[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4528 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 616
117th CONGRESS
  2d Session
                                S. 4528

                          [Report No. 117-238]

To establish a Government-wide approach to improving digital identity, 
                        and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 13, 2022

Ms. Sinema (for herself and Ms. Lummis) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                           December 12, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
To establish a Government-wide approach to improving digital identity, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Improving Digital Identity 
Act of 2022''.</DELETED>

<DELETED>SEC. 2. FINDINGS.</DELETED>

<DELETED>    Congress finds the following:</DELETED>
        <DELETED>    (1) The lack of an easy, affordable, reliable, and 
        secure way for organizations, businesses, and government 
        agencies to identify whether an individual is who they claim to 
        be online creates an attack vector that is widely exploited by 
        adversaries in cyberspace and precludes many high-value 
        transactions from being available online.</DELETED>
        <DELETED>    (2) Incidents of identity theft and identity fraud 
        continue to rise in the United States, where more than 
        293,000,000 people were impacted by data breaches in 
        2021.</DELETED>
        <DELETED>    (3) Since 2017, losses resulting from identity 
        fraud have increased by 333 percent, and, in 2020, those losses 
        totaled $56,000,000,000.</DELETED>
        <DELETED>    (4) The Director of the Treasury Department 
        Financial Crimes Enforcement Network has stated that the abuse 
        of personally identifiable information and other building 
        blocks of identity is a key enabler behind much of the fraud 
        and cybercrime affecting the United States today.</DELETED>
        <DELETED>    (5) Trustworthy digital identity solutions can 
        help give under-banked and unbanked individuals better access 
        to digital financial services through innovative delivery 
        channels that promote financial inclusion.</DELETED>
        <DELETED>    (6) The inadequacy of current digital identity 
        solutions degrades security and privacy for all people in the 
        United States, and next generation solutions are needed that 
        improve security, privacy, equity, and accessibility.</DELETED>
        <DELETED>    (7) Government entities, as authoritative issuers 
        of identity in the United States, are uniquely positioned to 
        deliver critical components that address deficiencies in the 
        digital identity infrastructure of the United States and 
        augment private sector digital identity and authentication 
        solutions.</DELETED>
        <DELETED>    (8) State governments are particularly well-suited 
        to play a role in enhancing digital identity solutions used by 
        both the public and private sectors, given the role of State 
        governments as the issuers of driver's licenses and other 
        identity documents commonly used today.</DELETED>
        <DELETED>    (9) The public and private sectors should 
        collaborate to deliver solutions that promote confidence, 
        privacy, choice, equity, accessibility, and innovation. The 
        private sector drives much of the innovation around digital 
        identity in the United States and has an important role to play 
        in delivering digital identity solutions.</DELETED>
        <DELETED>    (10) The bipartisan Commission on Enhancing 
        National Cybersecurity has called for the Federal Government to 
        ``create an interagency task force directed to find secure, 
        user-friendly, privacy-centric ways in which agencies can serve 
        as 1 authoritative source to validate identity attributes in 
        the broader identity market. This action would enable 
        Government agencies and the private sector to drive significant 
        risk out of new account openings and other high-risk, high-
        value online services, and it would help all citizens more 
        easily and securely engage in transactions online.''.</DELETED>
        <DELETED>    (11) The National Institute of Standards and 
        Technology has published digital identity guidelines that 
        address technical requirements for identity proofing and the 
        authentication of users, but those guidelines do not cover 
        requirements for providing identity attribute validation 
        services that could be used to support identity 
        proofing.</DELETED>
        <DELETED>    (12) It should be the policy of the Federal 
        Government to use the authorities and capabilities of the 
        Federal Government to enhance the security, reliability, 
        privacy, equity, accessibility, and convenience of digital 
        identity solutions that support and protect transactions 
        between individuals, government entities, and businesses, and 
        that enable people in the United States to prove who they are 
        online, by providing consent-based identity attribute 
        validation services and other components that address 
        deficiencies in the digital identity infrastructure of the 
        United States and augment private sector digital identity and 
        authentication solutions.</DELETED>

