[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2413 Introduced in House (IH)]

106th CONGRESS
  1st Session
                                H. R. 2413

  To amend the National Institute of Standards and Technology Act to 
    enhance the ability of the National Institute of Standards and 
    Technology to improve computer security, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              July 1, 1999

     Mr. Sensenbrenner (for himself, Mr. Gordon, and Mrs. Morella) 
 introduced the following bill; which was referred to the Committee on 
                                Science

_______________________________________________________________________

                                 A BILL


 
  To amend the National Institute of Standards and Technology Act to 
    enhance the ability of the National Institute of Standards and 
    Technology to improve computer security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Computer Security Enhancement Act of 
1999''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds the following:
            (1) The National Institute of Standards and Technology has 
        responsibility for developing standards and guidelines needed 
        to ensure the cost-effective security and privacy of sensitive 
        information in Federal computer systems.
            (2) The Federal Government has an important role in 
        ensuring the protection of sensitive, but unclassified, 
        information controlled by Federal agencies.
            (3) Technology that is based on the application of 
        cryptography exists and can be readily provided by private 
        sector companies to ensure the confidentiality, authenticity, 
        and integrity of information associated with public and private 
        activities.
            (4) The development and use of encryption technologies 
        should be driven by market forces rather than by Government 
        imposed requirements.
    (b) Purposes.--The purposes of this Act are to--
            (1) reinforce the role of the National Institute of 
        Standards and Technology in ensuring the security of 
        unclassified information in Federal computer systems; and
            (2) promote technology solutions based on private sector 
        offerings to protect the security of Federal computer systems.

SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE.

    Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)) is amended--
            (1) by redesignating paragraphs (2), (3), (4), and (5) as 
        paragraphs (3), (4), (7), and (8), respectively; and
            (2) by inserting after paragraph (1) the following new 
        paragraph:
            ``(2) upon request from the private sector, to assist in 
        establishing voluntary interoperable standards, guidelines, and 
        associated methods and techniques to facilitate and expedite 
        the establishment of non-Federal management infrastructures for 
        public keys that can be used to communicate with and conduct 
        transactions with the Federal Government;''.

SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.

    Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is 
further amended by inserting after paragraph (4), as so redesignated by 
section 3(1) of this Act, the following new paragraphs:
            ``(5) to provide guidance and assistance to Federal 
        agencies in the protection of interconnected computer systems 
        and to coordinate Federal response efforts related to 
        unauthorized access to Federal computer systems;
            ``(6) to perform evaluations and tests of--
                    ``(A) information technologies to assess security 
                vulnerabilities; and
                    ``(B) commercially available security products for 
                their suitability for use by Federal agencies for 
                protecting sensitive information in computer 
                systems;''.

SEC. 5. COMPUTER SECURITY IMPLEMENTATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is further amended--
            (1) by redesignating subsections (c) and (d) as subsections 
        (e) and (f), respectively; and
            (2) by inserting after subsection (b) the following new 
        subsection:
    ``(c) In carrying out subsection (a)(3), the Institute shall--
            ``(1) emphasize the development of technology-neutral 
        policy guidelines for computer security practices by the 
        Federal agencies;
            ``(2) actively promote the use of commercially available 
        products to provide for the security and privacy of sensitive 
        information in Federal computer systems; and
            ``(3) participate in implementations of encryption 
        technologies in order to develop required standards and 
        guidelines for Federal computer systems, including assessing 
        the desirability of and the costs associated with establishing 
        and managing key recovery infrastructures for Federal 
        Government information.''.

SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
inserting after subsection (c), as added by section 5 of this Act, the 
following new subsection:
    ``(d)(1) The Institute shall solicit the recommendations of the 
Computer System Security and Privacy Advisory Board, established by 
section 21, regarding standards and guidelines that are being 
considered for submittal to the Secretary in accordance with subsection 
(a)(4). No standards or guidelines shall be submitted to the Secretary 
prior to the receipt by the Institute of the Board's written 
recommendations. The recommendations of the Board shall accompany 
standards and guidelines submitted to the Secretary.
    ``(2) There are authorized to be appropriated to the Secretary 
$1,000,000 for fiscal year 2000 and $1,030,000 for fiscal year 2001 to 
enable the Computer System Security and Privacy Advisory Board, 
established by section 21, to identify emerging issues related to 
computer security, privacy, and cryptography and to convene public 
meetings on those subjects, receive presentations, and publish reports, 
digests, and summaries for public distribution on those subjects.''.

SEC. 7. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
adding at the end the following new subsection:
    ``(g) The Institute shall not promulgate, enforce, or otherwise 
adopt standards, or carry out activities or policies, for the Federal 
establishment of encryption standards required for use in computer 
systems other than Federal Government computer systems.''.

