[Senate Report 116-254]
[From the U.S. Government Publishing Office]
Calendar No. 515
116th Congress } { Report
SENATE
2d Session } { 116-254
_______________________________________________________________________
HARVESTING AMERICAN CYBERSECURITY KNOWLEDGE THROUGH EDUCATION ACT OF
2019
__________
R E P O R T
of the
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
on
S. 2775
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
August 12, 2020.--Ordered to be printed
________
U.S. GOVERNMENT PUBLISHING OFFICE
99-010 WASHINGTON : 2020
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
one hundred sixteenth congress
second session
ROGER F. WICKER, Mississippi, Chairman
JOHN THUNE, South Dakota MARIA CANTWELL, Washington
ROY BLUNT, Missouri AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas EDWARD J. MARKEY, Massachusetts
DAN SULLIVAN, Alaska TOM UDALL, New Mexico
CORY GARDNER, Colorado GARY C. PETERS, Michigan
MARSHA BLACKBURN, Tennessee TAMMY BALDWIN, Wisconsin
SHELLEY MOORE CAPITO, West Virginia TAMMY DUCKWORTH, Illinois
MIKE LEE, Utah JON TESTER, Montana
RON JOHNSON, Wisconsin KYRSTEN SINEMA, Arizona
TODD C. YOUNG, Indiana JACKY ROSEN, Nevada
RICK SCOTT, Florida
John Keast, Staff Director
David Strickland, Minority Staff Director
Calendar No. 515
116th Congress } { Report
SENATE
2d Session } { 116-254
======================================================================
HARVESTING AMERICAN CYBERSECURITY KNOWLEDGE THROUGH EDUCATION ACT OF
2019
_______
August 12, 2020.--Ordered to be printed
_______
Mr. Wicker, from the Committee on Commerce, Science, and
Transportation, submitted the following
R E P O R T
[To accompany S. 2775]
[Including cost estimate of the Congressional Budget Office]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 2775) to improve the cyber
workforce of the United States, and for other purposes, having
considered the same, reports favorably thereon with amendments
and recommends that the bill (as amended) do pass.
Purpose of the Bill
The Harvesting American Cybersecurity Knowledge through
Education (HACKED) Act of 2019 is intended to improve the
cybersecurity workforce of public and private sectors.
Background and Needs
Cybersecurity risks impact the United States' economic and
national security. The cost of malicious cyber activity to the
U.S. economy in 2016 is estimated at $57 billion to $109
billion.\1\ In addition, the U.S. Government Accountability
Office declared cybersecurity as a ``high risk issue'' given
the threats to Federal networks, the Nation's critical
infrastructure, and personal information of individuals.\2\
Despite the growing cybersecurity risks facing the United
States, the government and private sector are facing a shortage
of cybersecurity workers. According to CyberSeek, a project
supported by the National Initiative for Cybersecurity
Education (NICE), as of 2018, there are more than 300,000
unfilled cybersecurity jobs in the United States. It is
projected there will be 500,000 total unfilled positions by
2021.\3\\4\ In addition, a recent survey by the International
Information Security Certification Consortium (ISC)\2\, a
cybersecurity professionals organization, found that 63 percent
of industry faces a shortage of cybersecurity employees.\5\
---------------------------------------------------------------------------
\1\The Council of Economic Advisers, ``The Cost of Malicious Cyber
Activity to the U.S. Economy,'' February 2018 (https://
www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-
Cyber-Activity-to-the-U.S.-Economy.pdf) (accessed Apr. 17, 2020).
\2\U.S. Government Accountability Office, ``Cybersecurity
Challenges Facing the Nation--High Risk Issue'' (https://www.gao.gov/
key_issues/ensuring_security_federal_information_systems/
issue_summary#t=0) (accessed Apr. 17, 2020).
\3\CyberSeek, ``Cybersecurity Supply/Demand Heat Map'' (https://
www.cyberseek.org/heatmap.html).
\4\U.S. Bureau of Labor Statistics, ``Employment by Detailed
Occupation'' (https://www.bls.gov/emp/tables/emp-by-detailed-
occupation.htm) (accessed Apr. 17, 2020).
\5\(ISC)\2\, ``Cybersecurity Professionals Focus on Developing New
Skills as Workforce Gap Widens,'' 2018 (www.isc2.org/-/media/ISC2/
Research/2018-ISC2-Cybersecurity-Workforce-
Study.ashx?la=en&hash=4E09681D 0FB51698D9BA6BF13EEABFA48BD17DB0)
(accessed Apr. 17, 2020).
---------------------------------------------------------------------------
In response to the 2017 Presidential Executive Order on
Strengthening the Cybersecurity of Federal Networks and
Critical Infrastructure,\6\ the Department of Commerce (DOC)
and Department of Homeland Security (DHS) issued a report\7\
with recommendations to improve the cybersecurity workforce in
the public and private sectors. The report issued a number of
findings, including the following:
\6\Executive Order 13800, 82 FR 22391 (2017).
\7\U.S. Department of Commerce and U.S. Department of Homeland
Security, ``A Report to the President on Supporting the Growth and
Sustainment of the Nation's Cybersecurity Workforce: Building the
Foundation for a More Secure American Future,'' May 10, 2018. p. 2
(https://csrc.nist.gov/publications/detail/white-paper/2018/05/30/
supporting-growth-and-sustainment-of-the-cybersecurity-workforce/final)
(accessed Apr. 17, 2020).
The United States needs immediate and sustained improvements
in its cybersecurity workforce situation.
Employers increasingly are concerned about the relevance of
cybersecurity-related education programs in meeting the needs
of their organizations.
Expanding the pool of cybersecurity candidates by retraining
those employed in non-cybersecurity fields and by increasing
the participation of women, minorities, and veterans as well as
students in primary through secondary school is needed and
represents significant opportunities.
There is an apparent shortage of knowledgeable and skilled
cybersecurity teachers at the primary and secondary levels,
faculty in higher education, and training instructors.
