S. 1900 IS, the
Cyberterrorism Preparedness Act of 2002.
Introduced by Sen. John Edwards (D-NC).
Date introduced: January 28, 2002.


S. 1900

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Cyberterrorism Preparedness Act of 2002''.

SEC. 2. GRANT FOR PROGRAM FOR PROTECTION OF INFORMATION INFRASTRUCTURE AGAINST DISRUPTION.

    (a) IN GENERAL.--The National Institute of Standards and Technology shall, using amounts authorized to be appropriated by section 5, award a grant to a qualifying nongovernmental entity for purposes of a program to support the development of appropriate cybersecurity best practices, support long-term cybersecurity research and development, and perform functions relating to such activities. The purpose of the program shall be to provide protection for the information infrastructure of the United States against terrorist or other disruption or attack or other unwarranted intrusion.

    (b) QUALIFYING NONGOVERNMENTAL ENTITY.--For purposes of this section, a qualifying nongovernmental entity is any entity that--

    (1) is a nonprofit, nongovernmental consortium composed of at least three academic centers of expertise in cybersecurity and at least three private sector centers of expertise in cybersecurity;

    (2) has a board of directors of at least 12 members who include senior administrators of academic centers of expertise in cybersecurity and senior managers of private sector centers of expertise in cybersecurity and of whom not more than one third are affiliated with the centers comprising the consortium;

    (3) is operated by individuals from academia, the private sector, or both who have--

    (A) a demonstrated expertise in cybersecurity; and

    (B) the capacity to carry out the program required under subsection (g);

    (4) has in place a set of rules to ensure that conflicts of interest involving officers, employees, and members of the board of directors of the entity do not undermine the activities of the entity;

    (5) has developed a detailed plan for the program required under subsection (g); and

    (6) meets any other requirements established by the National Institute of Standards and Technology for purposes of this Act.

    (c) APPLICATION.--Any entity seeking a grant under this section shall submit to the National Institute of Standards and Technology an application therefor, in such form and containing such information as the National Institute of Standards and Technology shall require.

    (d) SELECTION OF GRANTEE.--The entity awarded a grant under this section shall be selected after full and open competition among qualifying nongovernmental entities.

    (e) DISPERSAL OF GRANT AMOUNT.--Amounts available for the grant under this section pursuant to the authorization of appropriations in section 5 shall be dispersed on a fiscal year basis over the five fiscal years beginning with fiscal year 2003.

    (f) CONSULTATION.--In carrying out activities under this section, including selecting an entity for the award of a grant, dispersing grant amounts, and overseeing activities of the entity receiving the grant, the National Institute of Standards and Technology--

    (1) shall consult with an existing interagency entity, or new interagency entity, consisting of the elements of the Federal Government having a substantial interest and expertise in cybersecurity and designated by the President for purposes of this Act; and

    (2) may consult separately with any such element of the Federal Government.

    (g) PROGRAM USING GRANT AMOUNT.--

    (1) IN GENERAL.--The entity awarded a grant under this section shall carry out a national program for the purpose of protecting the information infrastructure of the United States against disruption. The program shall consist of--

    (A) multi-disciplinary research and development to identify appropriate cybersecurity best practices, to measure the effectiveness of cybersecurity best practices that are put into use, and to identify sound means to achieve widespread use of appropriate cybersecurity best practices that have proven effective;

    (B) multi-disciplinary, long-term, or high-risk research and development (including associated human resource development) to improve cybersecurity; and

    (C) the activities required under paragraphs (3) and (4).

    (2) CONDUCT OF RESEARCH AND DEVELOPMENT.--

    (A) IN GENERAL.--Except as provided in subparagraph (B), research and development under subparagraphs (A) and (B) of paragraph (1) shall be carried out using funds and other support provided by the grantee to entities selected by the grantee after full and open competition among entities determined by the grantee to be qualified to carry out such research and development.

    (B) CONDUCT BY GRANTEE.--The grantee may carry out research and development referred to in subparagraph (A) in any fiscal year using not more than 15 percent of the amount dispersed to the grantee under this Act in such fiscal year by the National Institute of Standards and Technology.

    (3) RECOMMENDATIONS ON CYBERSECURITY BEST PRACTICES.--

    (A) RECOMMENDATIONS.--Not later than 18 months after the selection of the grantee under this section, the grantee shall prepare a report containing recommendations for appropriate cybersecurity best practices.

