There really is quite a bit in this, related to both freedom as well as more practical security aspects. It includes security standards, exploit definition languages, security professional licensing, DNSSEC, IANA, government software acquisition, and of course the President's shutdown authority which everyone has been commenting about. You should really read the bill for yourself.

NIST and security responsibilities (pg 17)

In section 6, NIST is given responsibility to develop security metrics, measuring the risk from a "prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities" (including embedded, or so they say). Section 6 goes on:
(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE
The Institute shall establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

(5) STANDARD SOFTWARE CONFIGURATION
The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

(6) VULNERABILITY SPECIFICATION LANGUAGE
The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real

(7) NATIONAL COMPLIANCE STANDARDS FOR ALL SOFTWARE
(A) Protocol.—The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks [...]
Licensing for security professionals contracting to the federal government (pg 21)

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL
Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cy-
(b) MANDATORY LICENSING
Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.
IANA (pg 22)

SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.
(a) IN GENERAL
No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel—
(1) has reviewed the action;
(2) considered the commercial and national security implications of the action; and
(3) approved the action.
DNSSEC (pg 23)

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
(a) IN GENERAL
Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing
PUBLIC-PRIVATE CLEARINGHOUSE (pg 39)

SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.
The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal government and private sector owned critical infrastructure information systems and networks.
The Secretary of Commerce
(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting
President's authority (pg 43)

SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.
(1) within 1 year after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network;
(Non) Definition of critical infrastructure network (pg 50)

(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS
The term Federal government and United States critical infrastructure information systems and networks includes
(A) Federal Government information systems and networks; and
(B) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and net-
FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD (pg 49)

SEC. 22. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD.
There is established a Secure Products and Services Acquisitions Board. The Board shall be responsible for cybersecurity review and approval of high value products and services acquisition and, in coordination with the National Institute of Standards and Technology, for the establishment of appropriate standards for the validation of software to be acquired by the