[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4259 Introduced in House (IH)]

117th CONGRESS
  1st Session
                                H. R. 4259

To direct the Secretary of Commerce, acting through the Director of the 
National Institute of Standards and Technology, to direct the Institute 
   to establish a robust program focusing on driving improvements in 
    America's cybersecurity posture by creating more robust digital 
             identity management standards and guidelines.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             June 30, 2021

Mr. Foster (for himself and Ms. Wexton) introduced the following bill; 
 which was referred to the Committee on Science, Space, and Technology

_______________________________________________________________________

                                 A BILL


 
To direct the Secretary of Commerce, acting through the Director of the 
National Institute of Standards and Technology, to direct the Institute 
   to establish a robust program focusing on driving improvements in 
    America's cybersecurity posture by creating more robust digital 
             identity management standards and guidelines.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Strengthening Digital Identity Act 
of 2021''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) NIST's work in identity research and standards is 
        unmatched anywhere in the world, with global standards 
        development organizations like the Financial Action Task Force 
        (FATF) pointing to NIST guidance in its own standards. Given 
        that adversaries continue to exploit weaknesses in digital 
        identity systems to conduct successful cyber-attacks, 
        additional NIST resources are needed to help government and 
        industry secure identity in cyberspace.
            (2) The lack of an easy, affordable, and reliable way for 
        organizations and businesses to identify whether an individual 
        is who they claim to be online creates an attack vector that is 
        widely exploited by adversaries in cyberspace and precludes 
        many high value transactions from being available online.
            (3) According to the Identity Theft Resource Center, 
        incidents of identity theft and identity fraud continue to rise 
        in the United States, where more than 164,000,000 consumer 
        records containing personally identifiable information were 
        breached in 2019, increasing the total number of data breaches 
        by 17 percent from the previous year.
            (4) According to the Insurance Information Institute, in 
        2018, losses resulting from identity fraud amounted to 
        $16,800,000,000.
            (5) The inadequacy of current digital identity solutions 
        degrades security and privacy for all Americans, and next 
        generation solutions are needed that improve both security and 
        privacy.
            (6) Government entities, as authoritative issuers of 
        identity in the United States, are uniquely positioned to 
        deliver critical components that address deficiencies in our 
        digital identity infrastructure and augment private sector 
        digital identity and authentication solutions.
            (7) State governments are particularly well suited to play 
        a role in enhancing digital identity solutions used by both the 
        public and private sectors, given the role of State governments 
        as the issuers of driver's licenses and other identity 
        documents commonly used today.
            (8) It should be the policy of the Government to use the 
        authorities and capabilities of the Government to enhance the 
        security, reliability, privacy, and convenience of digital 
        identity solutions that support and protect transactions 
        between individuals, government entities, and businesses, and 
        that enable Americans to prove who they are online.

SEC. 3. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

    Section 504 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 
7464) is amended to read as follows:

``SEC. 504. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.

    ``(a) In General.--The Director shall administer a program to 
support the development of voluntary and cost-effective technical 
standards, metrology, testbeds, and conformance criteria, taking into 
account appropriate user concerns--
            ``(1) to improve interoperability among identity management 
        technologies;
            ``(2) to strengthen identity proofing and authentication 
        methods used in identity management systems;
            ``(3) to improve privacy protection in identity management 
        systems, including health information technology systems, 
        through authentication and security protocols; and
            ``(4) to improve the usability and inclusivity of identity 
        management systems.
    ``(b) Digital Identity Technical Roadmap.--The Director, in 
consultation with other relevant Federal agencies and stakeholders from 
the private sector, shall develop, implement, and maintain a technical 
roadmap for identity management research and the development of 
standards and guidelines focused on enabling the use and adoption of 
modern digital identity solutions that align with the four criteria in 
subsection (a). This roadmap and any subsequent updates shall be made 
public.
    ``(c) Activities.--In carrying out the program described under 
subsection (a), the Director shall give consideration to activities 
that--
            ``(1) accelerate the development, in collaboration with the 
        private sector, of standards that address interoperability and 
        portability of digital identity solutions;
            ``(2) addresses gaps in current private-sector-led identity 
        management research and development and standards work, both 
        for consumer-focused and enterprise-focused identity 
        management;
            ``(3) advances the development of conformance testing 
        performed by the private sector in support of digital identity 
        standardization;
            ``(4) addresses challenges with inclusivity of existing 
        digital identity and identity management tools; and
            ``(5) support, in consultation with other relevant Federal 
        agencies and stakeholders from the private sector, the 
        development of appropriate security frameworks and reference 
        materials, and the identification of best practices, for use by 
        Federal agencies and the private sector to address security and 
        privacy requirements to enable the use and adoption of digital 
        identity services.''.

SEC. 4. DIGITAL IDENTITY FRAMEWORK.

    (a) Establishment of a Framework.--Not later than 1 year after the 
date of the enactment of this Act, the Director shall develop and 
periodically update a framework of standards, methodologies, 
procedures, and processes (in this section referred to as the 
``Framework'') as a guide for Federal, State, and local governments to 
follow when providing services to support digital identity 
verification.
    (b) Consideration.--In developing the Framework, the Director shall 
consider--
            (1) methods to protect the privacy of individuals;
            (2) security needs; and
            (3) the needs of potential end-users and individuals that 
        will use services related to digital identity verification.
    (c) Consultation.--In carrying out subsection (a) the Director 
shall consult with--
            (1) Federal and State agencies;
            (2) potential end-users and individuals that will use 
        services related to digital identity verification; and
            (3) experts with relevant experience in the systems that 
        enable digital identity verification, as determined by the 
        Director.
    (d) Interim Publication.--Not later than 240 days after the date of 
the enactment of this Act, the Director shall publish an interim 
version of the Framework.
    (e) Authorization of Appropriations.--There is authorized to be 
appropriated to the Secretary $10,000,000 for each of fiscal years 2022 
through 2026 to carry out this Act and the amendments made by this Act.

SEC. 5. DEFINITIONS.

    For purposes of this Act:
            (1) Digital identity verification.--The term ``digital 
        identity verification'' means a process to verify the identity 
        of an individual accessing a service online.
            (2) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (3) Institute.--The term ``Institute'' means the National 
        Institute of Standards and Technology.
            (4) Secretary.--The term ``Secretary'' means the Secretary 
        of Commerce.