[House Report 110-829] [From the U.S. Government Publishing Office] 110th Congress Rept. 110-829 HOUSE OF REPRESENTATIVES 2d Session Part 1 ====================================================================== CYBERSECURITY EDUCATION ENHANCEMENT ACT OF 2008 _______ September 8, 2008.--Ordered to be printed _______ Mr. Thompson of Mississippi, from the Committee on Homeland Security, submitted the following R E P O R T [To accompany H.R. 263] [Including cost estimate of the Congressional Budget Office] The Committee on Homeland Security, to whom was referred the bill (H.R. 263) to authorize the Secretary of Homeland Security to establish a program to award grants to institutions of higher education for the establishment or expansion of cybersecurity professional development programs, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. CONTENTS Page Purpose and Summary.............................................. 00 Background and Need for Legislation.............................. 00 Hearings......................................................... 00 Committee Consideration.......................................... 00 Committee Votes.................................................. 00 Committee Oversight Findings..................................... 00 New Budget Authority, Entitlement Authority, and Tax Expenditures 00 Congressional Budget Office Estimate............................. 00 Statement of General Performance Goals and Objectives............ 00 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits....................................................... 00 Federal Mandates Statement....................................... 00 Advisory Committee Statement..................................... 00 Constitutional Authority Statement............................... 00 Applicability to Legislative Branch.............................. 00 Section-by-Section Analysis of the Legislation................... 00 Changes in Existing Law Made by the Bill, as Reported............ 00 The amendment is as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Cybersecurity Education Enhancement Act of 2008''. SEC. 2. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY TRAINING PROGRAMS AND EQUIPMENT. (a) In General.--The Secretary of Homeland Security, acting through the Assistant Secretary of Cybersecurity and subject to the availability of appropriations, shall establish a program to award grants to institutions of higher education (and consortia thereof) for-- (1) the establishment or expansion of cybersecurity professional development programs; (2) the establishment or expansion (or both) of associate degree programs in cybersecurity; and (3) the purchase of equipment to provide training in cybersecurity for professional development programs and degree programs. (b) Goals and Criteria.--The Secretary, acting through the Assistant Secretary-- (1) shall establish the goals and criteria for the program established under this section and the criteria for awarding grants under such program; and (2) shall operate the program consistent with the goals and criteria established under paragraph (1), including soliciting applicants, reviewing applications, and making and administering awards. (c) Grant Awards.-- (1) Peer review.--All grant awards under this section shall be provided on a competitive, merit-reviewed basis. (2) Focus.--In awarding grants under this section, the Secretary shall, to the extent practicable, ensure geographic diversity and the participation of women and underrepresented minorities. (3) Preference.--In awarding grants under this section, the Secretary-- (A) shall give preference to applications submitted by consortia of institutions, to encourage as many students and professionals as possible to benefit from the program established under this section; and (B) shall give preference to any application submitted by a consortium of institutions that includes at least one institution of higher education that is eligible to receive funds under title III or V of the Higher Education Act of 1965. (d) Institution of Higher Education Defined.--In this section the term ``institution of higher education'' has the meaning given that term in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)). (e) Authorization of Appropriations.--There is authorized to be appropriated to the Secretary for carrying out this section $5,000,000 for each of fiscal years 2009 and 2010. SEC. 3. DHS CYBERSECURITY FELLOWS PROGRAM. (a) Establishment of Program.--Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended by adding at the end the following: ``SEC. 226. DHS CYBERSECURITY FELLOWS PROGRAM. ``(a) Establishment.-- ``(1) In general.--The Secretary shall establish a fellowship program in accordance with this section for the purpose of bringing State, local, tribal, and private sector officials to participate in the work of the National Cybersecurity Division in order to assist with the Department's stated cybersecurity missions and capabilities, including-- ``(A) enhancing Federal, State, local, and tribal government cybersecurity; ``(B) developing partnerships with other Federal agencies, State, local, and tribal governments, and the private sector; ``(C) improving and enhancing public/private information sharing involving information regarding cyber attacks, threats, and vulnerabilities; ``(D) providing and coordinating incident response and recovery planning efforts; and ``(E) fostering training and certification. ``(2) Program name.--The program under this section shall be known as the DHS Cybersecurity Fellows Program. ``(b) Eligibility.--In order to be eligible for selection as a fellow under the program, an individual must-- ``(1) have cybersecurity-related responsibilities; ``(2) be eligible to possess an appropriate national security clearance; and ``(3) if the individual has, or is employed by a person that has, a contract with the Department or business before the Department, report to the Secretary any conflicts of interest of the individual with respect to such contract or business. ``(c) Limitations.--The Secretary-- ``(1) may conduct up to 2 iterations of the program each year, each of which shall be 180 days in duration; and ``(2) shall ensure that the number of fellows selected for each iteration does not impede the activities of the National Cybersecurity Division. ``(d) Condition.--As a condition of selecting an individual as a fellow under the program, the Secretary shall verify that the individual's employer agrees to continue to pay the individual's salary and benefits during the period of the fellowship. ``(e) Stipend.