15 USC Ch. 100A: CYBERSECURITY ENHANCEMENT
From Title 15—COMMERCE AND TRADE

CHAPTER 100A—CYBERSECURITY ENHANCEMENT

Sec.
7421. Definitions.
7422. No regulatory authority.
7423. No additional funds authorized.

SUBCHAPTER I—CYBERSECURITY RESEARCH AND DEVELOPMENT

7431. Federal cybersecurity research and development.
7432. National cybersecurity challenges.

SUBCHAPTER II—EDUCATION AND WORKFORCE DEVELOPMENT

7441. Cybersecurity competitions and challenges.
7442. Federal Cyber Scholarship-for-Service Program.
7443. National cybersecurity awareness and education program.

SUBCHAPTER III—CYBERSECURITY AWARENESS AND PREPAREDNESS

7451. Transferred.

SUBCHAPTER IV—ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

7461. Definitions.
7462. International cybersecurity technical standards.
7463. Cloud computing strategy.
7464. Identity management research and development.

§7421. Definitions

In this chapter:

(1) Cybersecurity mission

The term "cybersecurity mission" means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as such activities relate to the security and stability of cyberspace.

(2) Information system

The term "information system" has the meaning given that term in section 3502 of title 44.

(Pub. L. 113–274, §2, Dec. 18, 2014, 128 Stat. 2971.)


Editorial Notes

References in Text

This chapter, referred to in text, was in the original "this Act", meaning Pub. L. 113–274, Dec. 18, 2014, 128 Stat. 2971, which is classified principally to this chapter. For complete classification of this Act to the Code, see Short Title note set out below and Tables.


Statutory Notes and Related Subsidiaries

Short Title

Pub. L. 113–274, §1(a), Dec. 18, 2014, 128 Stat. 2971, provided that: "This Act [enacting this chapter and amending sections 272, 278g–3, 7403, and 7406 of this title] may be cited as the 'Cybersecurity Enhancement Act of 2014'."


Executive Documents

Ex. Ord. No. 13984. Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities

Ex. Ord. No. 13984, Jan. 19, 2021, 86 F.R. 6837, provided:

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United States Code:

I, DONALD J. TRUMP, President of the United States of America, find that additional steps must be taken to deal with the national emergency related to significant malicious cyber-enabled activities declared in Executive Order 13694 of April 1, 2015 (Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities), as amended [50 U.S.C. 1701 note], to address the use of United States Infrastructure as a Service (IaaS) products by foreign malicious cyber actors. IaaS products provide persons the ability to run software and store data on servers offered for rent or lease without responsibility for the maintenance and operating costs of those servers. Foreign malicious cyber actors aim to harm the United States economy through the theft of intellectual property and sensitive data and to threaten national security by targeting United States critical infrastructure for malicious cyber-enabled activities. Foreign actors use United States IaaS products for a variety of tasks in carrying out malicious cyber-enabled activities, which makes it extremely difficult for United States officials to track and obtain information through legal process before these foreign actors transition to replacement infrastructure and destroy evidence of their prior activities; foreign resellers of United States IaaS products make it easier for foreign actors to access these products and evade detection. This order provides authority to impose record-keeping obligations with respect to foreign transactions. To address these threats, to deter foreign malicious cyber actors' use of United States IaaS products, and to assist in the investigation of transactions involving foreign malicious cyber actors, the United States must ensure that providers offering United States IaaS products verify the identity of persons obtaining an IaaS account ("Account") for the provision of these products and maintain records of those transactions. In appropriate circumstances, to further protect against malicious cyber-enabled activities, the United States must also limit certain foreign actors' access to United States IaaS products. Further, the United States must encourage more robust cooperation among United States IaaS providers, including by increasing voluntary information sharing, to bolster efforts to thwart the actions of foreign malicious cyber actors.

Accordingly, I hereby order:

Section 1. Verification of Identity. Within 180 days of the date of this order [Jan. 19, 2021], the Secretary of Commerce (Secretary) shall propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an Account. These regulations shall, at a minimum:

(a) set forth the minimum standards that United States IaaS providers must adopt to verify the identity of a foreign person in connection with the opening of an Account or the maintenance of an existing Account, including:

(i) the types of documentation and procedures required to verify the identity of any foreign person acting as a lessee or sub-lessee of these products or services;

(ii) records that United States IaaS providers must securely maintain regarding a foreign person that obtains an Account, including information establishing:

(A) the identity of such foreign person and the person's information, including name, national identification number, and address;

(B) means and source of payment (including any associated financial institution and other identifiers such as credit card number, account number, customer identifier, transaction identifiers, or virtual currency wallet or wallet address identifier);

(C) electronic mail address and telephonic contact information, used to verify a foreign person's identity; and

(D) Internet Protocol addresses used for access or administration and the date and time of each such access or administrative action, related to ongoing verification of such foreign person's ownership of such an Account; and

(iii) methods for limiting all third-party access to the information described in this subsection, except insofar as such access is otherwise consistent with this order and allowed under applicable law;

(b) take into consideration the type of Account maintained by United States IaaS providers, methods of opening an Account, and types of identifying information available to accomplish the objectives of identifying foreign malicious cyber actors using any such products and avoiding the imposition of an undue burden on such providers; and

(c) permit the Secretary, in accordance with such standards and procedures as the Secretary may delineate and in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, to exempt any United States IaaS provider, or any specific type of Account or lessee, from the requirements of any regulation issued pursuant to this section. Such standards and procedures may include a finding by the Secretary that a provider, Account, or lessee complies with security best practices to otherwise deter abuse of IaaS products.

Sec. 2. Special Measures for Certain Foreign Jurisdictions or Foreign Persons. (a) Within 180 days of the date of this order, the Secretary shall propose for notice and comment regulations that require United States IaaS providers to take any of the special measures described in subsection (d) of this section if the Secretary, in consultation with the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of National Intelligence and, as the Secretary deems appropriate, the heads of other executive departments and agencies (agencies), finds:

(i) that reasonable grounds exist for concluding that a foreign jurisdiction has any significant number of foreign persons offering United States IaaS products that are used for malicious cyber-enabled activities or any significant number of foreign persons directly obtaining United States IaaS products for use in malicious cyber-enabled activities, in accordance with subsection (b) of this section; or

(ii) that reasonable grounds exist for concluding that a foreign person has established a pattern of conduct of offering United States IaaS products that are used for malicious cyber-enabled activities or directly obtaining United States IaaS products for use in malicious cyber-enabled activities.

(b) In making findings under subsection (a) of this section on the use of United States IaaS products in malicious cyber-enabled activities, the Secretary shall consider any information the Secretary determines to be relevant, as well as information pertaining to the following factors:

(i) Factors related to a particular foreign jurisdiction, including:

(A) evidence that foreign malicious cyber actors have obtained United States IaaS products from persons offering United States IaaS products in that foreign jurisdiction, including whether such actors obtained such IaaS products through Reseller Accounts;

(B) the extent to which that foreign jurisdiction is a source of malicious cyber-enabled activities; and

(C) Whether [sic] the United States has a mutual legal assistance treaty with that foreign jurisdiction, and the experience of United States law enforcement officials and regulatory officials in obtaining information about activities involving United States IaaS products originating in or routed through such foreign jurisdiction; and

(ii) Factors related to a particular foreign person, including:

(A) the extent to which a foreign person uses United States IaaS products to conduct, facilitate, or promote malicious cyber-enabled activities;

(B) the extent to which United States IaaS products offered by a foreign person are used to facilitate or promote malicious cyber-enabled activities;

(C) the extent to which United States IaaS products offered by a foreign person are used for legitimate business purposes in the jurisdiction; and

(D) the extent to which actions short of the imposition of special measures pursuant to subsection (d) of this section are sufficient, with respect to transactions involving the foreign person offering United States IaaS products, to guard against malicious cyber-enabled activities.

