Referenced Laws
6 U.S.C. 651 et seq.
6 U.S.C. 652(c)
Public Law 107–296
Section 1
1. Short title
This Act may be cited as the National Cybersecurity Awareness Act.
Section 2
2. Findings
Congress finds the following:
The presence of ubiquitous internet-connected devices in the everyday lives of citizens of the United States has created opportunities for constant connection and modernization.
A connected society is subject to cybersecurity threats that can compromise even the most personal and sensitive of information.
Connected critical infrastructure is subject to cybersecurity threats that can compromise fundamental economic and health and safety functions.
The Government of the United States plays an important role in safeguarding the nation from malicious cyber activity.
A citizenry that is knowledgeable regarding cybersecurity is critical to building a robust cybersecurity posture and reducing the threat of cyber attackers stealing sensitive information and causing public harm.
While Cybersecurity Awareness Month is critical to supporting national cybersecurity awareness, it cannot be a once-a-year activity and must be a sustained, constant effort.
Section 3
3. Cybersecurity awareness
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following:

2220F. Cybersecurity Awareness Campaigns
(a) Definition. In this section, the term Campaign Program means the campaign program established under subsection (b).
(b) Awareness Campaign Program.
(1) In general. Not later than 90 days after the date of enactment of the National Cybersecurity Awareness Act, the Director shall establish a program for planning and coordinating Federal cybersecurity awareness campaigns.
(2) Activities. In carrying out the Campaign Program, the Director shall—
(A) inform non-Federal entities of voluntary cyber hygiene best practices, including information on how to—
(i) prevent cyberattacks; and
(ii) mitigate cybersecurity risks; and
(B) consult with private sector entities, State, local, Tribal, and territorial governments, academia, and civil society—
(i) to promote cyber hygiene best practices, including by focusing on tactics that are cost effective and result in significant cybersecurity improvement, such as—
(I) maintaining strong passwords and the use of password managers;
(II) enabling multi-factor authentication, including phishing-resistant multi-factor authentication;
(III) regularly installing software updates;
(IV) using caution with email attachments and website links; and
(V) other cyber hygienic considerations, as appropriate;
(ii) to promote awareness of cybersecurity risks and mitigation with respect to malicious applications on internet-connected devices, including applications to control those devices or use devices for unauthorized surveillance of users;
(iii) to help consumers identify products that are designed to support user and product security, such as products designed using the Secure-by-Design and Secure-by-Default principles of the Agency;
(iv) to coordinate with other Federal agencies and departments, as determined appropriate by the Director, to—
(I) promote relevant cybersecurity-related awareness activities; and
(II) ensure the Federal Government is coordinated in communicating accurate and timely cybersecurity information; and
(v) to expand nontraditional outreach mechanisms to ensure that entities including low-income and rural communities, small and medium sized businesses and institutions, and State, local, Tribal, and territorial partners receive cybersecurity awareness outreach in an equitable manner.
(3) Reporting.
(A) In general. Not later than 180 days after the date of enactment of the National Cybersecurity Awareness Act, and annually thereafter, the Director shall, in consultation with the heads of appropriate Federal agencies, submit to the appropriate congressional committees a report regarding the Campaign Program.
(B) Contents. Each report submitted pursuant to subparagraph (A) shall include—
(i) a summary of the activities of the Agency that support promoting cybersecurity awareness under the Campaign Program, including consultations made under paragraph (2)(B);
(ii) an assessment of the effectiveness of techniques and methods used to promote national cybersecurity awareness under the Campaign Program; and
(iii) recommendations on how to best promote cybersecurity awareness nationally.
(c) Cybersecurity campaign resources.
(1) In general. Not later than 180 days after the date of enactment of the National Cybersecurity Awareness Act, the Director shall develop and maintain a central repository for the resources, tools, and public communications of the Agency that promote cybersecurity awareness.