    (B) UPDATES.--The grantee shall update the recommendations made under subparagraph (A) not less often than once every six months, and may update any portion of such recommendations more frequently if the grantee determines that circumstances so require.

    (C) CONSIDERATIONS.--In making recommendations under subparagraph (A), and any update of such recommendations under subparagraph (B), the grantee shall--

    (i) review the most current cybersecurity best practices identified by the National Institute of Standards and Technology under section 3(a); and

    (ii) consult with--

    (I) the entities carrying out research and development under paragraph (1)(A);

    (II) entities employing cybersecurity best practices; and

    (III) a wide range of academic, private sector, and public entities.

    (D) DISSEMINATION.--The grantee shall submit the report under subparagraph (A), and any update of the report under paragraph (B), to the bodies and officials specified in paragraph (5), and shall widely disseminate the report, and any such update, among government (including State and local government), private, and academic entities.

    (4) ACTIVITIES RELATING TO WIDESPREAD USE OF CYBERSECURITY BEST PRACTICES.--

    (A) IN GENERAL.--Not later than two years after the selection of the grantee under this section, the grantee shall submit to the bodies and officials specified in paragraph (5) a report containing--

    (i) an assessment of the advisability of requiring the contractors and grantees of the Federal Government to use appropriate cybersecurity best practices; and

    (ii) recommendations for sound means to achieve widespread use of appropriate cybersecurity best practices that have proven effective.

    (B) REPORT ELEMENTS.--The report under subparagraph (A) shall set forth--

    (i) whether or not the requirement described in subparagraph (A)(i) is advisable, including whether the requirement would impose undue or inappropriate burdens, or other inefficiencies, on contractors and grantees of the Federal Government;

    (ii) if the requirement is determined advisable--

    (I) whether, and to what extent, the requirement should be subject to exceptions or limitations for particular contractors or grantees, including the types of contractors or grantees and the nature of the exceptions or limitations; and

    (II) which cybersecurity best practices should be covered by the requirement and with what, if any, exceptions or limitations; and

    (iii) any other matters that the grantee considers appropriate.

    (5) SPECIFIED BODIES AND OFFICIALS.--The bodies and officials specified in this paragraph are as follows:

    (A) The appropriate committees of Congress.

    (B) The President.

    (C) The Director of the Office of Management and Budget.

    (D) The National Institute of Standards and Technology.

    (E) The interagency entity designated by the President under subsection (f)(1).

    (h) GRANT ADMINISTRATION.--

    (1) USE OF GRANT COMPETITION AND MANAGEMENT SYSTEMS.--The National Institute of Standards and Technology may permit the entity awarded the grant under this section to utilize the grants competition system and grants management system of the National Institute of Standards and Technology for purposes of the efficient administration of activities by the entity under subsection (g).

    (2) RULES.--The National Institute of Standards and Technology shall establish any rules and procedures that the National Institute of Standards and Technology considers appropriate to further the purposes of this section. Such rules may include provisions relating to the ownership of any intellectual property created by the entity awarded the grant under this section or funded by the entity under subsection (g).

    (i) SUPPLEMENT NOT SUPPLANT.--The National Institute of Standards and Technology shall take appropriate actions to ensure that activities under this section supplement, rather than supplant, other current governmental and nongovernmental efforts to protect the information infrastructure of the United States.

SEC. 3. APPROPRIATE CYBERSECURITY BEST PRACTICES FOR THE FEDERAL GOVERNMENT.

    (a) NIST RECOMMENDATIONS.--

    (1) IN GENERAL.--Not later than 180 days after the date of the enactment of this Act, the National Institute of Standards and Technology shall submit to the bodies and officials specified in subsection (e) a report that--

    (A) identifies appropriate cybersecurity best practices that could reasonably be adopted by the departments and agencies of the Federal Government over the 24-month period beginning on the date of the report; and

    (B) sets forth proposed demonstration projects for the adoption of such best practices by various departments and agencies of the Federal Government beginning 90 days after the date of the report.

    (2) UPDATES.--The National Institute of Standards and Technology may submit to the bodies and officials specified in subsection (e) any updates of the report under paragraph (1) that the National Institute of Standards and Technology considers appropriate due to changes in circumstances.