(c) In selecting which special measure or measures to take under this section, the Secretary shall consider:

(i) whether the imposition of any special measure would create a significant competitive disadvantage, including any undue cost or burden associated with compliance, for United States IaaS providers;

(ii) the extent to which the imposition of any special measure or the timing of the special measure would have a significant adverse effect on legitimate business activities involving the particular foreign jurisdiction or foreign person; and

(iii) the effect of any special measure on United States national security, law enforcement investigations, or foreign policy.

(d) The special measures referred to in subsections (a), (b), and (c) of this section are as follows:

(i) Prohibitions or Conditions on Accounts within Certain Foreign Jurisdictions: The Secretary may prohibit or impose conditions on the opening or maintaining with any United States IaaS provider of an Account, including a Reseller Account, by any foreign person located in a foreign jurisdiction found to have any significant number of foreign persons offering United States IaaS products used for malicious cyber-enabled activities, or by any United States IaaS provider for or on behalf of a foreign person; and

(ii) Prohibitions or Conditions on Certain Foreign Persons: The Secretary may prohibit or impose conditions on the opening or maintaining in the United States of an Account, including a Reseller Account, by any United States IaaS provider for or on behalf of a foreign person, if such an Account involves any such foreign person found to be offering United States IaaS products used in malicious cyber-enabled activities or directly obtaining United States IaaS products for use in malicious cyber-enabled activities.

(e) The Secretary shall not impose requirements for United States IaaS providers to take any of the special measures described in subsection (d) of this section earlier than 180 days following the issuance of final regulations described in section 1 of this order.

Sec. 3. Recommendations for Cooperative Efforts to Deter the Abuse of United States IaaS Products. (a) Within 120 days of the date of this order, the Attorney General and the Secretary of Homeland Security, in coordination with the Secretary and, as the Attorney General and the Secretary of Homeland Security deem appropriate, the heads of other agencies, shall engage and solicit feedback from industry on how to increase information sharing and collaboration among IaaS providers and between IaaS providers and the agencies to inform recommendations under subsection (b) of this section.

(b) Within 240 days of the date of this order, the Attorney General and the Secretary of Homeland Security, in coordination with the Secretary, and, as the Attorney General and Secretary of Homeland Security deem appropriate, the heads of other agencies, shall develop and submit to the President a report containing recommendations to encourage:

(i) voluntary information sharing and collaboration, among United States IaaS providers; and

(ii) information sharing between United States IaaS providers and appropriate agencies, including the reporting of incidents, crimes, and other threats to national security, for the purpose of preventing further harm to the United States.

(c) The report and recommendations provided under subsection (b) of this section shall consider existing mechanisms for such sharing and collaboration, including the Cybersecurity Information Sharing Act [of 2015] (6 U.S.C. 1503 [probably should be "1501"] et seq.), and shall identify any gaps in current law, policy, or procedures. The report shall also include:

(i) information related to the operations of foreign malicious cyber actors, the means by which such actors use IaaS products within the United States, malicious capabilities and tradecraft, and the extent to which persons in the United States are compromised or unwittingly involved in such activity;

(ii) recommendations for liability protections beyond those in existing law that may be needed to encourage United States IaaS providers to share information among each other and with the United States Government; and

(iii) recommendations for facilitating the detection and identification of Accounts and activities that involve foreign malicious cyber actors.

Sec. 4. Ensuring Sufficient Resources for Implementation. The Secretary, in consultation with the heads of such agencies as the Secretary deems appropriate, shall identify funding requirements to support the efforts described in this order and incorporate such requirements into its annual budget submissions to the Office of Management and Budget.

Sec. 5. Definitions. For the purposes of this order, the following definitions apply:

(a) The term "entity" means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization;

(b) The term "foreign jurisdiction" means any country, subnational territory, or region, other than those subject to the civil or military jurisdiction of the United States, in which any person or group of persons exercises sovereign de facto or de jure authority, including any such country, subnational territory, or region in which a person or group of persons is assuming to exercise governmental authority whether such a person or group of persons has or has not been recognized by the United States;

(c) The term "foreign person" means a person that is not a United States person;

(d) The term "Infrastructure as a Service Account" or "Account" means a formal business relationship established to provide IaaS products to a person in which details of such transactions are recorded.

(e) The term "Infrastructure as a Service Product" means any product or service offered to a consumer, including complimentary or "trial" offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications. The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of "managed" products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and "unmanaged" products or services, in which the provider is only responsible for ensuring that the product is available to the consumer. The term is also inclusive of "virtualized" products and services, in which the computing resources of a physical machine are split between virtualized computers accessible over the internet (e.g., "virtual private servers"), and "dedicated" products or services in which the total computing resources of a physical machine are provided to a single person (e.g., "bare-metal" servers);

(f) The term "malicious cyber-enabled activities" refers to activities, other than those authorized by or in accordance with United States law that seek to compromise or impair the confidentiality, integrity, or availability of computer, information, or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon;

(g) The term "person" means an individual or entity;

(h) The term "Reseller Account" means an Infrastructure as a Service Account established to provide IaaS products to a person who will then offer those products subsequently, in whole or in part, to a third party.

(i) The term "United States Infrastructure as a Service Product" means any Infrastructure as a Service Product owned by any United States person or operated within the territory of the United States of America;

(j) The term "United States Infrastructure as a Service Provider" means any United States Person that offers any Infrastructure as a Service Product;

(k) The term "United States person" means any United States citizen, lawful permanent resident of the United States as defined by the Immigration and Nationality Act, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person located in the United States;

Sec. 6. Amendment to Reporting Authorizations. [Amended Ex. Ord. No. 13694, listed in a table under section 1701 of Title 50, War and National Defense.]

Sec. 7. General Provisions. (a) The Secretary, in consultation with the heads of such other agencies as the Secretary deems appropriate, is hereby authorized to take such actions, including the promulgation of rules and regulations, and employ all powers granted to the President by IEEPA as may be necessary to carry out the purposes of this order. The Secretary may redelegate any of these functions to other officers within the Department of Commerce, consistent with applicable law. All departments and agencies of the United States Government are hereby directed to take all appropriate measures within their authority to carry out the provisions of this order.

(b) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to an executive department or agency, or the head thereof; or

(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.

(c) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(d) Nothing in this order prohibits or otherwise restricts authorized intelligence, military, law enforcement, or other activities in furtherance of national security or public safety activities.

(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Donald J. Trump.

§7422. No regulatory authority

Nothing in this chapter shall be construed to confer any regulatory authority on any Federal, State, tribal, or local department or agency.

(Pub. L. 113–274, §3, Dec. 18, 2014, 128 Stat. 2972.)


Editorial Notes

References in Text

This chapter, referred to in text, was in the original "this Act", meaning Pub. L. 113–274, Dec. 18, 2014, 128 Stat. 2971, which is classified principally to this chapter. For complete classification of this Act to the Code, see Short Title note set out under section 7421 of this title and Tables.

§7423. No additional funds authorized

No additional funds are authorized to carry out this Act, and the amendments made by this Act. This Act, and the amendments made by this Act, shall be carried out using amounts otherwise authorized or appropriated.

(Pub. L. 113–274, §4, Dec. 18, 2014, 128 Stat. 2972.)


