[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2413 Reported in House (RH)]
                                                 Union Calendar No. 527
106th CONGRESS
  2d Session
                                H. R. 2413

                          [Report No. 106-876]

  To amend the National Institute of Standards and Technology Act to 
    enhance the ability of the National Institute of Standards and 
    Technology to improve computer security, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              July 1, 1999

     Mr. Sensenbrenner (for himself, Mr. Gordon, and Mrs. Morella) 
 introduced the following bill; which was referred to the Committee on 
                                Science

                           September 21, 2000

 Additional sponsors: Mr. Ehlers, Mr. Cook, Mr. Ewing, Mr. Gutknecht, 
                           and Mr. Kuykendall

                           September 21, 2000

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
 [For text of introduced bill, see copy of bill as introduced on July 
                               21, 1999]

_______________________________________________________________________

                                 A BILL

  To amend the National Institute of Standards and Technology Act to 
    enhance the ability of the National Institute of Standards and 
    Technology to improve computer security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Computer Security Enhancement Act of 
2000''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds the following:
            (1) The National Institute of Standards and Technology has 
        responsibility for developing standards and guidelines needed 
        to ensure the cost-effective security and privacy of sensitive 
        information in Federal computer systems.
            (2) The Federal Government has an important role in 
        ensuring the protection of sensitive, but unclassified, 
        information controlled by Federal agencies.
            (3) Technology that is based on the application of 
        cryptography exists and can be readily provided by private 
        sector companies to ensure the confidentiality, authenticity, 
        and integrity of information associated with public and private 
        activities.
            (4) The development and use of encryption technologies by 
        industry should be driven by market forces rather than by 
        Government imposed requirements.
    (b) Purposes.--The purposes of this Act are to--
            (1) reinforce the role of the National Institute of 
        Standards and Technology in ensuring the security of 
        unclassified information in Federal computer systems; and
            (2) promote technology solutions based on private sector 
        offerings to protect the security of Federal computer systems.

SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE.

    Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)) is amended--
            (1) by redesignating paragraphs (2), (3), (4), and (5) as 
        paragraphs (3), (4), (8), and (9), respectively; and
            (2) by inserting after paragraph (1) the following new 
        paragraph:
            ``(2) upon request from the private sector, to assist in 
        establishing voluntary interoperable standards, guidelines, and 
        associated methods and techniques to facilitate and expedite 
        the establishment of non-Federal management infrastructures for 
        public keys that can be used to communicate with and conduct 
        transactions with the Federal Government;''.

SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.

    Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is 
further amended by inserting after paragraph (4), as so redesignated by 
section 3(1) of this Act, the following new paragraphs:
            ``(5) except for national security systems, as defined in 
        section 5142 of Public Law 104-106 (40 U.S.C. 1452), to provide 
        guidance and assistance to Federal agencies for protecting the 
        security and privacy of sensitive information in interconnected 
        Federal computer systems, including identification of 
        significant risks thereto;
            ``(6) to promote compliance by Federal agencies with 
        existing Federal computer information security and privacy 
        guidelines;
            ``(7) in consultation with appropriate Federal agencies, 
        assist Federal response efforts related to unauthorized access 
        to Federal computer systems;''.

