House Approves Cybersecurity Enhancement Act by Overwhelming Majority

On Feb 4, the House of Representatives passed the Cybersecurity Enhancement Act (HR 4061), by a vote of 422 to 5.

This bill will improve cybersecurity within the federal government as well as the public and private sectors by: helping to develop a skilled cybersecurity workforce; coordinating and prioritizing the federal research and development (R&D) portfolio; improving the transfer of cybersecurity technologies to the marketplace; and promoting cybersecurity education and awareness for the general public. This bipartisan legislation addresses recommendations from the Administration's Cyberspace Policy Review, released May 29, 2009, and input from the four hearings on cybersecurity the House Science and Technology Committee held in 2009. HR 4061 is a combination of two Committee discussion drafts: the Cybersecurity Research and Development Act of 2009, which passed the R&SE Subcommittee on September 23, 2009, and the Cybersecurity Coordination and Awareness Act of 2009, which passed the Technology and Innovation Subcommittee on November 4, 2009.

The federal government's cybersecurity activities are divided among several agencies and programs, including the National Science Foundation (NSF), the National Institute of Standards and Technology (NIST), and the Networking and Information Technology Research and Development (NITRD) program:

• NSF is the main agency supporting non-classified cybersecurity R&D and education. Specifically, the Cybersecurity Enhancement Act reauthorizes NSF's cybersecurity research program, the Trustworthy Computing program, and formally establishes the Scholarship for Service program, which provides funding to colleges and universities to award scholarships to students in the information assurance and computer security fields in exchange for their service in the federal government after they have completed their training.
• NIST has two key cybersecurity responsibilities: developing federal information processing standards; and testing the effectiveness of security requirements. Because the vast majority of cybersecurity breaches are the result of current best practices not being followed, H.R. 4061 requires NIST to develop and implement a public cybersecurity awareness and education program to encourage the more widespread adoption of best practices (i.e. using unique passwords for different logons, not keeping passwords written next to the computer). Also, U.S. federal government representation in the development of international cybersecurity technical standards is incomplete and uncoordinated. Consistent with the recommendations made in the President's Cyberspace Policy Review, this bill requires NIST to develop a plan to ensure representation in all important international cybersecurity technical standards development initiatives and that this representation works from one coordinated U.S. federal government strategy.
• The NITRD program is the primary mechanism by which the federal government coordinates its unclassified networking and IT R&D investments. Thirteen federal agencies, including all of the large science and technology agencies, are formal members of the NITRD Program; other federal organizations also participate in NITRD activities. H.R. 4061 requires the NITRD participating federal agencies to create and implement a strategic plan to guide their cybersecurity R&D efforts.

This bill would also require the Administration to conduct an assessment of cybersecurity workforce needs across the federal government. Lastly, H.R. 4061 requires the Administration's Office of Science and Technology Policy (OSTP) Director to assemble a university-industry task force to discover new models for implementing collaborative R&D