Editorial Notes

References in Text

This Act, and the amendments made by this Act, referred to in text, is Pub. L. 113–274, Dec. 18, 2014, 128 Stat. 2971, which enacted this chapter and amended sections 272, 278g–3, 7403, and 7406 of this title. For complete classification of this Act to the Code, see Short Title note set out under section 7421 of this title and Tables.

SUBCHAPTER I—CYBERSECURITY RESEARCH AND DEVELOPMENT

§7431. Federal cybersecurity research and development

(a) Fundamental cybersecurity research

(1) Federal cybersecurity research and development strategic plan

The heads of the applicable agencies and departments, working through the National Science and Technology Council and the Networking and Information Technology Research and Development Program, shall develop and update every 4 years a Federal cybersecurity research and development strategic plan (referred to in this subsection as the "strategic plan") based on an assessment of cybersecurity risk to guide the overall direction of Federal cybersecurity and information assurance research and development for information technology and networking systems. The heads of the applicable agencies and departments shall build upon existing programs and plans to develop the strategic plan to meet objectives in cybersecurity, such as—

(A) how to design and build complex software-intensive systems that are secure and reliable when first deployed;

(B) how to test and verify that software and hardware, whether developed locally or obtained from a third party, is free of significant known security flaws;

(C) how to test and verify that software and hardware obtained from a third party correctly implements stated functionality, and only that functionality;

(D) how to guarantee the privacy of an individual, including that individual's identity, information, and lawful transactions when stored in distributed systems or transmitted over networks;

(E) how to build new protocols to enable the Internet to have robust security as one of the key capabilities of the Internet;

(F) how to determine the origin of a message transmitted over the Internet;

(G) how to support privacy in conjunction with improved security;

(H) how to address the problem of insider threats;

(I) how improved consumer education and digital literacy initiatives can address human factors that contribute to cybersecurity;

(J) how to protect information processed, transmitted, or stored using cloud computing or transmitted through wireless services;

(K) implementation of section 7432 of this title through research and development on the topics identified under subsection (a) of such section; and

(L) any additional objectives the heads of the applicable agencies and departments, in coordination with the head of any relevant Federal agency and with input from stakeholders, including appropriate national laboratories, industry, and academia, determine appropriate.

(2) Requirements

(A) Contents of plan

The strategic plan shall—

(i) specify and prioritize near-term, mid-term, and long-term research objectives, including objectives associated with the research identified in section 7403(a)(1) of this title;

(ii) specify how the near-term objectives described in clause (i) complement research and development areas in which the private sector is actively engaged;

(iii) describe how the heads of the applicable agencies and departments will focus on innovative, transformational technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure, and to protect consumer privacy;

(iv) describe how the heads of the applicable agencies and departments will foster the rapid transfer of research and development results into new cybersecurity technologies and applications for the timely benefit of society and the national interest, including through the dissemination of best practices and other outreach activities;

(v) describe how the heads of the applicable agencies and departments will establish and maintain a national research infrastructure for creating, testing, and evaluating the next generation of secure networking and information technology systems; and

(vi) describe how the heads of the applicable agencies and departments will facilitate access by academic researchers to the infrastructure described in clause (v), as well as to relevant data, including event data.

(B) Private sector efforts

In developing, implementing, and updating the strategic plan, the heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall work in close cooperation with industry, academia, and other interested stakeholders to ensure, to the extent possible, that Federal cybersecurity research and development is not duplicative of private sector efforts.

(C) Recommendations

In developing and updating the strategic plan the heads of the applicable agencies and departments shall solicit recommendations and advice from—

(i) the advisory committee established under section 5511(b)(1) of this title; and

(ii) a wide range of stakeholders, including industry, academia, including representatives of minority serving institutions and community colleges, National Laboratories, and other relevant organizations and institutions.

(D) Implementation roadmap

The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall develop and annually update an implementation roadmap for the strategic plan. The implementation roadmap shall—

(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated;

(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year;

(iii) estimate the funding required for each major research objective of the strategic plan for the following 3 fiscal years; and

(iv) track ongoing and completed Federal cybersecurity research and development projects.

(3) Reports to Congress

The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives—

(A) the strategic plan not later than 1 year after December 18, 2014;

(B) each quadrennial update to the strategic plan; and

(C) the implementation roadmap under subparagraph (D), and its annual updates, which shall be appended to the annual report required under section 5511(a)(2)(D) of this title.

(4) Definition of applicable agencies and departments

In this subsection, the term "applicable agencies and departments" means the agencies and departments identified in clauses (i) through (xi) of section 5511(a)(3)(B) of this title or designated under clause (xii) of that section.

(b) Cybersecurity practices research

The Director of the National Science Foundation shall support research that—

(1) develops, evaluates, disseminates, and integrates new cybersecurity practices and concepts into the core curriculum of computer science programs and of other programs where graduates of such programs have a substantial probability of developing software after graduation, including new practices and concepts relating to secure coding education and improvement programs; and

(2) develops new models for professional development of faculty in cybersecurity education, including secure coding development.

(c) Cybersecurity modeling and test beds

(1) Review

Not later than 1 year after December 18, 2014, the Director of the National Science Foundation, in coordination with the Director of the Office of Science and Technology Policy, shall conduct a review of cybersecurity test beds in existence on December 18, 2014, to inform the grants under paragraph (2). The review shall include an assessment of whether a sufficient number of cybersecurity test beds are available to meet the research needs under the Federal cybersecurity research and development strategic plan. Upon completion, the Director shall submit the review to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.

(2) Additional cybersecurity modeling and test beds

(A) In general

If the Director of the National Science Foundation, after the review under paragraph (1), determines that the research needs under the Federal cybersecurity research and development strategic plan require the establishment of additional cybersecurity test beds, the Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, may award grants to institutions of higher education or research and development non-profit institutions to establish cybersecurity test beds.

(B) Requirement

The cybersecurity test beds under subparagraph (A) shall be sufficiently robust in order to model the scale and complexity of real-time cyber attacks and defenses on real world networks and environments.

(C) Assessment required

The Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, shall evaluate the effectiveness of any grants awarded under this subsection in meeting the objectives of the Federal cybersecurity research and development strategic plan not later than 2 years after the review under paragraph (1) of this subsection, and periodically thereafter.

(d) Coordination with other research initiatives

In accordance with the responsibilities under section 5511 of this title, the Director of the Office of Science and Technology Policy shall coordinate, to the extent practicable, Federal research and development activities under this section with other ongoing research and development security-related initiatives, including research being conducted by—

(1) the National Science Foundation;

(2) the National Institute of Standards and Technology;

(3) the Department of Homeland Security;

(4) other Federal agencies;

(5) other Federal and private research laboratories, research entities, and universities;

(6) institutions of higher education;

(7) relevant nonprofit organizations; and

(8) international partners of the United States.

(e) Omitted

(f) Research on the science of cybersecurity

The head of each agency and department identified under section 5511(a)(3)(B) 1 of this title, through existing programs and activities, shall support research that will lead to the development of a scientific foundation for the field of cybersecurity, including research that increases understanding of the underlying principles of securing complex networked systems, enables repeatable experimentation, and creates quantifiable security metrics.

(Pub. L. 113–274, title II, §201, Dec. 18, 2014, 128 Stat. 2974; Pub. L. 114–329, title I, §105(t), Jan. 6, 2017, 130 Stat. 2985; Pub. L. 116–283, div. H, title XCIV, §9407(b), Jan. 1, 2021, 134 Stat. 4814.)


Editorial Notes

References in Text

Section 5511(a)(3)(B) of this title, referred to in subsecs. (a)(4) and (f), was redesignated section 5511(a)(3)(C) of this title by Pub. L. 114–329, title I, §105(f)(2)(D)(i), Jan. 6, 2017, 130 Stat. 2979.