<DELETED>SEC. 3. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Appropriate notification entities.--The term 
        ``appropriate notification entities'' means--</DELETED>
                <DELETED>    (A) the President;</DELETED>
                <DELETED>    (B) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and</DELETED>
                <DELETED>    (C) the Committee on Oversight and Reform 
                of the House of Representatives.</DELETED>
        <DELETED>    (2) Digital identity verification.--The term 
        ``digital identity verification'' means a process to verify the 
        identity or an identity attribute of an individual accessing a 
        service online or through another electronic means.</DELETED>
        <DELETED>    (3) Director.--The term ``Director'' means the 
        Director of the Task Force.</DELETED>
        <DELETED>    (4) Federal agency.--The term ``Federal agency'' 
        has the meaning given the term in section 102 of the Robert T. 
        Stafford Disaster Relief and Emergency Assistance Act (42 
        U.S.C. 5122).</DELETED>
        <DELETED>    (5) Identity attribute.--The term ``identity 
        attribute'' means a data element associated with the identity 
        of an individual, including, the name, address, or date of 
        birth of an individual.</DELETED>
        <DELETED>    (6) Identity credential.--The term ``identity 
        credential'' means a document or other evidence of the identity 
        of an individual issued by a government agency that conveys the 
        identity of the individual, including a driver's license or 
        passport.</DELETED>
        <DELETED>    (7) Secretary.--The term ``Secretary'' means the 
        Secretary of Homeland Security.</DELETED>
        <DELETED>    (8) Task force.--The term ``Task Force'' means the 
        Improving Digital Identity Task Force established under section 
        4(a).</DELETED>

