[DOCID: f:s1900is.txt]
107th CONGRESS
2d Session
S. 1900
To protect against cyberterrorism and cybercrime, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
January 28, 2002
Mr. Edwards introduced the following bill; which was read twice and
referred to the Committee on Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To protect against cyberterrorism and cybercrime, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyberterrorism Preparedness Act of
2002''.
SEC. 2. GRANT FOR PROGRAM FOR PROTECTION OF INFORMATION INFRASTRUCTURE
AGAINST DISRUPTION.
(a) In General.--The National Institute of Standards and Technology
shall, using amounts authorized to be appropriated by section 5, award
a grant to a qualifying nongovernmental entity for purposes of a
program to support the development of appropriate cybersecurity best
practices, support long-term cybersecurity research and development,
and perform functions relating to such activities. The purpose of the
program shall be to provide protection for the information
infrastructure of the United States against terrorist or other
disruption or attack or other unwarranted intrusion.
(b) Qualifying Nongovernmental Entity.--For purposes of this
section, a qualifying nongovernmental entity is any entity that--
(1) is a nonprofit, nongovernmental consortium composed of
at least three academic centers of expertise in cybersecurity
and at least three private sector centers of expertise in
cybersecurity;
(2) has a board of directors of at least 12 members who
include senior administrators of academic centers of expertise
in cybersecurity and senior managers of private sector centers
of expertise in cybersecurity and of whom not more than one
third are affiliated with the centers comprising the
consortium;
(3) is operated by individuals from academia, the private
sector, or both who have--
(A) a demonstrated expertise in cybersecurity; and
(B) the capacity to carry out the program required
under subsection (g);
(4) has in place a set of rules to ensure that conflicts of
interest involving officers, employees, and members of the
board of directors of the entity do not undermine the
activities of the entity;
(5) has developed a detailed plan for the program required
under subsection (g); and
(6) meets any other requirements established by the
National Institute of Standards and Technology for purposes of
this Act.
(c) Application.--Any entity seeking a grant under this section
shall submit to the National Institute of Standards and Technology an
application therefor, in such form and containing such information as
the National Institute of Standards and Technology shall require.
(d) Selection of Grantee.--The entity awarded a grant under this
section shall be selected after full and open competition among
qualifying nongovernmental entities.
(e) Dispersal of Grant Amount.--Amounts available for the grant
under this section pursuant to the authorization of appropriations in
section 5 shall be dispersed on a fiscal year basis over the five
fiscal years beginning with fiscal year 2003.
(f) Consultation.--In carrying out activities under this section,
including selecting an entity for the award of a grant, dispersing
grant amounts, and overseeing activities of the entity receiving the
grant, the National Institute of Standards and Technology--
(1) shall consult with an existing interagency entity, or
new interagency entity, consisting of the elements of the
Federal Government having a substantial interest and expertise
in cybersecurity and designated by the President for purposes
of this Act; and
(2) may consult separately with any such element of the
Federal Government.
(g) Program Using Grant Amount.--
(1) In general.--The entity awarded a grant under this
section shall carry out a national program for the purpose of
protecting the information infrastructure of the United States
against disruption. The program shall consist of--
(A) multi-disciplinary research and development to
identify appropriate cybersecurity best practices, to
measure the effectiveness of cybersecurity best
practices that are put into use, and to identify sound
means to achieve widespread use of appropriate
cybersecurity best practices that have proven
effective;
(B) multi-disciplinary, long-term, or high-risk
research and development (including associated human
resource development) to improve cybersecurity; and
(C) the activities required under paragraphs (3)
and (4).
(2) Conduct of research and development.--
(A) In general.--Except as provided in subparagraph
(B), research and development under subparagraphs (A)
and (B) of paragraph (1) shall be carried out using
funds and other support provided by the grantee to
entities selected by the grantee after full and open
competition among entities determined by the grantee to
be qualified to carry out such research and
development.
(B) Conduct by grantee.--The grantee may carry out
research and development referred to in subparagraph
(A) in any fiscal year using not more than 15 percent
of the amount dispersed to the grantee under this Act
in such fiscal year by the National Institute of
Standards and Technology.
