
Code · BILL · 117th Congress · H.R. 7900 (Engrossed in House) — To authorize appropriations for fiscal year 2023 for military activities of the Department of Defense and for militar... · Sec. 5206

Sec. 5206. Critical technology security centers


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Title III of the Homeland Security Act of 2002 (6 U.S.C. 181 et seq.) is amended by adding at the end the following new section:

Not later than 180 days after the date of the enactment of this section, the Secretary, acting through the Under Secretary for Science and Technology, and in coordination with the Director, shall award grants, contracts, or cooperative agreements to covered entities for the establishment of not fewer than two cybersecurity-focused Critical Technology Security Centers to evaluate and test the security of critical technology.

In carrying out the evaluation and testing of the security of critical technology pursuant to subsection (a), the Critical Technology Security Centers referred to in such subsection shall address the following technologies: The security of information and communications technology that underpins national critical functions related to communications. The security of networked industrial equipment, such as connected programmable data logic controllers and supervisory control and data acquisition servers. The security of open source software that underpins national critical functions. The security of critical software used by the Federal Government.

The Under Secretary for Science and Technology may, in coordination with the Director, award or terminate grants, contracts, or cooperative agreements to covered entities for the establishment of additional or termination of existing Critical Technology Security Centers to address critical technologies. The authority provided under paragraph (1) may be exercised except if such exercise would result in the operation at any time of fewer than two Critical Technology Security Centers.

Before awarding a grant, contract, or cooperative agreement to a covered entity to establish a Critical Technology Security Center, the Under Secretary for Science and Technology shall coordinate with the Director, who shall provide the Under Secretary a list of critical technologies or specific guidance on such technologies that would be within the remit of any such Center. The Under Secretary for Science and Technology, in coordination with the Director, is authorized to expand or modify at any time the list of critical technologies or specific guidance on technologies referred to in paragraph (1) that is within the remit of a proposed or established Critical Technology Security Center.

In carrying out the evaluation and testing of the security of critical technology pursuant to subsection (a), the Critical Technology Security Centers referred to in such subsection shall each have the following responsibilities: Conducting rigorous security testing to identify vulnerabilities in such technologies. Utilizing the coordinated vulnerability disclosure processes established under subsection (g) to report to the developers of such technologies and, as appropriate, to the Cybersecurity and Infrastructure Security Agency, information relating to vulnerabilities discovered and any information necessary to reproduce such vulnerabilities. Developing new capabilities for improving the security of such technologies, including vulnerability discovery, management, and mitigation. Assessing the security of software, firmware, and hardware that underpin national critical functions. Supporting existing communities of interest, including through grant making, in remediating vulnerabilities discovered within such technologies. Utilizing findings to inform and support the future work of the Cybersecurity and Infrastructure Security Agency.

Unless otherwise directed pursuant to guidance issued by the Under Secretary or Director under subsection (d), to the greatest extent practicable activities carried out pursuant to the responsibilities specified in subsection (e) shall leverage risk-based evaluations to focus on activities that have the greatest effect practicable on the security of the critical technologies within each Critical Technology Security Center’s remit, such as the following: Developing capabilities that can detect or eliminate entire classes of vulnerabilities. Testing for vulnerabilities in the most widely used technology or vulnerabilities that affect many such critical technologies.

Each Critical Technology Security Center shall establish, in coordination with the Director, coordinated vulnerability disclosure processes regarding the disclosure of vulnerabilities that— are adhered to when a vulnerability is discovered or disclosed by each such Center, consistent with international standards and coordinated vulnerability disclosure best practices; and are published on the website of each such Center.

To be eligible for an award of a grant, contract, or cooperative agreement as a Critical Technology Security Center pursuant to subsection (a), a covered entity shall submit to the Secretary an application at such time, in such manner, and including such information as the Secretary may require.

The Under Secretary for Science and Technology shall ensure that vulnerabilities discovered by a Critical Technology Security Center are reported to the National Vulnerability Database of the National Institute of Standards and Technology, as appropriate and using the coordinated vulnerability disclosure processes established under subsection (g).

