[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4528 Reported in Senate (RS)]
<DOC>
Calendar No. 616
117th CONGRESS
2d Session
S. 4528
[Report No. 117-238]
To establish a Government-wide approach to improving digital identity,
and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 13, 2022
Ms. Sinema (for herself and Ms. Lummis) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
December 12, 2022
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To establish a Government-wide approach to improving digital identity,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Improving Digital Identity
Act of 2022''.</DELETED>
<DELETED>SEC. 2. FINDINGS.</DELETED>
<DELETED> Congress finds the following:</DELETED>
<DELETED> (1) The lack of an easy, affordable, reliable, and
secure way for organizations, businesses, and government
agencies to identify whether an individual is who they claim to
be online creates an attack vector that is widely exploited by
adversaries in cyberspace and precludes many high-value
transactions from being available online.</DELETED>
<DELETED> (2) Incidents of identity theft and identity fraud
continue to rise in the United States, where more than
293,000,000 people were impacted by data breaches in
2021.</DELETED>
<DELETED> (3) Since 2017, losses resulting from identity
fraud have increased by 333 percent, and, in 2020, those losses
totaled $56,000,000,000.</DELETED>
<DELETED> (4) The Director of the Treasury Department
Financial Crimes Enforcement Network has stated that the abuse
of personally identifiable information and other building
blocks of identity is a key enabler behind much of the fraud
and cybercrime affecting the United States today.</DELETED>
<DELETED> (5) Trustworthy digital identity solutions can
help give under-banked and unbanked individuals better access
to digital financial services through innovative delivery
channels that promote financial inclusion.</DELETED>
<DELETED> (6) The inadequacy of current digital identity
solutions degrades security and privacy for all people in the
United States, and next generation solutions are needed that
improve security, privacy, equity, and accessibility.</DELETED>
<DELETED> (7) Government entities, as authoritative issuers
of identity in the United States, are uniquely positioned to
deliver critical components that address deficiencies in the
digital identity infrastructure of the United States and
augment private sector digital identity and authentication
solutions.</DELETED>
<DELETED> (8) State governments are particularly well-suited
to play a role in enhancing digital identity solutions used by
both the public and private sectors, given the role of State
governments as the issuers of driver's licenses and other
identity documents commonly used today.</DELETED>
<DELETED> (9) The public and private sectors should
collaborate to deliver solutions that promote confidence,
privacy, choice, equity, accessibility, and innovation. The
private sector drives much of the innovation around digital
identity in the United States and has an important role to play
in delivering digital identity solutions.</DELETED>
<DELETED> (10) The bipartisan Commission on Enhancing
National Cybersecurity has called for the Federal Government to
``create an interagency task force directed to find secure,
user-friendly, privacy-centric ways in which agencies can serve
as 1 authoritative source to validate identity attributes in
the broader identity market. This action would enable
Government agencies and the private sector to drive significant
risk out of new account openings and other high-risk, high-
value online services, and it would help all citizens more
easily and securely engage in transactions online.''.</DELETED>
<DELETED> (11) The National Institute of Standards and
Technology has published digital identity guidelines that
address technical requirements for identity proofing and the
authentication of users, but those guidelines do not cover
requirements for providing identity attribute validation
services that could be used to support identity
proofing.</DELETED>
<DELETED> (12) It should be the policy of the Federal
Government to use the authorities and capabilities of the
Federal Government to enhance the security, reliability,
privacy, equity, accessibility, and convenience of digital
identity solutions that support and protect transactions
between individuals, government entities, and businesses, and
that enable people in the United States to prove who they are
online, by providing consent-based identity attribute
validation services and other components that address
deficiencies in the digital identity infrastructure of the
United States and augment private sector digital identity and
authentication solutions.</DELETED>
<DELETED>SEC. 3. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Appropriate notification entities.--The term
``appropriate notification entities'' means--</DELETED>
<DELETED> (A) the President;</DELETED>
<DELETED> (B) the Committee on Homeland Security and
Governmental Affairs of the Senate; and</DELETED>
<DELETED> (C) the Committee on Oversight and Reform
of the House of Representatives.</DELETED>
<DELETED> (2) Digital identity verification.--The term
``digital identity verification'' means a process to verify the
identity or an identity attribute of an individual accessing a
service online or through another electronic means.</DELETED>
<DELETED> (3) Director.--The term ``Director'' means the
Director of the Task Force.</DELETED>
<DELETED> (4) Federal agency.--The term ``Federal agency''
has the meaning given the term in section 102 of the Robert T.