SEC. 8. MISCELLANEOUS AMENDMENTS.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended--
            (1) in subsection (b)(8), as so redesignated by section 
        3(1) of this Act, by inserting ``to the extent that such 
        coordination will improve computer security and to the extent 
        necessary for improving such security for Federal computer 
        systems'' after ``Management and Budget)'';
            (2) in subsection (e), as so redesignated by section 5(1) 
        of this Act, by striking ``shall draw upon'' and inserting in 
        lieu thereof ``may draw upon'';
            (3) in subsection (e)(2), as so redesignated by section 
        5(1) of this Act, by striking ``(b)(5)'' and inserting in lieu 
        thereof ``(b)(8)''; and
            (4) in subsection (f)(1)(B)(i), as so redesignated by 
        section 5(1) of this Act, by inserting ``and computer 
        networks'' after ``computers''.

SEC. 9. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

    Section 5(b) of the Computer Security Act of 1987 (49 U.S.C. 759 
note) is amended--
            (1) by striking ``and'' at the end of paragraph (1);
            (2) by striking the period at the end of paragraph (2) and 
        inserting in lieu thereof ``; and''; and
            (3) by adding at the end the following new paragraph:
            ``(3) to include emphasis on protecting sensitive 
        information in Federal databases and Federal computer sites 
        that are accessible through public networks.''.

SEC. 10. COMPUTER SECURITY FELLOWSHIP PROGRAM.

    There are authorized to be appropriated to the Secretary of 
Commerce $250,000 for fiscal year 2000 and $500,000 for fiscal year 
2001 for the Director of the National Institute of Standards and 
Technology for fellowships, subject to the provisions of section 18 of 
the National Institute of Standards and Technology Act (15 U.S.C. 278g-
1), to support students at institutions of higher learning in computer 
security. Amounts authorized by this section shall not be subject to 
the percentage limitation stated in such section 18.

SEC. 11. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH 
              COUNCIL.

    (a) Review by National Research Council.--Not later than 90 days 
after the date of the enactment of this Act, the Secretary of Commerce 
shall enter into a contract with the National Research Council of the 
National Academy of Sciences to conduct a study of public key 
infrastructures for use by individuals, businesses, and government.
    (b) Contents.--The study referred to in subsection (a) shall--
            (1) assess technology needed to support public key 
        infrastructures;
            (2) assess current public and private plans for the 
        deployment of public key infrastructures;
            (3) assess interoperability, scalability, and integrity of 
        private and public entities that are elements of public key 
        infrastructures;
            (4) make recommendations for Federal legislation and other 
        Federal actions required to ensure the national feasibility and 
        utility of public key infrastructures; and
            (5) address such other matters as the National Research 
        Council considers relevant to the issues of public key 
        infrastructure.
    (c) Interagency Cooperation With Study.--All agencies of the 
Federal Government shall cooperate fully with the National Research 
Council in its activities in carrying out the study under this section, 
including access by properly cleared individuals to classified 
information if necessary.
    (d) Report.--Not later than 18 months after the date of the 
enactment of this Act, the Secretary of Commerce shall transmit to the 
Committee on Science of the House of Representatives and the Committee 
on Commerce, Science, and Transportation of the Senate a report setting 
forth the findings, conclusions, and recommendations of the National 
Research Council for public policy related to public key 
infrastructures for use by individuals, businesses, and government. 
Such report shall be submitted in unclassified form.
    (e) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Commerce $450,000 for fiscal year 
2000, to remain available until expended, for carrying out this 
section.

SEC. 12. PROMOTION OF NATIONAL INFORMATION SECURITY.

    The Under Secretary of Commerce for Technology shall--
            (1) promote the more widespread use of applications of 
        cryptography and associated technologies to enhance the 
        security of the Nation's information infrastructure;
            (2) establish a central clearinghouse for the collection by 
        the Federal Government and dissemination to the public of 
        information to promote awareness of information security 
        threats; and
            (3) promote the development of the national, standards-
        based infrastructure needed to support commercial and private 
        uses of encryption technologies for confidentiality and 
        authentication.

SEC. 13. ELECTRONIC AUTHENTICATION INFRASTRUCTURE.