The Under Secretary for Science and Technology, in coordination with the Director, shall develop, and periodically update, guidance, including eligibility and any additional requirements, relating to how Critical Technology Security Centers may award grants to communities of interest pursuant to subsection (e)(5) to remediate vulnerabilities and take other actions under such subsection and subsection (k).

Any Critical Technology Security Center addressing open source software security may award grants, in consultation with the Under Secretary for Science and Technology and Director, to individual open source software developers and maintainers, nonprofit organizations, and other non-Federal entities as determined appropriate by any such Center, to fund improvements to the security of the open source software ecosystem. A grant awarded under paragraph (1) may include improvements such as the following: Security audits. Funding for developers to patch vulnerabilities. Addressing code, infrastructure, and structural weaknesses, including rewrites of open source software components in memory-safe programming languages. Research and tools to assess and improve the overall security of the open source software ecosystem, such as improved software fault isolation techniques. Training and other tools to aid open source software developers in the secure development of open source software, including secure coding practices and secure systems architecture. In awarding grants under paragraph (1), a Critical Technology Security Center shall prioritize, to the greatest extent practicable, the following: Where applicable, open source software components identified in guidance from the Director, or if no such guidance is so provided, utilizing the risk-based evaluation described in subsection (f). Activities that most promote the long-term security of the open source software ecosystem.

Not later than one year after the date of the enactment of this section and every two years thereafter, each Critical Technology Security Center shall submit to the Under Secretary for Science and Technology and Director a report that includes the following: A summary of the work performed by such Center. Information relating to the allocation of Federal funds at such Center. A description of each vulnerability that has been publicly disclosed pursuant to subsection (g), including information relating to the corresponding software weakness. An assessment of the criticality of each such vulnerability. A list of critical technologies studied by such Center. An overview of the methodologies used by such Center, such as tactics, techniques, and procedures. A description of such Center’s development of capabilities for vulnerability discovery, management, and mitigation. A summary of such Center’s support to existing communities of interest, including an accounting of dispersed grant funds. For such Center, if applicable, a summary of any grants awarded during the period covered by the report that includes the following: An identification of the entity to which each such grant was awarded. The amount of each such grant. The purpose of each such grant. The expected impact of each such grant. The coordinated vulnerability disclosure processes established by such Center.

Upon receiving the reports required under subsection (l), the Under Secretary for Science and Technology shall submit to the appropriate congressional committees a report that includes, with respect to each Critical Technology Security Center, the reports received in subsection (l). Where applicable, the Under Secretary shall include an explanation for any deviations from the list of critical technologies studied by a Center from the list of critical technologies or specific guidance relating to such technologies provided by the Director before the distribution of funding to such Center.

In carrying out this section, the Under Secretary shall consult with the heads of other Federal agencies conducting cybersecurity research, including the following: The National Institute of Standards and Technology. The National Science Foundation. Relevant agencies within the Department of Energy. Relevant agencies within the Department of Defense.

There are authorized to be appropriated to carry out this section the following: $40,000,000 for fiscal year 2023. $42,000,000 for fiscal year 2024. $44,000,000 for fiscal year 2025. $46,000,000 for fiscal year 2026. $49,000,000 for fiscal year 2027.

In this section: The term appropriate congressional committees means— the Committee on Homeland Security of the House of Representatives; and the Committee on Homeland Security and Governmental Affairs of the Senate. The term covered entity means a university or federally-funded research and development center, including a national laboratory, or a consortia thereof. The term critical technology means technology that underpins one or more national critical functions. The term critical software has the meaning given such term by the National Institute of Standards and Technology pursuant to Executive Order 14028 or any successor provision. The term open source software means software for which the human-readable source code is made available to the public for use, study, re-use, modification, enhancement, and redistribution. The term Director means the Director of the Cybersecurity and Infrastructure Security Agency.

Paragraph (1) of section 2202(e) of the Homeland Security Act of 2002 (6 U.S.C. 603(e)) is amended by adding at the end the following new subparagraph: To identify the critical technologies (as such term is defined in section 323) or develop guidance relating to such technologies within the remits of the Critical Technology Security Centers as described in such section.

The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 322 the following new item: Sec. 323. Critical Technology Security Centers.