SEC. 5. COMPUTER SECURITY IMPLEMENTATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is further amended--
            (1) by redesignating subsections (c) and (d) as subsections 
        (e) and (f), respectively; and
            (2) by inserting after subsection (b) the following new 
        subsection:
    ``(c)(1) In carrying out subsection (a)(2) and (3), the Institute 
shall--
            ``(A) emphasize the development of technology-neutral 
        policy guidelines for computer security practices by the 
        Federal agencies;
            ``(B) promote the use of commercially available products, 
        which appear on the list required by paragraph (2), to provide 
        for the security and privacy of sensitive information in 
        Federal computer systems;
            ``(C) develop qualitative and quantitative measures 
        appropriate for assessing the quality and effectiveness of 
        information security and privacy programs at Federal agencies;
            ``(D) perform evaluations and tests at Federal agencies to 
        assess existing information security and privacy programs;
            ``(E) promote development of accreditation procedures for 
        Federal agencies based on the measures developed under 
        subparagraph (C);
            ``(F) if requested, consult with and provide assistance to 
        Federal agencies regarding the selection by agencies of 
        security technologies and products and the implementation of 
        security practices; and
            ``(G)(i) develop uniform testing procedures suitable for 
        determining the conformance of commercially available security 
        products to the guidelines and standards developed under 
        subsection (a)(2) and (3);
            ``(ii) establish procedures for certification of private 
        sector laboratories to perform the tests and evaluations of 
        commercially available security products developed in 
        accordance with clause (i); and
            ``(iii) promote the testing of commercially available 
        security products for their conformance with guidelines and 
        standards developed under subsection (a)(2) and (3).
    ``(2) The Institute shall maintain and make available to Federal 
agencies and to the public a list of commercially available security 
products that have been tested by private sector laboratories certified 
in accordance with procedures established under paragraph (1)(G)(ii), 
and that have been found to be in conformance with the guidelines and 
standards developed under subsection (a)(2) and (3).
    ``(3) The Institute shall annually transmit to the Congress, in an 
unclassified format, a report containing--
            ``(A) the findings of the evaluations and tests of Federal 
        computer systems conducted under this section during the 12 
        months preceding the date of the report, including the 
        frequency of the use of commercially available security 
        products included on the list required by paragraph (2);
            ``(B) the planned evaluations and tests under this section 
        for the 12 months following the date of the report; and
            ``(C) any recommendations by the Institute to Federal 
        agencies resulting from the findings described in subparagraph 
        (A), and the response by the agencies to those 
        recommendations.''.

SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
inserting after subsection (c), as added by section 5 of this Act, the 
following new subsection:
    ``(d)(1) The Institute shall solicit the recommendations of the 
Computer System Security and Privacy Advisory Board, established by 
section 21, regarding standards and guidelines that are being 
considered for submittal to the Secretary in accordance with subsection 
(a)(4). The recommendations of the Board shall accompany standards and 
guidelines submitted to the Secretary.
    ``(2) There are authorized to be appropriated to the Secretary 
$1,030,000 for fiscal year 2001 and $1,060,000 for fiscal year 2002 to 
enable the Computer System Security and Privacy Advisory Board, 
established by section 21, to identify emerging issues related to 
computer security, privacy, and cryptography and to convene public 
meetings on those subjects, receive presentations, and publish reports, 
digests, and summaries for public distribution on those subjects.''.

SEC. 7. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
adding at the end the following new subsection:
    ``(g) The Institute shall not promulgate, enforce, or otherwise 
adopt standards, or carry out activities or policies, for the Federal 
establishment of encryption standards required for use in computer 
systems other than Federal Government computer systems.''.

SEC. 8. MISCELLANEOUS AMENDMENTS.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended--
            (1) in subsection (b)(9), as so redesignated by section 
        3(1) of this Act, by inserting ``to the extent that such 
        coordination will improve computer security and to the extent 
        necessary for improving such security for Federal computer 
        systems'' after ``Management and Budget)'';
            (2) in subsection (e), as so redesignated by section 5(1) 
        of this Act, by striking ``shall draw upon'' and inserting in 
        lieu thereof ``may draw upon'';
            (3) in subsection (e)(2), as so redesignated by section 
        5(1) of this Act, by striking ``(b)(5)'' and inserting in lieu 
        thereof ``(b)(8)''; and
            (4) in subsection (f)(1)(B)(i), as so redesignated by 
        section 5(1) of this Act, by inserting ``and computer 
        networks'' after ``computers''.

SEC. 9. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

    Section 5(b) of the Computer Security Act of 1987 (40 U.S.C. 759 
note) is amended--
            (1) by striking ``and'' at the end of paragraph (1);
            (2) by striking the period at the end of paragraph (2) and 
        inserting in lieu thereof ``; and''; and
            (3) by adding at the end the following new paragraph:
            ``(3) to include emphasis on protecting sensitive 
        information in Federal databases and Federal computer sites 
        that are accessible through public networks.''.

SEC. 10. COMPUTER SECURITY FELLOWSHIP PROGRAM.

