[Congressional Bills 105th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1903 Reported in House (RH)]





                                                 Union Calendar No. 139

105th CONGRESS

  1st Session

                               H. R. 1903

                          [Report No. 105-243]

_______________________________________________________________________

                                 A BILL

  To amend the National Institute of Standards and Technology Act to 
    enhance the ability of the National Institute of Standards and 
    Technology to improve computer security, and for other purposes.

_______________________________________________________________________

                           September 3, 1997

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed





                                                 Union Calendar No. 139
105th CONGRESS
  1st Session
                                H. R. 1903

                          [Report No. 105-243]

  To amend the National Institute of Standards and Technology Act to 
    enhance the ability of the National Institute of Standards and 
    Technology to improve computer security, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             June 17, 1997

Mr. Sensenbrenner (for himself, Mr. Brown of California, Mrs. Morella, 
   Mr. Gordon, Mr. Davis of Virginia, Ms. Stabenow, Mr. Ehlers, Ms. 
 Jackson-Lee of Texas, Mr. Sessions, Mr. Pickering, Mr. Traficant, Mr. 
Cook, and Mr. Cannon) introduced the following bill; which was referred 
                      to the Committee on Science

                           September 3, 1997

   Additional sponsors: Mr. Gutknecht, Mr. Brady, Mrs. Tauscher, Mr. 
    Weldon of Pennsylvania, Mr. Lampson, Mr. Foley, Mr. English of 
Pennsylvania, Mr. Dan Schaefer of Colorado, Mr. Doyle, Mr. Barcia, Mr. 
      Capps, Mr. Ewing, Mr. Bartlett of Maryland, Ms. Rivers, Mr. 
              Rohrabacher, Mr. Roemer, and Mr. Nethercutt

                           September 3, 1997

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
 [For text of introduced bill, see copy of bill as introduced on June 
                               17, 1997]

_______________________________________________________________________

                                 A BILL


 
  To amend the National Institute of Standards and Technology Act to 
    enhance the ability of the National Institute of Standards and 
    Technology to improve computer security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Computer Security Enhancement Act of 
1997''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds the following:
            (1) The National Institute of Standards and Technology has 
        responsibility for developing standards and guidelines needed 
        to ensure the cost-effective security and privacy of sensitive 
        information in Federal computer systems.
            (2) The Federal Government has an important role in 
        ensuring the protection of sensitive, but unclassified, 
        information controlled by Federal agencies.
            (3) Technology that is based on the application of 
        cryptography exists and can be readily provided by private 
        sector companies to ensure the confidentiality, authenticity, 
        and integrity of information associated with public and private 
        activities.
            (4) The development and use of encryption technologies 
        should be driven by market forces rather than by Government 
        imposed requirements.
            (5) Federal policy for control of the export of encryption 
        technologies should be determined in light of the public 
        availability of comparable encryption technologies outside of 
        the United States in order to avoid harming the competitiveness 
        of United States computer hardware and software companies.
    (b) Purposes.--The purposes of this Act are to--
            (1) reinforce the role of the National Institute of 
        Standards and Technology in ensuring the security of 
        unclassified information in Federal computer systems;
            (2) promote technology solutions based on private sector 
        offerings to protect the security of Federal computer systems; 
        and
            (3) provide the assessment of the capabilities of 
        information security products incorporating cryptography that 
        are generally available outside the United States.

SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE.

    Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)) is amended--
            (1) by redesignating paragraphs (2), (3), (4), and (5) as 
        paragraphs (3), (4), (7), and (8), respectively; and
            (2) by inserting after paragraph (1) the following new 
        paragraph:
            ``(2) upon request from the private sector, to assist in 
        establishing voluntary interoperable standards, guidelines, and 
        associated methods and techniques to facilitate and expedite 
        the establishment of non-Federal management infrastructures for 
        public keys that can be used to communicate with and conduct 
        transactions with the Federal Government;''.

SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.

    Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is 
further amended by inserting after paragraph (4), as so redesignated by 
section 3(1) of this Act, the following new paragraphs:
            ``(5) to provide guidance and assistance to Federal 
        agencies in the protection of interconnected computer systems 
        and to coordinate Federal response efforts related to 
        unauthorized access to Federal computer systems;
            ``(6) to perform evaluations and tests of--
                    ``(A) information technologies to assess security 
                vulnerabilities; and
                    ``(B) commercially available security products for 
                their suitability for use by Federal agencies for 
                protecting sensitive information in computer 
                systems;''.

