verification and validation technologies to ensure that requirements and specifications have been implemented; and
“(iv) models for comparison and metrics to assure that required standards have been met;

“(L) holistic system security that—
“(i) addresses the building of secure systems from trusted and untrusted components;
“(ii) proactively reduces vulnerabilities;
“(iii) addresses insider threats; and
“(iv) supports privacy in conjunction with improved security;

“(M) monitoring and detection;
“(N) mitigation and rapid recovery methods;
“(O) security of wireless networks and mobile devices; and
“(P) security of cloud infrastructure and services.”.

(f) RESEARCH ON THE SCIENCE OF CYBERSECURITY.—The head of each agency and department identified under section 101(a)(3)(B) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(a)(3)(B)), through existing programs and activities, shall support research that will lead to the development of a scientific foundation for the field of cybersecurity, including research that increases understanding of the underlying principles of securing complex networked systems, enables repeatable experimentation, and creates quantifiable security metrics.

SEC. 202. COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.

Section 4(b) of the Cyber Security Research and Development Act (15 U.S.C. 7403(b)) is amended—

(1) in paragraph (3), by striking “the research areas” and inserting the following: “improving the security and resiliency of information technology, reducing cyber vulnerabilities, and anticipating and mitigating consequences of cyber attacks on critical infrastructure, by conducting research in the areas”;

(2) by striking “the center” in paragraph (4)(D) and inserting “the Center”; and

(3) in paragraph (5)—

(A) by striking “and” at the end of subparagraph (C);
(B) by striking the period at the end of subparagraph (D) and inserting a semicolon; and
(C) by adding at the end the following:

“(E) the demonstrated capability of the applicant to conduct high performance computation integral to complex computer and network security research, through on-site or off-site computing;

“(F) the applicant’s affiliation with private sector entities involved with industrial research described in subsection (a)(1);


“(G) the capability of the applicant to conduct research in a secure environment;

“(H) the applicant’s affiliation with existing research programs of the Federal Government;

“(I) the applicant’s experience managing public-private partnerships to transition new technologies into a commercial setting or the government user community;

“(J) the capability of the applicant to conduct interdisciplinary cybersecurity research, basic and applied, such as in law, economics, or behavioral sciences; and

“(K) the capability of the applicant to conduct research in areas such as systems security, wireless security, networking and protocols, formal methods and high-performance computing, nanotechnology, or industrial control systems.”.

SEC. 203. CYBERSECURITY AUTOMATION AND CHECKLISTS FOR GOVERNMENT SYSTEMS.

Section 8(c) of the Cyber Security Research and Development Act (15 U.S.C. 7406(c)) is amended to read as follows:

“(c) SECURITY AUTOMATION AND CHECKLISTS FOR GOVERNMENT SYSTEMS.—

“(1) IN GENERAL.—The Director of the National Institute of Standards and Technology shall, as necessary, develop and revise security automation standards, associated reference materials (including protocols), and checklists providing settings and option selections that minimize the security risks associated with each information technology hardware or software system and security tool that is, or is likely to become, widely used within the Federal Government, thereby enabling standardized and interoperable technologies, architectures, and frameworks for continuous monitoring of information security within the Federal Government.

“(2) PRIORITIES FOR DEVELOPMENT.—The Director of the National Institute of Standards and Technology shall establish priorities for the development of standards, reference materials, and checklists under this subsection on the basis of—

“(A) the security risks associated with the use of the system;

“(B) the number of agencies that use a particular system or security tool;

“(C) the usefulness of the standards, reference materials, or checklists to Federal agencies that are users or potential users of the system;

“(D) the effectiveness of the associated standard, reference material, or checklist in creating or enabling continuous monitoring of information security; or

“(E) such other factors as the Director of the National Institute of Standards and Technology determines to be appropriate.

“(3) EXCLUDED SYSTEMS.—The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any information technology hardware or software system or security tool for which such Director determines that the development of a standard, reference material, or checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the lack of utility or impracticability of developing a standard, reference material, or checklist for the system.

“(4) DISSEMINATION OF STANDARDS AND RELATED MATERIALS.—The Director of the National Institute of Standards and Technology shall ensure that Federal agencies are informed of the availability of any standard, reference material, checklist, or other item developed under this subsection.