<DELETED>SEC. 4. IMPROVING DIGITAL IDENTITY TASK FORCE.</DELETED>

<DELETED>    (a) Establishment.--There is established in the Executive 
Office of the President a task force to be known as the ``Improving 
Digital Identity Task Force''.</DELETED>
<DELETED>    (b) Purpose.--The purpose of the Task Force shall be to 
establish and coordinate a government-wide effort to develop secure 
methods for Federal, State, local, Tribal, and territorial agencies to 
improve access and enhance security between physical and digital 
identity credentials to--</DELETED>
        <DELETED>    (1) protect the privacy and security of 
        individuals;</DELETED>
        <DELETED>    (2) support reliable, interoperable digital 
        identity verification in the public and private sectors; 
        and</DELETED>
        <DELETED>    (3) in achieving paragraphs (1) and (2), place a 
        particular emphasis on--</DELETED>
                <DELETED>    (A) reducing identity theft and 
                fraud;</DELETED>
                <DELETED>    (B) enabling trusted transactions; 
                and</DELETED>
                <DELETED>    (C) ensuring equitable access to digital 
                identity verification.</DELETED>
<DELETED>    (c) Director.--</DELETED>
        <DELETED>    (1) In general.--The Task Force shall have a 
        Director, who shall be appointed by the President.</DELETED>
        <DELETED>    (2) Position.--The Director shall serve at the 
        pleasure of the President.</DELETED>
        <DELETED>    (3) Pay and allowances.--The Director shall be 
        compensated at the rate of basic pay prescribed for level II of 
        the Executive Schedule under section 5313 of title 5, United 
        States Code.</DELETED>
        <DELETED>    (4) Qualifications.--The Director shall have 
        substantive technical expertise and managerial acumen that--
        </DELETED>
                <DELETED>    (A) is in the business of digital identity 
                management, information security, or benefits 
                administration;</DELETED>
                <DELETED>    (B) is gained from not less than 1 
                organization; and</DELETED>
                <DELETED>    (C) includes specific expertise gained 
                from academia, advocacy organizations, and the private 
                sector.</DELETED>
        <DELETED>    (5) Exclusivity.--The Director may not serve in 
        any other capacity within the Federal Government while serving 
        as Director.</DELETED>
        <DELETED>    (6) Term.--The term of the Director, including any 
        official acting in the role of the Director, shall terminate on 
        the date described in subsection (k).</DELETED>
<DELETED>    (d) Membership.--</DELETED>
        <DELETED>    (1) Federal government representatives.--The Task 
        Force shall include the following individuals or the designees 
        of such individuals:</DELETED>
                <DELETED>    (A) The Secretary.</DELETED>
                <DELETED>    (B) The Secretary of the 
                Treasury.</DELETED>
                <DELETED>    (C) The Director of the National Institute 
                of Standards and Technology.</DELETED>
                <DELETED>    (D) The Director of the Financial Crimes 
                Enforcement Network.</DELETED>
                <DELETED>    (E) The Commissioner of Social 
                Security.</DELETED>
                <DELETED>    (F) The Secretary of State.</DELETED>
                <DELETED>    (G) The Administrator of General 
                Services.</DELETED>
                <DELETED>    (H) The Director of the Office of 
                Management and Budget.</DELETED>
                <DELETED>    (I) The heads of other Federal agencies or 
                offices as the President may designate or invite, as 
                appropriate.</DELETED>
        <DELETED>    (2) State, local, tribal, and territorial 
        government representatives.--The Director shall appoint to the 
        Task Force 6 State, local, Tribal, and territorial government 
        officials who represent agencies that issue identity 
        credentials and who have--</DELETED>
                <DELETED>    (A) experience in identity technology and 
                services;</DELETED>
                <DELETED>    (B) knowledge of the systems used to 
                provide identity credentials; or</DELETED>
                <DELETED>    (C) any other qualifications or 
                competencies that may help achieve balance or otherwise 
                support the mission of the Task Force.</DELETED>
        <DELETED>    (3) Nongovernmental experts.--</DELETED>
                <DELETED>    (A) In general.--The Director shall 
                appoint to the Task Force 5 nongovernmental 
                experts.</DELETED>
                <DELETED>    (B) Specific appointments.--The experts 
                appointed under subparagraph (A) shall include the 
                following:</DELETED>
                        <DELETED>    (i) A member who is a privacy and 
                        civil liberties expert.</DELETED>
                        <DELETED>    (ii) A member who is a technical 
                        expert in identity verification.</DELETED>
                        <DELETED>    (iii) A member who is a technical 
                        expert in cybersecurity focusing on identity 
                        verification services.</DELETED>
                        <DELETED>    (iv) A member who represents an 
                        industry identity verification service 
                        provider.</DELETED>
                        <DELETED>    (v) A member who represents a 
                        party that relies on effective identity 
                        verification services to conduct 
                        business.</DELETED>
<DELETED>    (e) Working Groups.--The Director shall organize the 
members of the Task Force into appropriate working groups for the 
purpose of increasing the efficiency and effectiveness of the Task 
Force, as appropriate.</DELETED>
<DELETED>    (f) Meetings.--The Task Force shall--</DELETED>
        <DELETED>    (1) convene at the call of the Director; 
        and</DELETED>
        <DELETED>    (2) provide an opportunity for public comment in 
        accordance with section 10(a)(3) of the Federal Advisory 
        Committee Act (5 U.S.C. App.).</DELETED>
<DELETED>    (g) Duties.--In carrying out the purpose described in 
subsection (b), the Task Force shall--</DELETED>
        <DELETED>    (1) identify Federal, State, local, Tribal, and 
        territorial agencies that issue identity credentials or hold 
        information relating to identifying an individual;</DELETED>
        <DELETED>    (2) assess restrictions with respect to the 
        abilities of the agencies described in paragraph (1) to verify 
        identity information for other agencies and nongovernmental 
        organizations;</DELETED>
        <DELETED>    (3) assess any necessary changes in statutes, 
        regulations, or policy to address any restrictions assessed 
        under paragraph (2);</DELETED>
        <DELETED>    (4) recommend a standards-based architecture to 