Codification

Section is comprised of section 201 of Pub. L. 113–274. Subsec. (e) of section 201 of Pub. L. 113–274 amended section 7403 of this title.

Amendments

2021—Subsec. (a)(1)(K), (L). Pub. L. 116–283 added subpar. (K) and redesignated former subpar. (K) as (L).

2017—Subsec. (a)(4). Pub. L. 114–329 substituted "clauses (i) through (xi)" for "clauses (i) through (x)" and "under clause (xii)" for "under clause (xi)".

1 See References in Text note below.

§7432. National cybersecurity challenges

(a) Establishment of national cybersecurity challenges

(1) In general

To achieve high-priority breakthroughs in cybersecurity by 2028, the Secretary of Commerce shall establish the following national cybersecurity challenges:

(A) Economics of a cyber attack

Building more resilient systems that measurably and exponentially raise adversary costs of carrying out common cyber attacks.

(B) Cyber training

(i) Empowering the people of the United States with an appropriate and measurably sufficient level of digital literacy to make safe and secure decisions online.

(ii) Developing a cybersecurity workforce with measurable skills to protect and maintain information systems.

(C) Emerging technology

Advancing cybersecurity efforts in response to emerging technology, such as artificial intelligence, quantum science, next generation communications, autonomy, data science, and computational technologies.

(D) Reimagining digital identity

Maintaining a high sense of usability while improving the privacy, security, and safety of online activity of individuals in the United States.

(E) Federal agency resilience

Reducing cybersecurity risks to Federal networks and systems, and improving the response of Federal agencies to cybersecurity incidents on such networks and systems.

(2) Coordination

In establishing the challenges under paragraph (1), the Secretary shall coordinate with the Secretary of Homeland Security on the challenges under subparagraphs (B) and (E) of such paragraph.

(b) Pursuit of national cybersecurity challenges

(1) In general

Not later than 180 days after January 1, 2021, the Secretary, acting through the Under Secretary of Commerce for Standards and Technology, shall commence efforts to pursue the national cybersecurity challenges established under subsection (a).

(2) Competitions

The efforts required by paragraph (1) shall include carrying out programs to award prizes, including cash and noncash prizes, competitively pursuant to the authorities and processes established under section 3719 of this title or any other applicable provision of law.

(3) Additional authorities

In carrying out paragraph (1), the Secretary may enter into and perform such other transactions as the Secretary considers necessary and on such terms as the Secretary considers appropriate.

(4) Coordination

In pursuing national cybersecurity challenges under paragraph (1), the Secretary shall coordinate with the following:

(A) The Director of the National Science Foundation.

(B) The Secretary of Homeland Security.

(C) The Director of the Defense Advanced Research Projects Agency.

(D) The Director of the Office of Science and Technology Policy.

(E) The Director of the Office of Management and Budget.

(F) The Administrator of the General Services Administration.

(G) The Federal Trade Commission.

(H) The heads of such other Federal agencies as the Secretary of Commerce considers appropriate for purposes of this section.

(5) Solicitation of acceptance of funds

(A) In general

Pursuant to section 3719 of this title, the Secretary shall request and accept funds from other Federal agencies, State, United States territory, local, or Tribal government agencies, private sector for-profit entities, and nonprofit entities to support efforts to pursue a national cybersecurity challenge under this section.

(B) Rule of construction

Nothing in subparagraph (A) may be construed to require any person or entity to provide funds or otherwise participate in an effort or competition under this section.

(c) Recommendations

(1) In general

In carrying out this section, the Secretary of Commerce shall designate an advisory council to seek recommendations.

(2) Elements

The recommendations required by paragraph (1) shall include the following:

(A) A scope for efforts carried out under subsection (b).

(B) Metrics to assess submissions for prizes under competitions carried out under subsection (b) as the submissions pertain to the national cybersecurity challenges established under subsection (a).

(3) No additional compensation

The Secretary may not provide any additional compensation, except for travel expenses, to a member of the advisory council designated under paragraph (1) for participation in the advisory council.

(Pub. L. 113–274, title II, §205, as added Pub. L. 116–283, div. H, title XCIV, §9407(a), Jan. 1, 2021, 134 Stat. 4813.)

SUBCHAPTER II—EDUCATION AND WORKFORCE DEVELOPMENT

§7441. Cybersecurity competitions and challenges

(a) In general

The Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security, in consultation with the Director of the Office of Personnel Management, shall—

(1) support competitions and challenges under section 3719 of this title (as amended by section 105 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 3989)) or any other provision of law, as appropriate—

(A) to identify, develop, and recruit talented individuals to perform duties relating to the security of information technology in Federal, State, local, and tribal government agencies, and the private sector; or

(B) to stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that has the potential for application to the information technology activities of the Federal Government; and


(2) ensure the effective operation of the competitions and challenges under this section.

(b) Participation

Participants in the competitions and challenges under subsection (a)(1) may include—

(1) students enrolled in grades 9 through 12;

(2) students enrolled in a postsecondary program of study leading to a baccalaureate degree at an institution of higher education;

(3) students enrolled in a postbaccalaureate program of study at an institution of higher education;

(4) institutions of higher education and research institutions;

(5) veterans; and

(6) other groups or individuals that the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security determine appropriate.

(c) Affiliation and cooperative agreements

Competitions and challenges under this section may be carried out through affiliation and cooperative agreements with—

(1) Federal agencies;

(2) regional, State, or school programs supporting the development of cyber professionals;

(3) State, local, and tribal governments; or

(4) other private sector organizations.

(d) Areas of skill

Competitions and challenges under subsection (a)(1)(A) shall be designed to identify, develop, and recruit exceptional talent relating to—

(1) ethical hacking;

(2) penetration testing;

(3) vulnerability assessment;

(4) continuity of system operations;

(5) security in design;

(6) cyber forensics;

(7) offensive and defensive cyber operations; and

(8) other areas the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security consider necessary to fulfill the cybersecurity mission.

(e) Topics

In selecting topics for competitions and challenges under subsection (a)(1), the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security—

(1) shall consult widely both within and outside the Federal Government; and

(2) may empanel advisory committees.

(f) Internships

The Director of the Office of Personnel Management may support, as appropriate, internships or other work experience in the Federal Government to the winners of the competitions and challenges under this section.

(Pub. L. 113–274, title III, §301, Dec. 18, 2014, 128 Stat. 2981.)


Editorial Notes

References in Text

Section 3719 of this title (as amended by section 105 of the America COMPETES Reauthorization Act of 2010 (124 Stat. 3989)), referred to in subsec. (a)(1), probably means section 3719 of this title as enacted by section 105(a) of Pub. L. 111–358.

§7442. Federal Cyber Scholarship-for-Service Program

(a) In general

The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management and Secretary of Homeland Security, shall continue a Federal cyber scholarship-for-service program to recruit and train the next generation of information technology professionals, industrial control system security professionals, and security managers to meet the needs of the cybersecurity mission for Federal, State, local, and tribal governments.