Stafford Disaster Relief and Emergency Assistance Act (42
U.S.C. 5122).</DELETED>
<DELETED> (5) Identity attribute.--The term ``identity
attribute'' means a data element associated with the identity
of an individual, including, the name, address, or date of
birth of an individual.</DELETED>
<DELETED> (6) Identity credential.--The term ``identity
credential'' means a document or other evidence of the identity
of an individual issued by a government agency that conveys the
identity of the individual, including a driver's license or
passport.</DELETED>
<DELETED> (7) Secretary.--The term ``Secretary'' means the
Secretary of Homeland Security.</DELETED>
<DELETED> (8) Task force.--The term ``Task Force'' means the
Improving Digital Identity Task Force established under section
4(a).</DELETED>
<DELETED>SEC. 4. IMPROVING DIGITAL IDENTITY TASK FORCE.</DELETED>
<DELETED> (a) Establishment.--There is established in the Executive
Office of the President a task force to be known as the ``Improving
Digital Identity Task Force''.</DELETED>
<DELETED> (b) Purpose.--The purpose of the Task Force shall be to
establish and coordinate a government-wide effort to develop secure
methods for Federal, State, local, Tribal, and territorial agencies to
improve access and enhance security between physical and digital
identity credentials to--</DELETED>
<DELETED> (1) protect the privacy and security of
individuals;</DELETED>
<DELETED> (2) support reliable, interoperable digital
identity verification in the public and private sectors;
and</DELETED>
<DELETED> (3) in achieving paragraphs (1) and (2), place a
particular emphasis on--</DELETED>
<DELETED> (A) reducing identity theft and
fraud;</DELETED>
<DELETED> (B) enabling trusted transactions;
and</DELETED>
<DELETED> (C) ensuring equitable access to digital
identity verification.</DELETED>
<DELETED> (c) Director.--</DELETED>
<DELETED> (1) In general.--The Task Force shall have a
Director, who shall be appointed by the President.</DELETED>
<DELETED> (2) Position.--The Director shall serve at the
pleasure of the President.</DELETED>
<DELETED> (3) Pay and allowances.--The Director shall be
compensated at the rate of basic pay prescribed for level II of
the Executive Schedule under section 5313 of title 5, United
States Code.</DELETED>
<DELETED> (4) Qualifications.--The Director shall have
substantive technical expertise and managerial acumen that--
</DELETED>
<DELETED> (A) is in the business of digital identity
management, information security, or benefits
administration;</DELETED>
<DELETED> (B) is gained from not less than 1
organization; and</DELETED>
<DELETED> (C) includes specific expertise gained
from academia, advocacy organizations, and the private
sector.</DELETED>
<DELETED> (5) Exclusivity.--The Director may not serve in
any other capacity within the Federal Government while serving
as Director.</DELETED>
<DELETED> (6) Term.--The term of the Director, including any
official acting in the role of the Director, shall terminate on
the date described in subsection (k).</DELETED>
<DELETED> (d) Membership.--</DELETED>
<DELETED> (1) Federal government representatives.--The Task
Force shall include the following individuals or the designees
of such individuals:</DELETED>
<DELETED> (A) The Secretary.</DELETED>
<DELETED> (B) The Secretary of the
Treasury.</DELETED>
<DELETED> (C) The Director of the National Institute
of Standards and Technology.</DELETED>
<DELETED> (D) The Director of the Financial Crimes
Enforcement Network.</DELETED>
<DELETED> (E) The Commissioner of Social
Security.</DELETED>
<DELETED> (F) The Secretary of State.</DELETED>
<DELETED> (G) The Administrator of General
Services.</DELETED>
<DELETED> (H) The Director of the Office of
Management and Budget.</DELETED>
<DELETED> (I) The heads of other Federal agencies or
offices as the President may designate or invite, as
appropriate.</DELETED>
<DELETED> (2) State, local, tribal, and territorial
government representatives.--The Director shall appoint to the
Task Force 6 State, local, Tribal, and territorial government
officials who represent agencies that issue identity
credentials and who have--</DELETED>
<DELETED> (A) experience in identity technology and
services;</DELETED>
<DELETED> (B) knowledge of the systems used to
provide identity credentials; or</DELETED>
<DELETED> (C) any other qualifications or
competencies that may help achieve balance or otherwise
support the mission of the Task Force.</DELETED>
<DELETED> (3) Nongovernmental experts.--</DELETED>
<DELETED> (A) In general.--The Director shall
appoint to the Task Force 5 nongovernmental
experts.</DELETED>
<DELETED> (B) Specific appointments.--The experts
appointed under subparagraph (A) shall include the
following:</DELETED>
<DELETED> (i) A member who is a privacy and
civil liberties expert.</DELETED>
<DELETED> (ii) A member who is a technical
expert in identity verification.</DELETED>
<DELETED> (iii) A member who is a technical
expert in cybersecurity focusing on identity
verification services.</DELETED>
<DELETED> (iv) A member who represents an
industry identity verification service
provider.</DELETED>
<DELETED> (v) A member who represents a
party that relies on effective identity
verification services to conduct
business.</DELETED>
<DELETED> (e) Working Groups.--The Director shall organize the
members of the Task Force into appropriate working groups for the
purpose of increasing the efficiency and effectiveness of the Task
Force, as appropriate.</DELETED>
<DELETED> (f) Meetings.--The Task Force shall--</DELETED>