        enable agencies to provide services relating to digital 
        identity verification in a way that--</DELETED>
                <DELETED>    (A) is secure, protects privacy, and 
                protects individuals against unfair and misleading 
                practices;</DELETED>
                <DELETED>    (B) prioritizes equity and 
                accessibility;</DELETED>
                <DELETED>    (C) requires individual consent for the 
                provision of digital identity verification services by 
                a Federal, State, local, Tribal, or territorial agency; 
                and</DELETED>
                <DELETED>    (D) is interoperable among participating 
                Federal, State, local, Tribal, and territorial 
                agencies, as appropriate and in accordance with 
                applicable laws;</DELETED>
        <DELETED>    (5) recommend principles to promote policies for 
        shared identity proofing across public sector agencies, which 
        may include single sign-on or broadly accepted 
        attestations;</DELETED>
        <DELETED>    (6) identify funding or other resources needed to 
        support the agencies described in paragraph (4) that provide 
        digital identity verification, including a recommendation with 
        respect to additional funding required for the grant program 
        under section 5;</DELETED>
        <DELETED>    (7) recommend funding models to provide digital 
        identity verification to private sector entities, which may 
        include fee-based funding models;</DELETED>
        <DELETED>    (8) determine if any additional steps are 
        necessary with respect to Federal, State, local, Tribal, and 
        territorial agencies to improve digital identity verification 
        and management processes for the purpose of enhancing the 
        security, reliability, privacy, accessibility, equity, and 
        convenience of digital identity solutions that support and 
        protect transactions between individuals, government entities, 
        and businesses; and</DELETED>
        <DELETED>    (9) undertake other activities necessary to assess 
        and address other matters relating to digital identity 
        verification, including with respect to--</DELETED>
                <DELETED>    (A) the potential exploitation of digital 
                identity tools or associated products and services by 
                malign actors;</DELETED>
                <DELETED>    (B) privacy implications; and</DELETED>
                <DELETED>    (C) increasing access to foundational 
                identity documents.</DELETED>
<DELETED>    (h) Prohibition.--The Task Force may not implicitly or 
explicitly recommend the creation of--</DELETED>
        <DELETED>    (1) a single identity credential provided or 
        mandated by the Federal Government for the purposes of 
        verifying identity or associated attributes;</DELETED>
        <DELETED>    (2) a unilateral central national identification 
        registry relating to digital identity verification; 
        or</DELETED>
        <DELETED>    (3) a requirement that any individual be forced to 
        use digital identity verification for a given public 
        purpose.</DELETED>
<DELETED>    (i) Required Consultation.--The Task Force shall closely 
consult with leaders of Federal, State, local, Tribal, and territorial 
governments and nongovernmental leaders, which shall include the 
following:</DELETED>
        <DELETED>    (1) The Administrator of General 
        Services.</DELETED>
        <DELETED>    (2) The Secretary of Education.</DELETED>
        <DELETED>    (3) The heads of other Federal agencies and 
        offices determined appropriate by the Director.</DELETED>
        <DELETED>    (4) State, local, Tribal, and territorial 
        government officials focused on identity, such as information 
        technology officials and directors of State departments of 
        motor vehicles and vital records bureaus.</DELETED>
        <DELETED>    (5) Digital privacy experts.</DELETED>
        <DELETED>    (6) Civil liberties experts.</DELETED>
        <DELETED>    (7) Technology and cybersecurity 
        experts.</DELETED>
        <DELETED>    (8) Users of identity verification 
        services.</DELETED>
        <DELETED>    (9) Representatives with relevant expertise from 
        academia and advocacy organizations.</DELETED>
        <DELETED>    (10) Industry representatives with experience 
        implementing digital identity systems.</DELETED>
        <DELETED>    (11) Identity theft and fraud prevention experts, 
        including advocates for victims of identity theft and 
        fraud.</DELETED>
<DELETED>    (j) Reports.--</DELETED>
        <DELETED>    (1) Initial report.--Not later than 180 days after 
        the date of enactment of this Act, the Director shall submit to 
        the appropriate notification entities a report on the 
        activities of the Task Force, including--</DELETED>
                <DELETED>    (A) recommendations on--</DELETED>
                        <DELETED>    (i) priorities for research and 
                        development in the systems that enable digital 
                        identity verification, including how the 
                        priorities can be executed;</DELETED>
                        <DELETED>    (ii) the standards-based 
                        architecture developed pursuant to subsection 
                        (g)(4);</DELETED>
                        <DELETED>    (iii) methods to leverage digital 
                        driver's licenses, distributed ledger 
                        technology, and other technologies; 
                        and</DELETED>
                        <DELETED>    (iv) priorities for research and 
                        development in the systems and processes that 
                        reduce identity fraud; and</DELETED>
                <DELETED>    (B) summaries of the input and 
                recommendations of the leaders consulted under 
                subsection (i).</DELETED>
        <DELETED>    (2) Interim reports.--The Director may submit to 
        the appropriate notification entities interim reports the 
        Director determines necessary to support the work of the Task 
        Force and educate the public.</DELETED>
        <DELETED>    (3) Final report.--Not later than 45 days before 
        the date described in subsection (k), the Director shall submit 
        to the appropriate notification entities a final report that 
        includes recommendations for the President and Congress 
        relating to any relevant matter within the scope of the duties 
        of the Task Force.</DELETED>
        <DELETED>    (4) Public availability.--The Task Force shall 
        make the reports required under this subsection publicly 
        available on a centralized website as an open Government data 
        asset (as defined in section 3502 of title 44, United States 
        Code).</DELETED>
<DELETED>    (k) Sunset.--The Task Force shall conclude business on the 
date that is 3 years after the date of enactment of this Act.</DELETED>