(b) Program description and components

The Federal Cyber Scholarship-for-Service Program shall—

(1) provide scholarships through qualified institutions of higher education, including community colleges, to students who are enrolled in programs of study at institutions of higher education leading to degrees or specialized program certifications in the cybersecurity field and cybersecurity-related aspects of other related fields as appropriate, including artificial intelligence, quantum computing and aerospace;

(2) provide the scholarship recipients with summer internship opportunities or other meaningful temporary appointments in the Federal information technology and cybersecurity workforce;

(3) prioritize the placement of scholarship recipients fulfilling the post-award employment obligation under this section to ensure that—

(A) not less than 70 percent of such recipients are placed in an executive agency (as defined in section 105 of title 5);

(B) not more than 10 percent of such recipients are placed as educators in the field of cybersecurity at qualified institutions of higher education that provide scholarships under this section; and

(C) not more than 20 percent of such recipients are placed in positions described in paragraphs (2) through (5) of subsection (d); and


(4) provide awards to improve cybersecurity education, including by seeking to provide awards in coordination with other relevant agencies for summer cybersecurity camp or other experiences, including teacher training, in each of the 50 States, at the kindergarten through grade 12 level—

(A) to increase interest in cybersecurity careers;

(B) to help students practice correct and safe online behavior and understand the foundational principles of cybersecurity;

(C) to improve teaching methods for delivering cybersecurity content for kindergarten through grade 12 computer science curricula; and

(D) to promote teacher recruitment in the field of cybersecurity.

(c) Scholarship amounts

Each scholarship under subsection (b) shall be in an amount that covers the student's tuition and fees at the institution under subsection (b)(1) for not more than 3 years and provides the student with an additional stipend.

(d) Post-award employment obligations

Each scholarship recipient, as a condition of receiving a scholarship under the program, shall enter into an agreement under which the recipient agrees to work for a period equal to the length of the scholarship, following receipt of the student's degree, in the cybersecurity mission of—

(1) an executive agency (as defined in section 105 of title 5);

(2) Congress, including any agency, entity, office, or commission established in the legislative branch;

(3) an interstate agency;

(4) a State, local, or Tribal government;

(5) a State, local, or Tribal government-affiliated non-profit that is considered to be critical infrastructure (as defined in section 5195c(e) of title 42); or

(6) as provided by subsection (b)(3)(B), a qualified institution of higher education.

(e) Hiring authority

(1) Appointment in excepted service

Notwithstanding any provision of chapter 33 of title 5 governing appointments in the competitive service, an agency shall appoint in the excepted service an individual who has completed the eligible degree program for which a scholarship was awarded.

(2) Noncompetitive conversion

Except as provided in paragraph (4), upon fulfillment of the service term, an employee appointed under paragraph (1) may be converted noncompetitively to term, career-conditional or career appointment.

(3) Timing of conversion

An agency may noncompetitively convert a term employee appointed under paragraph (2) to a career-conditional or career appointment before the term appointment expires.

(4) Authority to decline conversion

An agency may decline to make the noncompetitive conversion or appointment under paragraph (2) for cause.

(f) Eligibility

To be eligible to receive a scholarship under this section, an individual shall—

(1) be a citizen or lawful permanent resident of the United States;

(2) demonstrate a commitment to a career in improving the security of information technology;

(3) have demonstrated a high level of competency in relevant knowledge, skills, and abilities, as defined by the national cybersecurity awareness and education program under section 7443 of this title;

(4) be a full-time student in an eligible degree program at a qualified institution of higher education, as determined by the Director of the National Science Foundation, except that in the case of a student who is enrolled in a community college, be a student pursuing a degree on a less than full-time basis, but not less than half-time basis;

(5) enter into an agreement accepting and acknowledging the post award employment obligations, pursuant to section 1 (d);

(6) accept and acknowledge the conditions of support under section 1 (g); and

(7) accept all terms and conditions of a scholarship under this section.

(g) Conditions of support

(1) In general

As a condition of receiving a scholarship under this section, a recipient shall agree to provide the Office of Personnel Management (in coordination with the National Science Foundation) and the qualified institution of higher education with annual verifiable documentation of post-award employment and up-to-date contact information.

(2) Terms

A scholarship recipient under this section shall be liable to the United States as provided in subsection (i) if the individual—

(A) fails to maintain an acceptable level of academic standing at the applicable institution of higher education, as determined by the Director of the National Science Foundation;

(B) is dismissed from the applicable institution of higher education for disciplinary reasons;

(C) withdraws from the eligible degree program before completing the program;

(D) declares that the individual does not intend to fulfill the post-award employment obligation under this section;

(E) fails to maintain or fulfill any of the post-graduation or post-award obligations or requirements of the individual; or

(F) fails to fulfill the requirements of paragraph (1).

(h) Monitoring compliance

As a condition of participating in the program, a qualified institution of higher education shall—

(1) enter into an agreement with the Director of the National Science Foundation, to monitor the compliance of scholarship recipients with respect to their post-award employment obligations; and

(2) provide to the Director of the National Science Foundation and the Director of the Office of Personnel Management, on an annual basis, the post-award employment documentation required under subsection (g)(1) for scholarship recipients through the completion of their post-award employment obligations.

(i) Amount of repayment

(1) Less than 1 year of service

If a circumstance described in subsection (g)(2) occurs before the completion of 1 year of a post-award employment obligation under this section, the total amount of scholarship awards received by the individual under this section shall—

(A) be repaid; or

(B) be treated as a loan to be repaid in accordance with subsection (j).

(2) 1 or more years of service

If a circumstance described in subparagraph (D) or (E) of subsection (g)(2) occurs after the completion of 1 or more years of a post-award employment obligation under this section, the total amount of scholarship awards received by the individual under this section, reduced by the ratio of the number of years of service completed divided by the number of years of service required, shall—

(A) be repaid; or

(B) be treated as a loan to be repaid in accordance with subsection (j).

(j) Repayments

A loan described subsection (i) shall—

(1) be treated as a Federal Direct Unsubsidized Stafford Loan under part D of title IV of the Higher Education Act of 1965 (20 U.S.C. 1087a et seq.); and

(2) be subject to repayment, together with interest thereon accruing from the date of the scholarship award, in accordance with terms and conditions specified by the Director of the National Science Foundation (in consultation with the Secretary of Education) in regulations promulgated to carry out this subsection.

(k) Collection of repayment

(1) In general

In the event that a scholarship recipient is required to repay the scholarship award under this section, the qualified institution of higher education providing the scholarship shall—

(A) determine the repayment amounts and notify the recipient, the Director of the National Science Foundation, and the Director of the Office of Personnel Management of the amounts owed; and

(B) collect the repayment amounts within a period of time as determined by the Director of the National Science Foundation, or the repayment amounts shall be treated as a loan in accordance with subsection (j).

(2) Returned to Treasury

Except as provided in paragraph (3), any repayment under this subsection shall be returned to the Treasury of the United States.

(3) Retain percentage

A qualified institution of higher education may retain a percentage of any repayment the institution collects under this subsection to defray administrative costs associated with the collection. The Director of the National Science Foundation shall establish a single, fixed percentage that will apply to all eligible entities.

(l) Exceptions

The Director of the National Science Foundation may provide for the partial or total waiver or suspension of any service or payment obligation by an individual under this section whenever compliance by the individual with the obligation is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable.

(m) Public information

(1) Evaluation

The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, shall periodically evaluate and make public, in a manner that protects the personally identifiable information of scholarship recipients, information on the success of recruiting individuals for scholarships under this section and on hiring and retaining those individuals in the public sector cybersecurity workforce, including information on—

(A) placement rates;

(B) where students are placed, including job titles and descriptions;

(C) salary ranges for students not released from obligations under this section;

(D) how long after graduation students are placed;

(E) how long students stay in the positions they enter upon graduation;

(F) how many students are released from obligations; and

(G) what, if any, remedial training is required.

