The IT Law Wiki


Cyber Security Research and Development Act of 2002, Pub. L. No. 107-305, 116 Stat. 2367 (Nov. 27, 2002) (full-text), codified at 15 U.S.C. §§278g, h, §7401 et seq.


The Act allocates funding to the National Institute of Standards and Technology (NIST) and the National Science Foundation (NSF) to create more secure cyber technologies, expand cybersecurity R&D, and improve the cybersecurity workforce.

The law called for significantly increased Federal investment in computer and network security R&D to improve vulnerability assessment and technology and systems solutions; expand and improve the pool of information security professionals, including researchers, in the U.S. workforce; and better coordinate information sharing and collaboration among industry, government, and academic research projects.

The Act also calls for basic research on innovative approaches to the structure of computer and network hardware and software that are aimed at enhancing computer security. Cited research areas include:

The Act established a means of enhancing basic R&D related to improving the cybersecurity of CIKR.

Application to cybersecurity[]

A commonly expressed concern about federal research and development (R&D) relating to cybersecurity has been that it is insufficiently coordinated and prioritized, and focuses too little on understanding of fundamental principles and using them to develop transformational technologies. The George W. Bush Administration attempted to address the latter gap through the "leap-ahead" technology component of the Comprehensive National Cybersecurity Initiative.[1] The Obama Administration's policy review[2] also called for expanded, transformational research.

Concerns have also been raised about the need to improve the process by which NIST creates checklists and other guidance and technical standards for federal IT systems.[3]