Collapse to view only § 7408. National Academy of Sciences study on computer and network security in critical infrastructures

§ 7401. FindingsThe Congress finds the following:
(1) Revolutionary advancements in computing and communications technology have interconnected government, commercial, scientific, and educational infrastructures—including critical infrastructures for electric power, natural gas and petroleum production and distribution, telecommunications, transportation, water supply, banking and finance, and emergency and government services—in a vast, interdependent physical and electronic network.
(2) Exponential increases in interconnectivity have facilitated enhanced communications, economic growth, and the delivery of services critical to the public welfare, but have also increased the consequences of temporary or prolonged failure.
(3) A Department of Defense Joint Task Force concluded after a 1997 United States information warfare exercise that the results “clearly demonstrated our lack of preparation for a coordinated cyber and physical attack on our critical military and civilian infrastructure”.
(4) Computer security technology and systems implementation lack—
(A) sufficient long term research funding;
(B) adequate coordination across Federal and State government agencies and among government, academia, and industry; and
(C) sufficient numbers of outstanding researchers in the field.
(5) Accordingly, Federal investment in computer and network security research and development must be significantly increased to—
(A) improve vulnerability assessment and technological and systems solutions;
(B) expand and improve the pool of information security professionals, including researchers, in the United States workforce; and
(C) better coordinate information sharing and collaboration among industry, government, and academic research projects.
(6) While African-Americans, Hispanics, and Native Americans constitute 25 percent of the total United States workforce and 30 percent of the college-age population, members of these minorities comprise less than 7 percent of the United States computer and information science workforce.
(Pub. L. 107–305, § 2, Nov. 27, 2002, 116 Stat. 2367.)
§ 7402. Definitions
In this chapter:
(1) Director
(2) Institution of higher education
(Pub. L. 107–305, § 3, Nov. 27, 2002, 116 Stat. 2368.)
§ 7403. National Science Foundation research
(a) Computer and network security research grants
(1) In generalThe Director shall award grants for basic research on innovative approaches to the structure of computer and network hardware and software that are aimed at enhancing computer security. Research areas may include—
(A) authentication, cryptography, and other secure data communications technology;
(B) computer forensics and intrusion detection;
(C) reliability of computer and network applications, middleware, operating systems, control systems, and communications infrastructure;
(D) privacy and confidentiality;
(E) network security architecture, including tools for security administration and analysis;
(F) emerging threats;
(G) vulnerability assessments and techniques for quantifying risk;
(H) remote access and wireless security;
(I) enhancement of law enforcement ability to detect, investigate, and prosecute cyber-crimes, including those that involve piracy of intellectual property;
(J) secure fundamental protocols that are integral to inter-network communications and data exchange;
(K) secure software engineering and software assurance, including—
(i) programming languages and systems that include fundamental security features;
(ii) portable or reusable code that remains secure when deployed in various environments;
(iii) verification and validation technologies to ensure that requirements and specifications have been implemented; and
(iv) models for comparison and metrics to assure that required standards have been met;
(L) holistic system security that—
(i) addresses the building of secure systems from trusted and untrusted components;
(ii) proactively reduces vulnerabilities;
(iii) addresses insider threats; and
(iv) supports privacy in conjunction with improved security;
(M) monitoring and detection;
(N) mitigation and rapid recovery methods;
(O) security of wireless networks and mobile devices;
(P) security of cloud infrastructure and services;
(Q) security of election-dedicated voting system software and hardware; and
(R) role of the human factor in cybersecurity and the interplay of computers and humans and the physical world.
(2) Merit review; competition
(3) Authorization of appropriationsThere are authorized to be appropriated to the National Science Foundation to carry out this subsection—
(A) $35,000,000 for fiscal year 2003;
(B) $40,000,000 for fiscal year 2004;
(C) $46,000,000 for fiscal year 2005;
(D) $52,000,000 for fiscal year 2006; and
(E) $60,000,000 for fiscal year 2007.
