Title 15, Commerce and Trade (Release 119-73)

§7431 Federal cybersecurity research and development

Last updated Apr 6, 2026

Summary

Heads of certain federal agencies must create and update, every 4 years, a federal cybersecurity research and development strategic plan based on an assessment of cybersecurity risk. The plan must guide Federal research for information technology and networks. It must cover many topics, including designing secure systems from the start, testing and verifying software and hardware (including third-party products), making sure third-party products do only what they claim, protecting people’s privacy and identity, improving Internet protocols and message origin tracing, balancing privacy with security, stopping insider threats, improving user education and digital literacy, and protecting cloud and wireless systems.

The plan must set near-term, mid-term, and long-term priorities; show how near-term work fits with private-sector efforts; focus on breakthrough technologies; speed the move of research into useful tools and best practices; create and maintain a national research infrastructure for testing new secure systems; and make that infrastructure and relevant data accessible to academic researchers. Agency leaders must work with industry, academia, national labs, and other stakeholders, get advice from the advisory committee and a broad set of organizations, and avoid duplicating private work.

They must also publish an annual implementation roadmap that lists each agency’s role, current funding by agency for each major objective, estimated funding needs for the next 3 fiscal years, how progress will be measured, and a tracking of projects. The strategic plan had to be sent to Congress first within 1 year after December 18, 2014; each quadrennial update, and the roadmap with its annual updates, must be sent as well.

The Director of the National Science Foundation must fund work to add cybersecurity and secure coding into college curricula and to train faculty. The NSF must review existing cybersecurity test beds within 1 year after December 18, 2014, tell Congress whether more are needed, and, if needed, may give grants with the Commerce and Homeland Security Departments to set up robust test beds that model real attacks and defenses. The NSF, Commerce, and DHS must evaluate grant results no later than 2 years after that review and periodically after.

The Office of Science and Technology Policy must coordinate these R&D efforts with NSF, NIST, DHS, other agencies, labs, universities, nonprofits, and international partners. “Applicable agencies and departments” means the agencies listed or designated under section 5511(a)(3)(B).