“(5) AGENCY USE REQUIREMENTS.—The development of standards, reference materials, and checklists under paragraph (1) for an information technology hardware or software system or tool does not—

“(A) require any Federal agency to select the specific settings or options recommended by the standard, reference material, or checklist for the system;

“(B) establish conditions or prerequisites for Federal agency procurement or deployment of any such system;

“(C) imply an endorsement of any such system by the Director of the National Institute of Standards and Technology; or

“(D) preclude any Federal agency from procuring or deploying other information technology hardware or software systems for which no such standard, reference material, or checklist has been developed or identified under paragraph (1).”.

SEC. 204. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY RESEARCH AND DEVELOPMENT.

Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended—

(1) by redesignating subsection (e) as subsection (f); and
(2) by inserting after subsection (d) the following:

“(e) INTRAMURAL SECURITY RESEARCH.—As part of the research activities conducted in accordance with subsection (d)(3), the Institute shall, to the extent practicable and appropriate—

“(1) conduct a research program to develop a unifying and standardized identity, privilege, and access control management framework for the execution of a wide variety of resource protection policies and that is amenable to implementation within a wide variety of existing and emerging computing environments;

“(2) carry out research associated with improving the security of information systems and networks;

“(3) carry out research associated with improving the testing, measurement, usability, and assurance of information systems and networks;

“(4) carry out research associated with improving security of industrial control systems;

“(5) carry out research associated with improving the security and integrity of the information technology supply chain; and

“(6) carry out any additional research the Institute determines appropriate.”.


SEC. 205. [15 U.S.C. 7432] NATIONAL CYBERSECURITY CHALLENGES.

(a) ESTABLISHMENT OF NATIONAL CYBERSECURITY CHALLENGES.—

(1) IN GENERAL.—To achieve high-priority breakthroughs in cybersecurity by 2028, the Secretary of Commerce shall establish the following national cybersecurity challenges:

(A) ECONOMICS OF A CYBER ATTACK.—Building more resilient systems that measurably and exponentially raise adversary costs of carrying out common cyber attacks.

(B) CYBER TRAINING.—

(i) Empowering the people of the United States with an appropriate and measurably sufficient level of digital literacy to make safe and secure decisions online.

(ii) Developing a cybersecurity workforce with measurable skills to protect and maintain information systems.

(C) EMERGING TECHNOLOGY.—Advancing cybersecurity efforts in response to emerging technology, such as artificial intelligence, quantum science, next generation communications, autonomy, data science, and computational technologies.

(D) REIMAGINING DIGITAL IDENTITY.—Maintaining a high sense of usability while improving the privacy, security, and safety of online activity of individuals in the United States.

(E) FEDERAL AGENCY RESILIENCE.—Reducing cybersecurity risks to Federal networks and systems, and improving the response of Federal agencies to cybersecurity incidents on such networks and systems.

(2) COORDINATION.—In establishing the challenges under paragraph (1), the Secretary shall coordinate with the Secretary of Homeland Security on the challenges under subparagraphs (B) and (E) of such paragraph.

(b) PURSUIT OF NATIONAL CYBERSECURITY CHALLENGES.—

(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this section, the Secretary, acting through the Under Secretary of Commerce for Standards and Technology, shall commence efforts to pursue the national cybersecurity challenges established under subsection (a).

(2) COMPETITIONS.—The efforts required by paragraph (1) shall include carrying out programs to award prizes, including cash and noncash prizes, competitively pursuant to the authorities and processes established under section 24 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3719) or any other applicable provision of law.

(3) ADDITIONAL AUTHORITIES.—In carrying out paragraph (1), the Secretary may enter into and perform such other transactions as the Secretary considers necessary and on such terms as the Secretary considers appropriate.

(4) COORDINATION.—In pursuing national cybersecurity challenges under paragraph (1), the Secretary shall coordinate with the following:

(A) The Director of the National Science Foundation.


(B) The Secretary of Homeland Security.

(C) The Director of the Defense Advanced Research Projects Agency.

(D) The Director of the Office of Science and Technology Policy.

(E) The Director of the Office of Management and Budget.

(F) The Administrator of the General Services Administration.

(G) The Federal Trade Commission.