--During the period of the fellowship of an individual under the program, the Secretary may, subject to the availability of appropriations, provide to the individual a stipend to cover the individual's reasonable living expenses during the period of the fellowship.''. (b) Clerical Amendment.--The table of contents in section 1(b) of such Act is amended by adding at the end of the items relating to such subtitle the following: ``Sec. 226. DHS cybersecurity fellows program.''. SEC. 4. SENSE OF CONGRESS--CYBERSECURITY. It is the sense of the Congress that the House of Representatives should designate a committee to serve as the single, principal point of oversight and review for cybersecurity. Purpose and Summary The purpose of H.R. 263 is to authorize the Secretary of Homeland Security to establish a program to award grants to institutions of higher education for the establishment or expansion of cybersecurity professional development programs, and for other purposes. Background and Need for Legislation During the course of the 110th Congress, the Subcommittee on Emerging Threats, Cybersecurity, Science and Technology conducted dozens of hearings and investigations into cybersecurity issues affecting Federal and critical infrastructure networks, with the goal of increasing public awareness, fixing vulnerabilities, and holding individuals, agencies, and private sector entities responsible and accountable for their actions. One of the key vulnerabilities that the Committee has discovered is the lack of information security training and awareness across all levels and branches of American government and the private sector. This bill establishes a grant program to enable higher education institutions to develop or expand cybersecurity education programs. In addition, the bill provides opportunities for State, local, tribal, and private sector officials with cybersecurity expertise to work at the National Cybersecurity Division. Hearings No Committee hearings were held on H.R. 263, however the Committee held an oversight hearing on cybersecurity. On April 25, 2007, the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology held a hearing entitled ``Addressing the Nation's Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action.'' The Subcommittee received testimony from Dr. Daniel E. Geer, Jr., Principal, Geer Risk Services, LLC; Dr. James Andrew Lewis, Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies; Dr. Douglas Maughan, Program Manager, Cyber Security R&D, science and Technology Directorate, Department of Homeland Security; and Mr. O. Sami Saydjari, President, Professionals for Cyber Defense Chief Executive Officer, Cyber Defense Agency, LLC. Committee Consideration In the 109th Congress H.R. 3109, the ``Cybersecurity Education Enhancement Act of 2005'' was introduced in the House by Ms. Jackson-Lee of Texas and four original co-sponsors. H.R. 263 was introduced in the House on January 5, 2007, by Ms. Jackson-Lee of Texas and referred to the Committee on Science and Technology, and in addition to the Committee on Education and Labor and the Committee on Homeland Security. Within the Committee on Homeland Security, H.R. 263 was referred to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. On June 26, 2008, the Chairman discharged the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology from further consideration of H.R. 263. The Full Committee then proceeded to the consideration of H.R. 263 and ordered the measure reported to the House, amended, with a favorable recommendation. The Committee adopted the measure, as amended, by unanimous consent. The following amendments were offered: An Amendment in the Nature of a Substitute offered by Ms. Jackson-Lee (#1), was AGREED TO by unanimous consent. Committee Votes Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during Committee consideration. Committee Oversight Findings Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report. New Budget Authority, Entitlement Authority, and Tax Expenditures In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 263, the Cybersecurity Education Enhancement Act of 2007, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. Congressional Budget Office Estimate The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974. U.S. Congress, Congressional Budget Office, Washington, DC, August 21, 2008. Hon. Bennie G. Thompson, Chairman, Committee on Homeland Security, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 263, the Cybersecurity Education Enhancement Act of 2008. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Mark Grabowicz. Sincerely, Peter H. Fontaine (For Peter R. Orszag, Director). Enclosure. H.R. 263--Cybersecurity Education Enhancement Act of 2008 Summary: H.R. 263 would authorize the appropriation of $5 million for each of fiscal years 2009 and 2010 for the Department of Homeland Security (DHS) to make grants to institutions of higher education to establish or expand cybersecurity programs. In addition, the bill would direct DHS to establish a fellowship program for nonfederal employees to work temporarily in the department's National Cybersecurity Division. CBO estimates that implementing the bill would cost about $11 million over the 2009-2013 period, subject to appropriation of the necessary amounts. Enacting H.R. 263 would not affect direct spending or revenues. H.R. 263 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local or tribal governments. Estimated cost to the Federal Government: The estimated budgetary impact of H.R. 263 is shown in the following table. The costs of this legislation fall within budget function 750 (administration of justice). Basis of estimate: For this estimate, CBO assumes that the necessary amounts will be appropriated near the start of each fiscal year and that outlays will follow the historical rate of spending for similar activities. ---------------------------------------------------------------------------------------------------------------- By fiscal year, in millions of dollars-- ------------------------------------------------------- 2009 2010 2011 2012 2013 2009-2013 ---------------------------------------------------------------------------------------------------------------- CHANGES IN SPENDING SUBJECT TO APPROPRIATION Estimated Authorization Level........................... 5 5 * * * 11 Estimated Outlays....................................... 