    (a) Electronic Authentication Infrastructure.--
            (1) Guidelines and standards.--Not later than 1 year after 
        the date of the enactment of this Act, the Director, in 
        consultation with industry, shall develop electronic 
        authentication infrastructure guidelines and standards for use 
        by Federal agencies to enable those agencies to effectively 
        utilize electronic authentication technologies in a manner that 
        is--
                    (A) sufficiently secure to meet the needs of those 
                agencies and their transaction partners; and
                    (B) interoperable, to the maximum extent possible.
            (2) Elements.--The guidelines and standards developed under 
        paragraph (1) shall include--
                    (A) protection profiles for cryptographic and 
                noncryptographic methods of authenticating identity for 
                electronic authentication products and services;
                    (B) minimum interoperability specifications for the 
                Federal acquisition of electronic authentication 
                products and services; and
                    (C) validation criteria to enable Federal agencies 
                to select cryptographic electronic authentication 
                products and services appropriate to their needs.
            (3) Coordination with national policy panel.--The Director 
        shall ensure that the development of guidelines and standards 
        with respect to cryptographic electronic authentication 
        products and services under this subsection is carried out in 
        coordination with the efforts of the National Policy Panel for 
        Digital Signatures under subsection (e).
            (4) Revisions.--The Director shall periodically review the 
        guidelines and standards developed under paragraph (1) and 
        revise them as appropriate.
    (b) Validation of Products.--Not later than 1 year after the date 
of the enactment of this Act, and thereafter, the Director shall 
maintain and make available to Federal agencies and to the public a 
list of commercially available electronic authentication products, and 
other such products used by Federal agencies, evaluated as conforming 
with the guidelines and standards developed under subsection (a).
    (c) Electronic Certification and Management Systems.--
            (1) Criteria.--Not later than 1 year after the date of the 
        enactment of this Act, the Director shall establish minimum 
        technical criteria for the use by Federal agencies of 
        electronic certification and management systems.
            (2) Evaluation.--The Director shall establish a program for 
        evaluating the conformance with the criteria established under 
        paragraph (1) of electronic certification and management 
        systems, developed for use by Federal agencies or available for 
        such use.
            (3) Maintenance of list.--The Director shall maintain and 
        make available to Federal agencies a list of electronic 
        certification and management systems evaluated as conforming to 
        the criteria established under paragraph (1).
    (d) Reports.--Not later than 18 months after the date of the 
enactment of this Act, and annually thereafter, the Director shall 
transmit to the Congress a report that includes--
            (1) a description and analysis of the utilization by 
        Federal agencies of electronic authentication technologies;
            (2) an evaluation of the extent to which Federal agencies' 
        electronic authentication infrastructures conform to the 
        guidelines and standards developed under subsection (a)(1);
            (3) an evaluation of the extent to which Federal agencies' 
        electronic certification and management systems conform to the 
        criteria established under subsection (c)(1);
            (4) the list described in subsection (c)(3); and
            (5) evaluations made under subsection (b).
    (e) National Policy Panel for Digital Signatures.--
            (1) Establishment.--Not later than 90 days after the date 
        of the enactment of this Act, the Under Secretary shall 
        establish a National Policy Panel for Digital Signatures. The 
        Panel shall be composed of government, academic, and industry 
        technical and legal experts on the implementation of digital 
        signature technologies, State officials, including officials 
        from States which have enacted laws recognizing the use of 
        digital signatures, and representative individuals from the 
        interested public.
            (2) Responsibilities.--The Panel shall serve as a forum for 
        exploring all relevant factors associated with the development 
        of a national digital signature infrastructure based on uniform 
        guidelines and standards to enable the widespread availability 
        and use of digital signature systems. The Panel shall develop--
                    (A) model practices and procedures for 
                certification authorities to ensure the accuracy, 
                reliability, and security of operations associated with 
                issuing and managing digital certificates;
                    (B) guidelines and standards to ensure consistency 
                among jurisdictions that license certification 
                authorities; and
                    (C) audit procedures for certification authorities.
            (3) Coordination.--The Panel shall coordinate its efforts 
        with those of the Director under subsection (a).
            (4) Administrative support.--The Under Secretary shall 
        provide administrative support to enable the Panel to carry out 
        its responsibilities.
            (5) Report.--Not later than 1 year after the date of the 
        enactment of this Act, the Under Secretary shall transmit to 
        the Congress a report containing the recommendations of the 
        Panel.
    (f) Definitions.--For purposes of this section--
            (1) the term ``certification authorities'' means issuers of 
        digital certificates;
            (2) the term ``digital certificate'' means an electronic 
        document that binds an individual's identity to the 
        individual's key;
            (3) the term ``digital signature'' means a mathematically 
        generated mark utilizing key cryptography techniques that is 
        unique to both the signatory and the information signed;
            (4) the term ``digital signature infrastructure'' means the 
        software, hardware, and personnel resources, and the 
        procedures, required to effectively utilize digital 
        certificates and digital signatures;
            (5) the term ``electronic authentication'' means 
        cryptographic or noncryptographic methods of authenticating 
        identity in an electronic communication;
            (6) the term ``electronic authentication infrastructure'' 
        means the software, hardware, and personnel resources, and the 
        procedures, required to effectively utilize electronic 
        authentication technologies;
            (7) the term ``electronic certification and management 
        systems'' means computer systems, including associated 
        personnel and procedures, that enable individuals to apply 
        unique digital signatures to electronic information;
            (8) the term ``protection profile'' means a list of 
        security functions and associated assurance levels used to 
        describe a product; and
            (9) the term ``Under Secretary'' means the Under Secretary 
        of Commerce for Technology.

SEC. 14. SOURCE OF AUTHORIZATIONS.

    There are authorized to be appropriated to the Secretary of 
Commerce $3,000,000 for fiscal year 2000 and $4,000,000 for fiscal year 
2001, for the National Institute of Standards and Technology to carry 
out activities authorized by this Act for which funds are not otherwise 
specifically authorized to be appropriated by this Act.