<DELETED>SEC. 5. DIGITAL IDENTITY INNOVATION GRANTS.</DELETED>

<DELETED>    (a) Establishment.--Not later than 1 year after the date 
of enactment of this Act, the Secretary shall establish a grant program 
to award grants to State, local, Tribal, and territorial governments to 
upgrade systems that provide identity credentials to support the 
development of highly secure, interoperable systems that enable digital 
identity verification.</DELETED>
<DELETED>    (b) Required Consultation.--In establishing the grant 
program under subsection (a), the Secretary shall consult with the Task 
Force and the governmental and nongovernmental leaders described in 
section 4(i), with an emphasis on the consultation of--</DELETED>
        <DELETED>    (1) leaders of State, local, Tribal, and 
        territorial governments; and</DELETED>
        <DELETED>    (2) leaders of State, local, Tribal, and 
        territorial agencies that issue identity credentials or provide 
        identity verification services and support relating to identity 
        verification services.</DELETED>
<DELETED>    (c) Use of Funds.--A State, local, Tribal, or territorial 
government that receives a grant under this section shall--</DELETED>
        <DELETED>    (1) use funds from the grant for services relating 
        to digital identity verification;</DELETED>
        <DELETED>    (2) implement meaningful digital identity 
        verification cybersecurity, data protection, and privacy 
        safeguards consistent with, or in excess of, any safeguards 
        described in management guidance issued by the National 
        Institute of Standards and Technology relating to--</DELETED>
                <DELETED>    (A) digital identity;</DELETED>
                <DELETED>    (B) cybersecurity;</DELETED>
                <DELETED>    (C) privacy;</DELETED>
                <DELETED>    (D) equity; or</DELETED>
                <DELETED>    (E) accessibility;</DELETED>
        <DELETED>    (3) expend not less than 10 percent of grant funds 
        to provide services that assist individuals with obtaining 
        identity credentials or identity verification services needed 
        to obtain a driver's license or a comparable identity card; 
        and</DELETED>
        <DELETED>    (4) comply with any other requirements determined 
        relevant by the Secretary to ensure the effective 
        administration of the grant program established under this 
        section.</DELETED>
<DELETED>    (d) Requirements.--A State, local, Tribal, or territorial 
government that receives a grant under this section shall expend 
amounts from the grant in a manner that--</DELETED>
        <DELETED>    (1) complies with the management guidance of the 
        National Institute of Standards and Technology described in 
        subsection (c)(2); and</DELETED>
        <DELETED>    (2) does not correspond with a matter described in 
        section 4(h).</DELETED>
<DELETED>    (e) Authorization of Appropriations.--There is authorized 
to be appropriated to the Secretary such sums as may be necessary to 
carry out this section.</DELETED>

<DELETED>SEC. 6. SECURITY ENHANCEMENTS TO FEDERAL SYSTEMS.</DELETED>

<DELETED>    (a) Guidance for Federal Agencies.--Not later than 180 
days after the date on which the Director submits the report required 
under section 4(j)(1), the Director of the Office of Management and 
Budget shall issue guidance to Federal agencies for the purpose of 
implementing any recommendations included in such report determined 
appropriate by the Director of the Office of Management and 
Budget.</DELETED>
<DELETED>    (b) Reports on Federal Agency Progress Improving Digital 
Identity Verification Capabilities.--</DELETED>
        <DELETED>    (1) Annual report on guidance implementation.--Not 
        later than 1 year after the date of the issuance of guidance 
        under subsection (a), and annually thereafter, the head of each 
        Federal agency shall submit to the Director of the Office of 
        Management and Budget a report on the efforts of the Federal 
        agency to implement that guidance.</DELETED>
        <DELETED>    (2) Public report.--</DELETED>
                <DELETED>    (A) In general.--Not later than 450 days 
                after the date of the issuance of guidance under 
                subsection (a), and annually thereafter, the Director 
                shall develop and make publicly available a report that 
                includes--</DELETED>
                        <DELETED>    (i) a list of digital identity 
                        verification services offered by Federal 
                        agencies;</DELETED>
                        <DELETED>    (ii) the volume of digital 
                        identity verifications performed by each 
                        Federal agency;</DELETED>
                        <DELETED>    (iii) information relating to the 
                        effectiveness of digital identity verification 
                        services by Federal agencies; and</DELETED>
                        <DELETED>    (iv) recommendations to improve 
                        the effectiveness of digital identity 
                        verification services by Federal 
                        agencies.</DELETED>
                <DELETED>    (B) Consultation.--In developing the first 
                report required under subparagraph (A), the Director 
                shall consult the Task Force.</DELETED>
        <DELETED>    (3) Congressional report on federal agency digital 
        identity capabilities.--</DELETED>
                <DELETED>    (A) In general.--Not later than 180 days 
                after the date of the enactment of this Act, the 
                Director of the Office of Management and Budget, in 
                coordination with the Director of the Cybersecurity and 
                Infrastructure Security Agency, shall submit to the 
                Committee on Homeland Security and Governmental Affairs 
                of the Senate and the Committee on Oversight and Reform 
                of the House of Representatives a report relating to 
                the implementation and effectiveness of the digital 
                identity capabilities of Federal agencies.</DELETED>
                <DELETED>    (B) Consultation.--In developing the 
                report required under subparagraph (A), the Director of 
                the Office of Management and Budget shall--</DELETED>
                        <DELETED>    (i) consult with the Task Force; 
                        and</DELETED>
                        <DELETED>    (ii) to the greatest extent 
                        practicable, include in the report 
                        recommendations of the Task Force.</DELETED>
                <DELETED>    (C) Contents of report.--The report 
                required under subparagraph (A) shall include--
                </DELETED>
                        <DELETED>    (i) an analysis, including metrics 
                        and milestones, for the implementation by 
                        Federal agencies of--</DELETED>
                                <DELETED>    (I) the guidelines 
                                published by the National Institute of 
                                Standards and Technology in the 
                                document entitled ``Special Publication 
                                800-63'' (commonly referred to as the 
                                ``Digital Identity Guidelines''), or 
                                any successor document; and</DELETED>
                                <DELETED>    (II) if feasible, any 
                                additional requirements relating to 
                                enhancing digital identity capabilities 
                                identified in the document of the 
                                Office of Management and Budget 
                                entitled ``M-19-17'' and issued on May 
                                21, 2019, or any successor 
                                document;</DELETED>
                        <DELETED>    (ii) a review of measures taken to 
                        advance the equity, accessibility, 
                        cybersecurity, and privacy of digital identity 
                        verification services offered by Federal 
                        agencies; and</DELETED>
                        <DELETED>    (iii) any other relevant data, 
                        information, or plans for Federal agencies to 
                        improve the digital identity capabilities of 
                        Federal agencies.</DELETED>
<DELETED>    (c) Additional Reports.--On the first March 1 occurring 
after the date described in subsection (b)(3)(A), and annually 
thereafter, the Director of the Office of Management and Budget shall 
include in the report required under section 3553(c) of title 44, 
United States Code--</DELETED>
        <DELETED>    (1) any additional and ongoing reporting on the 
        matters described in subsection (b)(3)(C); and</DELETED>
        <DELETED>    (2) associated information collection 
        mechanisms.</DELETED>

