[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 438 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 438
To amend the Homeland Security Act of 2002 to provide for education and
training programs and resources of the Cybersecurity and Infrastructure
Security Agency of the Department of Homeland Security, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
February 5, 2025
Mr. Rounds (for himself and Mr. Peters) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to provide for education and
training programs and resources of the Cybersecurity and Infrastructure
Security Agency of the Department of Homeland Security, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Providing Individuals Various
Opportunities for Technical Training to Build a Skills-Based Cyber
Workforce Act of 2025'' or the ``Cyber PIVOTT Act of 2025''.
SEC. 2. CISA EDUCATION AND TRAINING PROGRAMS AND RESOURCES.
(a) In General.--Subtitle D of title XIII of the Homeland Security
Act of 2002 (Public Law 107-296; 116 Stat. 2298 et seq.) is amended by
adding at the end the following new section:
``SEC. 1334. CISA EDUCATION AND TRAINING PROGRAMS AND RESOURCES.
``(a) Definitions.--In this section:
``(1) Armed forces.--The term `Armed Forces' has the
meaning given the term `armed forces' in section 101 of title
10, United States Code.
``(2) Community college.--The term `community college' has
the meaning given the term in section 5002 of the William M.
(Mac) Thornberry National Defense Authorization Act for Fiscal
Year 2021 (15 U.S.C. 9401).
``(3) Cyber-relevant.--The term `cyber-relevant' means an
area of national security that would impact the cyber
resiliency of the United States, including relating to
operational technology, critical infrastructure, artificial
intelligence, quantum computing, security awareness, or
computer science.
``(4) Director.--The term `Director' means the Director of
the Cybersecurity and Infrastructure Security Agency.
``(5) Executive agency.--The term `Executive agency' has
the meaning given the term in section 105 of title 5, United
States Code.
``(6) Institution of higher education.--The term
`institution of higher education' has the meaning given the
term in section 101(a) of the Higher Education Act of 1965 (20
U.S.C. 1001(a)).
``(7) NICE cybersecurity workforce framework.--The term
`NICE Cybersecurity Workforce Framework' means the National
Initiative for Cybersecurity Education (NICE) Cybersecurity
Workforce Framework (NIST Special Publication 800-181, revision
1, published November 16, 2020).
``(8) Participating institution.--The term `participating
institution' means a community college, technical school, or
other institution of higher education offering 2-year programs
with which the Director has entered into a partnership or other
arrangement as described in subsection (b)(1)(A).
``(9) Program.--The term `Program' means the `Providing
Individuals Various Opportunities for Technical Training to
Build a Skills-Based Cyber Workforce Program' or the `PIVOTT
Program' established under subsection (b)(1).
``(10) Skills-based exercise.--The term `skills-based
exercise' means a condensed program lasting not less than 1 day
that focuses on practice and application, rather than research
and study.
``(11) Technical school.--The term `technical school' has
the meaning given the term in section 411.167 of title 20, Code
of Federal Regulations.
``(12) University-level educator.--The term `university-
level educator' means an educator that teaches at the level of
an institution of higher education.
``(b) Expanding Education and Training Programs and Resources to
Community Colleges, Technical Schools, and Other Institutions of Higher
Education Offering 2-Year Programs.--
``(1) Establishment of pivott program.--Not later than 1
year after the date of enactment of this subsection, the
Director shall establish a program--
``(A) under which the Director shall seek to enter
into partnerships or other arrangements with community
colleges, technical schools, and other institutions of
higher education offering 2-year programs to establish
educational and training programs and facilitate
internship and post-graduation Federal job
opportunities at participating institutions; and
``(B) that shall be known as the `Providing
Individuals Various Opportunities for Technical
Training to Build a Skills-Based Cyber Workforce
Program' or the `PIVOTT Program'.
``(2) Student qualifications.--
``(A) Eligibility.--The following categories of
students shall be eligible to participate in the
Program:
``(i) Students who are enrolled in but who
have not yet started a 2-year cyber or cyber-
relevant associate's degree program or
comparable technical certification, as
determined by the Director, at a participating
institution.
``(ii) Students who are currently enrolled
in their first semester of a 2-year cyber or
cyber-relevant associate's degree program or
comparable technical certification, as
determined by the Director, at a participating
institution.
``(iii) Students identified by the Director
who are eligible and qualified to enroll in a
2-year degree cyber or cyber-relevant
associate's degree program or comparable
technical certification at a participating
institution, such as individuals who are
pursuing a career change, have a high school
diploma or equivalent, or would be considered
entry-level employees.
``(iv) Students enrolled in technical
certifications at participating institutions
that are less than 2 years in duration but--
``(I) align with Tasks, Knowledge,
and Skills, as described in the NICE
Cybersecurity Workforce Framework; and
``(II) prepare students to serve in
Federal, State, local, Tribal, or
territorial government cyber or cyber-
relevant roles.
``(B) Scholarships.--The Secretary, acting through
the Director, shall provide students participating in
the Program with full tuition scholarships, including
academic fees, lab fees, travel, lodging, per diem,
stipends, internship costs, costs associated with
virtual participation, certification testing fees, and
any other expenses the Director determines necessary to
complete any requirement under the Program, including
for participation in 1 in-person skills-based exercise
in accordance with paragraph (4)(B), including travel,
lodging, meals, in-person or in-laboratory post-course
assessments fees, and other necessary expenses as
determined by the Director.