(2) Reports

The Director of the National Science Foundation, in coordination with the Office of Personnel Management, shall submit, not less frequently than once every two years, to the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Science, Space, and Technology and the Committee on Oversight and Reform of the House of Representatives a report, including—

(A) the results of the evaluation under paragraph (1);

(B) the disparity in any reporting between scholarship recipients and their respective institutions of higher education; and

(C) any recent statistics regarding the size, composition, and educational requirements of the Federal cyber 2 workforce..3

(3) Resources

The Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, shall provide consolidated and user-friendly online resources for prospective scholarship recipients, including, to the extent practicable—

(A) searchable, up-to-date, and accurate information about participating institutions of higher education and job opportunities related to the field of cybersecurity; and

(B) a modernized description of cybersecurity careers.

(Pub. L. 113–274, title III, §302, Dec. 18, 2014, 128 Stat. 2982; Pub. L. 115–91, div. A, title XVI, §1649B(a), Dec. 12, 2017, 131 Stat. 1754; Pub. L. 116–283, div. H, title XCIV, §§9401(g)(4)(C), 9403, 9404, Jan. 1, 2021, 134 Stat. 4810, 4811; Pub. L. 117–167, div. B, title III, §10316(b), Aug. 9, 2022, 136 Stat. 1531.)


Editorial Notes

References in Text

The Higher Education Act of 1965, referred to in subsec. (j)(1), is Pub. L. 89–329, Nov. 8, 1965, 79 Stat. 1219. Part D of title IV of the Act is classified to part D (§1087a et seq.) of subchapter IV of chapter 28 of Title 20, Education. For complete classification of this Act to the Code, see Short Title note set out under section 1001 of Title 20 and Tables.

Amendments

2022—Subsec. (b)(1). Pub. L. 117–167 substituted "and cybersecurity-related aspects of other related fields as appropriate, including artificial intelligence, quantum computing and aerospace;" for semicolon at end.

2021—Subsec. (b)(2). Pub. L. 116–283, §9403(1)(A), substituted "information technology and cybersecurity" for "information technology".

Subsec. (b)(3). Pub. L. 116–283, §9403(1)(B), amended par. (3) generally. Prior to amendment, par. (3) read as follows: "prioritize the employment placement of at least 80 percent of scholarship recipients in an executive agency (as defined in section 105 of title 5); and".

Subsec. (b)(4). Pub. L. 116–283, §9403(1)(C), inserted ", including by seeking to provide awards in coordination with other relevant agencies for summer cybersecurity camp or other experiences, including teacher training, in each of the 50 States," after "cybersecurity education" in introductory provisions.

Subsec. (d)(6). Pub. L. 116–283, §9403(2), added par. (6).

Subsec. (f)(3). Pub. L. 116–283, §9401(g)(4)(C), substituted "under section 7443" for "under section 7451".

Subsec. (f)(5) to (7). Pub. L. 116–283, §9404(1), added pars. (5) to (7) and struck out former par. (5) which read as follows: "accept the terms of a scholarship under this section."

Subsec. (g)(1). Pub. L. 116–283, §9404(2)(A), inserted "the Office of Personnel Management (in coordination with the National Science Foundation) and" before "the qualified institution".

Subsec. (g)(2)(E), (F). Pub. L. 116–283, §9404(2)(B), added subpars. (E) and (F) and struck out former subpar. (E) which read as follows: "fails to fulfill the post-award employment obligation of the individual under this section."

Subsec. (h)(2). Pub. L. 116–283, §9404(3), inserted "and the Director of the Office of Personnel Management" after "Foundation".

Subsec. (k)(1)(A). Pub. L. 116–283, §9404(4), substituted ", the Director of the National Science Foundation, and the Director of the Office of Personnel Management of the amounts owed" for "and the Director of the National Science Foundation of the amounts owed".

Subsec. (m)(1). Pub. L. 116–283, §9403(3)(A), substituted "cybersecurity" for "cyber" in introductory provisions.

Subsec. (m)(2). Pub. L. 116–283, §9404(5), substituted "once every two years, to the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Science, Space, and Technology and the Committee on Oversight and Reform of the House of Representatives a report, including—" and subpars. (A) to (C) for "once every 3 years, to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives a report, including the results of the evaluation under paragraph (1) and any recent statistics regarding the size, composition, and educational requirements of the Federal cybersecurity workforce".

Pub. L. 116–283, §9403(3)(B), substituted "cybersecurity" for "cyber". Subsequent amendment by Pub. L. 116–283, §9404(5), reenacted the word "cyber" in subsec. (m)(2)(C).

2017—Subsec. (b)(3), (4). Pub. L. 115–91, §1649B(a)(1), added pars. (3) and (4) and struck out former par. (3) which read as follows: "prioritize the employment placement of scholarship recipients in the Federal Government."

Subsec. (d). Pub. L. 115–91, §1649B(a)(2), amended subsec. (d) generally. Prior to amendment, text read as follows: "Each scholarship recipient, as a condition of receiving a scholarship under the program, shall enter into an agreement under which the recipient agrees to work in the cybersecurity mission of a Federal, State, local, or tribal agency for a period equal to the length of the scholarship following receipt of the student's degree."

Subsec. (f)(3). Pub. L. 115–91, §1649B(a)(3)(A), amended par. (3) generally. Prior to amendment, par. (3) read as follows: "have demonstrated a high level of proficiency in mathematics, engineering, or computer sciences;".

Subsec. (f)(4). Pub. L. 115–91, §1649B(a)(3)(B), amended par. (4) generally. Prior to amendment, par. (4) read as follows: "be a full-time student in an eligible degree program at a qualified institution of higher education, as determined by the Director of the National Science Foundation; and".

Subsec. (m). Pub. L. 115–91, §1649B(a)(4), amended subsec. (m) generally. Prior to amendment, text read as follows: "The Director of the National Science Foundation shall evaluate and report periodically to Congress on the success of recruiting individuals for scholarships under this section and on hiring and retaining those individuals in the public sector workforce."


Statutory Notes and Related Subsidiaries

Change of Name

Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.

Savings Provision

Pub. L. 115–91, div. A, title XVI, §1649B(b), Dec. 12, 2017, 131 Stat. 1755, provided that: "Nothing in this section [amending this section], or an amendment made by this section, shall affect any agreement, scholarship, loan, or repayment, under section 302 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7442), in effect on the day before the date of enactment of this subtitle [Dec. 12, 2017]."

Community College Cyber Pilot Program and Assessment

Pub. L. 115–91, div. A, title XVI, §1649A, Dec. 12, 2017, 131 Stat. 1753, provided that:

"(a) Pilot Program.—Not later than 1 year after the date of enactment of this subtitle [Dec. 12, 2017], as part of the Federal Cyber Scholarship-for-Service program established under section 302 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7442), the Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, shall develop and implement a pilot program at not more than 10, but at least 5, community colleges to provide scholarships to eligible students who—

"(1) are pursuing associate degrees or specialized program certifications in the field of cybersecurity; and

"(2)(A) have bachelor's degrees; or

"(B) are veterans of the Armed Forces.

"(b) Assessment.—Not later than 1 year after the date of enactment of this subtitle, as part of the Federal Cyber Scholarship-for-Service program established under section 302 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7442), the Director of the National Science Foundation, in coordination with the Director of the Office of Personnel Management, shall assess the potential benefits and feasibility of providing scholarships through community colleges to eligible students who are pursuing associate degrees, but do not have bachelor's degrees."