(H) The heads of such other Federal agencies as the Secretary of Commerce considers appropriate for purposes of this section.

(5) SOLICITATION OF ACCEPTANCE OF FUNDS.—

(A) IN GENERAL.—Pursuant to section 24 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3719), the Secretary shall request and accept funds from other Federal agencies, State, United States territory, local, or Tribal government agencies, private sector for-profit entities, and nonprofit entities to support efforts to pursue a national cybersecurity challenge under this section.

(B) RULE OF CONSTRUCTION.—Nothing in subparagraph (A) may be construed to require any person or entity to provide funds or otherwise participate in an effort or competition under this section.

(c) RECOMMENDATIONS.—

(1) IN GENERAL.—In carrying out this section, the Secretary of Commerce shall designate an advisory council to seek recommendations.

(2) ELEMENTS.—The recommendations required by paragraph (1) shall include the following:

(A) A scope for efforts carried out under subsection (b).

(B) Metrics to assess submissions for prizes under competitions carried out under subsection (b) as the submissions pertain to the national cybersecurity challenges established under subsection (a).

(3) NO ADDITIONAL COMPENSATION.—The Secretary may not provide any additional compensation, except for travel expenses, to a member of the advisory council designated under paragraph (1) for participation in the advisory council.

TITLE III—EDUCATION AND WORKFORCE DEVELOPMENT

SEC. 301. [15 U.S.C. 7441] CYBERSECURITY COMPETITIONS AND CHALLENGES.

(a) IN GENERAL.—The Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security, in consultation with the Director of the Office of Personnel Management, shall—

(1) support competitions and challenges under section 24 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3719) (as amended by section 105 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 3989)) or any other provision of law, as appropriate—

(A) to identify, develop, and recruit talented individuals to perform duties relating to the security of information technology in Federal, State, local, and tribal government agencies, and the private sector; or

(B) to stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that has the potential for application to the information technology activities of the Federal Government; and

(2) ensure the effective operation of the competitions and challenges under this section.

(b) PARTICIPATION.—Participants in the competitions and challenges under subsection (a)(1) may include—

(1) students enrolled in grades 9 through 12;

(2) students enrolled in a postsecondary program of study leading to a baccalaureate degree at an institution of higher education;

(3) students enrolled in a postbaccalaureate program of study at an institution of higher education;

(4) institutions of higher education and research institutions;

(5) veterans; and

(6) other groups or individuals that the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security determine appropriate.

(c) AFFILIATION AND COOPERATIVE AGREEMENTS.—Competitions and challenges under this section may be carried out through affiliation and cooperative agreements with—

(1) Federal agencies;

(2) regional, State, or school programs supporting the development of cyber professionals;

(3) State, local, and tribal governments; or

(4) other private sector organizations.

(d) AREAS OF SKILL.—Competitions and challenges under subsection (a)(1)(A) shall be designed to identify, develop, and recruit exceptional talent relating to—

(1) ethical hacking;

(2) penetration testing;

(3) vulnerability assessment;

(4) continuity of system operations;

(5) security in design;

(6) cyber forensics;

(7) offensive and defensive cyber operations; and

(8) other areas the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security consider necessary to fulfill the cybersecurity mission.

(e) TOPICS.—In selecting topics for competitions and challenges under subsection (a)(1), the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security—


(1) shall consult widely both within and outside the Federal Government; and

(2) may empanel advisory committees.

(f) INTERNSHIPS.—The Director of the Office of Personnel Management may support, as appropriate, internships or other work experience in the Federal Government to the winners of the competitions and challenges under this section.

SEC. 302. [15 U.S.C. 7442] FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

(a) IN GENERAL.—The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management and Secretary of Homeland Security, shall continue a Federal cyber scholarship-for-service program to recruit and train the next generation of information technology professionals, industrial control system security professionals, and security managers to meet the needs of the cybersecurity mission for Federal, State, local, and tribal governments.

