[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4258 Introduced in House (IH)]
<DOC>
117th CONGRESS
1st Session
H. R. 4258
To establish a governmentwide approach to improving digital identity,
and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 30, 2021
Mr. Foster (for himself, Mr. Katko, Mr. Langevin, and Mr. Loudermilk)
introduced the following bill; which was referred to the Committee on
Oversight and Reform, and in addition to the Committee on Science,
Space, and Technology, for a period to be subsequently determined by
the Speaker, in each case for consideration of such provisions as fall
within the jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To establish a governmentwide approach to improving digital identity,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Improving Digital Identity Act of
2021''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) The lack of an easy, affordable, and reliable way for
organizations, businesses, and government agencies to identify
whether an individual is who they claim to be online creates an
attack vector that is widely exploited by adversaries in
cyberspace, and precludes many high-value transactions from
being available online.
(2) Incidents of identity theft and identity fraud continue
to rise in the United States, where more than 164,000,000
consumer records containing personally identifiable information
were breached in 2019, increasing the total number of data
breaches by 17 percent from the previous year.
(3) In 2019, losses resulting from identity fraud amounted
to $16,900,000,000.
(4) In 2019, the Director of the Treasury Department
Financial Crimes Enforcement Network stated, ``The abuse of
personally identifiable information, and other building blocks
of identity, is a key enabler behind much of the fraud and
cybercrime affecting our nation today.''.
(5) Trustworthy digital identity solutions can help under-
banked and unbanked individuals better access to digital
financial services through innovative delivery channels that
promote financial inclusion.
(6) The inadequacy of current digital identity solutions
degrades security and privacy for all Americans, and next
generation solutions are needed that improve both security and
privacy.
(7) Government entities, as authoritative issuers of
identity in the United States, are uniquely positioned to
deliver critical components that address deficiencies in our
digital identity infrastructure and augment private sector
digital identity and authentication solutions.
(8) State governments are particularly well suited to play
a role in enhancing digital identity solutions used by both the
public and private sectors, given the role of State governments
as the issuers of driver's licenses and other identity
documents commonly used today.
(9) The private sector drives much of the innovation around
digital identity in the United States and has an important role
to play in delivering digital identity solutions.
(10) The 2016 bipartisan Commission on Enhancing National
Cybersecurity called for the Federal Government to ``create an
interagency task force directed to find secure, user-friendly,
privacy-centric ways in which agencies can serve as one
authoritative source to validate identity attributes in the
broader identity market. This action would enable government
agencies and the private sector to drive significant risk out
of new account openings and other high-risk, high-value online
services, and it would help all citizens more easily and
securely engage in transactions online''.
(11) The public and private sectors should collaborate to
deliver solutions that promote confidence, privacy, choice, and
innovation.
(12) It should be the policy of the Government to use the
authorities and capabilities of the Government to enhance the
security, reliability, privacy, and convenience of digital
identity solutions that support and protect transactions
between individuals, government entities, and businesses, and
that enable Americans to prove who they are online.
SEC. 3. IMPROVING DIGITAL IDENTITY TASK FORCE.
(a) Establishment.--There is established in the Executive Office of
the President a task force to be known as the ``Improving Digital
Identity Task Force'' (in this section referred to as the ``Task
Force'').
(b) Purpose.--The purpose of the Task Force is to establish a
governmentwide effort to develop secure methods for Federal, State, and
local agencies to validate identity attributes to protect the privacy
and security of individuals and support reliable, interoperable digital
identity verification in the public and private sectors.
(c) Director.--The Task Force shall have a Director who shall be
appointed by the President.
(d) Membership.--The Task Force shall include the following
individuals or the designees of such individuals:
(1) Federal government membership.--
(A) The Secretary of the Treasury.
(B) The Secretary of Homeland Security.
(C) The Secretary of State.
(D) The Secretary of Education.
(E) The Director of the Office of Management and
Budget.
(F) The Commissioner of the Social Security
Administration.
(G) The Director of the National Institute of
Standards and Technology.
(H) The Administrator of General Services.
(I) The heads of other Federal agencies and offices
who the President may designate or invite.