Hiring considerations--including lengthy security clearance
delays and onboarding processes--severely affect the
sufficiency of the cybersecurity workforce.
Comprehensive and reliable data about cybersecurity
workforce position needs and education and training programs is
lacking--even though the general context and urgency of the
situation are obvious.
The report also included a number of recommended actions,
many of which are required by the May 2019 Executive Order on
America's Cybersecurity Workforce.\8\ Several recommendations,
including improvements to align education and training with
employers' cybersecurity workforce needs by applying the NICE
Workforce Framework, developing cybersecurity career model
paths, and authorizing Multistakeholder Regional Alliances are
included in this legislation.
---------------------------------------------------------------------------
\8\Executive Order 13870, 84 FR 20523 (2019).
---------------------------------------------------------------------------
NICE, led by the National Institute of Standards and
Technology (NIST), serves as the lead for working with the
government and public sectors on issues pertaining to
cybersecurity education, training, and workforce development.
NICE developed the NICE Cybersecurity Workforce Framework (NIST
Special Publication 800-181), ``a national focused resource
that categorizes and describes cybersecurity work''.\9\ Similar
to the well-known Framework for Improving Critical
Infrastructure Cybersecurity, the NICE Framework establishes
common taxonomy and definitions for cybersecurity work, which
is intended to be used by public, private, and academic
sectors. NIST also convenes Federal agencies, through the NICE
Interagency Coordinating Council, to coordinate Federal
programs related to cybersecurity workforce,\10\ which would be
enhanced under this legislation. The May 2019 Executive Order
on America's Cybersecurity Workforce encouraged the adoption of
the NICE Framework by both the private and public sectors.
---------------------------------------------------------------------------
\9\National Institute of Standards and Technology, ``NICE
Cybersecurity Workforce Framework'' (https://www.nist.gov/itl/applied-
cybersecurity/nice/resources/nice-cybersecurity-
workforce-framework) (accessed Apr. 17, 2020).
\10\National Institute of Standards and Technology, ``NICE
Interagency Coordinating Council'' (ICC) (https://www.nist.gov/itl/
applied-cybersecurity/nice/about/interagency-coordinating-council)
(accessed Apr. 17, 2020).
---------------------------------------------------------------------------
In October, the Office of Science and Technology Policy
(OSTP) reported that there are more than 100 Federal programs
for STEM education with a budget of over $3.2 billion.\11\
These programs focus broadly on STEM education, but only a few
focus on cybersecurity. The National Security Agency and the
Department of Homeland Security designate 2-year, 4-year, and
graduate-level schools as Centers of Academic Excellence (CAE)
with three types of cyber designations (cyber defense
education, cyber defense research, and cyber operations). There
are currently over 270 CAEs across 48 States, 9 of which hold
all 3 designations.\12\ The National Science Foundation (NSF)
CyberCorps Scholarship-for-Service program provides
scholarships to students in exchange for service after
graduation in a Federal, State, local, or Tribal government
organization for a period equal to the length of the
scholarship. Over 3,000 students have entered the CyberCorps
program since it began in 2011, and have been placed in more
than 140 Federal agencies and departments.\13\ The program was
last amended by the National Defense Authorization Act for
Fiscal Year 2018,\14\ which directed a pilot program to expand
the scholarships to community colleges. Despite the growing
need for cybersecurity professionals, there is a shortage of
skilled cybersecurity educators. The Computing Research
Association estimates that in 2018 only 14 of the approximately
100 Ph.D. graduates secured tenure-track jobs in academia.\15\
Further, half of 2-year CAE designated schools have current
vacancies for cybersecurity faculty.\16\
---------------------------------------------------------------------------
\11\Office of Science and Technology Policy, ``Progress Report on
the Federal Implementation of the STEM Education Strategic Plan,''
October 2019 (https://www.whitehouse.gov/wp-
content/uploads/2019/10/Progress-Report-on-the-Federal-Implementation-
of-the-STEM-
Education-Strategic-Plan.pdf) (accessed Apr. 17, 2020).
\12\CAE in Cybersecurity Community, ``CAE Institution Map''
(https://www.caecommunity.org/content/cae-institution-map) (accessed
Apr. 17, 2020).
\13\CyberCorps Scholarship for Service, ``History/Overview''
(https://www.sfs.opm.gov/
Overview-History.aspx) (accessed Apr. 17, 2020).
\14\Pub. L. 115-91.
\15\Stuart Zweben and Betsy Bizot, ``2018 Taulbee Survey, Undergrad
Enrollment Continues Upward; Doctoral Degree Production Declines but
Doctoral Enrollment Rises'' (https://cra.org/wp-content/uploads/2019/
05/2018_Taulbee_Survey.pdf) (accessed Apr. 17, 2020).
\16\Alicia Modestino and Walter McHugh, Educator Shortage Problem
Found in the 2017 CAE Cybersecurity Survey (https://
aliciasassermodestino.com/wp-content/uploads/2019/04/2018-NAS-
Cybersecurity-Survey-Report-1.pdf) (accessed May 5, 2020).
---------------------------------------------------------------------------
Summary of Provisions
The legislation would amend science education and
cybersecurity programs at NIST, NSF, the National Aeronautics
and Space Administration (NASA), and the U.S. Department of
Transportation (DOT). Specifically, it would do the following:
Incentivize recruitment of cybersecurity teachers by
expanding the NSF CyberCorps Scholarship-for-Service to
allow for students to fulfill their service obligation
as teachers. Currently the program requires government
employment. It would also support cybersecurity camps
for K-12 students and teachers.
Align education and training with cybersecurity
workforce needs by authorizing Regional Alliances and
Multistakeholder Partnerships to fund partnerships
between local employers with educational institutions
to fill local cybersecurity workforce needs and
directing the improvement of metrics to track and
measure cybersecurity workforce needs across the
Nation. It would also amend NSF, NASA, and DOT
education programs to include cybersecurity as an
explicit component.