2 3 4 1 * 11 ---------------------------------------------------------------------------------------------------------------- Note: * = less than $500,000. In addition to the specified authorizations of $5 million for each of 2009 and 2010 for grants to expand cybersecurity programs, H.R. 263 would permit DHS to provide a stipend to cover reasonable living expenses for participants in the fellowship program established by the bill. CBO expects that about 20 people would participate in the new program in Washington, D.C., each year with each individual spending no more than six months in the program. We estimate that annual costs for stipends (including housing and commuting expenses) could be a few hundred thousand dollars each year and would total about $1 million over the 2009-2013 period, subject to the availability of appropriated funds. Intergovernmental and private-sector impact: H.R. 263 contains no intergovernmental or private-sector mandates as defined in UMRA. The bill would benefit state, local and tribal governments by establishing grants for institutions of higher education and by creating a fellows program to provide training on cybersecurity issues and to foster partnerships on cybersecurity issues. Estimate prepared by: Federal Costs: Mark Grabowicz; Impact on State, Local, and Tribal Governments: Burke Doherty; Impact on the Private Sector: Paige Piper/Bach. Estimate approved by: Peter H. Fontaine, Assistant Director for Budget Analysis. Statement of General Performance Goals and Objectives Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the House of Representatives, H.R. 263, contains the following general performance goals, and objectives, including outcome related goals and objectives authorized. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(d), 9(e), or 9(f) of the rule XXI. Federal Mandates Statement The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act. Advisory Committee Statement No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. Constitutional Authority Statement Pursuant to clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee finds that the Constitutional authority for this legislation is provided in Article I, section 8, clause 1, which grants Congress the power to provide for the common Defense of the United States. Applicability to Legislative Branch The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. Section-by-Section Analysis of the Legislation Section 1. Short title This section cites the measure as the ``Cybersecurity Education Enhancement Act of 2008.'' Section 2. Department of Homeland Security Cybersecurity training programs and equipment This section establishes a program to award grants to institutions of higher education (and consortia thereof) for: (1) the establishment or expansion of cybersecurity professional development programs; (2) the establishment or expansion (or both) of associate degree programs in cybersecurity; and (3) the purchase of equipment to provide training in cybersecurity for either professional development programs or degree programs. Section 3. DHS Cybersecurity Fellows Program This section establishes a fellowship program for the purpose of bringing State, local, tribal, and private sector officials to participate in the work of the National Cybersecurity Division in order to assist with the Department's stated cybersecurity missions and capabilities. In order to be eligible for selection as a fellow under the program, an individual must: (1) have cybersecurity-related responsibilities; and (2) be eligible to possess an appropriate National security clearance. Section 4. Sense of Congress This section states that it is the sense of the Congress that the House of Representatives and the Senate should designate a committee in each body to serve as the single, principal point of oversight and review for cybersecurity. Because cybersecurity is an issue of great economic and National importance, the Committee believes that the House of Representatives must reorganize and realign the committee structure to create one central body with oversight authority over the disparate aspects of the issue. Without a principal point, Congress will not be able to provide effective oversight and leadership. H.L.C. Changes in Existing Law Made by the Bill, as Reported In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (new matter is printed in italic and existing law in which no change is proposed is shown in roman): HOMELAND SECURITY ACT OF 2002 SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) * * * (b) Table of Contents.--The table of contents for this Act is as follows: * * * * * * * TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION * * * * * * * Subtitle C--Information Security * * * * * * * Sec. 226. DHS cybersecurity fellows program. * * * * * * * TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION * * * * * * * Subtitle C--Information Security * * * * * * * SEC. 226. DHS CYBERSECURITY FELLOWS PROGRAM. (a) Establishment.-- (1) In general.--The Secretary shall establish a fellowship program in accordance with this section for the purpose of bringing State, local, tribal, and private sector officials to participate in the work of the National Cybersecurity Division in order to assist with the Department's stated cybersecurity missions and capabilities, including-- (A) enhancing Federal, State, local, and tribal government cybersecurity; (B) developing partnerships with other Federal agencies, State, local, and tribal governments, and the private sector; (C) improving and enhancing public/private information sharing involving information regarding cyber attacks, threats, and vulnerabilities; (D) providing and coordinating incident response and recovery planning efforts; and (E) fostering training and certification. (2) Program name.--The program under this section shall be known as the DHS Cybersecurity Fellows Program. (b) Eligibility.--In order to be eligible for selection as a fellow under the program, an individual must-- (1) have cybersecurity-related responsibilities; (2) be eligible to possess an appropriate national security clearance; and (3) if the individual has, or is employed by a person that has, a contract with the Department or business before the Department, report to the Secretary any conflicts of interest of the individual with respect to such contract or business. (c) Limitations.--The Secretary-- (1) may conduct up to 2 iterations of the program each year, each of which shall be 180 days in duration; and (2) shall ensure that the number of fellows selected for each iteration does not impede the activities of the National Cybersecurity Division. (d) Condition.--As a condition of selecting an individual as a fellow under the program, the Secretary shall verify that the individual's employer agrees to continue to pay the individual's salary and benefits during the period of the fellowship. (e) Stipend.--During the period of the fellowship of an individual under the program, the Secretary may, subject to the availability of appropriations, provide to the individual a stipend to cover the individual's reasonable living expenses during the period of the fellowship. * * * * * * *