II
111TH CONGRESS
1ST SESSION
S. 773

To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.

IN THE SENATE OF THE UNITED STATES
APRIL 1, 2009
Mr. ROCKEFELLER (for himself, Ms. SNOWE, and Mr. NELSON of Florida) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL
To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

VerDate Nov 24 2008 03:46 Apr 03, 2009 Jkt 079200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:BILLSS773.IS S773 smartinez on PROD1PC64 with BILLS
S 773 IS

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE.—This Act may be cited as the "Cybersecurity Act of 2009".
(b) TABLE OF CONTENTS.—The table of contents for this Act is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Cybersecurity Advisory Panel.
Sec. 4. Real-time cybersecurity dashboard.
Sec. 5. State and regional cybersecurity enhancement program.
Sec. 6. NIST standards development and compliance.
Sec. 7. Licensing and certification of cybersecurity professionals.
Sec. 8. Review of NTIA domain name contracts.
Sec. 9. Secure domain name addressing system.
Sec. 10. Promoting cybersecurity awareness.
Sec. 11. Federal cybersecurity research and development.
Sec. 12. Federal Cyber Scholarship-for-Service program.
Sec. 13. Cybersecurity competition and challenge.
Sec. 14. Public-private clearinghouse.
Sec. 15. Cybersecurity risk management report.
Sec. 16. Legal framework review and report.
Sec. 17. Authentication and civil liberties report.
Sec. 18. Cybersecurity responsibilities and authorities.
Sec. 19. Quadrennial cyber review.
Sec. 20. Joint intelligence threat assessment.
Sec. 21. International norms and cybersecurity deterrence measures.
Sec. 22. Federal Secure Products and Services Acquisitions Board.
Sec. 23. Definitions.

SEC. 2. FINDINGS.
The Congress finds the following:
(1) America's failure to protect cyberspace is one of the most urgent national security problems facing the country.
(2) Since intellectual property is now often stored in digital form, industrial espionage that exploits weak cybersecurity dilutes our investment in innovation while subsidizing the research and development efforts of foreign competitors. In the new global competition, where economic strength and technological leadership are vital components of national power, failing to secure cyberspace puts us at a disadvantage.
(3) According to the 2009 Annual Threat Assessment, "a successful cyber attack against a major financial service provider could severely impact the national economy, while cyber attacks against physical infrastructure computer systems such as those that control power grids or oil refineries have the potential to disrupt services for hours or weeks" and that "Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector.".
(4) The Director of National Intelligence testified before the Congress on February 19, 2009, that "a growing array of state and non-state adversaries are increasingly targeting—for exploitation and potentially disruption or destruction—our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries" and these trends are likely to continue.
(5) John Brennan, the Assistant to the President for Homeland Security and Counterterrorism wrote on March 2, 2009, that "our nation's security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated.".
(6) Paul Kurtz, a Partner and chief operating officer of Good Harbor Consulting as well as a senior advisor to the Obama Transition Team for cybersecurity, recently stated that the United States is "unprepared to respond to a 'cyber-Katrina'" and that "a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector.".
(7) The Cyber Strategic Inquiry 2008, sponsored by Business Executives for National Security and executed by Booz Allen Hamilton, recommended "to establish a single voice for cybersecurity within government" concluding that "the unique nature of cybersecurity requires a new leadership paradigm.".
(8) Alan Paller, the Director of Research at the SANS Institute, testified before the Congress that "the fight against cybercrime resembles an arms race where each time the defenders build a new wall, the attackers create new tools to scale the wall. What is particularly important in this analogy is that, unlike conventional warfare where deployment takes time and money and is quite visible, in the cyber world, when the attackers find a new weapon, they can attack millions of computers, and successfully infect hundreds of thousands, in a few hours or days, and remain completely hidden.".
(9) According to the February 2003 National Strategy to Secure Cyberspace, "our nation's critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is their nervous system—the control system of our country" and that "the cornerstone of America's cyberspace security strategy is and will remain a public-private partnership.".
(10) According to the National Journal, Mike McConnell, the former Director of National Intelligence, told President Bush in May 2007 that if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been "an order of magnitude greater" than those caused by the physical attack on the World Trade Center. Mike McConnell has subsequently referred to cybersecurity as the "soft underbelly of this country.".
(11) The Center for Strategic and International Studies report on Cybersecurity for the 44th Presidency concluded that "(A) cybersecurity is now a major national security problem for the United States, (B) decisions and actions must respect privacy and civil liberties, and (C) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure". The report continued stating that the United States faces "a long-term challenge in cyberspace from foreign intelligence agencies and militaries, criminals, and others, and that losing this struggle will wreak serious damage on the economic health and national security of the United States.".
(12) James Lewis, Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies, testified on behalf of the Center for Strategic and International Studies that "the United States is not organized and lacks a coherent national strategy for addressing cybersecurity".
(13) President Obama said in a speech at Purdue University on July 16, 2008, that "every American depends—directly or indirectly—on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet." Moreover, President Obama stated that we need to "build the capacity to identify, isolate, and respond to any cyber-attack.".
(14) The President's Information Technology Advisory Committee reported in 2005 that "software is a major vulnerability" and that "software development methods that have been the norm fail to provide the high-quality, reliable, and secure software that the IT infrastructure requires. . . . Today, as with cancer, vulnerable software can be invaded and modified to cause damage to previously healthy software, and infected software can replicate itself and be carried across networks to cause damage in other systems.".

