The Cybersecurity Enhancement Act of 2009, also known as HR 4061, requires each agency in the US federal government to develop and implement a cybersecurity R&D plan. Each plan must specify a set of objectives to be addressed in the short, medium, and long term. Outside stakeholders must be involved, and an implementation roadmap must detail the levels of funding required to meet each objective.
Other requirements include a presidential report on the federal government's cybersecurity workforce needs, to help outline the skills needed by the government to bolster cybersecurity.
According to the Office of Management and Budget, federal agencies spend $6bn annually on cybersecurity to protect a $72bn IT infrastructure. In addition, "the Federal government funds $356 million in cybersecurity research each year," said the House Committee on Science and Technology in a statement. "Despite this spending, the Government Accountability Office continually says the U.S. IT infrastructure is vulnerable to attack and the Federal agencies tasked with its protection are not fulfilling their responsibilities."
Of particular significance is the emphasis on public–private partnership, which was a key element outlined in the Obama administration's cybersecurity review, published last year. The legislation calls for a university–industry task force to address public–private research partnerships in cybersecurity, and also demands that each agency's cybersecurity plan detail how near-term objectives complement R&D in the private sector.
Under the legislation, the National Institute for Science and Technology (NIST) will develop a cybersecurity awareness and education plan, along with a plan to co-ordinate the US government's role in international cybersecurity technical standards development.