[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 438 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 438
To amend the Homeland Security Act of 2002 to provide for education and
training programs and resources of the Cybersecurity and Infrastructure
Security Agency of the Department of Homeland Security, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
February 5, 2025
Mr. Rounds (for himself and Mr. Peters) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to provide for education and
training programs and resources of the Cybersecurity and Infrastructure
Security Agency of the Department of Homeland Security, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Providing Individuals Various
Opportunities for Technical Training to Build a Skills-Based Cyber
Workforce Act of 2025'' or the ``Cyber PIVOTT Act of 2025''.
SEC. 2. CISA EDUCATION AND TRAINING PROGRAMS AND RESOURCES.
(a) In General.--Subtitle D of title XIII of the Homeland Security
Act of 2002 (Public Law 107-296; 116 Stat. 2298 et seq.) is amended by
adding at the end the following new section:
``SEC. 1334. CISA EDUCATION AND TRAINING PROGRAMS AND RESOURCES.
``(a) Definitions.--In this section:
``(1) Armed forces.--The term `Armed Forces' has the
meaning given the term `armed forces' in section 101 of title
10, United States Code.
``(2) Community college.--The term `community college' has
the meaning given the term in section 5002 of the William M.
(Mac) Thornberry National Defense Authorization Act for Fiscal
Year 2021 (15 U.S.C. 9401).
``(3) Cyber-relevant.--The term `cyber-relevant' means an
area of national security that would impact the cyber
resiliency of the United States, including relating to
operational technology, critical infrastructure, artificial
intelligence, quantum computing, security awareness, or
computer science.
``(4) Director.--The term `Director' means the Director of
the Cybersecurity and Infrastructure Security Agency.
``(5) Executive agency.--The term `Executive agency' has
the meaning given the term in section 105 of title 5, United
States Code.
``(6) Institution of higher education.--The term
`institution of higher education' has the meaning given the
term in section 101(a) of the Higher Education Act of 1965 (20
U.S.C. 1001(a)).
``(7) NICE cybersecurity workforce framework.--The term
`NICE Cybersecurity Workforce Framework' means the National
Initiative for Cybersecurity Education (NICE) Cybersecurity
Workforce Framework (NIST Special Publication 800-181, revision
1, published November 16, 2020).
``(8) Participating institution.--The term `participating
institution' means a community college, technical school, or
other institution of higher education offering 2-year programs
with which the Director has entered into a partnership or other
arrangement as described in subsection (b)(1)(A).
``(9) Program.--The term `Program' means the `Providing
Individuals Various Opportunities for Technical Training to
Build a Skills-Based Cyber Workforce Program' or the `PIVOTT
Program' established under subsection (b)(1).
``(10) Skills-based exercise.--The term `skills-based
exercise' means a condensed program lasting not less than 1 day
that focuses on practice and application, rather than research
and study.
``(11) Technical school.--The term `technical school' has
the meaning given the term in section 411.167 of title 20, Code
of Federal Regulations.
``(12) University-level educator.--The term `university-
level educator' means an educator that teaches at the level of
an institution of higher education.
``(b) Expanding Education and Training Programs and Resources to
Community Colleges, Technical Schools, and Other Institutions of Higher
Education Offering 2-Year Programs.--
``(1) Establishment of pivott program.--Not later than 1
year after the date of enactment of this subsection, the
Director shall establish a program--
``(A) under which the Director shall seek to enter
into partnerships or other arrangements with community
colleges, technical schools, and other institutions of
higher education offering 2-year programs to establish
educational and training programs and facilitate
internship and post-graduation Federal job
opportunities at participating institutions; and
``(B) that shall be known as the `Providing
Individuals Various Opportunities for Technical
Training to Build a Skills-Based Cyber Workforce
Program' or the `PIVOTT Program'.