Design clear paths in the cybersecurity workforce
and educate Federal employees by identifying model
career paths for various cybersecurity work roles;
identifying tools for assessing skills and capabilities
of workers; conducting research on the integration of
computer science and cybersecurity; and developing
standards on cybersecurity awareness for Federal
agencies.
Increase coordination in Federal cyber workforce
programs by directing an existing OSTP interagency
working group to coordinate Federal cyber workforce
programs and codify NIST as the agency responsible for
leading interagency efforts on such coordination.
Legislative History
S. 2775 was introduced on November 5, 2019, by Senator
Wicker (for himself and Senators Cantwell, Thune, and Rosen)
and was referred to the Committee on Commerce, Science, and
Transportation of the Senate. On November 13, 2019, the
Committee met in open Executive Session and, by voice vote,
ordered S. 2775 reported favorably with an amendment. The
Committee approved an amendment from Senators Thune, Klobuchar,
and Rosen which would require the Director of NIST to establish
a voluntary cybersecurity exchange program.
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
S. 2775 would require the National Institute of Standards
and Technology (NIST) to expand its efforts under the National
Initiative for Cybersecurity Education. The bill would require
the agency to coordinate federal research on the skills
cybersecurity workers need in critical infrastructure sectors
and to measure the effectiveness of federal programs directed
at expanding and advancing the cybersecurity workforce. The
bill also would require NIST to identify career pathways for
cybersecurity professionals in government and private industry.
Under S. 2775, NIST would award grants each year to entities to
form public-private partnerships to expand and advance the
cybersecurity workforce at the local level.
CBO estimates that implementing S. 2775 would cost $57
million over the 2020-2025 period, assuming appropriation of
the estimated amounts. The costs of the bill, detailed in Table
1, fall within budget function 370 (commerce and housing
credit).
For this estimate, CBO assumes that the bill will be
enacted in fiscal year 2020. Under that assumption, the agency
could incur some costs in 2020, but CBO expects that most of
the costs would be incurred in 2021 and later.
TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 2775
----------------------------------------------------------------------------------------------------------------
By fiscal year, millions of dollars--
------------------------------------------------------------------------
2020 2021 2022 2023 2024 2025 2020-2025
----------------------------------------------------------------------------------------------------------------
Total Changes
Estimated Authorization................ * 15 13 14 14 15 71
Estimated Outlays...................... * 6 10 13 14 14 57
----------------------------------------------------------------------------------------------------------------
* = between zero and $500,000.
Using information from NIST, CBO estimates the agency would
obligate about $10 million in grants each year beginning in
2021 (the equivalent of a $200,000 grant in each state) and
that related administrative costs would be about $2 million a
year. CBO expects that the grants would outlay within a few
years of obligation. In total, CBO estimates that providing
grants and administering the new program would cost about $50
million over the 2020-2025 period. In addition, CBO estimates
that it would cost NIST about $7 million over the 2020-2025
period to hire scientists, engineers, and contractors to
fulfill other requirements under the bill related to improving
the cybersecurity workforce.
The bill would direct several other federal agencies to
advance cybersecurity research, education, and workforce
development efforts. CBO estimates that any additional costs
incurred by those agencies to fulfill the bill's requirements
would be insignificant.
The CBO staff contact for this estimate is David Hughes.
The estimate was reviewed by H. Samuel Papenfuss, Deputy
Director of Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
number of persons covered
S. 2775 would amend a number of existing programs at NIST,
NSF, NASA, and DOT, which involve grants and cooperative
agreements with academia and industry. However, the bill would
not authorize any new regulations and therefore would not
subject any individuals or organizations to new regulations.
economic impact
S. 2775 is not expected to have an adverse impact on the
Nation's economy as it is expected to improve cybersecurity
workforce-related jobs in the public and private sectors.
privacy
S. 2775 is not expected to have an impact on the personal
privacy of individuals.
paperwork
S. 2775 would require NICE to submit a report to Congress
on the scope and sufficiency of efforts to measure
cybersecurity learners capabilities to perform specific
cybersecurity tasks at all proficiency levels. The bill would
also require participants in the regional multistakeholder
alliance cooperative agreements to submit reports on efforts
under the program.
Congressionally Directed Spending
In compliance with paragraph 4(b) of rule XLIV of the
Standing Rules of the Senate, the Committee provides that no
provisions contained in the bill, as reported, meet the
definition of congressionally directed spending items under the
rule.
Section-by-Section Analysis
Section 1. Short title
This section would provide that the bill may be cited as
the ``Harvesting American Cybersecurity Knowledge through
Education Act of 2019'' or ``HACKED Act of 2019''.
Section 2. Improving national initiative for cybersecurity education
This section would make a series of amendments to NICE
within NIST. The section would direct NIST to coordinate
interagency efforts to identify cybersecurity workforce skill
gaps in public and private sectors, coordinate existing Federal
cybersecurity workforce programs, promote the National Security
Agency and DHS designated National Centers of Academic
Excellence in Cybersecurity, consider needs for cybersecurity
workforce in critical infrastructure, and develop metrics for
measuring the effectiveness of current cybersecurity workforce
programs and initiatives. This section would also establish a
voluntary talent exchange of cybersecurity employees between
NIST and private sector or research institutions, as the
Director considers feasible. In carrying out the NICE effort,
this section would direct a report identifying multiple
cybersecurity career pathways in private and public sectors,
including noncompetitive hiring pathways in the Federal
Government and evaluation of efforts to measure proficiency to
perform cybersecurity tasks.
The section would further authorize Regional Alliances and
Multistakeholder Partnerships to address the workforce needs of
local communities in order to support job driven education and
training programs. The section would define the requirements
for the cooperative agreements including outlining eligible
regional alliances, which must include at least one institution
of higher education or nonprofit training organization and at
least one local employer or owner or operator of critical
infrastructure. It would also cap each regional alliance award
at $200,000 and require awardees to provide a non-Federal
contribution. The section would require that the regional
alliances leverage the objectives of the NICE program and
encourage programs that seek to include women, minorities, or
veterans.