(2) State government membership.--The Task Force shall
include 5 State government officials who represent State
agencies that issue identity credentials and who have knowledge
of the systems used to provide such credentials. Such officials
shall include the following:
(A) A member appointed by the Speaker of the House
of Representatives, in consultation with the Chairman
of the Committee on Oversight and Reform and the
Chairman of the Committee on Homeland Security of the
House of Representatives.
(B) A member appointed by the minority leader of
the House of Representatives, in consultation with the
Ranking Member of the Committee on Oversight and Reform
and the Ranking Member of the Committee on Homeland
Security of the House of Representatives.
(C) A member appointed by the majority leader of
the Senate, in consultation with the Chairman of the
Committee on Homeland Security and Governmental Affairs
of the Senate.
(D) A member appointed by the minority leader of
the Senate, in consultation with the Ranking Member of
the Committee on Homeland Security and Governmental
Affairs of the Senate.
(E) A member appointed by the President.
(3) Local government membership.--The Task Force shall
include 5 local government officials who represent local
agencies that issue identity credentials and who have knowledge
of the systems used to provide such credentials. Such officials
shall include the following:
(A) A member appointed by the Speaker of the House
of Representatives, in consultation with the Chairman
of the Committee on Oversight and Reform and Chairman
of the Committee on Homeland Security of the House of
Representatives.
(B) A member appointed by the minority leader of
the House of Representatives, in consultation with the
Chairman of the Committee on Oversight and Reform and
the Chairman of the Committee on Homeland Security of
the House of Representatives.
(C) A member appointed by the majority leader of
the Senate, in consultation with the Chairman of the
Committee on Homeland Security and Governmental Affairs
of the Senate.
(D) A member appointed by the minority leader of
the Senate, in consultation with the Ranking Member of
the Committee on Homeland Security and Governmental
Affairs of the Senate.
(E) A member appointed by the President.
(e) Meetings.--The Task Force shall convene at the call of the
Director.
(f) Duties.--The Task Force shall--
(1) identify Federal, State, and local agencies that issue
identity information or hold information related to identifying
an individual;
(2) assess restrictions with respect to the abilities of
such agencies to verify identity information for other agencies
and for nongovernmental organizations;
(3) assess any necessary changes in statute, regulation, or
policy to address any restrictions determined under paragraph
(2);
(4) recommend a standards-based architecture to enable
agencies to provide services related to digital identity
verification in a way that is secure, protects privacy, and is
rooted in consumer consent;
(5) identify funding or resources needed to support such
agencies that provide digital identity verification, including
a recommendation with respect to additional funding required
for the grant program under section 5;
(6) determine whether it would be practicable for such
agencies to use a fee-based model to provide digital identity
verification to private sector entities;
(7) determine if any additional steps are necessary with
respect to Federal, State, and local agencies to improve
digital identity verification and management processes for the
purpose of enhancing the security, reliability, privacy, and
convenience of digital identity solutions that support and
protect transactions between individuals, government entities,
and businesses;
(8) assess risks related to potential criminal exploitation
of digital identity verification services;
(9) evaluate the security, effectiveness, and benefits of a
digital identity as compared to legacy physical identity
verification; and
(10) to the extent practicable, seek input from and
collaborate with interested parties in the private sector to
carry out the purpose under subsection (b).
(g) Recommendations.--Not later than 180 days after the date of the
enactment of this Act, the Task Force shall publish a report on the
activities of the Task force, including recommendations on--
(1) priorities for research and development in the systems
that enable digital identity verification, including how such
priorities can be executed; and
(2) the standards-based architecture developed pursuant to
subsection (f)(4).
SEC. 4. DIGITAL IDENTITY FRAMEWORK.
(a) Establishment of a Framework.--Not later than 1 year after the
date of the enactment of this Act, the Director of the National
Institute of Standards and Technology (in this section referred to as
the ``Director'') shall develop and periodically update a framework of
standards, methodologies, procedures, and processes (in this section
referred to as the ``Framework'') as a guide for Federal, State, and
local governments to follow when providing services to support digital
identity verification.
(b) Consideration.--In developing the Framework, the Director shall
consider--
(1) methods to protect the privacy of individuals;
(2) security needs; and
(3) the needs of potential end-users and individuals that
will use services related to digital identity verification.
(c) Consultation.--In carrying out subsection (a) the Director
shall consult with--
(1) the Improving Digital Identity Task Force established
under section 3;
(2) potential end-users and individuals that will use
services related to digital identity verification; and
(3) experts with relevant experience in the systems that
enable digital identity verification, as determined by the
Director.
(d) Interim Publication.--Not later than 240 days after the date of
the enactment of this Act, the Director shall publish an interim
version of the Framework.
(e) Final Publication.--Not later than 1 year after the date of
enactment of this Act, the Director shall publish a final version of
the Framework.
(f) Updates to the Framework.--The Director shall, from time to
time, update the Framework, with consideration given to--
(1) feedback from Federal, State, and local agencies that
provide services related to digital identity verification; and
(2) any technological changes to the systems that enable
digital identity verification.
(g) Authorization of Appropriations.--There is authorized to be
appropriated to the Secretary of Commerce $10,000,000 for each of
fiscal years 2022 through 2026 to carry out this Act.
SEC. 5. DIGITAL IDENTITY INNOVATION GRANTS.
(a) Establishment.--Not later than 18 months after the date of the
enactment of this Act, the Secretary of Homeland Security (in this
section referred to as the ``Secretary'') shall award grants to States
to upgrade systems that provide drivers' licenses or other types of
identity credentials to support the development of highly secure,
interoperable State systems that enable digital identity verification.
(b) Use of Funds.--A State that receives a grant under this section
shall use--
(1) grant funds for services related to digital identity
verification using the Framework developed pursuant to section
4; and
(2) not less than 10 percent of grant funds to provide
services that assist individuals with obtaining identity
credentials or identity verification services needed to obtain
a digital driver's license or digital State identity card.
(c) Authorization of Appropriations.--There is authorized to be
appropriated to the Secretary such sums as may be necessary to carry
out this section.
SEC. 6. REPORT AND RECOMMENDATION ON THE USE OF SOCIAL SECURITY NUMBERS
BY NONGOVERNMENTAL ORGANIZATIONS.
Not later than 1 year after the date of the enactment of this Act,
the Comptroller General of the United States shall submit to the
Committees on Ways and Means and Financial Services of the House of
Representatives and the Committee on Finance of the Senate a report
that includes the following:
(1) An analysis of legal and regulatory requirements with
respect to the collection and retention of Social Security
numbers by nongovernmental organizations.
(2) A recommendation on the necessity and effectiveness of
any legal and regulatory requirement analyzed pursuant to
paragraph (1) and the use of a form of identification other
than a Social Security number.
SEC. 7. SECURITY ENHANCEMENTS TO FEDERAL SYSTEMS.
(a) Directives for Federal Agencies.--Not later than 6 months after
the date of the enactment of this Act, the Secretary of Homeland
Security shall issue binding operational directives to Federal agencies
for purpose of implementing--
(1) the guidelines published by the National Institute of
Standards and Technology in ``Special Publication 800-63''
(commonly referred to as the ``Digital Identity Guidelines'');
and
(2) the memorandum of the Office of Management and Budget
issued on May 21, 2019, which includes the subject ``Enabling
Mission Delivery through Improved Identity, Credential, and
Access Management''.
(b) Reports.--
(1) Federal agency reports.--Not later than 1 year after
the date of the enactment of this Act, the head of each Federal
agency shall submit to the Secretary of Homeland Security a
report on the efforts of each such Federal agency to implement
the directives issued pursuant to subsection (a).
(2) Report to congress.-- Not later than 2 years after the
date of the enactment of this Act, the Secretary of Homeland
Security shall submit a report summarizing the efforts from the
reports submitted pursuant to paragraph (1) to the following:
(A) The Committee on Homeland Security of the House
of Representatives.
(B) The Committee on Oversight and Reform of the
House of Representatives.
(C) The Committee on Homeland Security and
Governmental Affairs of the Senate.
SEC. 8. DEFINITIONS.
For purposes of this Act:
(1) Digital identity verification.--The term ``digital
identity verification'' means a process to verify the identity
of an individual accessing a service online or through another
electronic means.
(2) Identity credential.--The term ``identity credential''
means a document or other evidence of the identity of an
individual issued by a government agency that conveys the
identity of the individual, including a driver's license or
passport.
<all>