``(2) Student qualifications.--
``(A) Eligibility.--The following categories of
students shall be eligible to participate in the
Program:
``(i) Students who are enrolled in but who
have not yet started a 2-year cyber or cyber-
relevant associate's degree program or
comparable technical certification, as
determined by the Director, at a participating
institution.
``(ii) Students who are currently enrolled
in their first semester of a 2-year cyber or
cyber-relevant associate's degree program or
comparable technical certification, as
determined by the Director, at a participating
institution.
``(iii) Students identified by the Director
who are eligible and qualified to enroll in a
2-year degree cyber or cyber-relevant
associate's degree program or comparable
technical certification at a participating
institution, such as individuals who are
pursuing a career change, have a high school
diploma or equivalent, or would be considered
entry-level employees.
``(iv) Students enrolled in technical
certifications at participating institutions
that are less than 2 years in duration but--
``(I) align with Tasks, Knowledge,
and Skills, as described in the NICE
Cybersecurity Workforce Framework; and
``(II) prepare students to serve in
Federal, State, local, Tribal, or
territorial government cyber or cyber-
relevant roles.
``(B) Scholarships.--The Secretary, acting through
the Director, shall provide students participating in
the Program with full tuition scholarships, including
academic fees, lab fees, travel, lodging, per diem,
stipends, internship costs, costs associated with
virtual participation, certification testing fees, and
any other expenses the Director determines necessary to
complete any requirement under the Program, including
for participation in 1 in-person skills-based exercise
in accordance with paragraph (4)(B), including travel,
lodging, meals, in-person or in-laboratory post-course
assessments fees, and other necessary expenses as
determined by the Director.
``(C) Service obligation.--
``(i) In general.--Each student who
participates in and completes the Program shall
fulfill a 2-year service obligation in a cyber
or cyber-relevant role, as described in the
NICE Cybersecurity Workforce Framework or the
Department of Defense Cyber Workforce
Framework, to advance the cyber mission of an
Executive agency or a State, local, Tribal, or
territorial government.
``(ii) Exception.--The service obligation
specified in clause (i) shall not apply to any
student who--
``(I) has completed a term of
service in the Armed Forces that is
equal to the service obligation
specified in clause (i);
``(II) is currently serving in the
Armed Forces; or
``(III) pursues service in the
Armed Forces in a cyber or cyber-
relevant role during or immediately
after the date on which the student
completes the Program.
``(iii) Delayed service.--Any student who,
immediately after the date on which the student
completes the Program, enrolls in a 4-year
degree program may complete the service
obligation specified in clause (i) after
receiving such 4-year degree.
``(D) Program completion timeline.--
``(i) In general.--Each student who
participates in the Program shall complete
participation in the Program not later than 4
years after the date on which the student
begins the Program, or pursuant to rules of the
relevant participating institution if such
rules are in effect at the time the student
begins such participation.
``(ii) Process for updated completion
timeline.--
``(I) Application for waiver.--Any
student who experiences extreme
hardship during participation in the
Program may submit to the Director an
application to waive the application of
the timeline specified in clause (i).
``(II) Determination.--The
Director, in consultation with the
appropriate participating institution,
shall determine on a case-by-case basis
whether a student who submits an
application for a waiver under
subclause (I) may be granted additional
time to complete the Program.
``(3) Institutional requirements.--A community college,
technical school, or other institution of higher education is
eligible to participate in the Program if the community
college, technical school, or institution of higher education
is--
``(A) a participant in the National Centers of
Academic Excellence in Cybersecurity program; or
``(B) determined eligible by the Director, taking
into consideration--
``(i) whether the virtual or in-person
course offerings of the community college,
technical school, or institution of higher
education align with career pathways, as
described in the NICE Cybersecurity Workforce
Framework; and
``(ii) the presence of a cybersecurity
clinic on campus.
``(4) Program components.--
``(A) In general.--In accordance with subparagraph
(C), students participating in the Program shall
complete a minimum of 4 eligible skills-based exercises
described in subparagraph (B).
