[House Report 113-294] [From the U.S. Government Publishing Office] 113th Congress Report HOUSE OF REPRESENTATIVES 1st Session 113-294 ====================================================================== HOMELAND SECURITY CYBERSECURITY BOOTS-ON-THE-GROUND ACT _______ December 12, 2013.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. McCaul, from the Committee on Homeland Security, submitted the following R E P O R T [To accompany H.R. 3107] The Committee on Homeland Security, to whom was referred the bill (H.R. 3107) to require the Secretary of Homeland Security to establish cybersecurity occupation classifications, assess the cybersecurity workforce, develop a strategy to address identified gaps in the cybersecurity workforce, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. The amendment is as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Homeland Security Cybersecurity Boots- on-the-Ground Act''. SEC. 2. CYBERSECURITY OCCUPATION CLASSIFICATIONS, WORKFORCE ASSESSMENT, AND STRATEGY. (a) Cybersecurity Occupation Classifications.-- (1) In general.--Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security shall develop and issue comprehensive occupation classifications for individuals performing activities in furtherance of the cybersecurity mission of the Department of Homeland Security. (2) Applicability.--The Secretary of Homeland Security shall ensure that the comprehensive occupation classifications issued under paragraph (1) are used throughout the Department of Homeland Security and are made available to other Federal agencies. (b) Cybersecurity Workforce Assessment.-- (1) In general.--Not later than 180 days after the date of the enactment of this Act, the Secretary of Homeland Security, acting through the Chief Human Capital Officer and Chief Information Officer of the Department of Homeland Security, shall assess the readiness and capacity of the Department to meet its cybersecurity mission. (2) Contents.--The assessment required under paragraph (1) shall, at a minimum, include the following: (A) Information where cybersecurity positions are located within the Department of Homeland Security, specified in accordance with the cybersecurity occupation classifications issued under subsection (a). (B) Information on which cybersecurity positions are-- (i) performed by-- (I) permanent full time departmental employees, together with demographic information about such employees' race, ethnicity, gender, disability status, and veterans status; (II) individuals employed by independent contractors; and (III) individuals employed by other Federal agencies, including the National Security Agency; and (ii) vacant. (C) The number of individuals hired by the Department pursuant to the authority granted to the Secretary of Homeland Security in 2009 to permit the Secretary to fill 1,000 cybersecurity positions across the Department over a three year period, and information on what challenges, if any, were encountered with respect to the implementation of such authority. (D) Information on vacancies within the Department's cybersecurity supervisory workforce, from first line supervisory positions through senior departmental cybersecurity positions. (E) Information on the percentage of individuals within each cybersecurity occupation classification who received essential training to perform their jobs, and in cases in which such training is not received, information on what challenges, if any, were encountered with respect to the provision of such training. (F) Information on recruiting costs incurred with respect to efforts to fill cybersecurity positions across the Department in a manner that allows for tracking of overall recruiting and identifying areas for better coordination and leveraging of resources within the Department. (c) Workforce Strategy.-- (1) In general.--Not later than 180 days after the date of the enactment of this Act, the Secretary of Homeland Security shall develop a comprehensive workforce strategy that enhances the readiness, capacity, training, and recruitment and retention of the cybersecurity workforce of the Department of Homeland Security. (2) Contents.--The comprehensive workforce strategy developed under paragraph (1) shall include-- (A) a multiphased recruitment plan, including relating to experienced professionals, members of disadvantaged or underserved communities, the unemployed, and veterans; (B) a 5-year implementation plan; and (C) a 10-year projection of Federal workforce needs. (d) Information Security Training.--Not later than 270 days after the date of the enactment of this Act, the Secretary of Homeland Security shall establish and maintain a process to verify on an ongoing basis that individuals employed by independent contractors who serve in cybersecurity positions at the Department of Homeland Security receive initial and recurrent information security training comprised of general security awareness training necessary to perform their job functions, and role-based security training that is commensurate with assigned responsibilities. The Secretary shall maintain documentation to ensure that training provided to an individual under this subsection meets or exceeds requirements for such individual's job function. (e) Updates.