(3) Recommendations on cybersecurity best practices.--
(A) Recommendations.--Not later than 18 months
after the selection of the grantee under this section,
the grantee shall prepare a report containing
recommendations for appropriate cybersecurity best
practices.
(B) Updates.--The grantee shall update the
recommendations made under subparagraph (A) not less
often than once every six months, and may update any
portion of such recommendations more frequently if the
grantee determines that circumstances so require.
(C) Considerations.--In making recommendations
under subparagraph (A), and any update of such
recommendations under subparagraph (B), the grantee
shall--
(i) review the most current cybersecurity
best practices identified by the National
Institute of Standards and Technology under
section 3(a); and
(ii) consult with--
(I) the entities carrying out
research and development under
paragraph (1)(A);
(II) entities employing
cybersecurity best practices; and
(III) a wide range of academic,
private sector, and public entities.
(D) Dissemination.--The grantee shall submit the
report under subparagraph (A), and any update of the
report under paragraph (B), to the bodies and officials
specified in paragraph (5), and shall widely
disseminate the report, and any such update, among
government (including State and local government),
private, and academic entities.
(4) Activities relating to widespread use of cybersecurity
best practices.--
(A) In general.--Not later than two years after the
selection of the grantee under this section, the
grantee shall submit to the bodies and officials
specified in paragraph (5) a report containing--
(i) an assessment of the advisability of
requiring the contractors and grantees of the
Federal Government to use appropriate
cybersecurity best practices; and
(ii) recommendations for sound means to
achieve widespread use of appropriate
cybersecurity best practices that have proven
effective.
(B) Report elements.--The report under subparagraph
(A) shall set forth--
(i) whether or not the requirement
described in subparagraph (A)(i) is advisable,
including whether the requirement would impose
undue or inappropriate burdens, or other
inefficiencies, on contractors and grantees of
the Federal Government;
(ii) if the requirement is determined
advisable--
(I) whether, and to what extent,
the requirement should be subject to
exceptions or limitations for
particular contractors or grantees,
including the types of contractors or
grantees and the nature of the
exceptions or limitations; and
(II) which cybersecurity best
practices should be covered by the
requirement and with what, if any,
exceptions or limitations; and
(iii) any other matters that the grantee
considers appropriate.
(5) Specified bodies and officials.--The bodies and
officials specified in this paragraph are as follows:
(A) The appropriate committees of Congress.
(B) The President.
(C) The Director of the Office of Management and
Budget.
(D) The National Institute of Standards and
Technology.
(E) The interagency entity designated by the
President under subsection (f)(1).
(h) Grant Administration.--
(1) Use of grant competition and management systems.--The
National Institute of Standards and Technology may permit the
entity awarded the grant under this section to utilize the
grants competition system and grants management system of the
National Institute of Standards and Technology for purposes of
the efficient administration of activities by the entity under
subsection (g).
(2) Rules.--The National Institute of Standards and
Technology shall establish any rules and procedures that the
National Institute of Standards and Technology considers
appropriate to further the purposes of this section. Such rules
may include provisions relating to the ownership of any
intellectual property created by the entity awarded the grant
under this section or funded by the entity under subsection
(g).
(i) Supplement Not Supplant.--The National Institute of Standards
and Technology shall take appropriate actions to ensure that activities
under this section supplement, rather than supplant, other current
governmental and nongovernmental efforts to protect the information
infrastructure of the United States.
SEC. 3. APPROPRIATE CYBERSECURITY BEST PRACTICES FOR THE FEDERAL
GOVERNMENT.
(a) NIST Recommendations.--
(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the National Institute of Standards
and Technology shall submit to the bodies and officials
specified in subsection (e) a report that--
(A) identifies appropriate cybersecurity best
practices that could reasonably be adopted by the
departments and agencies of the Federal Government over the 24-month
period beginning on the date of the report; and
(B) sets forth proposed demonstration projects for
the adoption of such best practices by various
departments and agencies of the Federal Government
beginning 90 days after the date of the report.