Full Legal Text

Title 15, §7431

Commerce and Trade — Source: USLM XML via OLRC

(a)(1) The heads of the applicable agencies and departments, working through the National Science and Technology Council and the Networking and Information Technology Research and Development Program, shall develop and update every 4 years a Federal cybersecurity research and development strategic plan (referred to in this subsection as the “strategic plan”) based on an assessment of cybersecurity risk to guide the overall direction of Federal cybersecurity and information assurance research and development for information technology and networking systems. The heads of the applicable agencies and departments shall build upon existing programs and plans to develop the strategic plan to meet objectives in cybersecurity, such as—
(A) how to design and build complex software-intensive systems that are secure and reliable when first deployed;
(B) how to test and verify that software and hardware, whether developed locally or obtained from a third party, is free of significant known security flaws;
(C) how to test and verify that software and hardware obtained from a third party correctly implements stated functionality, and only that functionality;
(D) how to guarantee the privacy of an individual, including that individual’s identity, information, and lawful transactions when stored in distributed systems or transmitted over networks;
(E) how to build new protocols to enable the Internet to have robust security as one of the key capabilities of the Internet;
(F) how to determine the origin of a message transmitted over the Internet;
(G) how to support privacy in conjunction with improved security;
(H) how to address the problem of insider threats;
(I) how improved consumer education and digital literacy initiatives can address human factors that contribute to cybersecurity;
(J) how to protect information processed, transmitted, or stored using cloud computing or transmitted through wireless services;
(K) implementation of section 7432 of this title through research and development on the topics identified under subsection (a) of such section; and
(L) any additional objectives the heads of the applicable agencies and departments, in coordination with the head of any relevant Federal agency and with input from stakeholders, including appropriate national laboratories, industry, and academia, determine appropriate.
(2)(A) The strategic plan shall—
(i) specify and prioritize near-term, mid-term, and long-term research objectives, including objectives associated with the research identified in section 7403(a)(1) of this title;
(ii) specify how the near-term objectives described in clause (i) complement research and development areas in which the private sector is actively engaged;
(iii) describe how the heads of the applicable agencies and departments will focus on innovative, transformational technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure, and to protect consumer privacy;
(iv) describe how the heads of the applicable agencies and departments will foster the rapid transfer of research and development results into new cybersecurity technologies and applications for the timely benefit of society and the national interest, including through the dissemination of best practices and other outreach activities;
(v) describe how the heads of the applicable agencies and departments will establish and maintain a national research infrastructure for creating, testing, and evaluating the next generation of secure networking and information technology systems; and
(vi) describe how the heads of the applicable agencies and departments will facilitate access by academic researchers to the infrastructure described in clause (v), as well as to relevant data, including event data.
(B) In developing, implementing, and updating the strategic plan, the heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall work in close cooperation with industry, academia, and other interested stakeholders to ensure, to the extent possible, that Federal cybersecurity research and development is not duplicative of private sector efforts.
(C) In developing and updating the strategic plan the heads of the applicable agencies and departments shall solicit recommendations and advice from—
(i) the advisory committee established under section 5511(b)(1) of this title; and
(ii) a wide range of stakeholders, including industry, academia, including representatives of minority serving institutions and community colleges, National Laboratories, and other relevant organizations and institutions.
(D) The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall develop and annually update an implementation roadmap for the strategic plan. The implementation roadmap shall—
(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated;
(ii) specify the funding allocated to each major research objective of the strategic plan and the source of funding by agency for the current fiscal year;
(iii) estimate the funding required for each major research objective of the strategic plan for the following 3 fiscal years; and
(iv) track ongoing and completed Federal cybersecurity research and development projects.
(3) The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives—
(A) the strategic plan not later than 1 year after December 18, 2014;
(B) each quadrennial update to the strategic plan; and
(C) the implementation roadmap under subparagraph (D), and its annual updates, which shall be appended to the annual report required under section 5511(a)(2)(D) of this title.
(4) In this subsection, the term “applicable agencies and departments” means the agencies and departments identified in clauses (i) through (xi) of section 5511(a)(3)(B) of this title (see References in Text note below) or designated under clause (xii) of that section.
(b) The Director of the National Science Foundation shall support research that—
(1) develops, evaluates, disseminates, and integrates new cybersecurity practices and concepts into the core curriculum of computer science programs and of other programs where graduates of such programs have a substantial probability of developing software after graduation, including new practices and concepts relating to secure coding education and improvement programs; and
(2) develops new models for professional development of faculty in cybersecurity education, including secure coding development.
(c)(1) Not later than 1 year after December 18, 2014, the Director of the National Science Foundation, in coordination with the Director of the Office of Science and Technology Policy, shall conduct a review of cybersecurity test beds in existence on December 18, 2014, to inform the grants under paragraph (2). The review shall include an assessment of whether a sufficient number of cybersecurity test beds are available to meet the research needs under the Federal cybersecurity research and development strategic plan. Upon completion, the Director shall submit the review to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.
(2)(A) If the Director of the National Science Foundation, after the review under paragraph (1), determines that the research needs under the Federal cybersecurity research and development strategic plan require the establishment of additional cybersecurity test beds, the Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, may award grants to institutions of higher education or research and development non-profit institutions to establish cybersecurity test beds.
(B) The cybersecurity test beds under subparagraph (A) shall be sufficiently robust in order to model the scale and complexity of real-time cyber attacks and defenses on real world networks and environments.
(C) The Director of the National Science Foundation, in coordination with the Secretary of Commerce and the Secretary of Homeland Security, shall evaluate the effectiveness of any grants awarded under this subsection in meeting the objectives of the Federal cybersecurity research and development strategic plan not later than 2 years after the review under paragraph (1) of this subsection, and periodically thereafter.
(d) In accordance with the responsibilities under section 5511 of this title, the Director of the Office of Science and Technology Policy shall coordinate, to the extent practicable, Federal research and development activities under this section with other ongoing research and development security-related initiatives, including research being conducted by—
(1) the National Science Foundation;
(2) the National Institute of Standards and Technology;
(3) the Department of Homeland Security;
(4) other Federal agencies;
(5) other Federal and private research laboratories, research entities, and universities;
(6) institutions of higher education;
(7) relevant nonprofit organizations; and
(8) international partners of the United States.
(e)
(f) The head of each agency and department identified under section 5511(a)(3)(B) of this title (see References in Text note below), through existing programs and activities, shall support research that will lead to the development of a scientific foundation for the field of cybersecurity, including research that increases understanding of the underlying principles of securing complex networked systems, enables repeatable experimentation, and creates quantifiable security metrics.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

References in Text

Section 5511(a)(3)(B) of this title, referred to in subsecs. (a)(4) and (f), was redesignated section 5511(a)(3)(C) of this title by Pub. L. 114–329, title I, § 105(f)(2)(D)(i), Jan. 6, 2017, 130 Stat. 2979.

Codification

Section is comprised of section 201 of Pub. L. 113–274. Subsec. (e) of section 201 of Pub. L. 113–274 amended section 7403 of this title.

Amendments

2021—Subsec. (a)(1)(K), (L). Pub. L. 116–283 added subpar. (K) and redesignated former subpar. (K) as (L).

2017—Subsec. (a)(4). Pub. L. 114–329 substituted “clauses (i) through (xi)” for “clauses (i) through (x)” and “under clause (xii)” for “under clause (xi)”.

Reference

Citations & Metadata

Citation

15 U.S.C. § 7431