Section 3. Development of standards and guidelines for improving
cybersecurity workforce of Federal agencies
This section would direct NIST to identify, develop, and
publish standards for improving the cybersecurity workforce for
Federal agencies as part of the NICE Cybersecurity Workforce
Framework. It would also direct NIST to issue cybersecurity
awareness standards and guidelines for use by Federal agencies.
Section 4. Modifications to Federal Cyber Scholarship-for-Service
program
This section would amend the NSF Scholarship-for-Service
program (also called ``CyberCorps scholarships'') to grow the
number of cybersecurity educators. It would allow up to 10
percent of the scholarship recipients to fulfill their service
obligation as an educator in a Cybercorps school. Currently,
the program requires that scholarship recipients agree to work
after graduation for a government agency for a period equal to
the length of their scholarship. The section would direct that
cybersecurity summer camps, including teacher training, be
carried out as part of the scholarship program.
Section 5. Cybersecurity in programs of the National Science Foundation
This section would ensure cybersecurity is addressed in
existing NSF STEM programs, including computer science
education research, the Advanced Technological Education
program, Low-income Scholarship Program, and the Graduate
Research Fellowship Program. It would also direct research on
the integration of cybersecurity into computer science
education and ensure that educators and mentors in fields
relating to cybersecurity be considered for Presidential Awards
for Excellence in Mathematics and Science Teaching and for
Excellence in STEM.
Section 6. Cybersecurity in STEM programs of the National Aeronautics
and Space Administration
This section would encourage cybersecurity education
opportunities in existing STEM programs at NASA.
Section 7. Cybersecurity in Department of Transportation programs
This section would amend the DOT University Transportation
Centers program to conduct research on transportation
cybersecurity, including research on cybersecurity implications
associated with autonomous vehicles, connected vehicles, and
critical infrastructure. It would also require the Secretary of
Transportation to include reducing transportation cybersecurity
risks as part of the 5-year strategic research and development
plan.
Section 8. Coordination of Federal cybersecurity workforce
This section would improve coordination of Federal
cybersecurity workforce programs by establishing or designating
a subcommittee on cybersecurity workforce within the existing
Committee on Science, Technology, Engineering, and Math
Education (otherwise referred to as the CoSTEM Committee). The
section would designate the directors of OSTP and NIST as the
co-chairs of the subcommittee.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
material is printed in italic, existing law in which no change
is proposed is shown in roman):
UNITED STATES CODE
* * * * * * *
TITLE 49--TRANSPORTATION
Subtitle III--General and Intermodal Programs
CHAPTER 55--INTERMODAL TRANSPORTATION
Subchapter I--General
* * * * * * *
Sec. 5505. University transportation centers program
(a) University Transportation Centers Program.--
(1) Establishment and operation.--The Secretary shall
make grants under this section to eligible nonprofit
institutions of higher education to establish and
operate university transportation centers.
(2) Role of centers.--The role of each university
transportation center referred to in paragraph (1)
shall be--
(A) to advance transportation expertise and
technology in the varied disciplines that
comprise the field of transportation through
education, research, and technology transfer
activities;
(B) to provide for a critical transportation
knowledge base outside of the Department of
Transportation; and
(C) to address critical workforce needs and
educate the next generation of transportation
leaders in the matters described in
subparagraphs (A) through (G) of section
6503(c)(1).
(b) * * *
(c) Grants.--
(1) * * *
(2) * * *
(3) Regional university transportation centers.--
(A) * * *
(B) * * *
(C) * * *
(D) * * *
(E) Focused research.--[The Secretary]
(i) In general.--A regional
university transportation center
receiving a grant under this paragraph
shall carry out research focusing on 1
or more of the matters described in
subparagraphs (A) through (G) of
section 6503(c)(1).
(ii) Focused objectives.--The
Secretary shall make a grant to 1 of
the 10 regional university
transportation centers established
under this paragraph for the purpose of
furthering the objectives described in
subsection (a)(2) in the field of
comprehensive transportation safety,
congestion, connected vehicles,
connected infrastructure, and
autonomous vehicles, including the
cybersecurity implications of
technologies relating to connected
vehicles, connected infrastructure, and
autonomous vehicles.
* * * * * * *
CHAPTER 65--RESEARCH PLANNING
* * * * * * *
Sec. 6503. Transportation research and development 5-year strategic
plan
(a) * * *
(b) * * *
(c) Contents.--The strategic plan developed under subsection
(a) shall--
(1) describe how the plan furthers the primary
purposes of the transportation research and development
program, which shall include--
(A) improving mobility of people and goods;
(B) reducing congestion;
(C) promoting safety;
(D) improving the durability and extending
the life of transportation infrastructure;
(E) preserving the environment; [and]
(F) preserving the existing transportation
system; and
(G) reducing transportation cybersecurity
risks;
* * * * * * *
AMERICA COMPETES REAUTHORIZATION ACT OF 2010
[42 U.S.C. 6621; as amended through Pub. L. 114-329]
SEC. 101. COORDINATION OF FEDERAL STEM EDUCATION.
(a) Establishment.--The Director shall establish a committee
under the National Science and Technology Council, including
the Office of Management and Budget, with the responsibility to
coordinate Federal programs and activities in support of STEM
education, including at the National Science Foundation, the
Department of Energy, the National Aeronautics and Space
Administration, the National Institute of Standards and
Technology, the National Oceanic and Atmospheric
Administration, the Department of Education, and all other
Federal agencies that have programs and activities in support
of STEM education.
