achieved its objectives of increasing the quality and quantity of students, including students from groups historically underrepresented in computer and network security related disciplines, pursuing undergraduate or master's degrees in computer and network security. (6) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this subsection (A) $15,000,000 for fiscal year 2003; (D) $20,000,000 for fiscal year 2006; and (b) SCIENTIFIC AND ADVANCED TECHNOLOGY ACT OF 1992. (1) GRANTS.—The Director shall provide grants under the Scientific and Advanced Technology Act of 1992 (42 U.S.C. 18621) for the purposes of section 3(a) and (b) of that Act, except that the activities supported pursuant to this subsection shall be limited to improving education in fields related to computer and network security. (2) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this subsection (A) $1,000,000 for fiscal year 2003; (D) $1,250,000 for fiscal year 2006; and (c) GRADUATE TRAINEESHIPS IN COMPUTER AND NETWORK SECURITY RESEARCH. (1) IN GENERAL.-The Director shall establish a program to award grants to institutions of higher education to establish traineeship programs for graduate students who pursue computer and network security research leading to a doctorate degree by providing funding and other assistance, and by providing graduate students with research experience in government or industry related to the students' computer and network security studies. (2) MERIT REVIEW.-Grants shall be provided under this subsection on a merit-reviewed competitive basis. (3) USE OF FUNDS.-An institution of higher education shall use grant funds for the purposes of— (A) providing traineeships to students who are citizens, nationals, or lawfully admitted permanent resident aliens of the United States and are pursuing research in computer or network security leading to a doctorate degree; (B) paying tuition and fees for students receiving traineeships under subparagraph (A); (C) establishing scientific internship programs for students receiving traineeships under subparagraph (A) in computer and network security at for-profit institutions, nonprofit research institutions, or government laboratories; and (D) other costs associated with the administration of the program. (4) TRAINEESHIP AMOUNT.-Traineeships provided under paragraph (3)(A) shall be in the amount of $25,000 per year, or the level of the National Science Foundation Graduate Research Fellowships, whichever is greater, for up to 3 years. (5) SELECTION PROCESS.-An institution of higher education seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of— (A) the instructional program and research opportunities in computer and network security available to graduate students at the applicant's institution; and (B) the internship program to be established, including the opportunities that will be made available to students for internships at for-profit institutions, nonprofit research institutions, and government laboratories. (6) REVIEW OF APPLICATIONS.-In evaluating the applications submitted under paragraph (5), the Director shall consider (A) the ability of the applicant to effectively carry out the proposed program; (B) the quality of the applicant's existing research and education programs; (C) the likelihood that the program will recruit increased numbers of students, including students from groups historically underrepresented in computer and network security related disciplines, to pursue and earn doctorate degrees in computer and network security; (D) the nature and quality of the internship program established through collaborations with government laboratories, nonprofit research institutions, and for-profit institutions; (E) the integration of internship opportunities into graduate students' research; and (F) the relevance of the proposed program to current and future computer and network security needs. (7) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this subsection (A) $10,000,000 for fiscal year 2003; (D) $20,000,000 for fiscal year 2006; and (d) GRADUATE RESEARCH FELLOWSHIPS PROGRAM SUPPORT.Computer and network security shall be included among the fields of specialization supported by the National Science Foundation's Graduate Research Fellowships program under section 10 of the National Science Foundation Act of 1950 (42 U.S.C. 1869). (e) CYBER SECURITY FACULTY DEVELOPMENT TRAINEESHIP PROGRAM. (1) IN GENERAL.-The Director shall establish a program to award grants to institutions of higher education to establish traineeship programs to enable graduate students to pursue academic careers in cyber security upon completion of doctoral degrees. (2) MERIT REVIEW; COMPETITION.-Grants shall be awarded under this section on a merit-reviewed competitive basis. (3) APPLICATION.-Each institution of higher education desiring to receive a grant under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director shall require. (4) USE OF FUNDS.-Funds received by an institution of higher education under this paragraph shall (A) be made available to individuals on a merit-reviewed competitive basis and in accordance with the requirements established in paragraph (7); (B) be in an amount that is sufficient to cover annual tuition and fees for doctoral study at an institution of higher education for the duration of the graduate traineeship, and shall include, in addition, an annual living stipend of $25,000; and (C) be provided to individuals for a duration of no more than 5 years, the specific duration of each graduate traineeship to be determined by the institution of higher education, on a case-by-case basis. (5) REPAYMENT.-Each graduate traineeship shall (A) subject to paragraph (5)(B), be subject to full repayment upon completion of the doctoral degree according to a repayment schedule established and administered by the institution of higher education; (B) be forgiven at the rate of 20 percent of the total amount of the graduate traineeship assistance received under this section for each academic year that a recipient is employed as a full-time faculty member at an institution of higher education for a period not to exceed 5 years; and (C) be monitored by the institution of higher education receiving a grant under this subsection to ensure compliance with this subsection. (6) EXCEPTIONS.