<DELETED>SEC. 7. GAO REPORT.</DELETED>

<DELETED>    (a) In General.--Not later than 1 year after the date of 
enactment of this Act, the Comptroller General of the United States 
shall submit to Congress a report on the estimated potential savings, 
due to the increased adoption and widespread use of digital 
identification, of--</DELETED>
        <DELETED>    (1) the Federal Government from averted benefit 
        fraud; and</DELETED>
        <DELETED>    (2) the economy of the United States and consumers 
        from averted identity theft.</DELETED>
<DELETED>    (b) Contents.--Among other variables the Comptroller 
General of the United States determines relevant, the report required 
under subsection (a) shall include multiple scenarios with varying 
uptake rates to demonstrate a range of possible outcomes.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Improving Digital Identity Act of 
2022''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) The lack of an easy, affordable, reliable, and secure 
        way for organizations, businesses, and government agencies to 
        identify whether an individual is who they claim to be online 
        creates an attack vector that is widely exploited by 
        adversaries in cyberspace and precludes many high-value 
        transactions from being available online.
            (2) Incidents of identity theft and identity fraud continue 
        to rise in the United States, where more than 293,000,000 
        people were impacted by data breaches in 2021.
            (3) Since 2017, losses resulting from identity fraud have 
        increased by 333 percent, and, in 2020, those losses totaled 
        $56,000,000,000.
            (4) The Director of the Treasury Department Financial 
        Crimes Enforcement Network has stated that the abuse of 
        personally identifiable information and other building blocks 
        of identity is a key enabler behind much of the fraud and 
        cybercrime affecting the United States today.
            (5) The inadequacy of current digital identity solutions 
        degrades security and privacy for all people in the United 
        States, and next generation solutions are needed that improve 
        security, privacy, equity, and accessibility.
            (6) Government entities, as authoritative issuers of 
        identity in the United States, are uniquely positioned to 
        deliver critical components that address deficiencies in the 
        digital identity infrastructure of the United States and 
        augment private sector digital identity and authentication 
        solutions.
            (7) State governments are particularly well-suited to play 
        a role in enhancing digital identity solutions used by both the 
        public and private sectors, given the role of State governments 
        as the issuers of driver's licenses and other identity 
        documents commonly used today.
            (8) The public and private sectors should collaborate to 
        deliver solutions that promote confidence, privacy, choice, 
        equity, accessibility, and innovation. The private sector 
        drives much of the innovation around digital identity in the 
        United States and has an important role to play in delivering 
        digital identity solutions.
            (9) The bipartisan Commission on Enhancing National 
        Cybersecurity has called for the Federal Government to ``create 
        an interagency task force directed to find secure, user-
        friendly, privacy-centric ways in which agencies can serve as 1 
        authoritative source to validate identity attributes in the 
        broader identity market. This action would enable Government 
        agencies and the private sector to drive significant risk out 
        of new account openings and other high-risk, high-value online 
        services, and it would help all citizens more easily and 
        securely engage in transactions online.''.
            (10) The National Institute of Standards and Technology has 
        published digital identity guidelines that address technical 
        requirements for identity proofing and the authentication of 
        users, but those guidelines do not cover requirements for 
        providing identity attribute validation services that could be 
        used to support identity proofing.
            (11) It should be the policy of the Federal Government to 
        use the authorities and capabilities of the Federal Government, 
        in coordination with State, local, Tribal, and territorial 
        partners and private sector innovators, to enhance the 
        security, reliability, privacy, equity, accessibility, and 
        convenience of consent-based digital identity solutions that 
        support and protect transactions between individuals, 
        government entities, and businesses, and that enable people in 
        the United States to prove who they are online.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Appropriate notification entities.--The term 
        ``appropriate notification entities'' means--
                    (A) the President;
                    (B) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                    (C) the Committee on Oversight and Reform of the 
                House of Representatives.
            (2) Digital identity verification.--The term ``digital 
        identity verification'' means a process to verify the identity 
        or an identity attribute of an individual accessing a service 
        online or through another electronic means.
            (3) Director.--The term ``Director'' means the Director of 
        the Task Force.
            (4) Federal agency.--The term ``Federal agency'' has the 
        meaning given the term in section 102 of the Robert T. Stafford 
        Disaster Relief and Emergency Assistance Act (42 U.S.C. 5122).
            (5) Identity attribute.--The term ``identity attribute'' 
        means a data element associated with the identity of an 
        individual, including the name, address, or date of birth of 
        an individual.
            (6) Identity credential.--The term ``identity credential'' 
        means a document or other evidence of the identity of an 
        individual issued by a government agency that conveys the 
        identity of the individual, including a driver's license or 
        passport.
            (7) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
            (8) Task force.--The term ``Task Force'' means the 
        Improving Digital Identity Task Force established under section 
        4(a).

