The National Academies: Advisers to the Nation on Science, Engineering, and Medicine
The Office of Congressional and Government Affairs


Title of Law: Cyber Security Research and Development Act
Law #: Public Law 107-305
Passed by Congress: 107th Congress (2nd Session)

The following are excerpts, highlighted in red, from the final legislation and/or conference report which contain National Academies' studies. (Pound signs [##] between passages denote the deletion of unrelated text.)

HR3394 Boehlert (R-N.Y.) 11/12/02
Enrolled (finally passed both houses)

To authorize funding for computer and network security research and development and research fellowship programs, and for other purposes.
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

#####

SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PROGRAMS.

(a) RESEARCH PROGRAM.-The National Institute of Standards and Technology Act (15 U.S.C. 271 et seq.) is amended-

(1) by moving section 22 to the end of the Act and redesignating it as section 32; and

(2) by inserting after section 21 the following new section:

"SEC. 22. RESEARCH PROGRAM ON SECURITY OF COMPUTER SYSTEMS

"(a) ESTABLISHMENT.-The Director shall establish a program of assistance to institutions of higher education that enter into partnerships with for-profit entities to support research to improve the security of computer systems. The partnerships may also include government laboratories and nonprofit research institutions. The program shall-

"(1) include multidisciplinary, long-term research;

"(2) include research directed toward addressing needs identified through the activities of the Computer System Security and Privacy Advisory Board under section 20(f); and

"(3) promote the development of a robust research community working at the leading edge of knowledge in subject areas relevant to the security of computer systems by providing support for graduate students, post-doctoral researchers, and senior researchers.

"(b) FELLOWSHIPS.-

"(1) POST-DOCTORAL RESEARCH FELLOWSHIPS.-The Director is authorized to establish a program to award post-doctoral research fellowships to individuals who are citizens, nationals, or lawfully admitted permanent resident aliens of the United States and are seeking research positions at institutions, including the Institute, engaged in research activities related to the security of computer systems, including the research areas described in section 4(a)(1) of the Cyber Security Research and Development Act.

"(2) SENIOR RESEARCH FELLOWSHIPS.-The Director is authorized to establish a program to award senior research fellowships to individuals seeking research positions at institutions, including the Institute, engaged in research activities related to the security of computer systems, including the research areas described in section 4(a)(1) of the Cyber Security Research and Development Act. Senior research fellowships shall be made available for established researchers at institutions of higher education who seek to change research fields and pursue studies related to the security of computer systems.

"(3) ELIGIBILITY.-

"(A) IN GENERAL.-To be eligible for an award under this subsection, an individual shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require.

"(B) STIPENDS.-Under this subsection, the Director is authorized to provide stipends for post-doctoral research fellowships at the level of the Institute's Post Doctoral Research Fellowship Program and senior research fellowships at levels consistent with support for a faculty member in a sabbatical position.

"(c) AWARDS; APPLICATIONS.-

"(1) IN GENERAL.-The Director is authorized to award grants or cooperative agreements to institutions of higher education to carry out the program established under subsection (a). No funds made available under this section shall be made available directly to any for-profit partners.

"(2) ELIGIBILITY.-To be eligible for an award under this section, an institution of higher education shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of-

"(A) the number of graduate students anticipated to participate in the research project and the level of support to be provided to each;

"(B) the number of post-doctoral research positions included under the research project and the level of support to be provided to each;

"(C) the number of individuals, if any, intending to change research fields and pursue studies related to the security of computer systems to be included under the research project and the level of support to be provided to each; and

"(D) how the for-profit entities, nonprofit research institutions, and any other partners will participate in developing and carrying out the research and education agenda of the partnership.

"(d) PROGRAM OPERATION.-

"(1) MANAGEMENT.-The program established under subsection (a) shall be managed by individuals who shall have both expertise in research related to the security of computer systems and knowledge of the vulnerabilities of existing computer systems. The Director shall designate such individuals as program managers.

"(2) MANAGERS MAY BE EMPLOYEES.-Program managers designated under paragraph (1) may be new or existing employees of the Institute or individuals on assignment at the Institute under the Intergovernmental Personnel Act of 1970, except that individuals on assignment at the Institute under the Intergovernmental Personnel Act of 1970 shall not directly manage such employees.

"(3) MANAGER RESPONSIBILITY.-Program managers designated under paragraph (1) shall be responsible for-

"(A) establishing and publicizing the broad research goals for the program;

"(B) soliciting applications for specific research projects to address the goals developed under subparagraph (A);

"(C) selecting research projects for support under the program from among applications submitted to the Institute, following consideration of-

"(i) the novelty and scientific and technical merit of the proposed projects;

"(ii) the demonstrated capabilities of the individual or individuals submitting the applications to successfully carry out the proposed research;

"(iii) the impact the proposed projects will have on increasing the number of computer security researchers;

"(iv) the nature of the participation by for-profit entities and the extent to which the proposed projects address the concerns of industry; and

"(v) other criteria determined by the Director, based on information specified for inclusion in applications under subsection (c); and

"(D) monitoring the progress of research projects supported under the program.