(b) PROGRAM DESCRIPTION AND COMPONENTS.—The Federal Cyber Scholarship-for-Service Program shall—

(1) provide scholarships through qualified institutions of higher education, including community colleges, to students who are enrolled in programs of study at institutions of higher education leading to degrees or specialized program certifications in the cybersecurity field and cybersecurity-related aspects of other related fields as appropriate, including artificial intelligence, quantum computing and aerospace;

(2) provide the scholarship recipients with summer internship opportunities or other meaningful temporary appointments in the Federal information technology and cybersecurity workforce;

(3) prioritize the placement of scholarship recipients fulfilling the post-award employment obligation under this section to ensure that—

(A) not less than 70 percent of such recipients are placed in an executive agency (as defined in section 105 of title 5, United States Code);

(B) not more than 10 percent of such recipients are placed as educators in the field of cybersecurity at qualified institutions of higher education that provide scholarships under this section; and

(C) not more than 20 percent of such recipients are placed in positions described in paragraphs (2) through (5) of subsection (d); and

(4) provide awards to improve cybersecurity education, including by seeking to provide awards in coordination with other relevant agencies for summer cybersecurity camp or other experiences, including teacher training, in each of the 50 States, at the kindergarten through grade 12 level—

(A) to increase interest in cybersecurity careers;

(B) to help students practice correct and safe online behavior and understand the foundational principles of cybersecurity;


(C) to improve teaching methods for delivering cybersecurity content for kindergarten through grade 12 computer science curricula; and

(D) to promote teacher recruitment in the field of cybersecurity.

(c) SCHOLARSHIP AMOUNTS.—Each scholarship under subsection (b) shall be in an amount that covers the student’s tuition and fees at the institution under subsection (b)(1) for not more than 3 years and provides the student with an additional stipend.

(d) POST-AWARD EMPLOYMENT OBLIGATIONS.—Each scholarship recipient, as a condition of receiving a scholarship under the program, shall enter into an agreement under which the recipient agrees to work for a period equal to the length of the scholarship, following receipt of the student’s degree, in the cybersecurity mission of—

(1) an executive agency (as defined in section 105 of title 5, United States Code);

(2) Congress, including any agency, entity, office, or commission established in the legislative branch;

(3) an interstate agency;

(4) a State, local, or Tribal government;

(5) a State, local, or Tribal government-affiliated non-profit that is considered to be critical infrastructure (as defined in section 1016(e) of the USA Patriot Act (42 U.S.C. 5195c(e)); or

(6) as provided by subsection (b)(3)(B), a qualified institution of higher education.

(e) HIRING AUTHORITY.—

(1) APPOINTMENT IN EXCEPTED SERVICE.—Notwithstanding any provision of chapter 33 of title 5, United States Code, governing appointments in the competitive service, an agency shall appoint in the excepted service an individual who has completed the eligible degree program for which a scholarship was awarded.

(2) NONCOMPETITIVE CONVERSION.—Except as provided in paragraph (4), upon fulfillment of the service term, an employee appointed under paragraph (1) may be converted noncompetitively to term, career-conditional or career appointment.

(3) TIMING OF CONVERSION.—An agency may noncompetitively convert a term employee appointed under paragraph (2) to a career-conditional or career appointment before the term appointment expires.

(4) AUTHORITY TO DECLINE CONVERSION.—An agency may decline to make the noncompetitive conversion or appointment under paragraph (2) for cause.

(f) ELIGIBILITY.—To be eligible to receive a scholarship under this section, an individual shall—

(1) be a citizen or lawful permanent resident of the United States;

(2) demonstrate a commitment to a career in improving the security of information technology;

(3) have demonstrated a high level of competency in relevant knowledge, skills, and abilities, as defined by the national cybersecurity awareness and education program under section 303;

(4) be a full-time student in an eligible degree program at a qualified institution of higher education, as determined by the Director of the National Science Foundation, except that in the case of a student who is enrolled in a community college, be a student pursuing a degree on a less than full-time basis, but not less than half-time basis;

(5) enter into an agreement accepting and acknowledging the post award employment obligations, pursuant to section (d);

(6) accept and acknowledge the conditions of support under section (g); and

(7) accept all terms and conditions of a scholarship under this section.

(g) CONDITIONS OF SUPPORT.—

(1) IN GENERAL.—As a condition of receiving a scholarship under this section, a recipient shall agree to provide the Office of Personnel Management (in coordination with the National Science Foundation) and the qualified institution of higher education with annual verifiable documentation of post-award employment and up-to-date contact information.

