[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1259 Engrossed in House (EH)]


  1st Session

                               H. R. 1259

_______________________________________________________________________

                                 AN ACT

  To amend the National Institute of Standards and Technology Act to 
    enhance the ability of the National Institute of Standards and 
    Technology to improve computer security, and for other purposes.
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
107th CONGRESS
  1st Session
                                H. R. 1259

_______________________________________________________________________

                                 AN ACT


 
  To amend the National Institute of Standards and Technology Act to 
    enhance the ability of the National Institute of Standards and 
    Technology to improve computer security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Computer Security Enhancement Act of 
2001''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds the following:
            (1) The National Institute of Standards and Technology has 
        responsibility for developing standards and guidelines needed 
        to ensure the cost-effective security and privacy of sensitive 
        information in Federal computer systems.
            (2) The Federal Government has an important role in 
        ensuring the protection of sensitive, but unclassified, 
        information controlled by Federal agencies.
            (3) Technology that is based on the application of 
        cryptography exists and can be readily provided by private 
        sector companies to ensure the confidentiality, authenticity, 
        and integrity of information associated with public and private 
        activities.
            (4) The development and use of encryption technologies by 
        industry should be driven by market forces rather than by 
        Government imposed requirements.
    (b) Purposes.--The purposes of this Act are to--
            (1) reinforce the role of the National Institute of 
        Standards and Technology in ensuring the security of 
        unclassified information in Federal computer systems; and
            (2) promote technology solutions based on private sector 
        offerings to protect the security of Federal computer systems.

SEC. 3. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.

    Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)) is amended--
            (1) by redesignating paragraphs (4) and (5) as paragraphs 
        (7) and (8), respectively; and
            (2) by inserting after paragraph (3) the following new 
        paragraphs:
            ``(4) except for national security systems, as defined in 
        section 5142 of Public Law 104-106 (40 U.S.C. 1452), to provide 
        guidance and assistance to Federal agencies for protecting the 
        security and privacy of sensitive information in interconnected 
        Federal computer systems, including identification of 
        significant risks thereto;
            ``(5) to promote compliance by Federal agencies with 
        existing Federal computer information security and privacy 
        guidelines;
            ``(6) in consultation with appropriate Federal agencies, 
        assist Federal response efforts related to unauthorized access 
        to Federal computer systems;''.

SEC. 4. COMPUTER SECURITY IMPLEMENTATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is further amended--
            (1) by redesignating subsections (c) and (d) as subsections 
        (e) and (f), respectively; and
            (2) by inserting after subsection (b) the following new 
        subsection:
    ``(c)(1) In carrying out subsection (a)(2) and (3), the Institute 
shall--
            ``(A) emphasize the development of technology-neutral 
        policy guidelines for computer security and electronic 
        authentication practices by the Federal agencies;
            ``(B) promote the use of commercially available products, 
        which appear on the list required by paragraph (2), to provide 
        for the security and privacy of sensitive information in 
        Federal computer systems;
            ``(C) develop qualitative and quantitative measures 
        appropriate for assessing the quality and effectiveness of 
        information security and privacy programs at Federal agencies;
            ``(D) upon the request of a Federal agency, perform 
        evaluations to assess its existing information security and 
        privacy programs;
            ``(E) promote development of accreditation procedures for 
        Federal agencies based on the measures developed under 
        subparagraph (C);
            ``(F) if requested, consult with and provide assistance to 
        Federal agencies regarding the selection by agencies of 
        security technologies and products and the implementation of 
        security practices; and
            ``(G)(i) develop uniform testing procedures suitable for 
        determining the conformance of commercially available security 
        products to the guidelines and standards developed under 
        subsection (a)(2) and (3);
            ``(ii) establish procedures for certification of private 
        sector laboratories to perform the tests and evaluations of 
        commercially available security products developed in 
        accordance with clause (i); and
            ``(iii) promote the testing of commercially available 
        security products for their conformance with guidelines and 
        standards developed under subsection (a)(2) and (3).
    ``(2) The Institute shall maintain and make available to Federal 
agencies and to the public a list of commercially available security 
products that have been tested by private sector laboratories certified 
in accordance with procedures established under paragraph (1)(G)(ii), 
and that  have been found to be in conformance with the guidelines and 
standards developed under subsection (a)(2) and (3).
    ``(3) The Institute shall annually transmit to the Congress, in an 
unclassified format, a report containing--
            ``(A) the findings of the evaluations and tests of Federal 
        computer systems conducted under this section during the 12 
        months preceding the date of the report, including the 
        frequency of the use of commercially available security 
        products included on the list required by paragraph (2);
            ``(B) the planned evaluations and tests under this section 
        for the 12 months following the date of the report; and
            ``(C) any recommendations by the Institute to Federal 
        agencies resulting from the findings described in subparagraph 
        (A), and the response by the agencies to those 
        recommendations.''.