(b) Computer and network security research centers
(1) In general
(2) Merit review; competition
(3) Purpose
(4) ApplicationsAn institution of higher education, nonprofit research institution, or consortia thereof seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of—
(A) the research projects that will be undertaken by the Center and the contributions of each of the participating entities;
(B) how the Center will promote active collaboration among scientists and engineers from different disciplines, such as computer scientists, engineers, mathematicians, and social science researchers;
(C) how the Center will contribute to increasing the number and quality of computer and network security researchers and other professionals, including individuals from groups historically underrepresented in these fields; and
(D) how the Center will disseminate research results quickly and widely to improve cyber security in information technology networks, products, and services.
(5) CriteriaIn evaluating the applications submitted under paragraph (4), the Director shall consider, at a minimum—
(A) the ability of the applicant to generate innovative approaches to computer and network security and effectively carry out the research program;
(B) the experience of the applicant in conducting research on computer and network security and the capacity of the applicant to foster new multidisciplinary collaborations;
(C) the capacity of the applicant to attract and provide adequate support for a diverse group of undergraduate and graduate students and postdoctoral fellows to pursue computer and network security research;
(D) the extent to which the applicant will partner with government laboratories, for-profit entities, other institutions of higher education, or nonprofit research institutions, and the role the partners will play in the research undertaken by the Center;
(E) the demonstrated capability of the applicant to conduct high performance computation integral to complex computer and network security research, through on-site or off-site computing;
(F) the applicant’s affiliation with private sector entities involved with industrial research described in subsection (a)(1);
(G) the capability of the applicant to conduct research in a secure environment;
(H) the applicant’s affiliation with existing research programs of the Federal Government;
(I) the applicant’s experience managing public-private partnerships to transition new technologies into a commercial setting or the government user community;
(J) the capability of the applicant to conduct interdisciplinary cybersecurity research, basic and applied, such as in law, economics, or behavioral sciences; and
(K) the capability of the applicant to conduct research in areas such as systems security, wireless security, networking and protocols, formal methods and networking and information technology, nanotechnology, or industrial control systems.
(6) Annual meeting
(7) Authorization of appropriationsThere are authorized to be appropriated for the National Science Foundation to carry out this subsection—
(A) $12,000,000 for fiscal year 2003;
(B) $24,000,000 for fiscal year 2004;
(C) $36,000,000 for fiscal year 2005;
(D) $36,000,000 for fiscal year 2006; and
(E) $36,000,000 for fiscal year 2007.
(Pub. L. 107–305, § 4, Nov. 27, 2002, 116 Stat. 2368; Pub. L. 113–274, title II, §§ 201(e), 202, Dec. 18, 2014, 128 Stat. 2978; Pub. L. 114–329, title I, §§ 104(a), 105(r), Jan. 6, 2017, 130 Stat. 2975, 2984.)
§ 7404. National Science Foundation computer and network security programs
(a) Computer and network security capacity building grants
(1) In general
(2) Merit review
(3) Use of funds
Grants awarded under this subsection shall be used for activities that enhance the ability of an institution of higher education (or consortium thereof) to provide high-quality undergraduate and master’s degree programs in computer and network security and to recruit and retain increased numbers of students to such programs. Activities may include—
(A) revising curriculum to better prepare undergraduate and master’s degree students for careers in computer and network security;
(B) establishing degree and certificate programs in computer and network security;
(C) creating opportunities for undergraduate students to participate in computer and network security research projects;
(D) acquiring equipment necessary for student instruction in computer and network security, including the installation of testbed networks for student use;
(E) providing opportunities for faculty to work with local or Federal Government agencies, private industry, nonprofit research institutions, or other academic institutions to develop new expertise or to formulate new research directions in computer and network security;
(F) establishing collaborations with other academic institutions or academic departments that seek to establish, expand, or enhance programs in computer and network security;
(G) establishing student internships in computer and network security at government agencies or in private industry;
(H) establishing collaborations with other academic institutions to establish or enhance a web-based collection of computer and network security courseware and laboratory exercises for sharing with other institutions of higher education, including community colleges;
(I) establishing or enhancing bridge programs in computer and network security between community colleges and universities;
(J) creating opportunities for veterans to transition to careers in computer and network security; and
(K) any other activities the Director determines will accomplish the goals of this subsection.