(2) TERMS.—A scholarship recipient under this section shall be liable to the United States as provided in subsection (i) if the individual—

(A) fails to maintain an acceptable level of academic standing at the applicable institution of higher education, as determined by the Director of the National Science Foundation;

(B) is dismissed from the applicable institution of higher education for disciplinary reasons;

(C) withdraws from the eligible degree program before completing the program;

(D) declares that the individual does not intend to fulfill the post-award employment obligation under this section;

(E) fails to maintain or fulfill any of the post-graduation or post-award obligations or requirements of the individual; or

(F) fails to fulfill the requirements of paragraph (1).

(h) MONITORING COMPLIANCE.—As a condition of participating in the program, a qualified institution of higher education shall—

(1) enter into an agreement with the Director of the National Science Foundation, to monitor the compliance of scholarship recipients with respect to their post-award employment obligations; and

(2) provide to the Director of the National Science Foundation and the Director of the Office of Personnel Management, on an annual basis, the post-award employment documentation required under subsection (g)(1) for scholarship recipients through the completion of their post-award employment obligations.

(i) AMOUNT OF REPAYMENT.—


(1) LESS THAN 1 YEAR OF SERVICE.—If a circumstance described in subsection (g)(2) occurs before the completion of 1 year of a post-award employment obligation under this section, the total amount of scholarship awards received by the individual under this section shall—

(A) be repaid; or

(B) be treated as a loan to be repaid in accordance with subsection (j).

(2) 1 OR MORE YEARS OF SERVICE.—If a circumstance described in subparagraph (D) or (E) of subsection (g)(2) occurs after the completion of 1 or more years of a post-award employment obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall—

(A) be repaid; or

(B) be treated as a loan to be repaid in accordance with subsection (j).

(j) REPAYMENTS.—A loan described in subsection (i) shall—

(1) be treated as a Federal Direct Unsubsidized Stafford Loan under part D of title IV of the Higher Education Act of 1965 (20 U.S.C. 1087a et seq.); and

(2) be subject to repayment, together with interest thereon accruing from the date of the scholarship award, in accordance with terms and conditions specified by the Director of the National Science Foundation (in consultation with the Secretary of Education) in regulations promulgated to carry out this subsection.

(k) COLLECTION OF REPAYMENT.—

(1) IN GENERAL.—In the event that a scholarship recipient is required to repay the scholarship award under this section, the qualified institution of higher education providing the scholarship shall—

(A) determine the repayment amounts and notify the recipient, the Director of the National Science Foundation, and the Director of the Office of Personnel Management of the amounts owed; and

(B) collect the repayment amounts within a period of time as determined by the Director of the National Science Foundation, or the repayment amounts shall be treated as a loan in accordance with subsection (j).

(2) RETURNED TO TREASURY.—Except as provided in paragraph (3), any repayment under this subsection shall be returned to the Treasury of the United States.

(3) RETAIN PERCENTAGE.—A qualified institution of higher education may retain a percentage of any repayment the institution collects under this subsection to defray administrative costs associated with the collection. The Director of the National Science Foundation shall establish a single, fixed percentage that will apply to all eligible entities.

(l) EXCEPTIONS.—The Director of the National Science Foundation may provide for the partial or total waiver or suspension of any service or payment obligation by an individual under this section whenever compliance by the individual with the obligation is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable.

[Footnote 1: Two periods are so in law. See amendment made by section 9404(5) of Public Law 116–283.]

(m) PUBLIC INFORMATION.—

(1) EVALUATION.—The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, shall periodically evaluate and make public, in a manner that protects the personally identifiable information of scholarship recipients, information on the success of recruiting individuals for scholarships under this section and on hiring and retaining those individuals in the public sector cybersecurity workforce, including information on—

(A) placement rates;

(B) where students are placed, including job titles and descriptions;

(C) salary ranges for students not released from obligations under this section;

(D) how long after graduation students are placed;

(E) how long students stay in the positions they enter upon graduation;

(F) how many students are released from obligations; and

(G) what, if any, remedial training is required.