<DELETED> (1) convene at the call of the Director;
and</DELETED>
<DELETED> (2) provide an opportunity for public comment in
accordance with section 10(a)(3) of the Federal Advisory
Committee Act (5 U.S.C. App.).</DELETED>
<DELETED> (g) Duties.--In carrying out the purpose described in
subsection (b), the Task Force shall--</DELETED>
<DELETED> (1) identify Federal, State, local, Tribal, and
territorial agencies that issue identity credentials or hold
information relating to identifying an individual;</DELETED>
<DELETED> (2) assess restrictions with respect to the
abilities of the agencies described in paragraph (1) to verify
identity information for other agencies and nongovernmental
organizations;</DELETED>
<DELETED> (3) assess any necessary changes in statutes,
regulations, or policy to address any restrictions assessed
under paragraph (2);</DELETED>
<DELETED> (4) recommend a standards-based architecture to
enable agencies to provide services relating to digital
identity verification in a way that--</DELETED>
<DELETED> (A) is secure, protects privacy, and
protects individuals against unfair and misleading
practices;</DELETED>
<DELETED> (B) prioritizes equity and
accessibility;</DELETED>
<DELETED> (C) requires individual consent for the
provision of digital identify verification services by
a Federal, State, local, Tribal, or territorial agency;
and</DELETED>
<DELETED> (D) is interoperable among participating
Federal, State, local, Tribal, and territorial
agencies, as appropriate and in accordance with
applicable laws;</DELETED>
<DELETED> (5) recommend principles to promote policies for
shared identity proofing across public sector agencies, which
may include single sign-on or broadly accepted
attestations;</DELETED>
<DELETED> (6) identify funding or other resources needed to
support the agencies described in paragraph (4) that provide
digital identity verification, including a recommendation with
respect to additional funding required for the grant program
under section 5;</DELETED>
<DELETED> (7) recommend funding models to provide digital
identity verification to private sector entities, which may
include fee-based funding models;</DELETED>
<DELETED> (8) determine if any additional steps are
necessary with respect to Federal, State, local, Tribal, and
territorial agencies to improve digital identity verification
and management processes for the purpose of enhancing the
security, reliability, privacy, accessibility, equity, and
convenience of digital identity solutions that support and
protect transactions between individuals, government entities,
and businesses; and</DELETED>
<DELETED> (9) undertake other activities necessary to assess
and address other matters relating to digital identity
verification, including with respect to--</DELETED>
<DELETED> (A) the potential exploitation of digital
identity tools or associated products and services by
malign actors;</DELETED>
<DELETED> (B) privacy implications; and</DELETED>
<DELETED> (C) increasing access to foundational
identity documents.</DELETED>
<DELETED> (h) Prohibition.--The Task Force may not implicitly or
explicitly recommend the creation of--</DELETED>
<DELETED> (1) a single identity credential provided or
mandated by the Federal Government for the purposes of
verifying identity or associated attributes;</DELETED>
<DELETED> (2) a unilateral central national identification
registry relating to digital identity verification;
or</DELETED>
<DELETED> (3) a requirement that any individual be forced to
use digital identity verification for a given public
purpose.</DELETED>
<DELETED> (i) Required Consultation.--The Task Force shall closely
consult with leaders of Federal, State, local, Tribal, and territorial
governments and nongovernmental leaders, which shall include the
following:</DELETED>
<DELETED> (1) The Administrator of General
Services.</DELETED>
<DELETED> (2) The Secretary of Education.</DELETED>
<DELETED> (3) The heads of other Federal agencies and
offices determined appropriate by the Director.</DELETED>
<DELETED> (4) State, local, Tribal, and territorial
government officials focused on identity, such as information
technology officials and directors of State departments of
motor vehicles and vital records bureaus.</DELETED>
<DELETED> (5) Digital privacy experts.</DELETED>
<DELETED> (6) Civil liberties experts.</DELETED>
<DELETED> (7) Technology and cybersecurity
experts.</DELETED>
<DELETED> (8) Users of identity verification
services.</DELETED>
<DELETED> (9) Representatives with relevant expertise from
academia and advocacy organizations.</DELETED>
<DELETED> (10) Industry representatives with experience
implementing digital identity systems.</DELETED>
<DELETED> (11) Identity theft and fraud prevention experts,
including advocates for victims of identity theft and
fraud.</DELETED>
<DELETED> (j) Reports.--</DELETED>
<DELETED> (1) Initial report.--Not later than 180 days after
the date of enactment of this Act, the Director shall submit to
the appropriate notification entities a report on the
activities of the Task Force, including--</DELETED>
<DELETED> (A) recommendations on--</DELETED>
<DELETED> (i) priorities for research and
development in the systems that enable digital
identity verification, including how the
priorities can be executed;</DELETED>
<DELETED> (ii) the standards-based
architecture developed pursuant to subsection
(g)(4);</DELETED>
<DELETED> (iii) methods to leverage digital
driver's licenses, distributed ledger
technology, and other technologies;
and</DELETED>
<DELETED> (iv) priorities for research and