(b) Responsibilities.--The committee established under
subsection (a) shall--
(1) coordinate the STEM education activities and
programs of the Federal agencies;
(2) coordinate STEM education activities and programs
with the Office of Management and Budget;
(3) encourage the teaching of innovation and
entrepreneurship as part of STEM education activities;
(4) review STEM education activities and programs to
ensure they are not duplicative of similar efforts
within the Federal government;
(5) develop, implement through the participating
agencies, and update once every 5 years a 5-year STEM
education strategic plan, which shall--
(A) specify and prioritize annual and long-
term objectives;
(B) specify the common metrics that will be
used to assess progress toward achieving the
objectives;
(C) describe the approaches that will be
taken by each participating agency to assess
the effectiveness of its STEM education
programs and activities; and
(D) with respect to subparagraph (A),
describe the role of each agency in supporting
programs and activities designed to achieve the
objectives;
(6) establish, periodically update, and maintain an
inventory of federally sponsored STEM education
programs and activities, including documentation of
assessments of the effectiveness of such programs and
activities and rates of participation by women,
underrepresented minorities, and persons in rural areas
in such programs and activities;
(7) collaborate with the STEM Education Advisory
Panel established under section 303 of the American
Innovation and Competitiveness Act and other outside
stakeholders to ensure the engagement of the STEM
education community;
(8) review the measures used by a Federal agency to
evaluate its STEM education activities and programs;
(9) request and review feedback from States on how
the States are utilizing Federal STEM education
programs and activities; and
(10) recommend the reform, termination, or
consolidation of Federal STEM education activities and
programs, taking into consideration the recommendations
of the STEM Education Advisory Panel.
(c) Responsibilities of OSTP.--The Director shall encourage
and monitor the efforts of the participating agencies to ensure
that the strategic plan under subsection (b)(5) is developed
and executed effectively and that the objectives of the
strategic plan are met.
(d) Subcommittees and Working Groups.--
(1) Subcommittees and working groups authorized.--
(A) In general.--The committee established
under subsection (a) may establish 1 or more
subcommittees or working groups to address
specific issues in STEM education, as the
committee considers appropriate.
(B) Composition.--A member of the committee
established under subsection (a) may serve on a
subcommittee or working group established under
subparagraph (A).
(2) Subcommittee on cybersecurity workforce
required.--
(A) In general.--The committee established
under subsection (a) shall establish or
designate a subcommittee to coordinate
cybersecurity education and workforce
activities and programs of the Federal
agencies.
(B) Chairpersons.--The chairpersons of the
subcommittee established or designated under
subsection (a) shall be--
(i) the Director;
(ii) the Director of the National
Institute of Standards and Technology;
and
(iii) the head of any Federal agency,
as the Director and the Director of the
National Institute of Standards and
Technology consider appropriate.
[(d)] (e) Reports.--The Director shall transmit a report
annually to Congress at the time of the President's budget
request describing the plan required under subsection (b)(5).
The annual report shall include--
(1) a description of the STEM education programs and
activities for the previous and current fiscal years,
and the proposed programs and activities under the
President's budget request, of each participating
Federal agency;
(2) the levels of funding for each participating
Federal agency for the programs and activities
described under paragraph (1) for the previous fiscal
year and under the President's budget request;
(3) an evaluation of the levels of duplication and
fragmentation of the programs and activities described
under paragraph (1);
(4) except for the initial annual report, a
description of the progress made in carrying out the
implementation plan, including a description of the
outcome of any program assessments completed in the
previous year, and any changes made to that plan since
the previous annual report;
(5) a description of how the participating Federal
agencies will disseminate information about federally
supported resources for STEM education practitioners,
including teacher professional development programs, to
States and to STEM education practitioners, including
to teachers and administrators in schools that meet the
criteria described in subsection (c)(1)(A) and (B) of
section 7381j of this title;
(6) a description of all consolidations and
terminations of Federal STEM education programs and
activities implemented in the previous fiscal year,
including an explanation for the consolidations and
terminations;
(7) recommendations for reforms, consolidations, and
terminations of STEM education programs or activities
in the upcoming fiscal year; and
(8) a description of any significant new STEM
education public-private partnerships.
(f) STEM Education Defined.--For purposes of this section,
the term ``STEM education'' includes cybersecurity education.
* * * * * * *
AMERICAN COMPETITIVENESS AND WORKFORCE IMPROVEMENT ACT OF 1998
[42 U.S.C. 1869c]
SEC. 414. * * *
(a) * * *
(b) * * *
(c) * * *
(d) Low-income scholarship program.--
(1) Establishment.--The Director of the National
Science Foundation (referred to in this section as the
``Director'') shall award scholarships to low-income
individuals to enable such individuals to pursue
associate, undergraduate, or graduate level degrees in
mathematics, engineering, [or computer science]
computer science, or cybersecurity.
(2) Eligibility.--
(A) In general.--To be eligible to receive a
scholarship under this section, an individual--
(i) * * *
(ii) * * *
(iii) shall certify to the Director
that the individual intends to use
amounts received under the scholarship
to enroll or continue enrollment at an
institution of higher education (as
defined in section 101(a) of the Higher
Education Act of 1965) in order to
pursue an associate, undergraduate, or
graduate level degree in mathematics,
engineering, computer science,
cybersecurity, or other technology and
science programs designated by the
Director.
* * * * * * *
AMERICAN INNOVATION AND COMPETITIVENESS ACT
[42 U.S.C. 1862s-7; Pub. L. 114-329]
SEC. 310. COMPUTER SCIENCE EDUCATION RESEARCH.
(a) Findings.--Congress finds that as the lead Federal agency
for building the research knowledge base for computer science
education, the Foundation is well positioned to make
investments that will accelerate ongoing efforts to enable
rigorous and engaging computer science throughout the Nation as
an integral part of STEM education.
(b) Grant Program.--
(1) In general.--The Director of the Foundation shall
award grants to eligible entities to research computer
science and cybersecurity education and computational
thinking.