(2) REPORTS.—The Director of the National Science Foundation, in coordination with the Office of Personnel Management, shall submit, not less frequently than once every two years, to the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Science, Space, and Technology and the Committee on Oversight and Reform of the House of Representatives a report, including—

(A) the results of the evaluation under paragraph (1);

(B) the disparity in any reporting between scholarship recipients and their respective institutions of higher education; and

(C) any recent statistics regarding the size, composition, and educational requirements of the Federal cyber workforce.. [1]

(3) RESOURCES.—The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, shall provide consolidated and user-friendly online resources for prospective scholarship recipients, including, to the extent practicable—

(A) searchable, up-to-date, and accurate information about participating institutions of higher education and job opportunities related to the field of cybersecurity; and

(B) a modernized description of cybersecurity careers.

SEC. 303. [15 U.S.C. 7443] NATIONAL CYBERSECURITY AWARENESS AND EDUCATION PROGRAM.

(a) NATIONAL CYBERSECURITY AWARENESS AND EDUCATION PROGRAM.—The Director of the National Institute of Standards and Technology (referred to in this section as the ‘‘Director’’), in consultation with appropriate Federal agencies, industry, educational institutions, National Laboratories, the Networking and Information Technology Research and Development program, and other organizations shall continue to coordinate a national cybersecurity awareness and education program, that includes activities such as—

(1) the widespread dissemination of cybersecurity technical standards and best practices identified by the Director;

(2) efforts to make cybersecurity best practices usable by individuals, small to medium-sized businesses, educational institutions, and State, local, and tribal governments;

(3) increasing public awareness of cybersecurity, cyber safety, and cyber ethics;

(4) increasing the understanding of State, local, and tribal governments, institutions of higher education, and private sector entities of—

(A) the benefits of ensuring effective risk management of information technology versus the costs of failure to do so; and

(B) the methods to mitigate and remediate vulnerabilities;

(5) supporting formal cybersecurity education programs at all education levels to prepare and improve a skilled cybersecurity and computer science workforce for the private sector and Federal, State, local, and tribal government;

(6) supporting efforts to identify cybersecurity workforce skill gaps in public and private sectors;

(7) facilitating Federal programs to advance cybersecurity education, training, and workforce development;

(8) in coordination with the Department of Defense, the Department of Homeland Security, and other appropriate agencies, considering any specific needs of the cybersecurity workforce of critical infrastructure, including cyber physical systems and control systems;

(9) advising the Director of the Office of Management and Budget, as needed, in developing metrics to measure the effectiveness and effect of programs and initiatives to advance the cybersecurity workforce; and

(10) promoting initiatives to evaluate and forecast future cybersecurity workforce needs of the Federal Government and develop strategies for recruitment, training, and retention.

(b) CONSIDERATIONS.—In carrying out the authority described in subsection (a), the Director, in consultation with appropriate Federal agencies, shall leverage existing programs designed to inform the public of safety and security of products or services, including self-certifications and independently verified assessments regarding the quantification and valuation of information security risk.

(c) STRATEGIC PLAN.—

(1) IN GENERAL.—The Director, in cooperation with relevant Federal agencies and other stakeholders, shall build upon programs and plans in effect as of the date of enactment of this Act to develop and implement a strategic plan to guide Federal programs and activities in support of the national cybersecurity awareness and education program under subsection (a).

(2) REQUIREMENT.—The strategic plan developed and implemented under paragraph (1) shall include an indication of how the Director will carry out this section.

(d) REPORT.—Not later than 1 year after the date of enactment of this Act, and every 5 years thereafter, the Director shall transmit the strategic plan under subsection (c) to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.

(e) CYBERSECURITY METRICS.—In carrying out subsection (a), the Director of the Office of Management and Budget may seek input from the Director of the National Institute of Standards and Technology, in coordination with the Department of Homeland Security, the Department of Defense, the Office of Personnel Management, and such agencies as the Director of the National Institute of Standards and Technology considers relevant, to develop quantifiable metrics for evaluating Federally funded cybersecurity workforce programs and initiatives based on the outcomes of such programs and initiatives.

(f) REGIONAL ALLIANCES AND MULTISTAKEHOLDER PARTNERSHIPS.—

(1) IN GENERAL.—Pursuant to section 2(b)(4) of the National Institute of Standards and Technology Act (15 U.S.C. 272(b)(4)), the Director shall establish cooperative agreements between the National Initiative for Cybersecurity Education (NICE) of the Institute and regional alliances or partnerships for cybersecurity education and workforce.