development in the systems and processes that
reduce identity fraud; and</DELETED>
<DELETED> (B) summaries of the input and
recommendations of the leaders consulted under
subsection (i).</DELETED>
<DELETED> (2) Interim reports.--The Director may submit to
the appropriate notification entities interim reports the
Director determines necessary to support the work of the Task
Force and educate the public.</DELETED>
<DELETED> (3) Final report.--Not later than 45 days before
the date described in subsection (k), the Director shall submit
to the appropriate notification entities a final report that
includes recommendations for the President and Congress
relating to any relevant matter within the scope of the duties
of the Task Force.</DELETED>
<DELETED> (4) Public availability.--The Task Force shall
make the reports required under this subsection publicly
available on centralized website as an open Government data
asset (as defined in section 3502 of title 44, United States
Code).</DELETED>
<DELETED> (k) Sunset.--The Task Force shall conclude business on the
date that is 3 years after the date of enactment of this Act.</DELETED>
<DELETED>SEC. 5. DIGITAL IDENTITY INNOVATION GRANTS.</DELETED>
<DELETED> (a) Establishment.--Not later than 1 year after the date
of enactment of this Act, the Secretary shall establish a grant program
to award grants to State, local, Tribal, and territorial governments to
upgrade systems that provide identity credentials to support the
development of highly secure, interoperable systems that enable digital
identity verification.</DELETED>
<DELETED> (b) Required Consultation.--In establishing the grant
program under subsection (a), the Secretary shall consult with the Task
Force and the governmental and nongovernmental leaders described in
section 4(i), with an emphasis on the consultation of--</DELETED>
<DELETED> (1) leaders of State, local, Tribal, and
territorial governments; and</DELETED>
<DELETED> (2) leaders of State, local, Tribal, and
territorial agencies that issue identity credentials or provide
identity verification services and support relating to identify
verification services.</DELETED>
<DELETED> (c) Use of Funds.--A State, local, Tribal, or territorial
government that receives a grant under this section shall--</DELETED>
<DELETED> (1) use funds from the grant for services relating
to digital identity verification;</DELETED>
<DELETED> (2) implement meaningful digital identity
verification cybersecurity, data protection, and privacy
safeguards consistent with, or in excess of, any safeguards
described in management guidance issued by the National
Institute of Standards and Technology relating to--</DELETED>
<DELETED> (A) digital identity;</DELETED>
<DELETED> (B) cybersecurity;</DELETED>
<DELETED> (C) privacy;</DELETED>
<DELETED> (D) equity; or</DELETED>
<DELETED> (E) accessibility;</DELETED>
<DELETED> (3) expend not less than 10 percent of grant funds
to provide services that assist individuals with obtaining
identity credentials or identity verification services needed
to obtain a driver's license or a comparable identity card;
and</DELETED>
<DELETED> (4) comply with any other requirements determined
relevant by the Secretary to ensure the effective
administration of the grant program established under this
section.</DELETED>
<DELETED> (d) Requirements.--A State, local, Tribal, or territorial
government that receives a grant under this section shall expend
amounts from the grant in a manner that--</DELETED>
<DELETED> (1) complies with the management guidance of the
National Institute of Standards and Technology described in
subsection (c)(2); and</DELETED>
<DELETED> (2) does not correspond with a matter described in
section 4(h).</DELETED>
<DELETED> (e) Authorization of Appropriations.--There is authorized
to be appropriated to the Secretary such sums as may be necessary to
carry out this section.</DELETED>
<DELETED>SEC. 6. SECURITY ENHANCEMENTS TO FEDERAL SYSTEMS.</DELETED>
<DELETED> (a) Guidance for Federal Agencies.--Not later than 180
days after the date on which the Director submits the report required
under section 4(j)(1), the Director of the Office of Management and
Budget shall issue guidance to Federal agencies for the purpose of
implementing any recommendations included in such report determined
appropriate by the Director of the Office of Management and
Budget.</DELETED>
<DELETED> (b) Reports on Federal Agency Progress Improving Digital
Identity Verification Capabilities.--</DELETED>
<DELETED> (1) Annual report on guidance implementation.--Not
later than 1 year after the date of the issuance of guidance
under subsection (a), and annually thereafter, the head of each
Federal agency shall submit to the Director of the Office of
Management and Budget a report on the efforts of the Federal
agency to implement that guidance.</DELETED>
<DELETED> (2) Public report.--</DELETED>
<DELETED> (A) In general.--Not later than 450 days
after the date of the issuance of guidance under
subsection (a), and annually thereafter, the Director
shall develop and make publicly available a report that
includes--</DELETED>
<DELETED> (i) a list of digital identity
verification services offered by Federal
agencies;</DELETED>
<DELETED> (ii) the volume of digital
identity verifications performed by each
Federal agency;</DELETED>
<DELETED> (iii) information relating to the
effectiveness of digital identity verification
services by Federal agencies; and</DELETED>
<DELETED> (iv) recommendations to improve
the effectiveness of digital identity
verification services by Federal