SEC. 5. COMPUTER SECURITY IMPLEMENTATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is further amended--
            (1) by redesignating subsections (c) and (d) as subsections 
        (f) and (g), respectively; and
            (2) by inserting after subsection (b) the following new 
        subsection:
    ``(c) In carrying out subsection (a)(3), the Institute shall--
            ``(1) emphasize the development of technology-neutral 
        policy guidelines for computer security practices by the 
        Federal agencies;
            ``(2) actively promote the use of commercially available 
        products to provide for the security and privacy of sensitive 
        information in Federal computer systems; and
            ``(3) participate in implementations of encryption 
        technologies in order to develop required standards and 
        guidelines for Federal computer systems, including assessing 
        the desirability of and the costs associated with establishing 
        and managing key recovery infrastructures for Federal 
        Government information.''.

SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
inserting after subsection (c), as added by section 5 of this Act, the 
following new subsection:
    ``(d)(1) The Institute shall solicit the recommendations of the 
Computer System Security and Privacy Advisory Board, established by 
section 21, regarding standards and guidelines that are being 
considered for submittal to the Secretary of Commerce in accordance 
with subsection (a)(4). No standards or guidelines shall be submitted 
to the Secretary prior to the receipt by the Institute of the Board's 
written recommendations. The recommendations of the Board shall 
accompany standards and guidelines submitted to the Secretary.
    ``(2) There are authorized to be appropriated to the Secretary of 
Commerce $1,000,000 for fiscal year 1998 and $1,030,000 for fiscal year 
1999 to enable the Computer System Security and Privacy Advisory Board, 
established by section 21, to identify emerging issues related to 
computer security, privacy, and cryptography and to convene public 
meetings on those subjects, receive presentations, and publish reports, 
digests, and summaries for public distribution on those subjects.''.

SEC. 7. EVALUATION OF CAPABILITIES OF FOREIGN ENCRYPTION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
inserting after subsection (d), as added by section 6 of this Act, the 
following new subsection:
    ``(e)(1) If the Secretary has imposed, or proposes to impose, 
export restrictions on a product that incorporates encryption 
technologies, the Institute may accept technical evidence from the 
commercial provider of the product offered to indicate that encryption 
technologies, embodied in the form of software or hardware, that are 
offered and generally available outside the United States for use, 
sale, license, or transfer (whether for consideration or not) provide 
stronger participation for privacy of computer data and transmissions 
of information in digital form than the encryption technologies 
incorporated in the commercial provider's product.
    ``(2) Within 30 days after accepting technical evidence from a 
commercial provider under paragraph (1), the Institute shall evaluate 
the accuracy and completeness of the technical evidence and transmit to 
the Secretary, and to the Committee on Science of the House of 
Representatives and the Committee on Commerce, Science, and 
Transportation of the Senate, a report containing the results of that 
evaluation. The Institute may obtain assistance from other Federal and 
private sector entities in carrying out evaluations under this 
paragraph.
    ``(3) Not later than 180 days after the date of the enactment of 
the Computer Security Enhancement Act of 1997, the Institute shall 
develop standard procedures and tests for determining the capabilities 
of encryption technologies, and shall provide information regarding 
those procedures and tests to the public.
    ``(4) The Institute may require a commercial provider seeking 
evaluation under this subsection to follow procedures and carry out 
tests developed by the Institute pursuant to paragraph (3).''.

SEC. 8. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
adding at the end the following new subsection:
    ``(h) The Institute shall not promulgate, enforce, or otherwise 
adopt standards, or carry out activities or policies, for the Federal 
establishment of encryption standards required for use in computer 
systems other than Federal Government computer systems.''.

SEC. 9. MISCELLANEOUS AMENDMENTS.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended--
            (1) in subsection (b)(8), as so redesignated by section 
        3(1) of this Act, by inserting ``to the extent that such 
        coordination will improve computer security and to the extent 
        necessary for improving such security for Federal computer 
        systems'' after ``Management and Budget)'';
            (2) in subsection (f), as so redesignated by section 5(1) 
        of this Act, by striking ``shall draw upon'' and inserting in 
        lieu thereof ``may draw upon'';
            (3) in subsection (f)(2), as so redesignated by section 
        5(1) of this Act, by striking ``(b)(5)'' and inserting in lieu 
        thereof ``(b)(8)''; and
            (4) in subsection (g)(1)(B)(i), as so redesignated by 
        section 5(1) of this Act, by inserting ``and computer 
        networks'' after ``computers''.