(2) Requirements. The resources described in paragraph (1) shall be—
(A) made publicly available online; and
(B) regularly updated to ensure the public has access to relevant and timely cybersecurity awareness information.

Section 2202(c) of the Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended—
in paragraph (13), by striking "; and" and inserting a semicolon;
by redesignating paragraph (14) as paragraph (15); and
by inserting after paragraph (13) the following:
(14) lead and coordinate Federal efforts to promote national cybersecurity awareness; and

The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the item relating to section 2220E the following:
Sec. 2220F. Cybersecurity awareness campaigns.
Section 4
2220F. Cybersecurity Awareness Campaigns
(a) Definition. In this section, the term Campaign Program means the campaign program established under subsection (b).
(b) Awareness Campaign Program.
(1) In general. Not later than 90 days after the date of enactment of the National Cybersecurity Awareness Act, the Director shall establish a program for planning and coordinating Federal cybersecurity awareness campaigns.
(2) Activities. In carrying out the Campaign Program, the Director shall—
(A) inform non-Federal entities of voluntary cyber hygiene best practices, including information on how to—
(i) prevent cyberattacks; and
(ii) mitigate cybersecurity risks; and
(B) consult with private sector entities, State, local, Tribal, and territorial governments, academia, and civil society—
(i) to promote cyber hygiene best practices, including by focusing on tactics that are cost effective and result in significant cybersecurity improvement, such as—
(I) maintaining strong passwords and the use of password managers;
(II) enabling multi-factor authentication, including phishing-resistant multi-factor authentication;
(III) regularly installing software updates;
(IV) using caution with email attachments and website links; and
(V) other cyber hygienic considerations, as appropriate;
(ii) to promote awareness of cybersecurity risks and mitigation with respect to malicious applications on internet-connected devices, including applications to control those devices or use devices for unauthorized surveillance of users;
(iii) to help consumers identify products that are designed to support user and product security, such as products designed using the Secure-by-Design and Secure-by-Default principles of the Agency;
(iv) to coordinate with other Federal agencies and departments, as determined appropriate by the Director, to—
(I) promote relevant cybersecurity-related awareness activities; and
(II) ensure the Federal Government is coordinated in communicating accurate and timely cybersecurity information; and
(v) to expand nontraditional outreach mechanisms to ensure that entities including low-income and rural communities, small and medium sized businesses and institutions, and State, local, Tribal, and territorial partners receive cybersecurity awareness outreach in an equitable manner.
(3) Reporting.
(A) In general. Not later than 180 days after the date of enactment of the National Cybersecurity Awareness Act, and annually thereafter, the Director shall, in consultation with the heads of appropriate Federal agencies, submit to the appropriate congressional committees a report regarding the Campaign Program.
(B) Contents. Each report submitted pursuant to subparagraph (A) shall include—
(i) a summary of the activities of the Agency that support promoting cybersecurity awareness under the Campaign Program, including consultations made under paragraph (2)(B);
(ii) an assessment of the effectiveness of techniques and methods used to promote national cybersecurity awareness under the Campaign Program; and
(iii) recommendations on how to best promote cybersecurity awareness nationally.
(c) Cybersecurity campaign resources.
(1) In general. Not later than 180 days after the date of enactment of the National Cybersecurity Awareness Act, the Director shall develop and maintain a central repository for the resources, tools, and public communications of the Agency that promote cybersecurity awareness.
(2) Requirements. The resources described in paragraph (1) shall be—
(A) made publicly available online; and
(B) regularly updated to ensure the public has access to relevant and timely cybersecurity awareness information.
Section 5
1. Short title
This Act may be cited as the National Cybersecurity Awareness Act.
Section 6
2. Findings
Congress finds the following:
The presence of ubiquitous internet-connected devices in the everyday lives of citizens of the United States has created opportunities for constant connection and modernization.
A connected society is subject to cybersecurity threats that can compromise even the most personal and sensitive of information.