--Together with the submission to Congress of annual budget requests, the Secretary of Homeland Security shall provide updates regarding the cybersecurity workforce assessment required under subsection (b), information on the progress of carrying out the comprehensive workforce strategy developed under subsection (c), and information on the status of the implementation of the information security training required under subsection (d). (f) GAO Study.--The Secretary of Homeland Security shall provide the Comptroller General of the United States with information on the cybersecurity workforce assessment required under subsection (a) and progress on carrying out the comprehensive workforce strategy developed under subsection (c). The Comptroller General shall submit to the Secretary, the Committee on Homeland Security of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate a study on such assessment and strategy. SEC. 3. CYBERSECURITY FELLOWSHIP PROGRAM. Not later than 120 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on the feasibility of establishing a Cybersecurity Fellowship Program to offer a tuition payment plan for undergraduate and doctoral candidates who agree to work for the Department of Homeland Security for an agreed-upon period of time. SEC. 4. DEFINITION. In this Act, the term ``cybersecurity mission'' means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, incident response, resiliency, and recovery activities to foster the security and stability of cyberspace. CONTENTS Page Purpose and Summary.............................................3 Background and Need for Legislation.............................3 Hearings........................................................4 Committee Consideration.........................................6 Committee Votes.................................................6 Committee Oversight Findings....................................7 New Budget Authority, Entitlement Authority, and Tax Expenditure7 Congressional Budget Office Estimate............................7 Statement of General Performance Goals and Objectives...........7 Duplicative Federal Programs....................................8 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits........................................................8 Federal Mandates Statement......................................8 Preemption Clarification........................................8 Disclosure of Directed Rule Makings.............................8 Advisory Committee Statement....................................8 Applicability to Legislative Branch.............................8 Section-by-Section Analysis of the Legislation..................8 Purpose and Summary The purpose of H.R. 3107 is to require the Secretary of Homeland Security to establish cybersecurity occupation classifications, assess the cybersecurity workforce, develop a strategy to address identified gaps in the cybersecurity workforce, and for other purposes. Background and Need for Legislation The Department of Homeland Security (DHS) is responsible for the prevention of, and defense against threats to United States cybersecurity. Such threats come in many forms and include threats to individuals, corporations, and the Government. The events of September 11, 2001, demonstrate that terrorist attacks on the homeland can occur in unconventional ways and result in unanticipated consequences to national security posture and economic vitality. The U.S. is fortunate enough to have an extensive cybersecurity workforce, and this workforce is the first line of defense that keeps Americans safe, secure, and free from many cyber attacks. However, gaps in this workforce still expose vulnerabilities in our Nation's ability to reduce cyber threats, deter and respond to incidents, and recover from cyberattacks. The Committee notes that the Government Accountability Office reported that more than one in five jobs at a key cybersecurity component within the Department are vacant. The Committee also notes that the cadre of professionals with cyber mission-critical skills is limited and Federal agencies have to compete among themselves and private sector employers for staffing. Recognizing this challenge, the Homeland Security Advisory Committee (HSAC) `Task Force on CyberSkills' issued a series of recommendations that include the adoption and maintenance an authoritative list of mission- critical cybersecurity tasks and the adoption of a sustainable model for assessing the competency and progress of the existing and future DHS mission-critical cybersecurity workforce. It is therefore necessary that DHS develop a comprehensive workforce assessment and strategy to address gaps in the Nation's cybersecurity workforce. The Committee believes that this strategy will enhance the readiness, capacity, training, and recruitment and retention of DHS's cybersecurity workforce. Legislation is required for DHS to develop such a workforce assessment and strategy, identify gaps in the cybersecurity workforce, provide