SEC. 3. CYBERSECURITY ADVISORY PANEL.
(a) IN GENERAL.—The President shall establish or designate a Cybersecurity Advisory Panel.
(b) QUALIFICATIONS.—The President—
(1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns; and
(2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.
(c) DUTIES.—The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess—
(1) trends and developments in cybersecurity science research and development;
(2) progress made in implementing the strategy;
(3) the need to revise the strategy;
(4) the balance among the components of the national strategy, including funding for program components;
(5) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity;
(6) the management, coordination, implementation, and activities of the strategy; and
(7) whether societal and civil liberty concerns are adequately addressed.
(d) REPORTS.—The panel shall report, not less frequently than once every 2 years, to the President on its assessments under subsection (c) and its recommendations for ways to improve the strategy.
(e) TRAVEL EXPENSES OF NON-FEDERAL MEMBERS.—Non-Federal members of the panel, while attending meetings of the panel or while otherwise serving at the request of the head of the panel while away from their homes or regular places of business, may be allowed travel expenses, including per diem in lieu of subsistence, as authorized by section 5703 of title 5, United States Code, for individuals in the government serving without pay. Nothing in this subsection shall be construed to prohibit members of the panel who are officers or employees of the United States from being allowed travel expenses, including per diem in lieu of subsistence, in accordance with law.
(f) EXEMPTION FROM FACA SUNSET.—Section 14 of the Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Advisory Panel.

SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD.
The Secretary of Commerce shall—
(1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce; and
(2) implement the plan within 1 year after the date of enactment of this Act.