SEC. 4. IMPROVING DIGITAL IDENTITY TASK FORCE.

    (a) Establishment.--There is established in the Executive Office of 
the President a task force to be known as the ``Improving Digital 
Identity Task Force''.
    (b) Purpose.--The purpose of the Task Force shall be to establish 
and coordinate a government-wide effort to develop secure methods for 
Federal, State, local, Tribal, and territorial agencies to improve 
access and enhance security between physical and digital identity 
credentials, particularly by promoting the development of digital 
versions of existing physical identity credentials, including driver's 
licenses, e-Passports, social security credentials, and birth 
certificates, to--
            (1) protect the privacy and security of individuals;
            (2) support reliable, interoperable digital identity 
        verification in the public and private sectors; and
            (3) in achieving paragraphs (1) and (2), place a particular 
        emphasis on--
                    (A) reducing identity theft and fraud;
                    (B) enabling trusted transactions; and
                    (C) ensuring equitable access to digital identity 
                verification.
    (c) Director.--
            (1) In general.--The Task Force shall have a Director, who 
        shall be appointed by the President.
            (2) Position.--The Director shall serve at the pleasure of 
        the President.
            (3) Pay and allowances.--The Director shall be compensated 
        at the rate of basic pay prescribed for level II of the 
        Executive Schedule under section 5313 of title 5, United States 
        Code.
            (4) Qualifications.--The Director shall have substantive 
        technical expertise and managerial acumen that--
                    (A) is in the business of digital identity 
                management, information security, or benefits 
                administration;
                    (B) is gained from not less than 1 organization; 
                and
                    (C) includes specific expertise gained from 
                academia, advocacy organizations, or the private 
                sector.
            (5) Exclusivity.--The Director may not serve in any other 
        capacity within the Federal Government while serving as 
        Director.
            (6) Term.--The term of the Director, including any official 
        acting in the role of the Director, shall terminate on the date 
        described in subsection (k).
    (d) Membership.--
            (1) Federal government representatives.--The Task Force 
        shall include the following individuals or the designees of 
        such individuals:
                    (A) The Secretary.
                    (B) The Secretary of the Treasury.
                    (C) The Director of the National Institute of 
                Standards and Technology.
                    (D) The Director of the Financial Crimes 
                Enforcement Network.
                    (E) The Commissioner of Social Security.
                    (F) The Secretary of State.
                    (G) The Administrator of General Services.
                    (H) The Director of the Office of Management and 
                Budget.
                    (I) The Postmaster General of the United States 
                Postal Service.
                    (J) The National Cyber Director.
                    (K) The heads of other Federal agencies or offices 
                as the President may designate or invite, as 
                appropriate.
            (2) State, local, tribal, and territorial government 
        representatives.--The Director shall appoint to the Task Force 
        6 State, local, Tribal, and territorial government officials 
        who represent agencies that issue identity credentials and who 
        have--
                    (A) experience in identity technology and services;
                    (B) knowledge of the systems used to provide 
                identity credentials; or
                    (C) any other qualifications or competencies that 
                may help achieve balance or otherwise support the 
                mission of the Task Force.
            (3) Nongovernmental experts.--
                    (A) In general.--The Director shall appoint to the 
                Task Force 5 nongovernmental experts.
                    (B) Specific appointments.--The experts appointed 
                under subparagraph (A) shall include the following:
                            (i) A member who is a privacy and civil 
                        liberties expert.
                            (ii) A member who is a technical expert in 
                        identity verification.
                            (iii) A member who is a technical expert in 
                        cybersecurity focusing on identity verification 
                        services.
                            (iv) A member who represents an industry 
                        identity verification service provider.
                            (v) A member who represents a party that 
                        relies on effective identity verification 
                        services to conduct business.
    (e) Working Groups.--The Director shall organize the members of the 
Task Force into appropriate working groups for the purpose of 
increasing the efficiency and effectiveness of the Task Force, as 
appropriate.
    (f) Meetings.--The Task Force shall--
            (1) convene at the call of the Director; and
            (2) provide an opportunity for public comment in accordance 
