[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8214 Introduced in House (IH)]

<DOC>






116th CONGRESS
  2d Session
                                H. R. 8214

To direct the Secretary of Commerce, acting through the Director of the 
National Institute of Standards and Technology, to direct the Institute 
   to establish a robust program focusing on driving improvements in 
    America's cybersecurity posture by creating more robust digital 
             identity management standards and guidelines.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 11, 2020

Mr. Foster (for himself and Ms. Wexton) introduced the following bill; 
 which was referred to the Committee on Science, Space, and Technology

_______________________________________________________________________

                                 A BILL


 
To direct the Secretary of Commerce, acting through the Director of the 
National Institute of Standards and Technology, to direct the Institute 
   to establish a robust program focusing on driving improvements in 
    America's cybersecurity posture by creating more robust digital 
             identity management standards and guidelines.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Strengthening Digital Identity Act 
of 2020''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) NIST's work in identity research and standards is 
        unmatched anywhere in the world, with global standards 
        development organizations like the Financial Action Task Force 
        (FATF) pointing to NIST guidance in its own standards. Given 
        that adversaries continue to exploit weaknesses in digital 
        identity systems to conduct successful cyber-attacks, 
        additional NIST resources are needed to help government and 
        industry secure identity in cyberspace.
            (2) The lack of an easy, affordable, and reliable way for 
        organizations and businesses to identify whether an individual 
        is who they claim to be online creates an attack vector that is 
        widely exploited by adversaries in cyberspace and precludes 
        many high value transactions from being available online.
            (3) According to the identity theft resource center, 
        incidents of identity theft and identity fraud continue to rise 
        in the United States, where more than 164,000,000 consumer 
        records containing personally identifiable information were 
        breached in 2019, increasing the total number of data breaches 
        by 17 percent from the previous year.
            (4) According to the Insurance Information Institute, in 
        2018, losses resulting from identity fraud amounted to 
        $16,800,000,000.
            (5) The inadequacy of current digital identity solutions 
        degrades security and privacy for all Americans, and next 
        generation solutions are needed that improve both security and 
        privacy.
            (6) Government entities, as authoritative issuers of 
        identity in the United States, are uniquely positioned to 
        deliver critical components that address deficiencies in our 
        digital identity infrastructure and augment private sector 
        digital identity and authentication solutions.
            (7) State governments are particularly well suited to play 
        a role in enhancing digital identity solutions used by both the 
        public and private sectors, given the role of State governments 
        as the issuers of driver's licenses and other identity 
        documents commonly used today.
            (8) It should be the policy of the Government to use the 
        authorities and capabilities of the Government to enhance the 
        security, reliability, privacy, and convenience of digital 
        identity solutions that support and protect transactions 
        between individuals, government entities, and businesses, and 
        that enable Americans to prove who they are online.

SEC. 3. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

    Section 504 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 
7464) is amended to read as follows:

``SEC. 504. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

    ``(a) In General.--The Director shall continue a program to support 
the development of voluntary and cost-effective technical standards, 
metrology, testbeds, and conformance criteria, taking into account 
appropriate user concerns--
            ``(1) to improve interoperability among identity management 
        technologies;
            ``(2) to strengthen identity proofing and authentication 
        methods used in identity management systems;
            ``(3) to improve privacy protection in identity management 
        systems, including health information technology systems, 
        through authentication and security protocols; and
            ``(4) to improve the usability and inclusivity of identity 
        management systems.
    ``(b) Updates and Investment Strategy.--The Director, in 
consultation with other relevant Federal agencies and stakeholders from 
the private sector, shall develop and implement a comprehensive 
forward-looking investment strategy for identity management research 
and development and standards focused on enabling the use and adoption 
of modern digital identity solutions that align with the four criteria 
in section (a). This strategy shall:
            ``(1) Identify where additional funding may be needed to 
        execute all elements of the strategy, both in NIST and 
        potentially in other parts of government.
            ``(2) Be updated not less than every 2 years with reports 
        to the House Science Committee, Senate Commerce Committee, and 
        House and Senate appropriations committees.
    ``(c) Activities.--In carrying out the strategy described under 
subsection (a), the Director shall give consideration to activities 
that--
            ``(1) accelerate the development, in collaboration with the 
        private sector, of standards that address interoperability and 
        portability of digital identity solutions;
            ``(2) addresses gaps in current private-sector-led identity 
        management research and development and standards work, both 
        for consumer-focused and enterprise-focused identity 
        management;
            ``(3) advances the development of conformance testing 
        performed by the private sector in support of digital identity 
        standardization;
            ``(4) addresses challenges with inclusivity of existing 
        digital identity and identity management tools; and
            ``(5) support, in consultation with other relevant Federal 
        agencies and stakeholders from the private sector, the 
        development of appropriate security frameworks and reference 
        materials, and the identification of best practices, for use by 
        Federal agencies and the private sector to address security and 
        privacy requirements to enable the use and adoption of digital 
        identity services.''.

SEC. 4. DIGITAL IDENTITY STANDARDS.

    (a) Establishment of a Standards Framework.--The Director shall 
develop a framework of standards, methodologies, procedures, and 
processes (in this section referred to as the ``Framework'') as a guide 
for Federal, State, and local governments to follow when providing 
services related to digital identity verification.
    (b) Consideration.--In developing the Framework, the Director shall 
consider--
            (1) methods to protect the privacy of individuals;
            (2) security needs; and
            (3) the needs of potential end-users and individuals that 
        will use services related to digital identity verification.
    (c) Consultation.--In carrying out subsection the Director shall 
consult with--
            (1) Federal and State agencies;
            (2) potential end-users and individuals that will use 
        services related to digital identity verification; and
            (3) experts with relevant experience in the systems that 
        enable digital identity verification, as determined by the 
        Director.
    (d) Interim Publication.--Not later than 240 days after the date of 
the enactment of this Act, the Director shall publish an interim 
version of the Framework.
    (e) Final Publication.--Not later than 1 year after the date of the 
enactment of this Act, the Director shall publish a final version of 
the Framework.
    (f) Updates to the Framework.--The Director shall, from time to 
time, update the Framework, with consideration given to--
            (1) feedback from Federal, State, and local agencies that 
        provide services related to digital identity verification; and
            (2) any technological changes to the systems that enable 
        digital identity verification.
    (g) Authorization of Appropriations.--There is authorized to be 
appropriated to the Secretary $10,000,000 for each of fiscal years 2021 
through 2025 to carry out this Act and the amendments made by this Act.

SEC. 5. DEFINITIONS.

    For purposes of this Act:
            (1) Bot.--The term ``Bot'' means an autonomous program on 
        an Internet network that can interact with computer systems or 
        users, especially one designed to respond or behave like a 
        human being.
            (2) Digital identity verification.--The term ``digital 
        identity verification'' means a process to verify the identity 
        of an individual accessing a service online.
            (3) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (4) Institute.--The term ``Institute'' means the National 
        Institute of Standards and Technology.
            (5) Secretary.--The term ``Secretary'' means the Secretary 
        of Commerce.
                                 <all>