    (3) CONSULTATION.--In preparing the report under paragraph (1), and any updates of the report under paragraph (2), the National Institute of Standards and Technology shall consult with departments and agencies of the Federal Government having an interest in the report and such updates, and with academic centers of expertise in cybersecurity and private sector centers of expertise in cybersecurity.

    (b) DEMONSTRATION PROJECTS FOR IMPLEMENTATION OF RECOMMENDATIONS.--

    (1) IN GENERAL.--Commencing not later than 90 days after receipt of the report under subsection (a), the President shall carry out the demonstration projects set forth in the report, including any modification of any such demonstration project that the President considers appropriate.

    (2) UPDATES.--If the National Institute of Standards and Technology updates under subsection (a)(2) any recommendation under subsection (a)(1)(A) that is relevant to a demonstration project under paragraph (1), the President shall modify the demonstration project to take into account such update.

    (3) REPORT.--Not later than nine months after commencement of the demonstration projects under this subsection, the President shall submit to the appropriate committees of Congress a report on the demonstration projects. The report shall set forth the following:

    (A) An assessment of the extent to which the adoption of appropriate cybersecurity best practices by departments and agencies of the Federal Government under the demonstration projects has improved cybersecurity at such departments and agencies.

    (B) An assessment whether or not the adoption of appropriate cybersecurity best practices by departments and agencies of the Federal Government under the demonstration projects has affected the capability of such departments and agencies to carry out their missions.

    (C) A description of the cost of the adoption of appropriate cybersecurity best practices by departments and agencies of the Federal Government under the demonstration projects.

    (D) A description of a security-enhancing missions-comparable, cost-effective program, to the extent such program is feasible, for the adoption of appropriate cybersecurity best practices government-wide.

    (E) Any other matters that the President considers appropriate.

    (c) ADOPTION OF CYBERSECURITY BEST PRACTICES GOVERNMENT-WIDE.--The President shall implement a program for the adoption of appropriate cybersecurity best practices government-wide commencing not later than six months after the date of the report.

    (d) INCORPORATION OF RECOMMENDATIONS.--If during the development or implementation of the program under subsection (c) the President receives any recommendations under paragraph (3) or (4) of section 3(g), the President shall modify the program in order to take into account such recommendations.

    (e) SPECIFIED BODIES AND OFFICIALS.--The bodies and officials specified in this subsection are as follows:

    (1) The appropriate committees of Congress.

    (2) The President.

    (3) The Director of the Office of Management and Budget.

    (4) The interagency entity designated by the President under section 3(f)(1).

SEC. 4. DEFINITIONS.

    In this Act:

    (1) APPROPRIATE COMMITTEES OF CONGRESS.--The term ``appropriate committees of Congress'' means--

    (A) the Committee on Commerce, Science, and Transportation of the Senate; and

    (B) the Committee on Science of the House of Representatives.

    (2) CYBERSECURITY.--The term ``cybersecurity'' means information assurance, including information security, information technology disaster recovery, and information privacy.

    (3) CYBERSECURITY BEST PRACTICE.--The term ``cybersecurity best practice'' means a computer hardware or software configuration, information system design, operational procedure, or measure, structure, or method that most effectively protects computer hardware, software, networks, or network elements against an attack that would cause harm through the installation of unauthorized computer software, saturation of network traffic, alteration of data, disclosure of confidential information, or other means.

    (4) APPROPRIATE CYBERSECURITY BEST PRACTICE.--The term ``appropriate cybersecurity best practice'' means a cybersecurity best practice that--

    (A) permits, as needed, customization or expansion for the computer hardware, software, network, or network element to which the best practice applies;

    (B) takes into account the need for security protection that balances--

    (i) the risk and magnitude of harm threatened by potential attack; and

    (ii) the cost of imposing security protection; and

    (C) takes into account the rapidly changing nature of computer technology.

SEC. 5. AUTHORIZATION OF APPROPRIATIONS.

    There is hereby authorized to be appropriated for the National Institute of Standards and Technology for purposes of activities under this Act, amounts as follows:

    (1) For fiscal year 2003, $70,000,000.

    (2) For each of the fiscal years 2004 through 2007, such sums as may be necessary.