agencies.</DELETED>
<DELETED> (B) Consultation.--In developing the first
report required under subparagraph (A), the Director
shall consult the Task Force.</DELETED>
<DELETED> (3) Congressional report on federal agency digital
identity capabilities.--</DELETED>
<DELETED> (A) In general.--Not later than 180 days
after the date of the enactment of this Act, the
Director of the Office of Management and Budget, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency, shall submit to the
Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Oversight and Reform
of the House of Representatives a report relating to
the implementation and effectiveness of the digital
identity capabilities of Federal agencies.</DELETED>
<DELETED> (B) Consultation.--In developing the
report required under subparagraph (A), the Director of
the Office of Management and Budget shall--</DELETED>
<DELETED> (i) consult with the Task Force;
and</DELETED>
<DELETED> (ii) to the greatest extent
practicable, include in the report
recommendations of the Task Force.</DELETED>
<DELETED> (C) Contents of report.--The report
required under subparagraph (A) shall include--
</DELETED>
<DELETED> (i) an analysis, including metrics
and milestones, for the implementation by
Federal agencies of--</DELETED>
<DELETED> (I) the guidelines
published by the National Institute of
Standards and Technology in the
document entitled ``Special Publication
800-63'' (commonly referred to as the
``Digital Identity Guidelines''), or
any successor document; and</DELETED>
<DELETED> (II) if feasible, any
additional requirements relating to
enhancing digital identity capabilities
identified in the document of the
Office of Management and Budget
entitled ``M-19-17'' and issued on May
21, 2019, or any successor
document;</DELETED>
<DELETED> (ii) a review of measures taken to
advance the equity, accessibility,
cybersecurity, and privacy of digital identity
verification services offered by Federal
agencies; and</DELETED>
<DELETED> (iii) any other relevant data,
information, or plans for Federal agencies to
improve the digital identity capabilities of
Federal agencies.</DELETED>
<DELETED> (c) Additional Reports.--On the first March 1 occurring
after the date described in subsection (b)(3)(A), and annually
thereafter, the Director of the Office of Management and Budget shall
include in the report required under section 3553(c) of title 44,
United States Code--</DELETED>
<DELETED> (1) any additional and ongoing reporting on the
matters described in subsection (b)(3)(C); and</DELETED>
<DELETED> (2) associated information collection
mechanisms.</DELETED>
<DELETED>SEC. 7. GAO REPORT.</DELETED>
<DELETED> (a) In General.--Not later than 1 year after the date of
enactment of this Act, the Comptroller General of the United States
shall submit to Congress a report on the estimated potential savings,
due to the increased adoption and widespread use of digital
identification, of--</DELETED>
<DELETED> (1) the Federal Government from averted benefit
fraud; and</DELETED>
<DELETED> (2) the economy of the United States and consumers
from averted identity theft.</DELETED>
<DELETED> (b) Contents.--Among other variables the Comptroller
General of the United States determines relevant, the report required
under subsection (a) shall include multiple scenarios with varying
uptake rates to demonstrate a range of possible outcomes.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Improving Digital Identity Act of
2022''.
SEC. 2. FINDINGS.
Congress finds the following:
(1) The lack of an easy, affordable, reliable, and secure
way for organizations, businesses, and government agencies to
identify whether an individual is who they claim to be online
creates an attack vector that is widely exploited by
adversaries in cyberspace and precludes many high-value
transactions from being available online.
(2) Incidents of identity theft and identity fraud continue
to rise in the United States, where more than 293,000,000
people were impacted by data breaches in 2021.
(3) Since 2017, losses resulting from identity fraud have
increased by 333 percent, and, in 2020, those losses totaled
$56,000,000,000.
(4) The Director of the Treasury Department Financial
Crimes Enforcement Network has stated that the abuse of
personally identifiable information and other building blocks
of identity is a key enabler behind much of the fraud and
cybercrime affecting the United States today.
(5) The inadequacy of current digital identity solutions
degrades security and privacy for all people in the United
States, and next generation solutions are needed that improve
security, privacy, equity, and accessibility.
(6) Government entities, as authoritative issuers of
identity in the United States, are uniquely positioned to
deliver critical components that address deficiencies in the
digital identity infrastructure of the United States and
augment private sector digital identity and authentication
solutions.
(7) State governments are particularly well-suited to play
a role in enhancing digital identity solutions used by both the
public and private sectors, given the role of State governments
as the issuers of driver's licenses and other identity
documents commonly used today.
(8) The public and private sectors should collaborate to
deliver solutions that promote confidence, privacy, choice,
equity, accessibility, and innovation. The private sector
drives much of the innovation around digital identity in the
United States and has an important role to play in delivering
digital identity solutions.