``(B) Eligible skills-based exercises.--Eligible
skills-based exercises described in this subparagraph
may include the following:
``(i) Laboratory work.
``(ii) Competitions such as hackathons,
challenges, and capture the flag.
``(iii) Virtual programming.
``(iv) Table-top exercises.
``(v) Industry training workshops.
``(vi) Exercises in a box.
``(C) Provision.--
``(i) In general.--The Director shall
coordinate with participating institutions to
provide not fewer than 1 skills-based exercise
required under subparagraph (A) each semester.
``(ii) Student requirements.--Students
participating in the Program shall complete not
fewer than 1 of the 4 skills-based exercises
required under subparagraph (A) in person.
``(iii) Administration of exercises.--The
Director, in coordination with participating
institutions, shall offer not fewer than 1 in-
person skills-based exercise to Program
participants every 2 years.
``(iv) Coordination.--The Director shall
coordinate and may jointly offer the skills-
based exercises required under subparagraph (A)
with the following:
``(I) Other Federal agencies, such
as the Department of Defense, the
Federal Bureau of Investigation, the
National Security Agency, and the
Office of the National Cyber Director,
as appropriate.
``(II) Non-Federal entities with
cyber or cyber-relevant expertise,
including cybersecurity clinics.
``(v) Exception.--A student participating
in the Program who is unable to complete a
skills-based exercise required under
subparagraph (A) may submit to the
participating institution a proposal for a
comparable skills-based exercise, as determined
by the Director.
``(D) Internships.--
``(i) In general.--The Director and
participating institutions shall, as a core
requirement of the Program, coordinate with
appropriate entities to place students
participating in the Program in an approved
cyber or cyber-relevant internship, as
determined by the Director, with any of the
following:
``(I) A State, local, Tribal, or
territorial government entity.
``(II) A critical infrastructure
owner or operator that is located in a
rural community or is considered to be
a high-risk sector, as determined by
the Director.
``(III) A Federal department or
agency, including with the Regional
Security Advisors program of the
Cybersecurity and Infrastructure
Security Agency.
``(ii) Prioritization.--A student who has
communicated in writing to the Director or the
appropriate participating institution during
the internship placement process that the
student intends to serve in a Federal
Government position beyond the obligations of
the student under paragraph (2)(C) shall be
prioritized for Federal cyber internship
opportunities that require a security
clearance.
``(iii) Current federal employees.--The
Director shall coordinate with the heads of
appropriate Federal agencies to establish an
approved cyber or cyber-relevant internship
program for students participating in the
Program who are Federal employees.
``(iv) Security clearances.--The Director
shall take such actions as may be necessary to
begin, not later than 1 year before an
appropriate student under this subparagraph
completes participation in the Program, the
process to provide the student with an
appropriate security clearance.
``(5) Outreach initiatives.--
``(A) CISA.--
``(i) Responsibilities of director.--The
Director shall--
``(I) conduct regional outreach
initiatives, including at institutions
designated as National Centers of
Academic Excellence in Cybersecurity,
and provide informational materials
about the Program--
``(aa) at each regional
office of the Cybersecurity and
Infrastructure Security Agency;
and
``(bb) to industry partners
to promote the Program; and
``(II) seek to engage with industry
stakeholders to produce an annual
report--
``(aa) on industry-relevant
skills intended to inform the
skills-based exercises offered
under the Program; and
``(bb) that--
``(AA) may include
input from an advisory
committee, established
by the Director and
composed of university-
level educators; and
``(BB) shall be
submitted to the
Committee on Homeland
Security and
Governmental Affairs of
the Senate and the
Committee on Homeland
Security of the House
of Representatives not
later than 1 year after
the date of enactment
of this section, and
each year thereafter.
``(ii) FACA exemption.--Chapter 10 of title
5, United States Code, shall not apply to the
advisory committee established by the Director
under clause (i)(II)(bb)(AA).