1 So in original. Probably should be "subsection".

2 So in original. Probably should be "cybersecurity". See 2021 Amendment notes below.

3 So in original.

§7443. National cybersecurity awareness and education program

(a) National cybersecurity awareness and education program

The Director of the National Institute of Standards and Technology (referred to in this section as the "Director"), in consultation with appropriate Federal agencies, industry, educational institutions, National Laboratories, the Networking and Information Technology Research and Development program, and other organizations shall continue to coordinate a national cybersecurity awareness and education program, that includes activities such as—

(1) the widespread dissemination of cybersecurity technical standards and best practices identified by the Director;

(2) efforts to make cybersecurity best practices usable by individuals, small to medium-sized businesses, educational institutions, and State, local, and tribal governments;

(3) increasing public awareness of cybersecurity, cyber safety, and cyber ethics;

(4) increasing the understanding of State, local, and tribal governments, institutions of higher education, and private sector entities of—

(A) the benefits of ensuring effective risk management of information technology versus the costs of failure to do so; and

(B) the methods to mitigate and remediate vulnerabilities;


(5) supporting formal cybersecurity education programs at all education levels to prepare and improve a skilled cybersecurity and computer science workforce for the private sector and Federal, State, local, and tribal government;

(6) supporting efforts to identify cybersecurity workforce skill gaps in public and private sectors;

(7) facilitating Federal programs to advance cybersecurity education, training, and workforce development;

(8) in coordination with the Department of Defense, the Department of Homeland Security, and other appropriate agencies, considering any specific needs of the cybersecurity workforce of critical infrastructure, including cyber physical systems and control systems;

(9) advising the Director of the Office of Management and Budget, as needed, in developing metrics to measure the effectiveness and effect of programs and initiatives to advance the cybersecurity workforce; and

(10) promoting initiatives to evaluate and forecast future cybersecurity workforce needs of the Federal Government and develop strategies for recruitment, training, and retention.

(b) Considerations

In carrying out the authority described in subsection (a), the Director, in consultation with appropriate Federal agencies, shall leverage existing programs designed to inform the public of safety and security of products or services, including self-certifications and independently verified assessments regarding the quantification and valuation of information security risk.

(c) Strategic plan

(1) In general

The Director, in cooperation with relevant Federal agencies and other stakeholders, shall build upon programs and plans in effect as of December 18, 2014, to develop and implement a strategic plan to guide Federal programs and activities in support of the national cybersecurity awareness and education program under subsection (a).

(2) Requirement

The strategic plan developed and implemented under paragraph (1) shall include an indication of how the Director will carry out this section.

(d) Report

Not later than 1 year after December 18, 2014, and every 5 years thereafter, the Director shall transmit the strategic plan under subsection (c) to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.

(e) Cybersecurity metrics

In carrying out subsection (a), the Director of the Office of Management and Budget may seek input from the Director of the National Institute of Standards and Technology, in coordination with the Department of Homeland Security, the Department of Defense, the Office of Personnel Management, and such agencies as the Director of the National Institute of Standards and Technology considers relevant, to develop quantifiable metrics for evaluating Federally funded cybersecurity workforce programs and initiatives based on the outcomes of such programs and initiatives.

(f) Regional alliances and multistakeholder partnerships

(1) In general

Pursuant to section 272(b)(4) of this title, the Director shall establish cooperative agreements between the National Initiative for Cybersecurity Education (NICE) of the Institute and regional alliances or partnerships for cybersecurity education and workforce.

(2) Agreements

The cooperative agreements established under paragraph (1) shall advance the goals of the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NIST Special Publication 800–181), or successor framework, by facilitating local and regional partnerships to—

(A) identify the workforce needs of the local economy and classify such workforce in accordance with such framework;

(B) identify the education, training, apprenticeship, and other opportunities available in the local economy; and

(C) support opportunities to meet the needs of the local economy.

(3) Financial assistance

(A) Financial assistance authorized

The Director may award financial assistance to a regional alliance or partnership with whom the Director enters into a cooperative agreement under paragraph (1) in order to assist the regional alliance or partnership in carrying out the terms of the cooperative agreement.

(B) Amount of assistance

The aggregate amount of financial assistance awarded under subparagraph (A) per cooperative agreement shall not exceed $200,000.

(C) Matching requirement

The Director may not award financial assistance to a regional alliance or partnership under subparagraph (A) unless the regional alliance or partnership agrees that, with respect to the costs to be incurred by the regional alliance or partnership in carrying out the cooperative agreement for which the assistance was awarded, the regional alliance or partnership will make available (directly or through donations from public or private entities) non-Federal contributions, including in-kind contributions, in an amount equal to 50 percent of Federal funds provided under the award.

(4) Application

(A) In general

A regional alliance or partnership seeking to enter into a cooperative agreement under paragraph (1) and receive financial assistance under paragraph (3) shall submit to the Director an application therefore at such time, in such manner, and containing such information as the Director may require.

(B) Requirements

Each application submitted under subparagraph (A) shall include the following:

(i)(I) A plan to establish (or identification of, if it already exists) a multistakeholder workforce partnership that includes—

(aa) at least one institution of higher education or nonprofit training organization; and

(bb) at least one local employer or owner or operator of critical infrastructure.


(II) Participation from academic institutions in the Federal Cyber Scholarships for Service Program, the National Centers of Academic Excellence in Cybersecurity Program, or advanced technological education programs, as well as elementary and secondary schools, training and certification providers, State and local governments, economic development organizations, or other community organizations is encouraged.

(ii) A description of how the workforce partnership would identify the workforce needs of the local economy.

(iii) A description of how the multistakeholder workforce partnership would leverage the programs and objectives of the National Initiative for Cybersecurity Education, such as the Cybersecurity Workforce Framework and the strategic plan of such initiative.

(iv) A description of how employers in the community will be recruited to support internships, externships, apprenticeships, or cooperative education programs in conjunction with providers of education and training. Inclusion of programs that seek to include veterans, Indian Tribes, and underrepresented groups, including women, minorities, persons from rural and underserved areas, and persons with disabilities is encouraged.

(v) A definition of the metrics to be used in determining the success of the efforts of the regional alliance or partnership under the agreement.

(C) Priority consideration

In awarding financial assistance under paragraph (3)(A), the Director shall give priority consideration to a regional alliance or partnership that includes an institution of higher education that is designated as a National Center of Academic Excellence in Cybersecurity or which received an award under the Federal Cyber Scholarship for Service program located in the State or region of the regional alliance or partnership.

(5) Audits

Each cooperative agreement for which financial assistance is awarded under paragraph (3) shall be subject to audit requirements under part 200 of title 2, Code of Federal Regulations (relating to uniform administrative requirements, cost principles, and audit requirements for Federal awards), or successor regulation.

(6) Reports

(A) In general

Upon completion of a cooperative agreement under paragraph (1), the regional alliance or partnership that participated in the agreement shall submit to the Director a report on the activities of the regional alliance or partnership under the agreement, which may include training and education outcomes.

(B) Contents

Each report submitted under subparagraph (A) by a regional alliance or partnership shall include the following:

(i) An assessment of efforts made by the regional alliance or partnership to carry out paragraph (2).

(ii) The metrics used by the regional alliance or partnership to measure the success of the efforts of the regional alliance or partnership under the cooperative agreement.

(Pub. L. 113–274, title III, §303, formerly title IV, §401, Dec. 18, 2014, 128 Stat. 2985; renumbered title III, §303, and amended Pub. L. 116–283, div. H, title XCIV, §9401(a), (b), (e)–(g)(1), Jan. 1, 2021, 134 Stat. 4805–4807, 4809.)


Editorial Notes

Codification

Section was classified to section 7451 of this title prior to renumbering by Pub. L. 116–283.

Amendments

2021—Subsec. (a)(6) to (10). Pub. L. 116–283, §9401(a), added pars. (6) to (9) and redesignated former par. (6) as (10).

Subsec. (c). Pub. L. 116–283, §9401(b), designated existing provisions as par. (1), inserted heading, and added par. (2).