(9) The bipartisan Commission on Enhancing National
Cybersecurity has called for the Federal Government to ``create
an interagency task force directed to find secure, user-
friendly, privacy-centric ways in which agencies can serve as 1
authoritative source to validate identity attributes in the
broader identity market. This action would enable Government
agencies and the private sector to drive significant risk out
of new account openings and other high-risk, high-value online
services, and it would help all citizens more easily and
securely engage in transactions online.''.
(10) The National Institute of Standards and Technology has
published digital identity guidelines that address technical
requirements for identity proofing and the authentication of
users, but those guidelines do not cover requirements for
providing identity attribute validation services that could be
used to support identity proofing.
(11) It should be the policy of the Federal Government to
use the authorities and capabilities of the Federal Government,
in coordination with State, local, Tribal, and territorial
partners and private sector innovators, to enhance the
security, reliability, privacy, equity, accessibility, and
convenience of consent-based digital identity solutions that
support and protect transactions between individuals,
government entities, and businesses, and that enable people in
the United States to prove who they are online.
SEC. 3. DEFINITIONS.
In this Act:
(1) Appropriate notification entities.--The term
``appropriate notification entities'' means--
(A) the President;
(B) the Committee on Homeland Security and
Governmental Affairs of the Senate; and
(C) the Committee on Oversight and Reform of the
House of Representatives.
(2) Digital identity verification.--The term ``digital
identity verification'' means a process to verify the identity
or an identity attribute of an individual accessing a service
online or through another electronic means.
(3) Director.--The term ``Director'' means the Director of
the Task Force.
(4) Federal agency.--The term ``Federal agency'' has the
meaning given the term in section 102 of the Robert T. Stafford
Disaster Relief and Emergency Assistance Act (42 U.S.C. 5122).
(5) Identity attribute.--The term ``identity attribute''
means a data element associated with the identity of an
individual, including, the name, address, or date of birth of
an individual.
(6) Identity credential.--The term ``identity credential''
means a document or other evidence of the identity of an
individual issued by a government agency that conveys the
identity of the individual, including a driver's license or
passport.
(7) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
(8) Task force.--The term ``Task Force'' means the
Improving Digital Identity Task Force established under section
4(a).
SEC. 4. IMPROVING DIGITAL IDENTITY TASK FORCE.
(a) Establishment.--There is established in the Executive Office of
the President a task force to be known as the ``Improving Digital
Identity Task Force''.
(b) Purpose.--The purpose of the Task Force shall be to establish
and coordinate a government-wide effort to develop secure methods for
Federal, State, local, Tribal, and territorial agencies to improve
access and enhance security between physical and digital identity
credentials, particularly by promoting the development of digital
versions of existing physical identity credentials, including driver's
licenses, e-Passports, social security credentials, and birth
certificates, to--
(1) protect the privacy and security of individuals;
(2) support reliable, interoperable digital identity
verification in the public and private sectors; and
(3) in achieving paragraphs (1) and (2), place a particular
emphasis on--
(A) reducing identity theft and fraud;
(B) enabling trusted transactions; and
(C) ensuring equitable access to digital identity
verification.
(c) Director.--
(1) In general.--The Task Force shall have a Director, who
shall be appointed by the President.
(2) Position.--The Director shall serve at the pleasure of
the President.
(3) Pay and allowances.--The Director shall be compensated
at the rate of basic pay prescribed for level II of the
Executive Schedule under section 5313 of title 5, United States
Code.
(4) Qualifications.--The Director shall have substantive
technical expertise and managerial acumen that--
(A) is in the business of digital identity
management, information security, or benefits
administration;
(B) is gained from not less than 1 organization;
and
(C) includes specific expertise gained from
academia, advocacy organizations, or the private
sector.
(5) Exclusivity.--The Director may not serve in any other
capacity within the Federal Government while serving as
Director.
(6) Term.--The term of the Director, including any official
acting in the role of the Director, shall terminate on the date
described in subsection (k).
(d) Membership.--
(1) Federal government representatives.--The Task Force
shall include the following individuals or the designees of
such individuals:
(A) The Secretary.
(B) The Secretary of the Treasury.
(C) The Director of the National Institute of
Standards and Technology.
(D) The Director of the Financial Crimes
Enforcement Network.
(E) The Commissioner of Social Security.
(F) The Secretary of State.
(G) The Administrator of General Services.
(H) The Director of the Office of Management and
Budget.
(I) The Postmaster General of the United States
Postal Service.
(J) The National Cyber Director.
(K) The heads of other Federal agencies or offices
as the President may designate or invite, as
appropriate.
(2) State, local, tribal, and territorial government
representatives.--The Director shall appoint to the Task Force
6 State, local, Tribal, and territorial government officials
who represent agencies that issue identity credentials and who
have--
(A) experience in identity technology and services;
(B) knowledge of the systems used to provide
identity credentials; or
(C) any other qualifications or competencies that
may help achieve balance or otherwise support the
mission of the Task Force.