(4) Selection process
(A) Application
An institution of higher education (or a consortium thereof) seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum—
(i) a description of the applicant’s computer and network security research and instructional capacity, and in the case of an application from a consortium of institutions of higher education, a description of the role that each member will play in implementing the proposal;
(ii) a comprehensive plan by which the institution or consortium will build instructional capacity in computer and information security;
(iii) a description of relevant collaborations with government agencies or private industry that inform the instructional program in computer and network security;
(iv) a survey of the applicant’s historic student enrollment and placement data in fields related to computer and network security and a study of potential enrollment and placement for students enrolled in the proposed computer and network security program; and
(v) a plan to evaluate the success of the proposed computer and network security program, including post-graduation assessment of graduate school and job placement and retention rates as well as the relevance of the instructional program to graduate study and to the workplace.
(B) Awards
(i) The Director shall ensure, to the extent practicable, that grants are awarded under this subsection in a wide range of geographic areas and categories of institutions of higher education, including minority serving institutions.
(ii) The Director shall award grants under this subsection for a period not to exceed 5 years.
(5) Assessment required
(6) Authorization of appropriations
There are authorized to be appropriated to the National Science Foundation to carry out this subsection—
(A) $15,000,000 for fiscal year 2003;
(B) $20,000,000 for fiscal year 2004;
(C) $20,000,000 for fiscal year 2005;
(D) $20,000,000 for fiscal year 2006; and
(E) $20,000,000 for fiscal year 2007.
(b) Scientific and Advanced Technology Act of 1992
(1) Grants
(2) Authorization of appropriations
There are authorized to be appropriated to the National Science Foundation to carry out this subsection—
(A) $1,000,000 for fiscal year 2003;
(B) $1,250,000 for fiscal year 2004;
(C) $1,250,000 for fiscal year 2005;
(D) $1,250,000 for fiscal year 2006; and
(E) $1,250,000 for fiscal year 2007.
(c) Graduate traineeships in computer and network security research
(1) In general
(2) Merit review
(3) Use of funds
An institution of higher education shall use grant funds for the purposes of—
(A) providing traineeships to students who are citizens, nationals, or lawfully admitted permanent resident aliens of the United States and are pursuing research in computer or network security leading to a doctorate degree;
(B) paying tuition and fees for students receiving traineeships under subparagraph (A);
(C) establishing scientific internship programs for students receiving traineeships under subparagraph (A) in computer and network security at for-profit institutions, nonprofit research institutions, or government laboratories; and
(D) other costs associated with the administration of the program.
(4) Traineeship amount
(5) Selection process
An institution of higher education seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of—
(A) the instructional program and research opportunities in computer and network security available to graduate students at the applicant’s institution; and
(B) the internship program to be established, including the opportunities that will be made available to students for internships at for-profit institutions, nonprofit research institutions, and government laboratories.
(6) Review of applications
In evaluating the applications submitted under paragraph (5), the Director shall consider—
(A) the ability of the applicant to effectively carry out the proposed program;
(B) the quality of the applicant’s existing research and education programs;
(C) the likelihood that the program will recruit increased numbers of students, including students from groups historically underrepresented in computer and network security related disciplines or veterans, to pursue and earn doctorate degrees in computer and network security;
(D) the nature and quality of the internship program established through collaborations with government laboratories, nonprofit research institutions, and for-profit institutions;
(E) the integration of internship opportunities into graduate students’ research; and
(F) the relevance of the proposed program to current and future computer and network security needs.