"(4) REPORTS.-The Director shall report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science annually on the use and responsibility of individuals on assignment at the Institute under the Intergovernmental Personnel Act of 1970 who are performing duties under subsection (d).

"(e) REVIEW OF PROGRAM.-

"(1) PERIODIC REVIEW.-The Director shall periodically review the portfolio of research awards monitored by each program manager designated in accordance with subsection (d). In conducting those reviews, the Director shall seek the advice of the Computer System Security and Privacy Advisory Board, established under section 21, on the appropriateness of the research goals and on the quality and utility of research projects managed by program managers in accordance with subsection (d).

"(2) COMPREHENSIVE 5-YEAR REVIEW.-The Director shall also contract with the National Research Council for a comprehensive review of the program established under subsection (a) during the 5th year of the program. Such review shall include an assessment of the scientific quality of the research conducted, the relevance of the research results obtained to the goals of the program established under subsection (d)(3)(A), and the progress of the program in promoting the development of a substantial academic research community working at the leading edge of knowledge in the field. The Director shall submit to Congress a report on the results of the review under this paragraph no later than 6 years after the initiation of the program.

"(f) DEFINITIONS.-In this section:

"(1) COMPUTER SYSTEM.-The term 'computer system' has the meaning given that term in section 20(d)(1).

"(2) INSTITUTION OF HIGHER EDUCATION.-The term 'institution of higher education' has the meaning given that term in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)).".

(b) AMENDMENT OF COMPUTER SYSTEM DEFINITION.-Section 20(d)(1)(B)(i) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)(1)(B)(i)) is amended to read as follows:

"(i) computers and computer networks;".

(c) CHECKLISTS FOR GOVERNMENT SYSTEMS.-

(1) IN GENERAL.-The Director of the National Institute of Standards and Technology shall develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government.

(2) PRIORITIES FOR DEVELOPMENT; EXCLUDED SYSTEMS.-The Director of the National Institute of Standards and Technology may establish priorities for the development of checklists under this paragraph on the basis of the security risks associated with the use of the system, the number of agencies that use a particular system, the usefulness of the checklist to Federal agencies that are users or potential users of the system, or such other factors as the Director determines to be appropriate. The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any computer hardware or software system for which the Director of the National Institute of Standards and Technology determines that the development of a checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the inutility or impracticability of developing a checklist for the system.

(3) DISSEMINATION OF CHECKLISTS.-The Director of the National Institute of Standards and Technology shall make any checklist developed under this paragraph for any computer hardware or software system available to each Federal agency that is a user or potential user of the system.

(4) AGENCY USE REQUIREMENTS.-The development of a checklist under paragraph (1) for a computer hardware or software system does not-

(A) require any Federal agency to select the specific settings or options recommended by the checklist for the system;

(B) establish conditions or prerequisites for Federal agency procurement or deployment of any such system;

(C) represent an endorsement of any such system by the Director of the National Institute of Standards and Technology; nor

(D) preclude any Federal agency from procuring or deploying other computer hardware or software systems for which no such checklist has been developed.

(d) FEDERAL AGENCY INFORMATION SECURITY PROGRAMS.-

(1) IN GENERAL.-In developing the agencywide information security program required by section 3534(b) of title 44, United States Code, an agency that deploys a computer hardware or software system for which the Director of the National Institute of Standards and Technology has developed a checklist under subsection (c) of this section-

(A) shall include in that program an explanation of how the agency has considered such checklist in deploying that system; and

(B) may treat the explanation as if it were a portion of the agency's annual performance plan properly classified under criteria established by an Executive Order (within the meaning of section 1115(d) of title 31, United States Code).

(2) LIMITATION.-Paragraph (1) does not apply to any computer hardware or software system for which the National Institute of Standards and Technology does not have responsibility under section 20(a)(3) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(3)).

######

SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND NETWORK SECURITY IN CRITICAL INFRASTRUCTURES.

(a) STUDY.-Not later than 3 months after the date of the enactment of this Act, the Director of the National Institute of Standards and Technology shall enter into an arrangement with the National Research Council of the National Academy of Sciences to conduct a study of the vulnerabilities of the Nation's network infrastructure and make recommendations for appropriate improvements. The National Research Council shall-

(1) review existing studies and associated data on the architectural, hardware, and software vulnerabilities and interdependencies in United States critical infrastructure networks;

(2) identify and assess gaps in technical capability for robust critical infrastructure network security and make recommendations for research priorities and resource requirements; and

(3) review any and all other essential elements of computer and network security, including security of industrial process controls, to be determined in the conduct of the study.

(b) REPORT.-The Director of the National Institute of Standards and Technology shall transmit a report containing the results of the study and recommendations required by subsection (a) to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science not later than 21 months after the date of enactment of this Act.

(c) SECURITY.-The Director of the National Institute of Standards and Technology shall ensure that no information that is classified is included in any publicly released version of the report required by this section.

(d) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the Secretary of Commerce for the National Institute of Standards and Technology for the purposes of carrying out this section, $700,000.