(2) Research.--The research described in paragraph
(1) may include the development or adaptation, piloting
or full implementation, and testing of--
(A) models of preservice preparation for
teachers who will teach computer science and
computational thinking;
(B) scalable and sustainable models of
professional development and ongoing support
for the teachers described in subparagraph (A);
(C) tools and models for teaching and
learning aimed at supporting student success
and inclusion in computing within and across
diverse populations, particularly poor, rural,
and tribal populations and other populations
that have been historically underrepresented in
computer science and STEM fields[; and];
(D) high-quality learning opportunities for
teaching computer science and, especially in
poor, rural, or tribal schools at the
elementary school and middle school levels, for
integrating computational thinking into STEM
teaching and learning[.]; and
(E) tools and models for the integration of
cybersecurity and other interdisciplinary
efforts into computer science education and
computational thinking at secondary and
postsecondary levels of education.
(c) Collaborations.--In carrying out the grants established
in subsection (b), eligible entities may collaborate and
partner with local or remote schools to support the integration
of computing , cybersecurity, and computational thinking within
pre-kindergarten through grade 12 STEM curricula and
instruction.
* * * * * * *
CYBERSECURITY ENHANCEMENT ACT OF 2014
[15 U.S.C. 7451; Pub. L. 113-274]
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the
``Cybersecurity Enhancement Act of 2014''.
(b) Table of Contents.--The table of contents of this Act is
as follows:
* * * * * * *
TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT
Sec. 301. Cybersecurity competitions and challenges.
Sec. 302. Federal cyber scholarship-for-service program.
Sec. 303. National cybersecurity awareness and education program.
[TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS]
[Sec. 401. National cybersecurity awareness and education program.]
* * * * * * *
[15 U.S.C. 7442; as amended through Pub. L. 115-91]
TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT
SEC. 301. * * *
SEC. 302. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) * * *
(b) Program Description and Components.--The Federal Cyber
Scholarship-for-Service Program shall--
(1) provide scholarships through qualified
institutions of higher education, including community
colleges, to students who are enrolled in programs of
study at institutions of higher education leading to
degrees or specialized program certifications in the
cybersecurity field;
(2) provide the scholarship recipients with summer
internship opportunities or other meaningful temporary
appointments in the Federal [information technology]
information technology and cybersecurity workforce;
[(3) prioritize the employment placement of at least
80 percent of scholarship recipients in an executive
agency (as defined in section 105 of title 5, United
States Code); and]
(3) prioritize the placement of scholarship
recipients fulfilling the post-award employment
obligation under this section to ensure that--
(A) not less than 70 percent of such
recipients are placed in an executive agency
(as defined in section 105 of title 5, United
States Code);
(B) not more than 10 percent of such
recipients are placed as educators in the field
of cybersecurity at qualified institutions of
higher education that provide scholarships
under this section; and
(C) not more than 20 percent of such
recipients are placed in positions described in
paragraphs (2) through (5) of subsection (d);
and
(4) provide awards to improve cybersecurity education
, including by seeking to provide awards in
coordination with other relevant agencies for summer
cybersecurity camp or other experiences, including
teacher training, in each of the 50 States, at the
kindergarten through grade 12 level--
(A) to increase interest in cybersecurity
careers;
(B) to help students practice correct and
safe online behavior and understand the
foundational principles of cybersecurity;
(C) to improve teaching methods for
delivering cybersecurity content for
kindergarten through grade 12 computer science
curricula; and
(D) to promote teacher recruitment in the
field of cybersecurity.
(d) Post-award Employment Obligations.--Each scholarship
recipient, as a condition of receiving a scholarship under the
program, shall enter into an agreement under which the
recipient agrees to work for a period equal to the length of
the scholarship, following receipt of the student's degree, in
the cybersecurity mission of--
(1) an executive agency (as defined in section 105 of
title 5, United States Code);
(2) Congress, including any agency, entity, office,
or commission established in the legislative branch;
(3) an interstate agency;
(4) a State, local, or Tribal government; [or]
(5) a State, local, or Tribal government-affiliated
nonprofit that is considered to be critical
infrastructure (as defined in section 1016(e) of the
USA Patriot Act (42 U.S.C. 5195c(e))[.]; or
(6) as provided by subsection (b)(3)(B), a qualified
institution of higher education.
(e) * * *
(f) Eligibility.--To be eligible to receive a scholarship
underthis section, an individual shall--
(1) be a citizen or lawful permanent resident of the
United States;
(2) demonstrate a commitment to a career in improving
the security of information technology;
(3) have demonstrated a high level of competency in
relevant knowledge, skills, and abilities, as defined
by the national cybersecurity awareness and education
program [under section 401] under section 303;
(4) be a full-time student in an eligible degree
program at a qualified institution of higher education,
as determined by the Director of the National Science
Foundation, except that in the case of a student who is
enrolled in a community college, be a student pursuing
a degree on a less than full-time basis, but not less
than half-time basis; and
(5) accept the terms of a scholarship under this
section.
(g) * * *
(h) * * *
(i) * * *
(j) * * *
(k) * * *
(l) * * *
(m) Public Information.--
(1) Evaluation.--The Director of the National Science
Foundation, in coordination with the Director of the
Office of Personnel Management, shall periodically
evaluate and make public, in a manner that protects the
personally identifiable information of scholarship
recipients, information on the success of recruiting
individuals for scholarships under this section and on
hiring and retaining those individuals in the public
sector [cyber] cybersecurity workforce, including
information on--
(A) * * *
(1) * * *
(2) Reports.--The Director of the National Science
Foundation, in coordination with the Office of
Personnel Management, shall submit, not less frequently
than once every 3 years, to the Committee on Commerce,
Science, and Transportation of the Senate and the
Committee on Science, Space, and Technology of the
House of Representatives a report, including the
results of the evaluation under paragraph (1) and any
recent statistics regarding the size, composition, and
educational requirements of the Federal [cyber]
cybersecurity workforce.
* * * * * * *
[Note: Title IV--Cybersecurity Awareness and Preparedness is repealed.