SEC. 5. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAM.
(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS.—The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.
(b) PURPOSE.—The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in the United States through—
(1) the transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology to Centers and, through them, to small- and medium-sized companies throughout the United States;
(2) the participation of individuals from industry, universities, State governments, other Federal agencies, and, when appropriate, the Institute in cooperative technology transfer activities;
(3) efforts to make new cybersecurity technology, standards, and processes usable by United States-based small- and medium-sized companies;
(4) the active dissemination of scientific, engineering, technical, and management information about cybersecurity to industrial firms, including small- and medium-sized companies; and
(5) the utilization, when appropriate, of the expertise and capability that exists in Federal laboratories other than the Institute.
(c) ACTIVITIES.—The Centers shall—
(1) disseminate cybersecurity technologies, standards, and processes based on research by the Institute for the purpose of demonstrations and technology transfer;
(2) actively transfer and disseminate cybersecurity strategies, best practices, standards, and technologies to protect against and mitigate the risk of cyber attacks to a wide range of companies and enterprises, particularly small- and medium-sized businesses; and
(3) make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures to small businesses with less than 100 employees.
(c) DURATION AND AMOUNT OF SUPPORT; PROGRAM DESCRIPTIONS; APPLICATIONS; MERIT REVIEW; EVALUATIONS OF ASSISTANCE.—
(1) FINANCIAL SUPPORT.—The Secretary may provide financial support, not to exceed 50 percent of its annual operating and maintenance costs, to any Center for a period not to exceed 6 years (except as provided in paragraph (5)(D)).
(2) PROGRAM DESCRIPTION.—Within 90 days after the date of enactment of this Act, the Secretary shall publish in the Federal Register a draft description of a program for establishing Centers and, after a 30-day comment period, shall publish a final description of the program. The description shall include—
(A) a description of the program;
(B) procedures to be followed by applicants;
(C) criteria for determining qualified applicants;
(D) criteria, including those described in paragraph (4), for choosing recipients of financial assistance under this section from among the qualified applicants; and
(E) maximum support levels expected to be available to Centers under the program in the fourth through sixth years of assistance under this section.
(3) APPLICATIONS; SUPPORT COMMITMENT.—Any nonprofit institution, or consortia of nonprofit institutions, may submit to the Secretary an application for financial support under this section, in accordance with the procedures established by the Secretary. In order to receive assistance under this section, an applicant shall provide adequate assurances that it will contribute 50 percent or more of the proposed Center's annual operating and maintenance costs for the first 3 years and an increasing share for each of the next 3 years.
(4) AWARD CRITERIA.—Awards shall be made on a competitive, merit-based review. In making a decision whether to approve an application and provide financial support under this section, the Secretary shall consider, at a minimum—
(A) the merits of the application, particularly those portions of the application regarding technology transfer, training and education, and adaptation of cybersecurity technologies to the needs of particular industrial sectors;
(B) the quality of service to be provided;
(C) geographical diversity and extent of service area; and
(D) the percentage of funding and amount of in-kind commitment from other sources.
(5) THIRD YEAR EVALUATION.—
(A) IN GENERAL.—Each Center which receives financial assistance under this section shall be evaluated during its third year of operation by an evaluation panel appointed by the Secretary.
(B) EVALUATION PANEL.—Each evaluation panel shall be composed of private experts, none of whom shall be connected with the involved Center, and Federal officials. An official of the Institute shall chair the panel. Each evaluation panel shall measure the Center's performance against the objectives specified in this section.
(C) POSITIVE EVALUATION REQUIRED FOR CONTINUED FUNDING.—The Secretary may not provide funding for the fourth through the sixth years of a Center's operation unless the evaluation by the evaluation panel is positive. If the evaluation is positive, the Secretary may provide continued funding through the sixth year at declining levels.
(D) FUNDING AFTER SIXTH YEAR.—After the sixth year, the Secretary may provide additional financial support to a Center if it has received a positive evaluation through an independent review, under procedures established by the Institute. An additional independent review shall be required at least every 2 years after the sixth year of operation. Funding received for a fiscal year under this section after the sixth year of operation may not exceed one third of the annual operating and maintenance costs of the Center.
(6) PATENT RIGHTS TO INVENTIONS.—The provisions of chapter 18 of title 35, United States Code, shall (to the extent not inconsistent with this section) apply to the promotion of technology from research by Centers under this section except for contracts for such specific technology extension or transfer services as may be specified by statute or by the President, or the President's designee.
(d) ACCEPTANCE OF FUNDS FROM OTHER FEDERAL DEPARTMENTS AND AGENCIES.—In addition to such sums as may be authorized and appropriated to the Secretary and President, or the President's designee, to operate the Centers program, the Secretary and the President, or the President's designee, also may accept funds from other Federal departments and agencies for the purpose of providing Federal funds to support Centers. Any Center which is supported with funds which originally came from other Federal departments and agencies shall be selected and operated according to the provisions of this section.

SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.
(a) IN GENERAL.—Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks in the following areas:
(1) CYBERSECURITY METRICS RESEARCH.—The Director of the National Institute of Standards and Technology shall establish a research program to develop cybersecurity metrics and benchmarks that can assess the economic impact of cybersecurity. These metrics should measure risk reduction and the cost of defense. The research shall include the development of automated tools to assess vulnerability and compliance.
(2) SECURITY CONTROLS.—The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.
(3) SOFTWARE SECURITY.—The Institute shall establish standards for measuring the software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities. The Institute will also establish a separate set of such standards for measuring security in embedded software such as that found in industrial control systems.
(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE.—The Institute shall establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
(5) STANDARD SOFTWARE CONFIGURATION.—The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
(6) VULNERABILITY SPECIFICATION LANGUAGE.—The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.
(7) NATIONAL COMPLIANCE STANDARDS FOR ALL SOFTWARE.—
(A) PROTOCOL.—The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal Government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks to ensure that it—
(i) meets the software security standards of paragraph (2); and
(ii) does not require or cause any changes to be made in the standard configurations described in paragraph (4).
(B) COMPLIANCE.—The Institute shall develop a process or procedure to verify that—
(i) software development organizations comply with the protocol established under subparagraph (A) during the software development process; and
(ii) testing results showing evidence of adequate testing and defect reduction are provided to the Federal Government prior to deployment of software.
(b) CRITERIA FOR STANDARDS.—Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.
(c) INTERNATIONAL STANDARDS.—The Director, through the Institute and in coordination with appropriate Federal agencies, shall be responsible for United States representation in all international standards development related to cybersecurity, and shall develop and implement a strategy to optimize the United States position with respect to international cybersecurity standards.
(d) COMPLIANCE ENFORCEMENT.—The Director shall—
(1) enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors; and
(2) require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.
(e) FCC NATIONAL BROADBAND PLAN.—In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL.—Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING.—Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.
(a) IN GENERAL.—No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel—
(1) has reviewed the action;
(2) considered the commercial and national security implications of the action; and
(3) approved the action.
(b) APPROVAL PROCEDURE.—If the Advisory Panel does not approve such an action, it shall immediately notify the Assistant Secretary in writing of the disapproval and the reasons therefor. The Advisory Panel may provide recommendations to the Assistant Secretary in the notice for any modifications it deems necessary to secure approval of the action.

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
(a) IN GENERAL.—Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system. The Assistant Secretary shall publish notice of the system requirements in the Federal Register together with an implementation schedule for Federal agencies and information systems or networks designated by the President, or the President's designee, as critical infrastructure information systems or networks.
(b) COMPLIANCE REQUIRED.—The President shall ensure that each Federal agency and each such system or network implements the secure domain name addressing system in accordance with the schedule published by the Assistant Secretary.

SEC. 10. PROMOTING CYBERSECURITY AWARENESS.
The Secretary of Commerce shall develop and implement a national cybersecurity awareness campaign that—
(1) is designed to heighten public awareness of cybersecurity issues and concerns;
(2) communicates the Federal Government's role in securing the Internet and protecting privacy and civil liberties with respect to Internet-related activities; and
(3) utilizes public and private sector means of providing information to the public, including public service announcements.

SEC. 11. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) FUNDAMENTAL CYBERSECURITY RESEARCH.—The Director of the National Science Foundation shall give priority to computer and information science and engineering research to ensure substantial support is provided to meet the following challenges in cybersecurity:
(1) How to design and build complex software-intensive systems that are secure and reliable when first deployed.
(2) How to test and verify that software, whether developed locally or obtained from a third party, is free of significant known security flaws.
(3) How to test and verify that software obtained from a third party correctly implements stated functionality, and only that functionality.
(4) How to guarantee the privacy of a