SEC. 5. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
inserting after subsection (c), as added by section 4 of this Act, the 
following new subsection:
    ``(d)(1) The Institute shall solicit the recommendations of the 
Computer System Security and Privacy Advisory Board, established by 
section 21, regarding standards and guidelines that are being 
considered for submittal to the Secretary in accordance with subsection 
(a)(4). The recommendations of the Board shall accompany standards and 
guidelines submitted to the Secretary.
    ``(2) There are authorized to be appropriated to the Secretary 
$1,030,000 for fiscal year 2002 and $1,060,000 for fiscal year 2003 to 
enable the Computer System Security and Privacy Advisory Board, 
established by section 21, to identify emerging issues related to 
computer security, privacy, and cryptography and to convene public 
meetings on those subjects, receive presentations, and publish reports, 
digests, and summaries for public distribution on those subjects.''.

SEC. 6. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION AND 
              ELECTRONIC AUTHENTICATION STANDARDS.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by 
adding at the end the following new subsection:
    ``(g) The Institute shall not promulgate, enforce, or otherwise 
adopt standards or policies for the Federal establishment of encryption 
and electronic authentication standards required for use in computer 
systems other than Federal Government computer systems.''.

SEC. 7. MISCELLANEOUS AMENDMENTS.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended--
            (1) in subsection (b)(8), as so redesignated by section 
        3(1) of this Act, by inserting ``to the extent that such 
        coordination will improve computer security and to the extent 
        necessary for improving such security for Federal computer 
        systems'' after ``Management and Budget)'';
            (2) in subsection (e), as so redesignated by section 4(1) 
        of this Act, by striking ``shall draw upon'' and inserting in 
        lieu thereof ``may draw upon'';
            (3) in subsection (e)(2), as so redesignated by section 
        4(1) of this Act, by striking ``(b)(5)'' and inserting in lieu 
        thereof ``(b)(7)''; and
            (4) in subsection (f)(1)(B)(i), as so redesignated by 
        section 4(1) of this Act, by inserting ``and computer 
        networks'' after ``computers''.

SEC. 8. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

    Section 5(b) of the Computer Security Act of 1987 (40 U.S.C. 759 
note) is amended--
            (1) by striking ``and'' at the end of paragraph (1);
            (2) by striking the period at the end of paragraph (2) and 
        inserting in lieu thereof ``; and''; and
            (3) by adding at the end the following new paragraph:
            ``(3) to include emphasis on protecting information in 
        Federal databases and Federal computer sites that are 
        accessible through public networks.''.

SEC. 9. COMPUTER SECURITY FELLOWSHIP PROGRAM.

    There are authorized to be appropriated to the Secretary of 
Commerce $5,000,000 for fiscal year 2002 and $5,000,000 for fiscal year 
2003 for the Director of the National Institute of Standards and 
Technology for fellowships, subject to the provisions of section 18 of 
the National Institute of Standards and Technology Act (15 U.S.C. 278g-
1), to support students at institutions of higher learning in computer 
security. Amounts authorized by this section shall not be subject to 
the percentage limitation stated in such section 18.

SEC. 10. STUDY OF ELECTRONIC AUTHENTICATION TECHNOLOGIES BY THE 
              NATIONAL RESEARCH COUNCIL.

    (a) Review by National Research Council.--Not later than 90 days 
after the date of the enactment of this Act, the Secretary of Commerce 
shall enter into a contract with the National Research Council of the 
National Academy of Sciences to conduct a study of electronic 
authentication technologies for use by individuals, businesses, and 
government.
    (b) Contents.--The study referred to in subsection (a) shall--
            (1) assess technology needed to support electronic 
        authentication technologies;
            (2) assess current public and private plans for the 
        deployment of electronic authentication technologies;
            (3) assess interoperability, scalability, and integrity of 
        private and public entities that are elements of electronic 
        authentication technologies; and
            (4) address such other matters as the National Research 
        Council considers relevant to the issues of electronic 
        authentication technologies.
    (c) Interagency Cooperation With Study.--All agencies of the 
Federal Government shall cooperate fully with the National Research 
Council in its activities in carrying out the study under this section, 
including access by properly cleared individuals to classified 
information if necessary.
    (d) Report.--Not later than 18 months after the date of the 
enactment of this Act, the Secretary of Commerce shall transmit to the 
Committee on Science of the House of Representatives and the Committee 
on Commerce, Science, and Transportation of the Senate a report setting 
forth the findings, conclusions, and recommendations of the National 
Research Council for public policy related to electronic authentication 
technologies for use by individuals, businesses, and government. The 
National Research Council shall not recommend the implementation or 
application of a specific electronic authentication technology or 
electronic authentication technical specification for use by the 
Federal Government. Such report shall be submitted in unclassified 
form.
    (e) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Commerce $450,000 for fiscal year 
2002, to remain available until expended, for carrying out this 
section.