Section 401 is transferred to the end of title III of such Act and
redesignated as section 303.]
SEC. [401.] 303. NATIONAL CYBERSECURITY AWARENESS AND EDUCATION
PROGRAM.
(a) National Cybersecurity Awareness and Education Program.--
The Director of the National Institute of Standards and
Technology (referred to in this section as the ``Director''),
in consultation with appropriate Federal agencies, industry,
educational institutions, National Laboratories, the Networking
and Information Technology Research and Development program,
and other organizations shall continue to coordinate a national
cybersecurity awareness and education program, that includes
activities such as--
(1) the widespread dissemination of cybersecurity
technical standards and best practices identified by
the Director;
(2) efforts to make cybersecurity best practices
usable by individuals, small to medium-sized
businesses, educational institutions, and State, local,
and tribal governments;
(3) increasing public awareness of cybersecurity,
cyber safety, and cyber ethics;
(4) increasing the understanding of State, local, and
tribal governments, institutions of higher education,
and private sector entities of--
(A) the benefits of ensuring effective risk
management of information technology versus the
costs of failure to do so; and
(B) the methods to mitigate and remediate
vulnerabilities;
(5) supporting formal cybersecurity education
programs at all education levels to prepare and improve
a skilled cybersecurity and computer science workforce
for the private sector and Federal, State, local, and
tribal government[; and];
(6) identifying cybersecurity workforce skill gaps in
public and private sectors;
(7) leading interagency efforts to facilitate
coordination of Federal programs to advance
cybersecurity education, training, and workforce, such
as--
(A) the Federal Cyber Scholarship for Service
program of the National Science Foundation;
(B) the National Centers of Academic
Excellence in Cybersecurity program of the
National Security Agency and the Department of
Homeland Security;
(C) the GenCyber Program of the National
Science Foundation and the National Security
Agency;
(D) the apprenticeship program of the
Department of Labor;
(E) the Cybersecurity Education and Training
Assistance Program of the Department of
Homeland Security;
(F) the Cyber Center of Excellence of the
Army;
(G) the Information Operations Command
program of the Navy; and
(H) such others as the Director considers
appropriate;
(8) promoting higher education and expertise in
cybersecurity through designation by the National
Security Agency and the Department of Homeland Security
of institutions of higher education as National Centers
of Academic Excellence in Cybersecurity if such
institutions have robust degree programs that align to
specific cybersecurity-related knowledge units that are
aligned to the knowledge, skills, abilities, and tasks
from the National Initiative for Cybersecurity
Education (NICE) Cybersecurity Workforce Framework
(NIST Special Publication 800-181), or successor
framework;
(9) consideration of any specific needs of the
cybersecurity workforce of critical infrastructure;
(10) developing metrics to measure the effectiveness
and effect of programs and initiatives to advance the
cybersecurity workforce; and
[(6)] (11) promoting initiatives to evaluate and
forecast future cybersecurity workforce needs of the
Federal Government and develop strategies for
recruitment, training, and retention.
(b) * * *
(c) Strategic Plan.--[The Director]
(1) In general.--The Director, in cooperation with
relevant Federal agencies and other stakeholders, shall
build upon programs and plans in effect as of the date
of enactment of this Act to develop and implement a
strategic plan to guide Federal programs and activities
in support of the national cybersecurity awareness and
education program under subsection (a).
(2) Requirement.--The strategic plan developed and
implemented under paragraph (1) shall include an
indication of how the Director will carry out this
section.
(d) Report.--Not later than 1 year after the date of
enactment of this Act, and every 5 years thereafter, the
Director shall transmit the strategic plan under subsection (c)
to the Committee on Commerce, Science, and Transportation of
the Senate and the Committee on Science, Space, and Technology
of the House of Representatives.
(e) Cybersecurity Metrics.--In carrying out subsection (a),
the Director, in coordination with such agencies as the
Director considers relevant, shall develop repeatable measures
and reliable metrics for measuring and evaluating Federally
funded cybersecurity workforce programs and initiatives based
on the outcomes of such programs and initiatives.
(f) Regional Alliances and Multistakeholder Partnerships.--
(1) In general.--Pursuant to section 2(b)(4) of the
National Institute of Standards and Technology Act (15
U.S.C. 272(b)(4)), the Director shall establish
cooperative agreements between the National Initiative
for Cybersecurity Education (NICE) of the Institute and
regional alliances or partnerships for cybersecurity
education and workforce.
(2) Agreements.--The cooperative agreements
established under paragraph (1) shall advance the goals
of the National Initiative for Cybersecurity Education
Cybersecurity Workforce Framework (NIST Special
Publication 800-181), or successor framework, by
facilitating local and regional partnerships--
(A) to identify the workforce needs of the
local economy and classify such workforce in
accordance with such framework;
(B) to identify the education, training,
apprenticeship, and other opportunities
available in the local economy; and
(C) to support opportunities to meet the
needs of the local economy.
(3) Financial assistance.--
(A) Financial assistance authorized.--The
Director may award financial assistance to a
regional alliance or partnership with whom the
Director enters into a cooperative agreement
under paragraph (1) in order to assist the
regional alliance or partnership in carrying
out the term of the cooperative agreement.
(B) Amount of assistance.--The aggregate
amount of financial assistance awarded under
subparagraph (A) per cooperative agreement
shall not exceed $200,000.
(C) Matching requirement.--The Director may
not award financial assistance to a regional
alliance or partnership under subparagraph (A)
unless the regional alliance or partnership
agrees that, with respect to the costs to be
incurred by the regional alliance or
partnership in carrying out the cooperative
agreement for which the assistance was awarded,
the regional alliance or partnership will make
available (directly or through donations from
public or private entities) non-Federal
contributions in an amount equal to 50 percent
of Federal funds provided under the award.