(3) Nongovernmental experts.--
(A) In general.--The Director shall appoint to the
Task Force 5 nongovernmental experts.
(B) Specific appointments.--The experts appointed
under subparagraph (A) shall include the following:
(i) A member who is a privacy and civil
liberties expert.
(ii) A member who is a technical expert in
identity verification.
(iii) A member who is a technical expert in
cybersecurity focusing on identity verification
services.
(iv) A member who represents an industry
identity verification service provider.
(v) A member who represents a party that
relies on effective identity verification
services to conduct business.
(e) Working Groups.--The Director shall organize the members of the
Task Force into appropriate working groups for the purpose of
increasing the efficiency and effectiveness of the Task Force, as
appropriate.
(f) Meetings.--The Task Force shall--
(1) convene at the call of the Director; and
(2) provide an opportunity for public comment in accordance
with section 10(a)(3) of the Federal Advisory Committee Act (5
U.S.C. App.).
(g) Duties.--In carrying out the purpose described in subsection
(b), the Task Force shall--
(1) identify Federal, State, local, Tribal, and territorial
agencies that issue identity credentials or hold information
relating to identifying an individual;
(2) assess restrictions with respect to the abilities of
the agencies described in paragraph (1) to verify identity
information for other agencies and nongovernmental
organizations;
(3) assess any necessary changes in statutes, regulations,
or policy to address any restrictions assessed under paragraph
(2);
(4) recommend a standards-based architecture to enable
agencies to provide services relating to digital identity
verification in a way that--
(A) is secure, protects privacy, and protects
individuals against unfair and misleading practices;
(B) prioritizes equity and accessibility;
(C) requires individual consent for the provision
of digital identify verification services by a Federal,
State, local, Tribal, or territorial agency; and
(D) is interoperable among participating Federal,
State, local, Tribal, and territorial agencies, as
appropriate and in accordance with applicable laws;
(5) recommend principles to promote policies for shared
identity proofing across public sector agencies, which may
include single sign-on or broadly accepted attestations;
(6) identify funding or other resources needed to support
the agencies described in paragraph (4) that provide digital
identity verification, including recommendations with respect
to the need for and the design of a Federal grant program to
implement the recommendations of the Task Force and facilitate
the development and upgrade of State, local, Tribal, and
territorial highly-secure interoperable systems that enable
digital identity verification;
(7) recommend funding models to provide digital identity
verification to private sector entities, which may include fee-
based funding models;
(8) determine if any additional steps are necessary with
respect to Federal, State, local, Tribal, and territorial
agencies to improve digital identity verification and
management processes for the purpose of enhancing the security,
reliability, privacy, accessibility, equity, and convenience of
digital identity solutions that support and protect
transactions between individuals, government entities, and
businesses; and
(9) undertake other activities necessary to assess and
address other matters relating to digital identity
verification, including with respect to--
(A) the potential exploitation of digital identity
tools or associated products and services by malign
actors;
(B) privacy implications; and
(C) increasing access to foundational identity
documents.
(h) Prohibition.--The Task Force may not implicitly or explicitly
recommend the creation of--
(1) a single identity credential provided or mandated by
the Federal Government for the purposes of verifying identity
or associated attributes;
(2) a unilateral central national identification registry
relating to digital identity verification; or
(3) a requirement that any individual be forced to use
digital identity verification for a given public purpose.
(i) Required Consultation.--The Task Force shall closely consult
with leaders of Federal, State, local, Tribal, and territorial
governments and nongovernmental leaders, which shall include the
following:
(1) The Secretary of Education.
(2) The heads of other Federal agencies and offices
determined appropriate by the Director.
(3) State, local, Tribal, and territorial government
officials focused on identity, such as information technology
officials and directors of State departments of motor vehicles
and vital records bureaus.
(4) Digital privacy experts.
(5) Civil liberties experts.
(6) Technology and cybersecurity experts.
(7) Users of identity verification services.
(8) Representatives with relevant expertise from academia
and advocacy organizations.
(9) Industry representatives with experience implementing
digital identity systems.
(10) Identity theft and fraud prevention experts, including
advocates for victims of identity theft and fraud.
(j) Reports.--
(1) Initial report.--Not later than 180 days after the date
of enactment of this Act, the Director shall submit to the
appropriate notification entities a report on the activities of
the Task Force, including--
(A) recommendations on--
(i) priorities for research and development
in the systems that enable digital identity
verification, including how the priorities can
be executed;
(ii) the standards-based architecture
developed pursuant to subsection (g)(4);
(iii) methods to leverage digital driver's
licenses, distributed ledger technology, and
other technologies; and
(iv) priorities for research and
development in the systems and processes that
reduce identity fraud; and
(B) summaries of the input and recommendations of
the leaders consulted under subsection (i).
(2) Interim reports.--
(A) In general.--The Director may submit to the
appropriate notification entities interim reports the
Director determines necessary to support the work of
the Task Force and educate the public.