Connected critical infrastructure is subject to cybersecurity threats that can compromise fundamental economic, health, and safety functions.
The Government of the United States plays an important role in safeguarding the nation from malicious cyber activity.
A citizenry that is knowledgeable regarding cybersecurity is critical to building a robust cybersecurity posture and reducing the threat of cyber attackers stealing sensitive information and causing public harm.
While Cybersecurity Awareness Month is critical to supporting national cybersecurity awareness, it cannot be a once-a-year activity, and there must be a sustained, constant effort to raise awareness about cyber hygiene, encourage individuals in the United States to learn cyber skills, and communicate the ways that cyber skills and careers in cyber advance individual and societal security, privacy, safety, and well-being.
Section 7
3. Cybersecurity awareness
Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following:

2220F. Cybersecurity Awareness Campaigns
(a) Definition. In this section, the term Campaign Program means the campaign program established under subsection (b)(1).
(b) Awareness Campaign Program.
(1) In general. Not later than 90 days after the date of enactment of the National Cybersecurity Awareness Act, the Director, in coordination with appropriate Federal agencies, shall establish a program for planning and coordinating Federal cybersecurity awareness campaigns.
(2) Activities. In carrying out the Campaign Program, the Director shall—
(A) inform non-Federal entities of voluntary cyber hygiene best practices, including information on how to—
(i) prevent cyberattacks; and
(ii) mitigate cybersecurity risks; and
(B) consult with private sector entities, State, local, Tribal, and territorial governments, academia, nonprofit organizations, and civil society—
(i) to promote cyber hygiene best practices and the importance of cyber skills, including by focusing on tactics that are cost effective and result in significant cybersecurity improvement, such as—
(I) maintaining strong passwords and the use of password managers;
(II) enabling multi-factor authentication, including phishing-resistant multi-factor authentication;
(III) regularly installing software updates;
(IV) using caution with email attachments and website links; and
(V) other cyber hygienic considerations, as appropriate;
(ii) to promote awareness of cybersecurity risks and mitigation with respect to malicious applications on internet-connected devices, including applications to control those devices or use devices for unauthorized surveillance of users;
(iii) to help consumers identify products that are designed to support user and product security, such as products designed using the Secure-by-Design and Secure-by-Default principles of the Agency or the Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products of the National Institute of Standards and Technology, published February 4, 2022 (or any subsequent version);
(iv) to coordinate with other Federal agencies, as determined appropriate by the Director, to—
(I) develop and promote relevant cybersecurity-related and cyber skills-related awareness activities and resources; and
(II) ensure the Federal Government is coordinated in communicating accurate and timely cybersecurity information;
(v) to expand nontraditional outreach mechanisms to ensure that entities, including low-income and rural communities, small and medium sized businesses and institutions, and State, local, Tribal, and territorial partners, receive cybersecurity awareness outreach in an equitable manner; and
(vi) to encourage participation in cyber workforce development ecosystems and to expand adoption of best practices to grow the national cyber workforce.
(3) Reporting.
(A) In general. Not later than 180 days after the date of enactment of the National Cybersecurity Awareness Act, and annually thereafter, the Director, in consultation with the heads of appropriate Federal agencies, shall submit to the appropriate congressional committees a report regarding the Campaign Program.
(B) Contents. Each report submitted pursuant to subparagraph (A) shall include—
(i) a summary of the activities of the Agency that support promoting cybersecurity awareness under the Campaign Program, including consultations made under paragraph (2)(B);
(ii) an assessment of the effectiveness of techniques and methods used to promote national cybersecurity awareness under the Campaign Program; and
(iii) recommendations on how to best promote cybersecurity awareness nationally.
(c) Cybersecurity campaign resources.
(1) In general. Not later than 180 days after the date of enactment of the National Cybersecurity Awareness Act, the Director shall develop and maintain a repository for the resources, tools, and public communications of the Agency that promote cybersecurity awareness.