``(B) Recruitment fair.--
``(i) In general.--Each fiscal year, the
Director, in coordination with the National
Cyber Director, shall host a voluntary Federal
Government recruitment fair that includes
Federal Government agency representatives who
seek to recruit for vacant cybersecurity
positions.
``(ii) Information regarding recruitment
fair.--The Director shall post information
regarding the recruitment fair required under
clause (i) on a dedicated website of the
Cybersecurity and Infrastructure Security
Agency.
``(iii) Hosting of recruitment fair.--Each
recruitment fair required under clause (i)--
``(I) may be hosted online or in-
person; and
``(II) shall be hosted at not fewer
than 5 participating institutions.
``(6) Program completion benefits.--
``(A) Database.--The Director, leveraging existing
educational content repositories, shall maintain an
online database that shall--
``(i) provide cyber training and education
resources, mapped to job roles set forth in the
NICE Cybersecurity Workforce Framework, and
information relating to Federal job
opportunities in cyber or cyber-relevant
fields; and
``(ii) be made available for access by, as
appropriate, students who have successfully
completed the Program.
``(B) Certification program.--
``(i) List of certification programs.--The
Director shall establish and update annually a
list of existing cyber certification programs
developed or offered by entities in the private
sector, academia, nonprofits, or other
institutions, as determined by the Director.
``(ii) Funding.--The Secretary, acting
through the Director, may fund, through
vouchers requested by a student participating
in the program, not more than 3 certifications
and associated certification examinations per
student from the list established under clause
(i), provided that any such student shall have
completed the Program and requested the voucher
not later than 10 years after the date on which
the student completed the Program.
``(C) Additional scholarship opportunities for
students who complete the program.--
``(i) In general.--The Director may select,
pursuant to an application process designed by
Director, not more than 10 students per year
who have completed the Program and have been
employed by the Federal Government for not less
than 7 years to be eligible for scholarships to
be applied to cyber or cyber-relevant degree
programs offered at institutions designated as
National Centers of Academic Excellence in
Cybersecurity.
``(ii) Amounts.--Scholarship amounts under
this subparagraph shall be determined by the
Director, subject to the availability of
appropriations for such purpose.
``(7) Terms of program scholarship.--
``(A) In general.--Except as provided in
subparagraph (B), a scholarship recipient under this
section shall be liable to the United States for
repayment of a scholarship awarded to the recipient as
provided under subsection (e) if the recipient--
``(i) fails to maintain an acceptable level
of academic standing at the participating
institution, as determined by the Director;
``(ii) is dismissed from the participating
institution for disciplinary reasons;
``(iii) withdraws from the eligible degree
program before completing the Program;
``(iv) declares that the recipient does not
intend to fulfill the post-award employment
obligation under this section; or
``(v) fails to maintain or fulfill the
post-graduation government service or post-
award obligations or requirements of such
recipient.
``(B) Exception.--The Director may, on a case-by-
case basis, exempt from liability for repayment a
scholarship awarded to a student who is participating
or has participated in the Program if the relevant
student--
``(i) enlists or commissions in the Armed
Forces prior to completion of the Program; or
``(ii) has a documented history of
demonstrated effort to secure a position with a
Federal, State, local, Tribal, or territorial
government within 2 years after the date on
which the student completes the Program but who
is not offered such a position.
``(c) Monitoring Compliance.--As a condition of participation in
the Program, a participating institution shall enter into an agreement
with the Director to monitor the compliance of recipients of
scholarships awarded under this section with respect to the post-award
employment obligations of such recipients.
``(d) Amount of Repayment.--If a circumstance described in
subsection (b)(7)(A) occurs before the completion of 1 year of a post-
scholarship employment obligation under this section, the total amount
of scholarship awards received by an individual under this section
shall--
``(1) be repaid to the Department immediately; or
``(2) be treated as a loan to be repaid in accordance with
subsection (e).