(7) Authorization of appropriations
There are authorized to be appropriated to the National Science Foundation to carry out this subsection—
(A) $10,000,000 for fiscal year 2003;
(B) $20,000,000 for fiscal year 2004;
(C) $20,000,000 for fiscal year 2005;
(D) $20,000,000 for fiscal year 2006; and
(E) $20,000,000 for fiscal year 2007.
(d) Graduate Research Fellowships program support
(e) Cyber security faculty development traineeship program
(1) In general
(2) Merit review; competition
(3) Application
(4) Use of funds
Funds received by an institution of higher education under this paragraph shall—
(A) be made available to individuals on a merit-reviewed competitive basis and in accordance with the requirements established in paragraph (7);
(B) be in an amount that is sufficient to cover annual tuition and fees for doctoral study at an institution of higher education for the duration of the graduate traineeship, and shall include, in addition, an annual living stipend of $25,000; and
(C) be provided to individuals for a duration of no more than 5 years, the specific duration of each graduate traineeship to be determined by the institution of higher education, on a case-by-case basis.
(5) Repayment
Each graduate traineeship shall—
(A) subject to paragraph (5)(B), be subject to full repayment upon completion of the doctoral degree according to a repayment schedule established and administered by the institution of higher education;
(B) be forgiven at the rate of 20 percent of the total amount of the graduate traineeship assistance received under this section for each academic year that a recipient is employed as a full-time faculty member at an institution of higher education for a period not to exceed 5 years; and
(C) be monitored by the institution of higher education receiving a grant under this subsection to ensure compliance with this subsection.
(6) Exceptions
(7) Eligibility
To be eligible to receive a graduate traineeship under this section, an individual shall—
(A) be a citizen, national, or lawfully admitted permanent resident alien of the United States; and
(B) demonstrate a commitment to a career in higher education.
(8) Consideration
(9) Authorization of appropriations
(Pub. L. 107–305, § 5, Nov. 27, 2002, 116 Stat. 2370; Pub. L. 116–115, § 3(f), (g), Feb. 11, 2020, 134 Stat. 107.)
§ 7405. Consultation

In carrying out sections 7403 and 7404 of this title, the Director shall consult with other Federal agencies.

(Pub. L. 107–305, § 6, Nov. 27, 2002, 116 Stat. 2374.)
§ 7406. National Institute of Standards and Technology programs
(a), (b) Omitted
(c) Security automation and checklists for Government systems
(1) In general
(2) Priorities for development
The Director of the National Institute of Standards and Technology shall establish priorities for the development of standards, reference materials, and checklists under this subsection on the basis of—
(A) the security risks associated with the use of the system;
(B) the number of agencies that use a particular system or security tool;
(C) the usefulness of the standards, reference materials, or checklists to Federal agencies that are users or potential users of the system;
(D) the effectiveness of the associated standard, reference material, or checklist in creating or enabling continuous monitoring of information security; or
(E) such other factors as the Director of the National Institute of Standards and Technology determines to be appropriate.
(3) Excluded systems
(4) Dissemination of standards and related materials
(5) Agency use requirements
The development of standards, reference materials, and checklists under paragraph (1) for an information technology hardware or software system or tool does not—
(A) require any Federal agency to select the specific settings or options recommended by the standard, reference material, or checklist for the system;
(B) establish conditions or prerequisites for Federal agency procurement or deployment of any such system;
(C) imply an endorsement of any such system by the Director of the National Institute of Standards and Technology; or
(D) preclude any Federal agency from procuring or deploying other information technology hardware or software systems for which no such standard, reference material, or checklist has been developed or identified under paragraph (1).
(d) Federal agency information security programs
(1) In general
In developing the agencywide information security program required by section 3554(b) of title 44, an agency that deploys a computer hardware or software system for which the Director of the National Institute of Standards and Technology has developed a checklist under subsection (c) of this section—
(A) shall include in that program an explanation of how the agency has considered such checklist in deploying that system; and
(B) may treat the explanation as if it were a portion of the agency’s annual performance plan properly classified under criteria established by an Executive Order (within the meaning of section 1115(d) of title 31).