information security training, and establish and encourage necessary coordination and collaboration across the Department. H.R. 3107, the Homeland Security Cybersecurity Boots-on-the-Ground Act, is bipartisan legislation developed from valuable input from stakeholders across government and industry. This bill provides four major provisions that will help identify gaps in the cybersecurity workforce. First, the bill directs DHS to develop and issue comprehensive occupation classifications for persons performing activities in furtherance of the Department's cybersecurity missions. Second, the bill requires the Secretary, acting through the Chief Human Capital Officer and Chief Information Officer of the Department, to assess the readiness and capacity of the Department to meet its cybersecurity mission. As a part of the assessment, the Department has to identify where positions are located, whether these positions are vacant, held by full-time employees, or contractors. Additionally, it requires the Department to report on the extent to which it has exercised special hiring authority to fill cyber positions. Third, the bill requires the Secretary to develop a comprehensive workforce strategy that enhances the readiness, capacity, training, and recruitment and retention of the Department's cybersecurity workforce. Finally, the bill requires the Secretary to establish and maintain a process to verify that individuals employed by independent contractors who serve in cybsersecurity positions at the Department receive initial and recurrent information security training. Hearings No hearings were held on H.R. 3107. However, the Committee held oversight hearings on programs and threats that are directly relevant to H.R. 3107. Those hearings are listed below. 112th Congress. The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing on April 15, 2011, entitled ``The DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure.'' The Subcommittee received testimony from Mr.Sean McGurk, Director, National Cybersecurity and Communications Integration Center, Department of Homeland Security; Mr.Gerry Cauley, President and CEO, North American Electric Reliability Corporation; Ms.Jane Carlin, Chair, Financial Services Sector Coordinating Council; and Mr.Edward Amoroso, Senior Vice President and Chief Security Officer, AT&T. On April 24, 2012, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``America is Under Cyber Attack: Why Urgent Action is Needed.'' The Subcommittee received testimony from Mr.Shawn Henry, Former Executive Assistant Director, Criminal, Cyber, Response, and Services Branch, Federal Bureau of Investigation, Department of Justice; Mr.James Lewis, Director and Senior Fellow, Technology and Public Policy Program, Center for Strategic and International Studies; Mr.Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office; Mr.Stuart McClure, Chief Technology Officer, McAfee; and Dr. Stephen E. Flynn, Founding Co- Director, George J. Kostas Research Institute for Homeland Security, Northeastern University. 113th Congress. On March 13, 2013, the Committee held a hearing entitled ``DHS Cybersecurity: Roles and Responsibilities to Protect the Nation's Critical Infrastructure.'' The Committee received testimony from Hon. Jane Holl Lute, Deputy Secretary, U.S. Department of Homeland Security; Mr. Anish B. Bhimani, Chairman, Financial Services Information Sharing and Analysis Center; Mr. Gary W. Hayes, Chief Information Officer, Centerpoint Energy; and Ms. Michelle Richardson, Legislative Counsel, American Civil Liberties Union. On May 16, 2013, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing entitled ``Facilitating Cyber Threat Information Sharing and Partnering with the Private Sector to Protect Critical Infrastructure: An Assessment of DHS Capabilities.'' The Subcommittee received testimony from Ms. Roberta Stempfley, Acting Assistant Secretary, Office of Cybersecurity and Communications, U.S. Department of Homeland Security; Mr. Larry Zelvin, Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security; and Mr. Charles K. Edwards, Acting Inspector General, U.S. Department of Homeland Security. On October 30, 2013, the Subcommittee on Emergency Preparedness, Response, and Communications and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a joint hearing entitled ``Cyber Incident Response: Bridging the Gap Between Cybersecurity and Emergency Management.'' The Subcommittee received testimony from Ms. Roberta Stempfley, Acting Assistant Secretary, Office of Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security; Mr. Charley English, Director, Georgia Emergency Management Agency, testifying on behalf of the National Emergency Management Association; Mr. Craig Orgeron, Chief Information Officer and Executive Director, Department of Information Technology Services, State of Mississippi, testifying on behalf of the National Association of State Chief Information Officers; Mr. Mike Sena, Deputy Director, Northern California Regional Intelligence Center, testifying on behalf of the National Fusion Center Association; and Mr. Paul Molitor, Assistant Vice