``(e) Repayments.--A loan referred to subsection (d)(2) shall--
``(1) be treated as a Federal Direct Unsubsidized Stafford
Loan under part D of title IV of the Higher Education Act of
1965 (20 U.S.C. 1087a et seq.); and
``(2) be subject to repayment, together with interest
thereon accruing from the date of the scholarship award, in
accordance with terms and conditions specified by the Secretary
(in consultation with the Secretary of Education) in
regulations promulgated to carry out this subsection.
``(f) Collection of Repayment.--
``(1) In general.--If a scholarship recipient is required
to repay a scholarship under this section--
``(A) the Secretary shall determine the repayment
amounts and notify such recipient of the amount owed;
and
``(B) the Secretary, or a participating institution
acting on behalf of the Secretary, shall collect such
amount within a period of time as determined by the
Secretary, or such amount shall be treated as a loan in
accordance with subsection (e).
``(2) Returned to the department.--Except as provided in
paragraph (3), any repayment under this subsection shall be
returned to the Department.
``(3) Retention of percentage.--
``(A) In general.--A participating institution may
retain a percentage of any repayment the participating
institution collects under this subsection to defray
administrative costs associated with the collection of
such repayment.
``(B) Percentage applicable.--The Secretary shall
establish a single, fixed percentage that participating
institutions may retain from repayments collected under
subparagraph (A) that shall be applicable to all
participating institutions.
``(g) Exceptions.--The Secretary may provide for the partial or
total waiver or suspension of any repayment obligation by a scholarship
recipient under this section if compliance by the scholarship recipient
with the repayment obligation is impossible or would involve extreme
hardship to the scholarship recipient.
``(h) Timeline for Implementation.--
``(1) In general.--The Director and participating
institutions shall seek to enroll in the Program, subject to
the availability of appropriations, not fewer than 250 students
for the first full academic year of the Program that begins 1
year after the date of the enactment of this section.
``(2) Growth of program.--Beginning with the second full
academic year of the Program, the Director and participating
institutions shall seek to enroll in the Program each full
academic year, subject to the availability of appropriations,
not fewer than double the number of students enrolled in the
immediately preceding full academic year until the number of
such students reaches 1,000 each full academic year.
``(3) Plan for 10,000 students.--
``(A) Development of plan.--Not later than 90 days
after the date of the enactment of this section, the
Director and participating institutions shall develop a
plan, subject to capacity and administrative
capabilities, to enroll by not later than 10 years
after the date of the establishment of the Program not
fewer than 10,000 students in the Program each academic
year.
``(B) Briefing.--The Director shall brief the
Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Homeland Security of
the House of Representatives regarding such plan.
``(i) Report on Enrollment Goals.--If the Director and
participating institutions fail in any academic year to meet the
minimum quota specified in paragraph (1) or (2), as the case may be, of
subsection (h), the Director shall brief the Committee on Homeland
Security and Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives not later than 30
days after the conclusion of that academic year.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135)
is amended by inserting after the item relating to section 1333 the
following new item:
``Sec. 1334. CISA education and training programs and resources.''.
(c) Review of CISA Education, Training Programs and Resources.--Not
later than 90 days after the date of enactment of this Act, the
Director of the Cybersecurity and Infrastructure Security Agency shall
submit to the Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Homeland Security of the House of
Representatives a review of the education and training programs of the
Cybersecurity and Infrastructure Security Agency, which shall evaluate
the cost, reach, and current demand of those programs, including
relating to any resource gaps in any of those programs.
(d) Promoting Cybercorps Scholarship for Service as a Gold Standard
Program.--The Secretary of Homeland Security shall submit to the
Committee on Homeland Security and Governmental Affairs and the
Committee on Commerce, Science, and Transportation of the Senate and
the Committee on Homeland Security and the Committee on Science, Space,
and Technology of the House of Representatives a report on current
support provided by the Department of Homeland Security to the
CyberCorps Scholarship for Service Program, including opportunities to
provide additional funding to the CyberCorps Scholarship for Service
Program under existing training and education programs of the
Department of Homeland Security.
<all>