    There are authorized to be appropriated to the Secretary of 
Commerce $500,000 for fiscal year 2001 and $500,000 for fiscal year 
2002 for the Director of the National Institute of Standards and 
Technology for fellowships, subject to the provisions of section 18 of 
the National Institute of Standards and Technology Act (15 U.S.C. 278g-1), 
to support students at institutions of higher learning in computer 
security. Amounts authorized by this section shall not be subject to 
the percentage limitation stated in such section 18.

SEC. 11. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH 
              COUNCIL.

    (a) Review by National Research Council.--Not later than 90 days 
after the date of the enactment of this Act, the Secretary of Commerce 
shall enter into a contract with the National Research Council of the 
National Academy of Sciences to conduct a study of public key 
infrastructures for use by individuals, businesses, and government.
    (b) Contents.--The study referred to in subsection (a) shall--
            (1) assess technology needed to support public key 
        infrastructures;
            (2) assess current public and private plans for the 
        deployment of public key infrastructures;
            (3) assess interoperability, scalability, and integrity of 
        private and public entities that are elements of public key 
        infrastructures;
            (4) make recommendations for Federal legislation and other 
        Federal actions required to ensure the national feasibility and 
        utility of public key infrastructures; and
            (5) address such other matters as the National Research 
        Council considers relevant to the issues of public key 
        infrastructure.
    (c) Interagency Cooperation With Study.--All agencies of the 
Federal Government shall cooperate fully with the National Research 
Council in its activities in carrying out the study under this section, 
including access by properly cleared individuals to classified 
information if necessary.
    (d) Report.--Not later than 18 months after the date of the 
enactment of this Act, the Secretary of Commerce shall transmit to the 
Committee on Science of the House of Representatives and the Committee 
on Commerce, Science, and Transportation of the Senate a report setting 
forth the findings, conclusions, and recommendations of the National 
Research Council for public policy related to public key 
infrastructures for use by individuals, businesses, and government. 
Such report shall be submitted in unclassified form.
    (e) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Commerce $450,000 for fiscal year 
2001, to remain available until expended, for carrying out this 
section.

SEC. 12. PROMOTION OF NATIONAL INFORMATION SECURITY.

    The Under Secretary of Commerce for Technology shall--
            (1) promote an increased use of security techniques, such 
        as risk assessment, and security tools, such as cryptography, 
        to enhance the protection of the Nation's information 
        infrastructure;
            (2) establish a central repository of information for 
        dissemination to the public to promote awareness of information 
        security vulnerabilities and risks; and
            (3) promote the development of the national, standards-based 
        infrastructure needed to support government, commercial, 
        and private uses of encryption technologies for confidentiality 
        and authentication.

SEC. 13. ELECTRONIC AUTHENTICATION INFRASTRUCTURE.