SEC. 10. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

    Section 5(b) of the Computer Security Act of 1987 (49 U.S.C. 759 
note) is amended--
            (1) by striking ``and'' at the end of paragraph (1);
            (2) by striking the period at the end of paragraph (2) and 
        inserting in lieu thereof ``; and''; and
            (3) by adding at the end the following new paragraph:
            ``(3) to include emphasis on protecting sensitive 
        information in Federal databases and Federal computer sites 
        that are accessible through public networks.''.

SEC. 11. COMPUTER SECURITY FELLOWSHIP PROGRAM.

    There are authorized to be appropriated to the Secretary of 
Commerce $250,000 for fiscal year 1998 and $500,000 for fiscal year 
1999 for the Director of the National Institute of Standards and 
Technology for fellowships, subject to the provisions of section 18 of 
the National Institute of Standards and Technology Act (15 U.S.C. 278g-
1), to support students at institutions of higher learning in computer 
security. Amounts authorized by this section shall not be subject to 
the percentage limitation stated in such section 18.

SEC. 12. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH 
              COUNCIL.

    (a) Review by National Research Council.--Not later than 90 days 
after the date of the enactment of this Act, the Secretary of Commerce 
shall enter into a contract with the National Research Council of the 
National Academy of Sciences to conduct a study of public key 
infrastructures for use by individuals, businesses, and government.
    (b) Contents.--The study referred to in subsection (a) shall--
            (1) assess technology needed to support public key 
        infrastructures;
            (2) assess current public and private plans for the 
        deployment of public key infrastructures;
            (3) assess interoperability, scalability, and integrity of 
        private and public entities that are elements of public key 
        infrastructures;
            (4) make recommendations for Federal legislation and other 
        Federal actions required to ensure the national feasibility and 
        utility of public key infrastructures; and
            (5) address such other matters as the National Research 
        Council considers relevant to the issues of public key 
        infrastructure.
    (c) Interagency Cooperation With Study.--All agencies of the 
Federal Government shall cooperate fully with the National Research 
Council in its activities in carrying out the study under this section, 
including access by properly cleared individuals to classified 
information if necessary.
    (d) Report.--Not later than 18 months after the date of the 
enactment of this Act, the Secretary of Commerce shall transmit to the 
Committee on Science of the House of Representatives and the Committee 
on Commerce, Science, and Transportation of the Senate a report setting 
forth the findings, conclusions, and recommendations of the National 
Research Council for public policy related to public key 
infrastructures for use by individuals, businesses, and government. 
Such report shall be submitted in unclassified form.
    (e) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Commerce $450,000 for fiscal year 
1998, to remain available until expended, for carrying out this 
section.

SEC. 13. PROMOTION OF NATIONAL INFORMATION SECURITY.

    The Under Secretary of Commerce for Technology shall--
            (1) promote the more widespread use of applications of 
        cryptography and associated technologies to enhance the 
        security of the Nation's information infrastructure;
            (2) establish a central clearinghouse for the collection by 
        the Federal Government and dissemination to the public of 
        information to promote awareness of information security 
        threats; and
            (3) promote the development of the national, standards-
        based infrastructure needed to support commercial and private 
        uses of encryption technologies for confidentiality and 
        authentication.

SEC. 14. DIGITAL SIGNATURE INFRASTRUCTURE.

    (a) National Policy Panel.--The Under Secretary of Commerce for 
Technology shall establish a National Policy Panel for Digital 
Signatures. The Panel shall be composed of nongovernment and government 
technical and legal experts on the implementation of digital signature 
technologies, individuals from companies offering digital signature 
products and services, State officials, including officials from States 
which have enacted statutes establishing digital signature 
infrastructures, and representative individuals from the interested 
public.
    (b) Responsibilities.--The Panel established under subsection (a) 
shall serve as a forum for exploring all relevant factors associated 
with the development of a national digital signature infrastructure 
based on uniform standards that will enable the widespread availability 
and use of digital signature systems. The Panel shall develop--
            (1) model practices and procedures for certification 
        authorities to ensure accuracy, reliability, and security of 
        operations associated with issuing and managing certificates;
            (2) standards to ensure consistency among jurisdictions 
        that license certification authorities; and
            (3) audit standards for certification authorities.
    (c) Administrative Support.--The Under Secretary of Commerce for 
Technology shall provide administrative support to the Panel 
established under subsection (a) of this section as necessary to enable 
the Panel to carry out its responsibilities.

SEC. 15. SOURCE OF AUTHORIZATIONS.

    Amounts authorized to be appropriated by this Act shall be derived 
from amounts authorized under the National Institute of Standards and 
Technology Authorization Act of 1997.