(2) Updates.--The National Institute of Standards and
Technology may submit to the bodies and officials specified in
subsection (e) any updates of the report under paragraph (1)
that the National Institute of Standards and Technology
considers appropriate due to changes in circumstances.
(3) Consultation.--In preparing the report under paragraph
(1), and any updates of the report under paragraph (2), the
National Institute of Standards and Technology shall consult
with departments and agencies of the Federal Government having
an interest in the report and such updates, and with academic
centers of expertise in cybersecurity and private sector
centers of expertise in cybersecurity.
(b) Demonstration Projects for Implementation of Recommendations.--
(1) In general.--Commencing not later than 90 days after
receipt of the report under subsection (a), the President shall
carry out the demonstration projects set forth in the report,
including any modification of any such demonstration project
that the President considers appropriate.
(2) Updates.--If the National Institute of Standards and
Technology updates under subsection (a)(2) any recommendation
under subsection (a)(1)(A) that is relevant to a demonstration
project under paragraph (1), the President shall modify the
demonstration project to take into account such update.
(3) Report.--Not later than nine months after commencement
of the demonstration projects under this subsection, the
President shall submit to the appropriate committees of
Congress a report on the demonstration projects. The report
shall set forth the following:
(A) An assessment of the extent to which the
adoption of appropriate cybersecurity best practices by
departments and agencies of the Federal Government
under the demonstration projects has improved
cybersecurity at such departments and agencies.
(B) An assessment whether or not the adoption of
appropriate cybersecurity best practices by departments
and agencies of the Federal Government under the
demonstration projects has affected the capability of
such departments and agencies to carry out their
missions.
(C) A description of the cost of the adoption of
appropriate cybersecurity best practices by departments
and agencies of the Federal Government under the
demonstration projects.
(D) A description of a security-enhancing,
missions-compatible, cost-effective program, to the
extent such program is feasible, for the adoption of
appropriate cybersecurity best practices government-
wide.
(E) Any other matters that the President considers
appropriate.
(c) Adoption of Cybersecurity Best Practices Government-Wide.--The
President shall implement a program for the adoption of appropriate
cybersecurity best practices government-wide commencing not later than
six months after the date of the report.
(d) Incorporation of Recommendations.--If during the development or
implementation of the program under subsection (c) the President
receives any recommendations under paragraph (3) or (4) of section
3(g), the President shall modify the program in order to take into
account such recommendations.
(e) Specified Bodies and Officials.--The bodies and officials
specified in this subsection are as follows:
(1) The appropriate committees of Congress.
(2) The President.
(3) The Director of the Office of Management and Budget.
(4) The interagency entity designated by the President
under section 3(f)(1).
SEC. 4. DEFINITIONS.
In this Act:
(1) Appropriate committees of congress.--The term
``appropriate committees of Congress'' means--
(A) the Committee on Commerce, Science, and
Transportation of the Senate; and
(B) the Committee on Science of the House of
Representatives.
(2) Cybersecurity.--The term ``cybersecurity'' means
information assurance, including information security,
information technology disaster recovery, and information
privacy.
(3) Cybersecurity best practice.--The term ``cybersecurity
best practice'' means a computer hardware or software
configuration, information system design, operational
procedure, or measure, structure, or method that most
effectively protects computer hardware, software, networks, or
network elements against an attack that would cause harm
through the installation of unauthorized computer software,
saturation of network traffic, alteration of data, disclosure
of confidential information, or other means.
(4) Appropriate cybersecurity best practice.--The term
``appropriate cybersecurity best practice'' means a
cybersecurity best practice that--
(A) permits, as needed, customization or expansion
for the computer hardware, software, network, or
network element to which the best practice applies;
(B) takes into account the need for security
protection that balances--
(i) the risk and magnitude of harm
threatened by potential attack; and
(ii) the cost of imposing security
protection; and
(C) takes into account the rapidly changing nature
of computer technology.
SEC. 5. AUTHORIZATION OF APPROPRIATIONS.
There is hereby authorized to be appropriated for the National
Institute of Standards and Technology for purposes of activities under
this Act, amounts as follows:
(1) For fiscal year 2003, $70,000,000.
(2) For each of the fiscal years 2004 through 2007, such
sums as may be necessary.