(2) Limitation
(Pub. L. 107–305, § 8, Nov. 27, 2002, 116 Stat. 2375; Pub. L. 113–274, title II, § 203, Dec. 18, 2014, 128 Stat. 2979; Pub. L. 113–283, § 2(e)(2), Dec. 18, 2014, 128 Stat. 3086.)
§ 7407. Authorization of appropriationsThere are authorized to be appropriated to the Secretary of Commerce for the National Institute of Standards and Technology—
(1) for activities under section 278h of this title
(A) $25,000,000 for fiscal year 2003;
(B) $40,000,000 for fiscal year 2004;
(C) $55,000,000 for fiscal year 2005;
(D) $70,000,000 for fiscal year 2006;
(E) $85,000,000 for fiscal year 2007; and
(2) for activities under section 278g–3(f) 1
1 See References in Text note below.
of this title—
(A) $6,000,000 for fiscal year 2003;
(B) $6,200,000 for fiscal year 2004;
(C) $6,400,000 for fiscal year 2005;
(D) $6,600,000 for fiscal year 2006; and
(E) $6,800,000 for fiscal year 2007.
(Pub. L. 107–305, § 11, Nov. 27, 2002, 116 Stat. 2379.)
§ 7408. National Academy of Sciences study on computer and network security in critical infrastructures
(a) Study
Not later than 3 months after November 27, 2002, the Director of the National Institute of Standards and Technology shall enter into an arrangement with the National Research Council of the National Academy of Sciences to conduct a study of the vulnerabilities of the Nation’s network infrastructure and make recommendations for appropriate improvements. The National Research Council shall—
(1) review existing studies and associated data on the architectural, hardware, and software vulnerabilities and interdependencies in United States critical infrastructure networks;
(2) identify and assess gaps in technical capability for robust critical infrastructure network security and make recommendations for research priorities and resource requirements; and
(3) review any and all other essential elements of computer and network security, including security of industrial process controls, to be determined in the conduct of the study.
(b) Report
(c) Security
(d) Authorization of appropriations
(Pub. L. 107–305, § 12, Nov. 27, 2002, 116 Stat. 2380.)
§ 7409. Coordination of Federal cyber security research and development

The Director of the National Science Foundation and the Director of the National Institute of Standards and Technology shall coordinate the research programs authorized by this chapter or pursuant to amendments made by this chapter. The Director of the Office of Science and Technology Policy shall work with the Director of the National Science Foundation and the Director of the National Institute of Standards and Technology to ensure that programs authorized by this chapter or pursuant to amendments made by this chapter are taken into account in any government-wide cyber security research effort.

(Pub. L. 107–305, § 13, Nov. 27, 2002, 116 Stat. 2380.)
§ 7410. Grant eligibility requirements and compliance with immigration laws
(a) Immigration status
(b) Aliens from certain countries
(c) Non-complying institutions
No grant or fellowship may be awarded under this chapter, directly or indirectly, to any institution of higher education or non-profit institution (or consortia thereof) that has—
(1) materially failed to comply with the recordkeeping and reporting requirements to receive nonimmigrant students or exchange visitor program participants under section 1101(a)(15)(F), (M), or (J) of title 8, or section 1372 of title 8, as required by section 1762 of title 8; or
(2) been suspended or terminated pursuant to section 1762(c) of title 8.
(Pub. L. 107–305, § 16, Nov. 27, 2002, 116 Stat. 2381.)
§ 7411. Report on grant and fellowship programs

Within 24 months after November 27, 2002, the Director, in consultation with the Assistant to the President for National Security Affairs, shall submit to Congress a report reviewing this chapter to ensure that the programs and fellowships are being awarded under this chapter to individuals and institutions of higher education who are in compliance with the Immigration and Nationality Act (8 U.S.C. 1101 et seq.) in order to protect our national security.

(Pub. L. 107–305, § 17, Nov. 27, 2002, 116 Stat. 2381.)