(2) AGREEMENTS.—The cooperative agreements established under paragraph (1) shall advance the goals of the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NIST Special Publication 800–181), or successor framework, by facilitating local and regional partnerships to—

(A) identify the workforce needs of the local economy and classify such workforce in accordance with such framework;

(B) identify the education, training, apprenticeship, and other opportunities available in the local economy; and

(C) support opportunities to meet the needs of the local economy.

(3) FINANCIAL ASSISTANCE.—

(A) FINANCIAL ASSISTANCE AUTHORIZED.—The Director may award financial assistance to a regional alliance or partnership with whom the Director enters into a cooperative agreement under paragraph (1) in order to assist the regional alliance or partnership in carrying out the terms of the cooperative agreement.

(B) AMOUNT OF ASSISTANCE.—The aggregate amount of financial assistance awarded under subparagraph (A) per cooperative agreement shall not exceed $200,000.

(C) MATCHING REQUIREMENT.—The Director may not award financial assistance to a regional alliance or partnership under subparagraph (A) unless the regional alliance or partnership agrees that, with respect to the costs to be incurred by the regional alliance or partnership in carrying out the cooperative agreement for which the assistance was awarded, the regional alliance or partnership will make available (directly or through donations from public or private entities) non-Federal contributions, including in-kind contributions, in an amount equal to 50 percent of Federal funds provided under the award.

(4) APPLICATION.—

(A) IN GENERAL.—A regional alliance or partnership seeking to enter into a cooperative agreement under paragraph (1) and receive financial assistance under paragraph (3) shall submit to the Director an application therefore at such time, in such manner, and containing such information as the Director may require.

(B) REQUIREMENTS.—Each application submitted under subparagraph (A) shall include the following:

(i)(I) A plan to establish (or identification of, if it already exists) a multistakeholder workforce partnership that includes—

(aa) [2] at least one institution of higher education or nonprofit training organization; and

(bb) at least one local employer or owner or operator of critical infrastructure.

(II) Participation from academic institutions in the Federal Cyber Scholarships for Service Program, the National Centers of Academic Excellence in Cybersecurity Program, or advanced technological education programs, as well as elementary and secondary schools, training and certification providers, State and local governments, economic development organizations, or other community organizations is encouraged.

(ii) A description of how the workforce partnership would identify the workforce needs of the local economy.

(iii) A description of how the multistakeholder workforce partnership would leverage the programs and objectives of the National Initiative for Cybersecurity Education, such as the Cybersecurity Workforce Framework and the strategic plan of such initiative.

(iv) A description of how employers in the community will be recruited to support internships, externships, apprenticeships, or cooperative education programs in conjunction with providers of education and training. Inclusion of programs that seek to include veterans, Indian Tribes, and underrepresented groups, including women, minorities, persons from rural and underserved areas, and persons with disabilities is encouraged.

[Footnote 2: Margins for items (aa), (bb), and subclause (II) of subparagraph (B)(i)(I), as added by section 9401(f) of Public Law 116–283, are so in law.]


(v) A definition of the metrics to be used in determining the success of the efforts of the regional alliance or partnership under the agreement.

(C) PRIORITY CONSIDERATION.—In awarding financial assistance under paragraph (3)(A), the Director shall give priority consideration to a regional alliance or partnership that includes an institution of higher education that is designated as a National Center of Academic Excellence in Cybersecurity or which received an award under the Federal Cyber Scholarship for Service program located in the State or region of the regional alliance or partnership.

(5) AUDITS.—Each cooperative agreement for which financial assistance is awarded under paragraph (3) shall be subject to audit requirements under part 200 of title 2, Code of Federal Regulations (relating to uniform administrative requirements, cost principles, and audit requirements for Federal awards), or successor regulation.

(6) REPORTS.—

(A) IN GENERAL.—Upon completion of a cooperative agreement under paragraph (1), the regional alliance or partnership that participated in the agreement shall submit to the Director a report on the activities of the regional alliance or partnership under the agreement, which may include training and education outcomes.

(B) CONTENTS.—Each report submitted under subparagraph (A) by a regional alliance or partnership shall include the following:

(i) An assessment of efforts made by the regional alliance or partnership to carry out paragraph (2).