(B) Mandatory report.--Not later than the date that
is 18 months after the date of enactment of this Act,
the Director shall submit to the appropriate
notification entities an interim report addressing--
(i) the matters described in paragraphs
(1), (2), (4), and (6) of subsection (g); and
(ii) any other matters the Director
determines necessary to support the work of the
Task Force and educate the public.
(3) Final report.--Not later than 180 days before the date
described in subsection (k), the Director shall submit to the
appropriate notification entities a final report that includes
recommendations for the President and Congress relating to any
relevant matter within the scope of the duties of the Task
Force.
(4) Public availability.--The Task Force shall make the
reports required under this subsection publicly available on
centralized website as an open Government data asset (as
defined in section 3502 of title 44, United States Code).
(k) Sunset.--The Task Force shall conclude business on the date
that is 3 years after the date of enactment of this Act.
SEC. 5. SECURITY ENHANCEMENTS TO FEDERAL SYSTEMS.
(a) Guidance for Federal Agencies.--Not later than 180 days after
the date on which the Director submits the report required under
section 4(j)(1), the Director of the Office of Management and Budget
shall issue guidance to Federal agencies for the purpose of
implementing any recommendations included in such report determined
appropriate by the Director of the Office of Management and Budget.
(b) Reports on Federal Agency Progress Improving Digital Identity
Verification Capabilities.--
(1) Annual report on guidance implementation.--Not later
than 1 year after the date of the issuance of guidance under
subsection (a), and annually thereafter, the head of each
Federal agency shall submit to the Director of the Office of
Management and Budget a report on the efforts of the Federal
agency to implement that guidance.
(2) Public report.--
(A) In general.--Not later than 45 days after the
date of the issuance of guidance under subsection (a),
and annually thereafter, the Director shall develop and
make publicly available a report that includes--
(i) a list of digital identity verification
services offered by Federal agencies;
(ii) the volume of digital identity
verifications performed by each Federal agency;
(iii) information relating to the
effectiveness of digital identity verification
services by Federal agencies; and
(iv) recommendations to improve the
effectiveness of digital identity verification
services by Federal agencies.
(B) Consultation.--In developing the first report
required under subparagraph (A), the Director shall
consult the Task Force.
(3) Congressional report on federal agency digital identity
capabilities.--
(A) In general.--Not later than 180 days after the
date of the enactment of this Act, the Director of the
Office of Management and Budget, in coordination with
the Director of the Cybersecurity and Infrastructure
Security Agency, shall submit to the Committee on
Homeland Security and Governmental Affairs of the
Senate and the Committee on Oversight and Reform of the
House of Representatives a report relating to the
implementation and effectiveness of the digital
identity capabilities of Federal agencies.
(B) Consultation.--In developing the report
required under subparagraph (A), the Director of the
Office of Management and Budget shall--
(i) consult with the Task Force; and
(ii) to the greatest extent practicable,
include in the report recommendations of the
Task Force.
(C) Contents of report.--The report required under
subparagraph (A) shall include--
(i) an analysis, including metrics and
milestones, for the implementation by Federal
agencies of--
(I) the guidelines published by the
National Institute of Standards and
Technology in the document entitled
``Special Publication 800-63''
(commonly referred to as the ``Digital
Identity Guidelines''), or any
successor document; and
(II) if feasible, any additional
requirements relating to enhancing
digital identity capabilities
identified in the document of the
Office of Management and Budget
entitled ``M-19-17'' and issued on May
21, 2019, or any successor document;
(ii) a review of measures taken to advance
the equity, accessibility, cybersecurity, and
privacy of digital identity verification
services offered by Federal agencies; and
(iii) any other relevant data, information,
or plans for Federal agencies to improve the
digital identity capabilities of Federal
agencies.
(c) Additional Reports.--On the first March 1 occurring after the
date described in subsection (b)(3)(A), and annually thereafter, the
Director of the Office of Management and Budget shall include in the
report required under section 3553(c) of title 44, United States Code--
(1) any additional and ongoing reporting on the matters
described in subsection (b)(3)(C); and
(2) associated information collection mechanisms.
SEC. 6. GAO REPORT.
(a) In General.--Not later than 1 year after the date of enactment
of this Act, the Comptroller General of the United States shall submit
to Congress a report on the estimated potential savings, including
estimated annual potential savings, due to the increased adoption and
widespread use of digital identification, of--
(1) the Federal Government from averted fraud, including
benefit fraud; and
(2) the economy of the United States and consumers from
averted identity theft.
(b) Contents.--Among other variables the Comptroller General of the
United States determines relevant, the report required under subsection
(a) shall include multiple scenarios with varying uptake rates to
demonstrate a range of possible outcomes.
Calendar No. 616
117th CONGRESS
2d Session
S. 4528
[Report No. 117-238]
_______________________________________________________________________
A BILL
To establish a Government-wide approach to improving digital identity,
and for other purposes.
_______________________________________________________________________
December 12, 2022
Reported with an amendment