    (a) Electronic Authentication Infrastructure.--
            (1) Guidelines and standards.--Not later than 18 months 
        after the date of the enactment of this Act, the Director, in 
        consultation with industry and appropriate Federal agencies, 
        shall develop electronic authentication infrastructure 
        guidelines and standards for use by Federal agencies to assist 
        those agencies to effectively select and utilize electronic 
        authentication technologies in a manner that is--
                    (A) adequately secure to meet the needs of those 
                agencies and their transaction partners; and
                    (B) interoperable, to the maximum extent possible.
            (2) Elements.--The guidelines and standards developed under 
        paragraph (1) shall include--
                    (A) protection profiles for cryptographic and 
                noncryptographic methods of authenticating identity for 
                electronic authentication products and services;
                    (B) a core set of interoperability specifications 
                for the Federal acquisition of electronic 
                authentication products and services; and
                    (C) validation criteria to enable Federal agencies 
                to select cryptographic electronic authentication 
                products and services appropriate to their needs.
            (3) Coordination with national policy panel.--The Director 
        shall ensure that the development of guidelines and standards 
        with respect to cryptographic electronic authentication 
        products and services under this subsection is carried out in 
        consultation with the National Policy Panel for Digital 
        Signatures established under subsection (e).
            (4) Revisions.--The Director shall periodically review the 
        guidelines and standards developed under paragraph (1) and 
        revise them as appropriate.
    (b) Listing of Validated Products.--Not later than 30 months after 
the date of the enactment of this Act, and thereafter, the Director 
shall maintain and make available to Federal agencies and to the public 
a list of commercially available electronic authentication products, 
and other such products used by Federal agencies, evaluated as 
conforming with the guidelines and standards developed under subsection 
(a).
    (c) Specifications for Electronic Certification and Management 
Technologies.--
            (1) Specifications.--The Director shall, as appropriate, 
        establish core specifications for particular electronic 
        certification and management technologies, or their components, 
        for use by Federal agencies.
            (2) Evaluation.--The Director shall advise Federal agencies 
        on how to evaluate the conformance with the specifications 
        established under paragraph (1) of electronic certification and 
        management technologies, developed for use by Federal agencies 
        or available for such use.
            (3) Maintenance of list.--The Director shall maintain and 
        make available to Federal agencies a list of electronic 
        certification and management technologies evaluated as 
        conforming to the specifications established under paragraph 
        (1).
    (d) Reports.--Not later than 18 months after the date of the 
enactment of this Act, and annually thereafter, the Director shall 
transmit to the Congress a report that includes--
            (1) a description and analysis of the utilization by 
        Federal agencies of electronic authentication technologies; and
            (2) an evaluation of the extent to which Federal agencies' 
        electronic authentication infrastructures conform to the 
        guidelines and standards developed under subsection (a)(1).
    (e) National Policy Panel for Digital Signatures.--
            (1) Establishment.--Not later than 90 days after the date 
        of the enactment of this Act, the Under Secretary shall 
        establish a National Policy Panel for Digital Signatures. The 
        Panel shall be composed of government, academic, and industry 
        technical and legal experts on the implementation of digital 
        signature technologies, State officials, including officials from 
        States which have enacted laws recognizing the use of digital 
        signatures, and representative individuals from the interested public.
            (2) Responsibilities.--The Panel shall serve as a forum for 
        exploring all relevant factors associated with the development 
        of a national digital signature infrastructure based on uniform 
        guidelines and standards to enable the widespread availability 
        and use of digital signature systems. The Panel shall develop--
                    (A) model practices and procedures for 
                certification authorities to ensure the accuracy, 
                reliability, and security of operations associated with 
                issuing and managing digital certificates;
                    (B) guidelines and standards to ensure consistency 
                among jurisdictions that license certification 
                authorities; and
                    (C) audit procedures for certification authorities.
            (3) Coordination.--The Panel shall coordinate its efforts 
        with those of the Director under subsection (a).
            (4) Administrative support.--The Under Secretary shall 
        provide administrative support to enable the Panel to carry out 
        its responsibilities.
            (5) Report.--Not later than 1 year after the date of the 
        enactment of this Act, the Under Secretary shall transmit to 
        the Congress a report containing the recommendations of the 
        Panel.
    (f) Definitions.--For purposes of this section--
            (1) the term ``certification authorities'' means issuers of 
        digital certificates;
            (2) the term ``digital certificate'' means an electronic 
        document that binds an individual's identity to the 
        individual's key;
            (3) the term ``digital signature'' means a mathematically 
        generated mark utilizing key cryptography techniques that is 
        unique to both the signatory and the information signed;
            (4) the term ``digital signature infrastructure'' means the 
        software, hardware, and personnel resources, and the 
        procedures, required to effectively utilize digital 
        certificates and digital signatures;
            (5) the term ``electronic authentication'' means 
        cryptographic or noncryptographic methods of authenticating 
        identity in an electronic communication;
            (6) the term ``electronic authentication infrastructure'' 
        means the software, hardware, and personnel resources, and the 
        procedures, required to effectively utilize electronic 
        authentication technologies;
            (7) the term ``electronic certification and management 
        technologies'' means computer systems, including associated 
        personnel and procedures, that enable individuals to apply 
        unique digital signatures to electronic information;
            (8) the term ``protection profile'' means a list of 
        security functions and associated assurance levels used to 
        describe a product; and
            (9) the term ``Under Secretary'' means the Under Secretary 
        of Commerce for Technology.

SEC. 14. SOURCE OF AUTHORIZATIONS.

    There are authorized to be appropriated to the Secretary of 
Commerce $7,000,000 for fiscal year 2001 and $8,000,000 for fiscal year 
2002, for the National Institute of Standards and Technology to carry 
out activities authorized by this Act for which funds are not otherwise 
specifically authorized to be appropriated by this Act.