-The Director may provide for the partial or total waiver or suspension of any service obligation or payment by an individual under this section whenever compliance by the individual is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable. (7) ELIGIBILITY.-To be eligible to receive a graduate traineeship under this section, an individual shall (A) be a citizen, national, or lawfully admitted permanent resident alien of the United States; and (B) demonstrate a commitment to a career in higher education. (8) CONSIDERATION.-In making selections for graduate traineeships under this paragraph, an institution receiving a grant under this subsection shall consider, to the extent possible, a diverse pool of applicants whose interests are of an interdisciplinary nature, encompassing the social scientific as well as the technical dimensions of cyber security. (9) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this paragraph $5,000,000 for each of fiscal years 2003 through 2007. SEC. 6. [15 U.S.C. 7405] CONSULTATION. In carrying out sections 4 and 5, the Director shall consult with other Federal agencies. SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND NETWORK SECURITY. [Section 7 provides for amendments to section 3(a) of the National Science Foundation Act of 1950 (42 U.S.C. 1862(a)), which is shown in its entirety elsewhere in this compilation.] SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PROGRAMS. (a) RESEARCH PROGRAM. [Subsection (a) of this section provides for amendments to the National Institute of Standards and Technology Act (15 U.S.C. 271 et seq.), which is shown in its entirety elsewhere in this compilation.] (b) AMENDMENT OF COMPUTER SYSTEM DEFINITION.—[Subsection (b) of this section provides for an amendment to section 20(d)(1)(B)(i) of National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)(1)(B)(i)), which is shown in its entirety elsewhere in this compilation.] (c) CHECKLISTS FOR GOVERNMENT SYSTEMS.— (1) IN GENERAL.-The Director of the National Institute of Standards and Technology shall develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government. (2) PRIORITIES FOR DEVELOPMENT; EXCLUDED SYSTEMS.The Director of the National Institute of Standards and Technology may establish priorities for the development of checklists under this paragraph on the basis of the security risks associated with the use of the system, the number of agencies that use a particular system, the usefulness of the checklist to Federal agencies that are users or potential users of the system, or such other factors as the Director determines to be appropriate. The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any computer hardware or software system for which the Director of the National Institute of Standards and Technology determines that the development of a checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the inutility or impracticability of developing a checklist for the system. (3) DISSEMINATION OF CHECKLISTS.-The Director of the National Institute of Standards and Technology shall make any checklist developed under this paragraph for any computer hardware or software system available to each Federal agency that is a user or potential user of the system. (4) AGENCY USE REQUIREMENTS.-The development of a checklist under paragraph (1) for a computer hardware or software system does not (A) require any Federal agency to select the specific settings or options recommended by the checklist for the system; (B) establish conditions or prerequisites for Federal agency procurement or deployment of any such system; (C) represent an endorsement of any such system by the Director of the National Institute of Standards and Technology; nor (D) preclude any Federal agency from procuring or deploying other computer hardware or software systems for which no such checklist has been developed. (d) FEDERAL AGENCY INFORMATION SECURITY PROGRAMS. (1) IN GENERAL.-In developing the agencywide information security program required by section 3534(b) of title 44, United States Code, an agency that deploys a computer hardware or software system for which the Director of the National Institute of Standards and Technology has developed a checklist under subsection (c) of this section— (A) shall include in that program an explanation of how the agency has considered such checklist in deploying that system; and (B) may treat the explanation as if it were a portion of the agency's annual performance plan properly classified under criteria established by an Executive Order (within the meaning of section 1115(d) of title 31, United States Code). (2) LIMITATION.-Paragraph (1) does not apply to any computer hardware or software system for which the National Institute of Standards and Technology does not have responsibility under section 20(a)(3) of the National Institute of Standards and Technology Act (15 U.S.C.278g-3(a)(3)). SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND IN FORMATION. [Section 9 provides for an amendment to section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g3), which is shown in its entirety elsewhere in this compilation.] SEC. 10. INTRAMURAL SECURITY RESEARCH. [Section 10 provides for amendments to section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g3), which is shown in its entirety elsewhere in this compilation.] SEC. 11. [15 U.S.C. 7407] AUTHORIZATION OF APPROPRIATIONS. There are authorized to be appropriated to the Secretary of Commerce for the National Institute of Standards and Technology (1) for activities under section 22 of the National Institute of Standards and Technology Act, as added by section 8 of this Act (A) $25,000,000 for fiscal year 2003; (B) $40,000,000 for fiscal year 2004; (E) $85,000,000 for fiscal year 2007; and |