President, National Electrical Manufacturers Association. Committee Consideration The Committee on Homeland Security met on October 29, 2013, to consider H.R. 3107, and ordered the measure to be reported to the House with a favorable recommendation by voice vote. The Committee took the following actions: The Committee agreed to H.R. 3107, as amended, by voice vote. The following amendments were offered: An Amendment in the Nature of a Substitute to H.R. 3107 offered by Ms. Clarke (#1); was AGREED TO, as amended, by voice vote. A unanimous consent request by Mr. McCaul to consider the Amendment in the Nature of a Substitute as base text for purposes of amendment was not objected to. An amendment to the Amendment in the Nature of a Substitute to H.R. 3107 offered by Ms. Jackson Lee (#1A); was WITHDRAWN by unanimous consent. Add at the end of paragraph (2) of section 2(b) the following: (G) Information on how many senior, mid- and entry level cybersecurity positions are filled by career Federal employees and how many are filled by contractors.; was WITHDRAWN by unanimous consent. An amendment to the Amendment in the Nature of a Substitute to H.R. 3107 offered by Ms. Jackson Lee (#1B); was AGREED TO by voice vote. Add at the end of section 2 a new subsection entitled ``(g) Cybersecurity Fellowship Program.'' An amendment to the Amendment in the Nature of a Substitute to H.R. 3107 offered by Mr. Keating (#1C); was AGREED TO by voice vote. In paragraph (2) of section 2(a), strike ``may be'' and insert ``are''. An amendment to the Amendment in the Nature of a Substitute to H.R. 3107 offered by Mr. Swalwell (#1D); was AGREED TO by voice vote. In subparagraph (A) of section 2(c)(1), insert before the semicolon at the end the following: ``, including relating to mid- career employees, members of economically disadvantaged or underserved communities, the unemployed, and veterans''. The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies met on September 18, 2013, to consider H.R. 3107, and reported the measure to the Full Committee with a favorable recommendation, amended, by voice vote. The Subcommittee took the following actions: The following amendments were offered: An en bloc amendment offered by Mr. Meehan (#1); was AGREED TO by voice vote. Consisting of the following amendments: In subparagraph (A) of section 2(c), strike ``and'' at the end. In section 2(c), redesignate subparagraph (B) as subparagraph (C). In section 2(c), insert after subparagraph (A) the following: (B) a five-year implementation plans; and In section 2, add at the end a new subsection entitled ``(f) GAO Study.'' Committee Votes Clause 3(b) of Rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during consideration of H.R. 3107. Committee Oversight Findings Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report. New Budget Authority, Entitlement Authority, and Tax Expenditures In compliance with clause 3(c)(2) of Rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 3107, the Homeland Security Cybersecurity Boots-on-the-Ground Act, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. Congressional Budget Office Estimate Pursuant to clause 3(c)(3) of Rule XIII of the Rules of the House of Representatives, a cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974 was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee. Statement of General Performance Goals and Objectives Pursuant to clause 3(c)(4) of Rule XIII of the Rules of the House of Representatives, H.R. 3107 contains the following general performance goals, and objectives, including outcome related goals and objectives authorized. The performance goals and objectives of H.R. 3107 are based on the development of a workforce assessment and strategy to improve and identify gaps in the DHS cybersecurity workforce. The goal of the workforce assessment required under H.R. 3107 is to help assess the readiness and capacity of the Department to meet its cybersecurity mission. The performance objective of the assessment is to provide information on vacancies within the Department's cybersecurity workforce, the percentage of cybersecurity individuals who received essential training to perform their jobs, and recruiting costs incurred with respect to efforts to fill cybersecurity positions across the Department. The goal of the workforce strategy required under H.R. 3107 is to enhance the readiness, capacity, training, and recruitment and retention of the cybersecurity workforce of the Department. The performance objective of this strategy is to develop a multi-phased recruitment plan, an implementation plan, and projection of Federal workforce needs as well as to provide information security training for independent contractors who serve in cybersecurity positions at the Department. The Congressional reports from DHS and GAO required by this Act will allow Congress to hold the Department accountable for the success or failure of its workforce assessment and strategy implementation. Duplicative Federal Programs The Committee finds that H.R. 3107 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits In compliance with Rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of the Rule XXI. Federal Mandates Statement An estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act was not made available to the Committee in time for the filing of this report. The Chairman of the Committee shall cause such estimate to be printed in the Congressional Record upon its receipt by the Committee. Preemption Clarification In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 3107 does not preempt any State, local, or Tribal law. Disclosure of Directed Rule Makings The Committee estimates that H.R. 3107 would require no directed rule makings. Advisory Committee Statement No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. Applicability to Legislative Branch The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. Section-by-Section Analysis of the Legislation Section 1. Short Title. This section provides that the bill may be cited as the ``Homeland Security Cybersecurity Boots-on-the-Ground-Act.'' Sec. 2. Cybersecurity Occupation Classifications, Workforce Assessment, and Strategy. (a) Cybersecurity Occupation Classifications. This subsection requires the Secretary to develop and issue comprehensive occupation classifications for persons performing activities in furtherance of the Department's cybersecurity missions. The Secretary shall ensure that the classifications are used throughout the Department and made available to other Federal agencies. These comprehensive classifications must be made no later than 90 days after the enactment of this Act. Based on extensive oversight, the Committee has found that there currently is no comprehensive occupation classification for the Department's cybsersecurity workforce. The Committee believes that the Department needs to provide necessary occupation classifications to better assess and develop a workforce strategy. TheCommittee intends that workforce occupation classifications are at the discretion of the Secretary so long as these classifications are consistent throughout the Department and made available to other Federal agencies. The Committee strongly encourages DHS to develop workforce categorizations that are consistent with those used by the public sector and other Federal agencies. The Committee furthermore strongly encourages DHS to implement workforce categorizations that are aligned to market-based salaried positions in order to attract and retain quality cybersecurity professionals. (b) Cybersecurity Workforce Assessment. This subsection requires the Secretary, acting through the Chief Human Capital Officer and Chief Information Officer of the Department, to assess the readiness and capacity of the Department to meet its cybersecurity mission. This assessment must be conducted no later than 180 days after the enactment of this Act. The assessment shall, at a minimum, include the following: Information where cybersecurity positions are located within the Department; information on which cybersecurity positions are performed by permanent full time departmental employees, individuals employed by independent contractors, and individuals employed by other Federal agencies; the number of individuals hired by the Department pursuant to the authority granted to the Secretary in 2009 to permit the Secretary to fill 1,000 cybersecurity positions over a three year period; information on vacancies within the Department's cybersecurity supervisory workforce; information on the percentage of individuals within each cybersecurity occupation classification who received essential training to perform their jobs; and information on recruiting costs incurred with respect to efforts to fill ybersecurity positions across the Department. The contents of the assessment prescribed are the minimum contents required. However, the Committee strongly encourages DHS to include other aspects necessary for effective assessment of the cybersecurity workforce. The Committee expects that each of the prescribed elements of the assessment be developed and published in sufficient detail in order to enable DHS to create and implement a workforce strategy described in subsection (c) and identify any gaps in the cybersecurity workforce. (c) Workforce Strategy. In this subsection, the contents of the workforce strategy are prescribed. This subsection requires the Secretary, not later than 180 days after the enactment of this Act, to develop a comprehensive workforce strategy that enhances the readiness, capacity, training, and recruitment and retention of the Department's cybersecurity workforce. This workforce strategy shall include a multiphased recruitment plan, a 5-year implementation plan, and a 10-year projection of Federal workforce needs. By including a specific timeframe, the Committee encourages DHS to address near-term, midterm, and long-term aspects of the plan. The workforce strategy is to be developed in a manner that is not constrained by fiscal resources to address both short-term and long-term strategies. The Committee furthermore expects DHS to write the strategy in an organized hierarchal manner structured around specified objectives, goals, and measures. The Committee also