(2) Requirements. The resources described in paragraph (1) shall be—
(A) made publicly available online; and
(B) regularly updated to ensure the public has access to relevant and timely cybersecurity awareness information.

Section 2202(c) of the Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended—
in paragraph (13), by striking "; and" and inserting a semicolon;
by redesignating paragraph (14) as paragraph (15); and
by inserting after paragraph (13) the following:
(14) lead and coordinate Federal efforts to promote national cybersecurity awareness; and

The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the item relating to section 2220E the following:
Sec. 2220F. Cybersecurity awareness campaigns.
Section 8
2220F. Cybersecurity Awareness Campaigns
(a) Definition. In this section, the term Campaign Program means the campaign program established under subsection (b)(1).
(b) Awareness Campaign Program.
(1) In general. Not later than 90 days after the date of enactment of the National Cybersecurity Awareness Act, the Director, in coordination with appropriate Federal agencies, shall establish a program for planning and coordinating Federal cybersecurity awareness campaigns.
(2) Activities. In carrying out the Campaign Program, the Director shall—
(A) inform non-Federal entities of voluntary cyber hygiene best practices, including information on how to—
(i) prevent cyberattacks; and
(ii) mitigate cybersecurity risks; and
(B) consult with private sector entities, State, local, Tribal, and territorial governments, academia, nonprofit organizations, and civil society—
(i) to promote cyber hygiene best practices and the importance of cyber skills, including by focusing on tactics that are cost effective and result in significant cybersecurity improvement, such as—
(I) maintaining strong passwords and the use of password managers;
(II) enabling multi-factor authentication, including phishing-resistant multi-factor authentication;
(III) regularly installing software updates;
(IV) using caution with email attachments and website links; and
(V) other cyber hygienic considerations, as appropriate;
(ii) to promote awareness of cybersecurity risks and mitigation with respect to malicious applications on internet-connected devices, including applications to control those devices or use devices for unauthorized surveillance of users;
(iii) to help consumers identify products that are designed to support user and product security, such as products designed using the Secure-by-Design and Secure-by-Default principles of the Agency or the Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products of the National Institute of Standards and Technology, published February 4, 2022 (or any subsequent version);
(iv) to coordinate with other Federal agencies, as determined appropriate by the Director, to—
(I) develop and promote relevant cybersecurity-related and cyber skills-related awareness activities and resources; and
(II) ensure the Federal Government is coordinated in communicating accurate and timely cybersecurity information;
(v) to expand nontraditional outreach mechanisms to ensure that entities, including low-income and rural communities, small and medium sized businesses and institutions, and State, local, Tribal, and territorial partners, receive cybersecurity awareness outreach in an equitable manner; and
(vi) to encourage participation in cyber workforce development ecosystems and to expand adoption of best practices to grow the national cyber workforce.
(3) Reporting.
(A) In general. Not later than 180 days after the date of enactment of the National Cybersecurity Awareness Act, and annually thereafter, the Director, in consultation with the heads of appropriate Federal agencies, shall submit to the appropriate congressional committees a report regarding the Campaign Program.
(B) Contents. Each report submitted pursuant to subparagraph (A) shall include—
(i) a summary of the activities of the Agency that support promoting cybersecurity awareness under the Campaign Program, including consultations made under paragraph (2)(B);
(ii) an assessment of the effectiveness of techniques and methods used to promote national cybersecurity awareness under the Campaign Program; and
(iii) recommendations on how to best promote cybersecurity awareness nationally.
(c) Cybersecurity campaign resources.
(1) In general. Not later than 180 days after the date of enactment of the National Cybersecurity Awareness Act, the Director shall develop and maintain a repository for the resources, tools, and public communications of the Agency that promote cybersecurity awareness.
(2) Requirements. The resources described in paragraph (1) shall be—
(A) made publicly available online; and
(B) regularly updated to ensure the public has access to relevant and timely cybersecurity awareness information.