(ii) The metrics used by the regional alliance or partnership to measure the success of the efforts of the regional alliance or partnership under the cooperative agreement.

[Title IV of the Cybersecurity Enhancement Act of 2014 was repealed by section 9403(g)(2) of Public Law 116-283. Prior to the repeal, section 401 of such title was amended by such section 9403(a)–(f), redesignated as section 303 and transferred to the end of title III of such Act.]

TITLE V—ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

SEC. 501. [15 U.S.C. 7461] DEFINITIONS.

In this title:

(1) DIRECTOR.—The term ‘‘Director’’ means the Director of the National Institute of Standards and Technology.

(2) INSTITUTE.—The term ‘‘Institute’’ means the National Institute of Standards and Technology.

SEC. 502. [15 U.S.C. 7462] INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.

(a) IN GENERAL.—The Director, in coordination with appropriate Federal authorities, shall—


(1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and

(2) not later than 1 year after the date of enactment of this Act, develop and transmit to Congress a plan for ensuring such Federal agency coordination.

(b) CONSULTATION WITH THE PRIVATE SECTOR.—In carrying out the activities specified in subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders.

SEC. 503. [15 U.S.C. 7463] CLOUD COMPUTING STRATEGY.

(a) IN GENERAL.—The Director, in coordination with the Office of Management and Budget, in collaboration with the Federal Chief Information Officers Council, and in consultation with other relevant Federal agencies and stakeholders from the private sector, shall continue to develop and encourage the implementation of a comprehensive strategy for the use and adoption of cloud computing services by the Federal Government.

(b) ACTIVITIES.—In carrying out the strategy described under subsection (a), the Director shall give consideration to activities that—

(1) accelerate the development, in collaboration with the private sector, of standards that address interoperability and portability of cloud computing services;

(2) advance the development of conformance testing performed by the private sector in support of cloud computing standardization; and

(3) support, in coordination with the Office of Management and Budget, and in consultation with the private sector, the development of appropriate security frameworks and reference materials, and the identification of best practices, for use by Federal agencies to address security and privacy requirements to enable the use and adoption of cloud computing services, including activities—

(A) to ensure the physical security of cloud computing data centers and the data stored in such centers;

(B) to ensure secure access to the data stored in cloud computing data centers;

(C) to develop security standards as required under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3); and

(D) to support the development of the automation of continuous monitoring systems.

SEC. 504. [15 U.S.C. 7464] IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

(a) IN GENERAL.—The Director shall carry out a program of research to support the development of voluntary, consensus-based technical standards, best practices, benchmarks, methodologies, metrology, testbeds, and conformance criteria for identity management, taking into account appropriate user concerns to—

(1) improve interoperability and portability among identity management technologies;

(2) strengthen identity proofing and verification methods used in identity management systems commensurate with the level of risk, including identity and attribute validation services provided by Federal, State, and local governments;

(3) improve privacy protection in identity management systems; and

(4) improve the accuracy, usability, and inclusivity of identity management systems.

(b) DIGITAL IDENTITY TECHNICAL ROADMAP.—The Director, in consultation with other relevant Federal agencies and stakeholders from the private sector, shall develop and maintain a technical roadmap for digital identity management research and development focused on enabling the voluntary use and adoption of modern digital identity solutions that align with the four criteria in subsection (a).

(c) DIGITAL IDENTITY MANAGEMENT GUIDANCE.—

(1) IN GENERAL.—The Director shall develop, and periodically update, in collaboration with other public and private sector organizations, common definitions and voluntary guidance for digital identity management systems, including identity and attribute validation services provided by Federal, State, and local governments.

(2) GUIDANCE.—The Guidance shall—

(A) align with the four criteria in subsection (a), as practicable;

(B) provide case studies of implementation of guidance;

(C) incorporate voluntary technical standards and industry best practices; and

(D) not prescribe or otherwise require the use of specific technology products or services.

(3) CONSULTATION.—In carrying out this subsection, the Director shall consult with—

(A) Federal and State agencies;

(B) industry;

(C) potential end-users and individuals that will use services related to digital identity verification; and

(D) experts with relevant experience in the systems that enable digital identity verification, as determined by the Director.