SEC. 11. PROMOTION OF NATIONAL INFORMATION SECURITY.

    The Under Secretary of Commerce for Technology shall--
            (1) promote an increased use of security techniques, such 
        as risk assessment, and security tools, such as cryptography, 
        to enhance the protection of the Nation's information 
        infrastructure;
            (2) establish a central repository of information for 
        dissemination to the public to promote awareness of information 
        security vulnerabilities and risks; and
            (3) in a manner consistent with section 12(d) of the 
        National Technology Transfer and Advancement Act of 1995 (15 
        U.S.C. 272 nt), promote the development of national standards-
        based infrastructures needed to support government, commercial, 
        and private uses of encryption technologies for confidentiality 
        and authentication.

SEC. 12. ELECTRONIC AUTHENTICATION INFRASTRUCTURES.

    (a) Electronic Authentication Infrastructures.--
            (1) Technology-neutral guidelines and standards.--Not later 
        than 18 months after the date of the enactment of this Act, the 
        Director, in consultation with industry and appropriate Federal 
        agencies, shall develop technology-neutral guidelines and 
        standards, or adopt existing technology-neutral industry 
        guidelines and standards, for electronic authentication 
        infrastructures to be made available to Federal agencies so 
        that such agencies may effectively select and utilize 
        electronic authentication technologies in a manner that is--
                    (A) adequately secure to meet the needs of those 
                agencies and their transaction partners; and
                    (B) interoperable, to the maximum extent possible.
            (2) Elements.--The guidelines and standards developed under 
        paragraph (1) shall include--
                    (A) protection profiles for cryptographic and 
                noncryptographic methods of authenticating identity for 
                electronic authentication products and services;
                    (B) a core set of interoperability specifications 
                for the use of electronic authentication products and 
                services in electronic transactions between Federal 
                agencies and their transaction partners; and
                    (C) validation criteria to enable Federal agencies 
                to select cryptographic electronic authentication 
                products and services appropriate to their needs.
            (3) Revisions.--The Director shall periodically review the 
        guidelines and standards developed under paragraph (1) and 
        revise them as appropriate.
    (b) Listing of Products.--Not later than 30 months after the date 
of the enactment of this Act, and thereafter, the Director shall 
maintain and make available to Federal agencies a nonmandatory list of 
commercially available electronic authentication products, and other 
such products used by Federal agencies, evaluated as conforming with 
the guidelines and standards developed under subsection (a).
    (c) Specifications for Electronic Certification and Management 
Technologies.--
            (1) Specifications.--The Director shall, as appropriate, 
        establish core specifications for particular electronic 
        certification and management technologies, or their components, 
        for use by Federal agencies.
            (2) Evaluation.--The Director shall advise Federal agencies 
        on how to evaluate the conformance with the specifications 
        established under paragraph (1) of electronic certification and 
        management technologies, developed for use by Federal agencies 
        or available for such use.
            (3) Maintenance of list.--The Director shall maintain and 
        make available to Federal agencies a list of electronic 
        certification and management technologies evaluated as 
        conforming to the specifications established under paragraph 
        (1).
    (d) Reports.--Not later than 18 months after the date of the 
enactment of this Act, and annually thereafter, the Director shall 
transmit to the Congress a report that includes--
            (1) a description and analysis of the utilization by 
        Federal agencies of electronic authentication technologies; and
            (2) a description and analysis regarding the problems 
        Federal agencies are having, and the progress such agencies are 
        making, in implementing electronic authentication 
        infrastructures.
    (e) Definitions.--For purposes of this section--
            (1) the term ``electronic authentication'' means 
        cryptographic or noncryptographic methods of authenticating 
        identity in an electronic communication;
            (2) the term ``electronic authentication infrastructure'' 
        means the software, hardware, and personnel resources, and the 
        procedures, required to effectively utilize electronic 
        authentication technologies;
            (3) the term ``electronic certification and management 
        technologies'' means computer systems, including associated 
        personnel and procedures, that enable individuals to apply 
        electronic authentication to electronic information; and
            (4) the term ``protection profile'' means a list of 
        security functions and associated assurance levels used to 
        describe a product.

SEC. 13. SOURCE OF AUTHORIZATIONS.

    There are authorized to be appropriated to the Secretary of 
Commerce $7,000,000 for fiscal year 2002 and $8,000,000 for fiscal year 
2003, for the National Institute of Standards and Technology to carry 
out activities authorized by this Act for which funds are not otherwise 
specifically authorized to be appropriated by this Act.

            Passed the House of Representatives November 27, 2001.

            Attest:

                                                                 Clerk.