``(C) Service obligation.--
``(i) In general.--Each student who
participates in and completes the Program shall
fulfill a 2-year service obligation in a cyber
or cyber-relevant role, as described in the
NICE Cybersecurity Workforce Framework or the
Department of Defense Cyber Workforce
Framework, to advance the cyber mission of an
Executive agency or a State, local, Tribal, or
territorial government.
``(ii) Exception.--The service obligation
specified in clause (i) shall not apply to any
student who--
``(I) has completed a term of
service in the Armed Forces that is
equal to the service obligation
specified in clause (i);
``(II) is currently serving in the
Armed Forces; or
``(III) pursues service in the
Armed Forces in a cyber or cyber-
relevant role during or immediately
after the date on which the student
completes the Program.
``(iii) Delayed service.--Any student who,
immediately after the date on which the student
completes the Program, enrolls in a 4-year
degree program may complete the service
obligation specified in clause (i) after
receiving such 4-year degree.
``(D) Program completion timeline.--
``(i) In general.--Each student who
participates in the Program shall complete
participation in the Program not later than 4
years after the date on which the student
begins the Program, or pursuant to rules of the
relevant participating institution if such
rules are in effect at the time the student
begins such participation.
``(ii) Process for updated completion
timeline.--
``(I) Application for waiver.--Any
student who experiences extreme
hardship during participation in the
Program may submit to the Director an
application to waive the application of
the timeline specified in clause (i).
``(II) Determination.--The
Director, in consultation with the
appropriate participating institution,
shall determine on a case-by-case basis
whether a student who submits an
application for a waiver under
subclause (I) may be granted additional
time to complete the Program.
``(3) Institutional requirements.--A community college,
technical school, or other institution of higher education is
eligible to participate in the Program if the community
college, technical school, or institution of higher education
is--
``(A) a participant in the National Centers of
Academic Excellence in Cybersecurity program; or
``(B) determined eligible by the Director, taking
into consideration--
``(i) whether the virtual or in-person
course offerings of the community college,
technical school, or institution of higher
education align with career pathways, as
described in the NICE Cybersecurity Workforce
Framework; and
``(ii) the presence of a cybersecurity
clinic on campus.
``(4) Program components.--
``(A) In general.--In accordance with subparagraph
(C), students participating in the Program shall
complete a minimum of 4 eligible skills-based exercises
described in subparagraph (B).
``(B) Eligible skills-based exercises.--Eligible
skills-based exercises described in this subparagraph
may include the following:
``(i) Laboratory work.
``(ii) Competitions such as hackathons,
challenges, and capture the flag.
``(iii) Virtual programming.
``(iv) Table-top exercises.
``(v) Industry training workshops.
``(vi) Exercises in a box.
``(C) Provision.--
``(i) In general.--The Director shall
coordinate with participating institutions to
provide not fewer than 1 skills-based exercise
required under subparagraph (A) each semester.
``(ii) Student requirements.--Students
participating in the Program shall complete not
fewer than 1 of the 4 skills-based exercises
required under subparagraph (A) in person.
``(iii) Administration of exercises.--The
Director, in coordination with participating
institutions, shall offer not fewer than 1 in-
person skills-based exercise to Program
participants every 2 years.
``(iv) Coordination.--The Director shall
coordinate and may jointly offer the skills-
based exercises required under subparagraph (A)
with the following:
``(I) Other Federal agencies, such
as the Department of Defense, the
Federal Bureau of Investigation, the
National Security Agency, and the
Office of the National Cyber Director,
as appropriate.
``(II) Non-Federal entities with
cyber or cyber-relevant expertise,
including cybersecurity clinics.
``(v) Exception.--A student participating
in the Program who is unable to complete a
skills-based exercise required under
subparagraph (A) may submit to the
participating institution a proposal for a
comparable skills-based exercise, as determined
by the Director.
``(D) Internships.--
``(i) In general.--The Director and
participating institutions shall, as a core
requirement of the Program, coordinate with
appropriate entities to place students
participating in the Program in an approved
cyber or cyber-relevant internship, as
determined by the Director, with any of the
following:
``(I) A State, local, Tribal, or
territorial government entity.
``(II) A critical infrastructure
owner or operator that is located in a
rural community or is considered to be
a high-risk sector, as determined by
the Director.
``(III) A Federal department or
agency, including with the Regional
Security Advisors program of the
Cybersecurity and Infrastructure
Security Agency.
``(ii) Prioritization.--A student who has
communicated in writing to the Director or the
appropriate participating institution during
the internship placement process that the
student intends to serve in a Federal
Government position beyond the obligations of
the student under paragraph (2)(C) shall be
prioritized for Federal cyber internship
opportunities that require a security
clearance.
``(iii) Current federal employees.--The
Director shall coordinate with the heads of
appropriate Federal agencies to establish an
approved cyber or cyber-relevant internship
program for students participating in the
Program who are Federal employees.
``(iv) Security clearances.--The Director
shall take such actions as may be necessary to
begin, not later than 1 year before an
appropriate student under this subparagraph
completes participation in the Program, the
process to provide the student with an
appropriate security clearance.
``(5) Outreach initiatives.--
``(A) CISA.--
``(i) Responsibilities of director.--The
Director shall--
``(I) conduct regional outreach
initiatives, including at institutions
designated as National Centers of
Academic Excellence in Cybersecurity,