Subsec. (e). Pub. L. 116–283, §9401(e), added subsec. (e).

Subsec. (f). Pub. L. 116–283, §9401(f), added subsec. (f).


Statutory Notes and Related Subsidiaries

Cybersecurity Career Pathways

Pub. L. 116–283, div. H, title XCIV, §9401(c), Jan. 1, 2021, 134 Stat. 4806, provided that:

"(1) Identification of multiple cybersecurity career pathways.—In carrying out subsection (a) of such section [meaning 15 U.S.C. 7451(a), now 15 U.S.C. 7443(a)] and not later than 540 days after the date of the enactment of this Act [Jan. 1, 2021], the Director of the National Institute of Standards and Technology shall, in coordination with the Secretary of Defense, the Secretary of Homeland Security, the Director of the Office of Personnel Management, and the heads of other appropriate agencies, use a consultative process with other Federal agencies, academia, and industry to identify multiple career pathways for cybersecurity work roles that can be used in the private and public sectors.

"(2) Requirements.—The Director shall ensure that the multiple cybersecurity career pathways identified under paragraph (1) indicate the knowledge, skills, and abilities, including relevant education, training, internships, apprenticeships, certifications, and other experiences, that—

"(A) align with employers' cybersecurity skill needs, including proficiency level requirements, for its workforce; and

"(B) prepare an individual to be successful in entering or advancing in a cybersecurity career.

"(3) Exchange program.—Consistent with requirements under chapter 37 of title 5, United States Code, the Director of the National Institute of Standards and Technology, in coordination with the Director of the Office of Personnel Management, may establish a voluntary program for the exchange of employees engaged in one of the cybersecurity work roles identified in the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NIST Special Publication 800–181), or successor framework, between the National Institute of Standards and Technology and private sector institutions, including nonpublic or commercial businesses, research institutions, or institutions of higher education, as the Director of the National Institute of Standards and Technology considers feasible."

Proficiency to Perform Cybersecurity Tasks

Pub. L. 116–283, div. H, title XCIV, §9401(d), Jan. 1, 2021, 134 Stat. 4806, provided that: "Not later than 540 days after the date of the enactment of this Act [Jan. 1, 2021], the Director of the National Institute of Standards and Technology shall, in coordination with the Secretary of Defense, the Secretary of Homeland Security, and the heads of other appropriate agencies—

"(1) in carrying out subsection (a) of such section [meaning 15 U.S.C. 7451(a), now 15 U.S.C. 7443(a)], assess the scope and sufficiency of efforts to measure an individual's capability to perform specific tasks found in the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NIST Special Publication 800–181) at all proficiency levels; and

"(2) submit to Congress a report—

"(A) on the findings of the Director with respect to the assessment carried out under paragraph (1); and

"(B) with recommendations for effective methods for measuring the cybersecurity proficiency of learners."

SUBCHAPTER III—CYBERSECURITY AWARENESS AND PREPAREDNESS


Editorial Notes

Codification

This subchapter was comprised of title IV of Pub. L. 113–274, Dec. 18, 2014, 128 Stat. 2985, prior to its repeal by Pub. L. 116–283, div. H, title XCIV, §9401(g)(2), Jan. 1, 2021, 134 Stat. 4809.

§7451. Transferred


Editorial Notes

Codification

Section, Pub. L. 113–274, title IV, §401, Dec. 18, 2014, 128 Stat. 2985, which related to national cybersecurity awareness and education program, was renumbered §303 of title III of Pub. L. 113–274, by Pub. L. 116–283, div. H, title XCIV, §9401(g)(1), Jan. 1, 2021, 134 Stat. 4809, and transferred to section 7443 of this title.

SUBCHAPTER IV—ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

§7461. Definitions

In this subchapter:

(1) Director

The term "Director" means the Director of the National Institute of Standards and Technology.

(2) Institute

The term "Institute" means the National Institute of Standards and Technology.

(Pub. L. 113–274, title V, §501, Dec. 18, 2014, 128 Stat. 2986.)

§7462. International cybersecurity technical standards

(a) In general

The Director, in coordination with appropriate Federal authorities, shall—

(1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and

(2) not later than 1 year after December 18, 2014, develop and transmit to Congress a plan for ensuring such Federal agency coordination.

(b) Consultation with the private sector

In carrying out the activities specified in subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders.

(Pub. L. 113–274, title V, §502, Dec. 18, 2014, 128 Stat. 2986.)

§7463. Cloud computing strategy

(a) In general

The Director, in coordination with the Office of Management and Budget, in collaboration with the Federal Chief Information Officers Council, and in consultation with other relevant Federal agencies and stakeholders from the private sector, shall continue to develop and encourage the implementation of a comprehensive strategy for the use and adoption of cloud computing services by the Federal Government.

(b) Activities

In carrying out the strategy described under subsection (a), the Director shall give consideration to activities that—

(1) accelerate the development, in collaboration with the private sector, of standards that address interoperability and portability of cloud computing services;

(2) advance the development of conformance testing performed by the private sector in support of cloud computing standardization; and

(3) support, in coordination with the Office of Management and Budget, and in consultation with the private sector, the development of appropriate security frameworks and reference materials, and the identification of best practices, for use by Federal agencies to address security and privacy requirements to enable the use and adoption of cloud computing services, including activities—

(A) to ensure the physical security of cloud computing data centers and the data stored in such centers;

(B) to ensure secure access to the data stored in cloud computing data centers;

(C) to develop security standards as required under section 278g–3 of this title; and

(D) to support the development of the automation of continuous monitoring systems.

(Pub. L. 113–274, title V, §503, Dec. 18, 2014, 128 Stat. 2986.)

§7464. Identity management research and development

(a) In general

The Director shall carry out a program of research to support the development of voluntary, consensus-based technical standards, best practices, benchmarks, methodologies, metrology, testbeds, and conformance criteria for identity management, taking into account appropriate user concerns to—

(1) improve interoperability and portability among identity management technologies;

(2) strengthen identity proofing and verification methods used in identity management systems commensurate with the level of risk, including identity and attribute validation services provided by Federal, State, and local governments;

(3) improve privacy protection in identity management systems; and

(4) improve the accuracy, usability, and inclusivity of identity management systems.

(b) Digital identity technical roadmap

The Director, in consultation with other relevant Federal agencies and stakeholders from the private sector, shall develop and maintain a technical roadmap for digital identity management research and development focused on enabling the voluntary use and adoption of modern digital identity solutions that align with the four criteria in subsection (a).

(c) Digital identity management guidance

(1) In general

The Director shall develop, and periodically update, in collaboration with other public and private sector organizations, common definitions and voluntary guidance for digital identity management systems, including identity and attribute validation services provided by Federal, State, and local governments.

(2) Guidance

The Guidance shall—

(A) align with the four criteria in subsection (a), as practicable;

(B) provide case studies of implementation of guidance;

(C) incorporate voluntary technical standards and industry best practices; and

(D) not prescribe or otherwise require the use of specific technology products or services.

(3) Consultation

In carrying out this subsection, the Director shall consult with—

(A) Federal and State agencies;

(B) industry;

(C) potential end-users and individuals that will use services related to digital identity verification; and

(D) experts with relevant experience in the systems that enable digital identity verification, as determined by the Director.

(Pub. L. 113–274, title V, §504, Dec. 18, 2014, 128 Stat. 2987; Pub. L. 117–167, div. B, title II, §10225, Aug. 9, 2022, 136 Stat. 1478.)


Editorial Notes

Amendments

2022—Pub. L. 117–167 amended section generally. Prior to amendment, section related to Director's continuance of program to support development of voluntary and cost-effective technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns.