[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4259 Introduced in House (IH)]
117th CONGRESS
1st Session
H. R. 4259
To direct the Secretary of Commerce, acting through the Director of the
National Institute of Standards and Technology, to direct the Institute
to establish a robust program focusing on driving improvements in
America's cybersecurity posture by creating more robust digital
identity management standards and guidelines.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 30, 2021
Mr. Foster (for himself and Ms. Wexton) introduced the following bill;
which was referred to the Committee on Science, Space, and Technology
_______________________________________________________________________
A BILL
To direct the Secretary of Commerce, acting through the Director of the
National Institute of Standards and Technology, to direct the Institute
to establish a robust program focusing on driving improvements in
America's cybersecurity posture by creating more robust digital
identity management standards and guidelines.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Strengthening Digital Identity Act
of 2021''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) NIST's work in identity research and standards is
unmatched anywhere in the world, with global standards
development organizations like the Financial Action Task Force
(FATF) pointing to NIST guidance in its own standards. Given
that adversaries continue to exploit weaknesses in digital
identity systems to conduct successful cyber-attacks,
additional NIST resources are needed to help government and
industry secure identity in cyberspace.
(2) The lack of an easy, affordable, and reliable way for
organizations and businesses to identify whether an individual
is who they claim to be online creates an attack vector that is
widely exploited by adversaries in cyberspace and precludes
many high value transactions from being available online.
(3) According to the identity theft resource center,
incidents of identity theft and identity fraud continue to rise
in the United States, where more than 164,000,000 consumer
records containing personally identifiable information were
breached in 2019, increasing the total number of data breaches
by 17 percent from the previous year.
(4) According to the Insurance Information Institute, in
2018, losses resulting from identity fraud amounted to
$16,800,000,000.
(5) The inadequacy of current digital identity solutions
degrades security and privacy for all Americans, and next
generation solutions are needed that improve both security and
privacy.
(6) Government entities, as authoritative issuers of
identity in the United States, are uniquely positioned to
deliver critical components that address deficiencies in our
digital identity infrastructure and augment private sector
digital identity and authentication solutions.
(7) State governments are particularly well suited to play
a role in enhancing digital identity solutions used by both the
public and private sectors, given the role of State governments
as the issuers of driver's licenses and other identity
documents commonly used today.
(8) It should be the policy of the Government to use the
authorities and capabilities of the Government to enhance the
security, reliability, privacy, and convenience of digital
identity solutions that support and protect transactions
between individuals, government entities, and businesses, and
that enable Americans to prove who they are online.
SEC. 3. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
Section 504 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C.
7464) is amended to read as follows:
``SEC. 504. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
``(a) In General.--The Director shall administer a program to
support the development of voluntary and cost-effective technical
standards, metrology, testbeds, and conformance criteria, taking into
account appropriate user concerns--
``(1) to improve interoperability among identity management
technologies;
``(2) to strengthen identity proofing and authentication
methods used in identity management systems;
``(3) to improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
``(4) to improve the usability and inclusivity of identity
management systems.
``(b) Digital Identity Technical Roadmap.--The Director, in
consultation with other relevant Federal agencies and stakeholders from
the private sector, shall develop, implement, and maintain a technical
roadmap for identity management research and the development of
standards and guidelines focused on enabling the use and adoption of
modern digital identity solutions that align with the four criteria in
subsection (a). This roadmap and any subsequent updates shall be made
public.
``(c) Activities.--In carrying out the program described under
subsection (a), the Director shall give consideration to activities
that--
``(1) accelerate the development, in collaboration with the
private sector, of standards that address interoperability and
portability of digital identity solutions;
``(2) addresses gaps in current private-sector-led identity
management research and development and standards work, both
for consumer-focused and enterprise-focused identity
management;
``(3) advances the development of conformance testing
performed by the private sector in support of digital identity
standardization;
``(4) addresses challenges with inclusivity of existing
digital identity and identity management tools; and
``(5) support, in consultation with other relevant Federal
agencies and stakeholders from the private sector, the
development of appropriate security frameworks and reference
materials, and the identification of best practices, for use by
Federal agencies and the private sector to address security and
privacy requirements to enable the use and adoption of digital
identity services.''.
SEC. 4. DIGITAL IDENTITY FRAMEWORK.
(a) Establishment of a Framework.--Not later than 1 year after the
date of the enactment of this Act, the Director shall develop and
periodically update a framework of standards, methodologies,
procedures, and processes (in this section referred to as the
``Framework'') as a guide for Federal, State, and local governments to
follow when providing services to support digital identity
verification.
(b) Consideration.--In developing the Framework, the Director shall
consider--
(1) methods to protect the privacy of individuals;
(2) security needs; and
(3) the needs of potential end-users and individuals that
will use services related to digital identity verification.
(c) Consultation.--In carrying out subsection (a) the Director
shall consult with--
(1) Federal and State agencies;
(2) potential end-users and individuals that will use
services related to digital identity verification; and
(3) experts with relevant experience in the systems that
enable digital identity verification, as determined by the
Director.
(d) Interim Publication.--Not later than 240 days after the date of
the enactment of this Act, the Director shall publish an interim
version of the Framework.
(e) Authorization of Appropriations.--There is authorized to be
appropriated to the Secretary $10,000,000 for each of fiscal years 2022
through 2026 to carry out this Act and the amendments made by this Act.
SEC. 5. DEFINITIONS.
For purposes of this Act:
(1) Digital identity verification.--The term ``digital
identity verification'' means a process to verify the identity
of an individual accessing a service online.
(2) Director.--The term ``Director'' means the Director of
the National Institute of Standards and Technology.
(3) Institute.--The term ``Institute'' means the National
Institute of Standards and Technology.
(4) Secretary.--The term ``Secretary'' means the Secretary
of Commerce.