(4) Application.--
(A) In general.--A regional alliance or
partnership seeking to enter into a cooperative
agreement under paragraph (1) and receive
financial assistance under paragraph (3) shall
submit to the Director an application therefor
at such time, in such manner, and containing
such information as the Director may require.
(B) Requirements.--Each application submitted
under subparagraph (A) shall include the
following:
(i)(I) A plan to establish (or
identification of, if it already
exists) a multistakeholder workforce
partnership that includes--
(aa) at least one institution
of higher education or
nonprofit training
organization; and
(bb) at least one local
employer or owner or operator
of critical infrastructure.
(II) Participation from Federal Cyber
Scholarships for Service organizations,
National Centers of Academic Excellence
in Cybersecurity, advanced
technological education programs,
elementary and secondary schools,
training and certification providers,
State and local governments, economic
development organizations, or other
community organizations is encouraged.
(ii) A description of how the
workforce partnership would identify
the workforce needs of the local
economy.
(iii) A description of how the
multistakeholder workforce partnership
would leverage the programs and
objectives of the National Initiative
for Cybersecurity Education, such as
the Cybersecurity Workforce Framework
and the strategic plan of such
initiative.
(iv) A description of how employers
in the community will be recruited to
support internships, apprenticeships,
or cooperative education programs in
conjunction with providers of education
and training. Inclusion of programs
that seek to include women, minorities,
or veterans is encouraged.
(v) A definition of the metrics that
will be used to measure the success of
the efforts of the regional alliance or
partnership under the agreement.
(C) Priority consideration.--In awarding
financial assistance under paragraph (3)(A),
the Director shall give priority consideration
to a regional alliance or partnership that
includes an institution of higher education
that is designated as a National Center of
Academic Excellence in Cybersecurity or which
receives an award under the Federal Cyber
Scholarship for Service program located in the
State or region of the regional alliance or
partnership.
(5) Audits.--Each cooperative agreement for which
financial assistance is awarded under paragraph (3)
shall be subject to audit requirements under part 200
of title 2, Code of Federal Regulations (relating to
uniform administrative requirements, cost principles,
and audit requirements for Federal awards), or
successor regulation.
(6) Reports.--
(A) In general.--Upon completion of a
cooperative agreement under paragraph (1), the
regional alliance or partnership that
participated in the agreement shall submit to
the Director a report on the activities of the
regional alliance or partnership under the
agreement, which may include training and
education outcomes.
(B) Contents.--Each report submitted under
subparagraph (A) by a regional alliance or
partnership shall include the following:
(i) An assessment of efforts made by
the regional alliance or partnership to
carry out paragraph (2).
(ii) The metrics used by the regional
alliance or partnership to measure the
success of the efforts of the regional
alliance or partnership under the
cooperative agreement.
* * * * * * *
FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT ACT OF 2015
[Pub. L. 114-113]
TITLE III--FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT
SEC. 301. SHORT TITLE.
This title may be cited as the ``Federal Cybersecurity
Workforce Assessment Act of 2015''.
SEC. 302. DEFINITIONS.
In this title:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Armed Services of the
Senate;
(B) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(C) the Select Committee on Intelligence of
the Senate;
(D) the Committee on Commerce, Science, and
Transportation of the Senate;
(E) the Committee on Armed Services of the
House of Representatives;
(F) the Committee on Homeland Security of the
House of Representatives;
(G) the Committee on Oversight and Government
Reform of the House of Representatives; and
(H) the Permanent Select Committee on
Intelligence of the House of Representatives.
(2) Director.--The term ``Director'' means the
Director of the Office of Personnel Management.
(3) National Initiative for Cybersecurity
Education.--The term ``National Initiative for
Cybersecurity Education'' means the initiative under
the national cybersecurity awareness and education
program, as authorized [under section 401 of the
Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451)]
under section 303 of the Cybersecurity Enhancement Act
of 2014 (Public Law 113-274).
(4) Work Roles.--The term `` work roles'' means a
specialized set of tasks and functions requiring
specific knowledge, skills, and abilities.
* * * * * * *
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
[15 U.S.C. 278g-3(a)]
Sec. 20. (a) The Institute shall--
(1) * * *
(2) * * *
(3) develop standards and guidelines, including
minimum requirements, for providing adequate
information security for all agency operations and
assets, but such standards and guidelines shall not
apply to national security systems[; and];
(4) carry out the responsibilities described in
paragraph (3) through the Computer Security
Division[.]; and
(5) identify and develop standards and guidelines for
improving the cybersecurity workforce for an agency as
part of the National Initiative for Cybersecurity
Education (NICE) Cybersecurity Workforce Framework
(NIST Special Publication 800-181), or successor
framework.
* * * * * * *
NIST SMALL BUSINESS CYBERSECURITY ACT
[Pub. L. 115-236]
SEC. 2. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.
(a) * * *
(b) * * *
(c) Dissemination of Resources for Small Businesses.--
(1) * * *
(2) * * *
(3) National Cybersecurity Awareness and Education
Program.--The Director shall ensure that the resources
disseminated under paragraph (1) are consistent with
the efforts of the Director [under section 401 of the
Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451)]
under section 303 of the Cybersecurity Enhancement Act
of 2014 (Public Law 113-274).
* * * * * * *
SCIENTIFIC AND ADVANCED-TECHNOLOGY ACT OF 1992
[42 U.S.C. 1862i(j)(9)]
SEC. 3. SCIENTIFIC AND TECHNICAL EDUCATION.
(a) * * *
(b) * * *
(c) * * *
(d) * * *
(e) * * *
(f) * * *
(g) * * *
(h) * * *
(i) * * *
(j) Definitions.--As used in this section--
(1) * * *
(2) * * *
(3) * * *
(4) * * *
(5) * * *
(6) * * *
(7) * * *
(8) * * *
(9) the terms ``mathematics, science, engineering, or
technology'' or ``STEM'' mean science, technology,
engineering, and mathematics, including computer
science and cybersecurity.
* * * * * * *
[all]