recognizes that strategies can change due to unforeseen circumstances, and encourages DHS to actively update and republish the strategy regularly as needed. (d) Information Security Training. This subsection sets forth the requirements for information security training of the cybersecurity workforce. It requires the Secretary to establish and maintain a process to verify that individuals employed by independent contractors who serve in cybsersecurity positions at the Department receive initial and recurrent information security training. The Committee believes that it is essential for the cybersecurity workforce to be properly trained in all areas necessary to protect cybersecurity. Such training is to include both general security awareness role-based security training. The Committee also believes that it is necessary for DHS to train all independent contractors so that the entire cybersecurity workforce, not just DHS employees, is adequately prepared to respond to or prevent threats and attacks. This subsection also requires that training include recurrent information training. It is the Committee's belief that recurrent training is necessary to ensure that the cybersecurity workforce is prepared to handle the continually changing nature of cyber threats and attacks. Lastly, this subsection requires that the Secretary shall maintain documentation to ensure that training provided to an individual meets or exceeds requirements for such individual's job function. (e) Updates. This subsection requires the Secretary to provide updates regarding the cybsersecurity workforce assessment, information on the progress of carrying out the comprehensive workforce strategy, and information on the status of the implementation of information security training. The Committee believes that updates are important to ensure development of the Department's cybersecurity workforce and to continually satisfy the workforce mission. The bill does not specify when updates must be given, and allows DHS flexibility in providing such information. However, the Committee believes that these updates are necessary to determine the progress and status of the implementation of the workforce assessment and strategy, as well as information security training. The Committee strongly encourages the Secretary to provide regular updates on a consistent basis. (f) GAO Study. This subsection requires the Secretary to provide the Comptroller General of the United States information on the cybersecurity workforce assessment and progress on carrying out the comprehensive workforce strategy developed. This subsection also requires the GAO to submit to the relevant Congressional committees a study on such assessment and strategies. The Committee's intent of this subsection is to direct GAO to gather data and evaluate DHS's workforce assessment and strategies. The Committee believes that the Department does not adequately meet its cybersecurity workforce needs and this independent assessment will inform the relevant Congressional committees of the Department's progress on addressing this issue. The GAO report will provide important inputs for continuing Congressional oversight and provide additional transparency for the American public. Sec. 3. Definition. In this section, the term ``cybersecurity mission'' is defined as activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, incident response, resiliency, and recovery activities to foster the security and stability of cyberspace. The Committee believes that determining the cybersecurity mission of the Department is essential to protecting critical infrastructure and developing a workforce that is able to prevent and respond to cyber threats and attacks. The purpose of defining cybsersecurity mission in this bill is to codify into statute the full range of activities necessary for the Department to fulfill when developing and assessing its cybersecurity workforce. Since this bill only addresses the workforce assessment and strategy of cybersecurity, it is the Committee's intent that the basic definition described in this section suffice for such purposes. However, the Committee recognizes that cybersecurity missions have a significantly broader role in cybersecurity protection and threat reduction and that the definition herein may not suffice for these broader purposes. Therefore, the Committee strongly encourages the Secretary to develop a set of effective and efficient Departmental processes for cybersecurity missions that define, designate, and support the broader cybersecurity and critical infrastructure protection mission. Sec. 4. Cybersecurity Fellowship Program. This section requires the Secretary to submit to the appropriate Congressional Committees a report on the feasibility of establishing a Cybersecurity Fellowship Program to offer a tuition payment plan for undergraduate and doctoral candidates who agree to work for the Department for an agreed- upon period of time. The Committee believes that, if feasible, a Cybersecurity Fellowship Program would help fill gaps in the cybersecurity workforce and provide recent graduates with career opportunities.