        with section 10(a)(3) of the Federal Advisory Committee Act (5 
        U.S.C. App.).
    (g) Duties.--In carrying out the purpose described in subsection 
(b), the Task Force shall--
            (1) identify Federal, State, local, Tribal, and territorial 
        agencies that issue identity credentials or hold information 
        relating to identifying an individual;
            (2) assess restrictions with respect to the abilities of 
        the agencies described in paragraph (1) to verify identity 
        information for other agencies and nongovernmental 
        organizations;
            (3) assess any necessary changes in statutes, regulations, 
        or policy to address any restrictions assessed under paragraph 
        (2);
            (4) recommend a standards-based architecture to enable 
        agencies to provide services relating to digital identity 
        verification in a way that--
                    (A) is secure, protects privacy, and protects 
                individuals against unfair and misleading practices;
                    (B) prioritizes equity and accessibility;
                    (C) requires individual consent for the provision 
                of digital identity verification services by a Federal, 
                State, local, Tribal, or territorial agency; and
                    (D) is interoperable among participating Federal, 
                State, local, Tribal, and territorial agencies, as 
                appropriate and in accordance with applicable laws;
            (5) recommend principles to promote policies for shared 
        identity proofing across public sector agencies, which may 
        include single sign-on or broadly accepted attestations;
            (6) identify funding or other resources needed to support 
        the agencies described in paragraph (4) that provide digital 
        identity verification, including recommendations with respect 
        to the need for and the design of a Federal grant program to 
        implement the recommendations of the Task Force and facilitate 
        the development and upgrade of State, local, Tribal, and 
        territorial highly-secure interoperable systems that enable 
        digital identity verification;
            (7) recommend funding models to provide digital identity 
        verification to private sector entities, which may include fee-
        based funding models;
            (8) determine if any additional steps are necessary with 
        respect to Federal, State, local, Tribal, and territorial 
        agencies to improve digital identity verification and 
        management processes for the purpose of enhancing the security, 
        reliability, privacy, accessibility, equity, and convenience of 
        digital identity solutions that support and protect 
        transactions between individuals, government entities, and 
        businesses; and
            (9) undertake other activities necessary to assess and 
        address other matters relating to digital identity 
        verification, including with respect to--
                    (A) the potential exploitation of digital identity 
                tools or associated products and services by malign 
                actors;
                    (B) privacy implications; and
                    (C) increasing access to foundational identity 
                documents.
    (h) Prohibition.--The Task Force may not implicitly or explicitly 
recommend the creation of--
            (1) a single identity credential provided or mandated by 
        the Federal Government for the purposes of verifying identity 
        or associated attributes;
            (2) a unilateral central national identification registry 
        relating to digital identity verification; or
            (3) a requirement that any individual be forced to use 
        digital identity verification for a given public purpose.
    (i) Required Consultation.--The Task Force shall closely consult 
with leaders of Federal, State, local, Tribal, and territorial 
governments and nongovernmental leaders, which shall include the 
following:
            (1) The Secretary of Education.
            (2) The heads of other Federal agencies and offices 
        determined appropriate by the Director.
            (3) State, local, Tribal, and territorial government 
        officials focused on identity, such as information technology 
        officials and directors of State departments of motor vehicles 
        and vital records bureaus.
            (4) Digital privacy experts.
            (5) Civil liberties experts.
            (6) Technology and cybersecurity experts.
            (7) Users of identity verification services.
            (8) Representatives with relevant expertise from academia 
        and advocacy organizations.
            (9) Industry representatives with experience implementing 
        digital identity systems.
            (10) Identity theft and fraud prevention experts, including 
        advocates for victims of identity theft and fraud.
    (j) Reports.--
            (1) Initial report.--Not later than 180 days after the date 
        of enactment of this Act, the Director shall submit to the 
        appropriate notification entities a report on the activities of 
        the Task Force, including--
                    (A) recommendations on--
                            (i) priorities for research and development 
                        in the systems that enable digital identity 
                        verification, including how the priorities can 
                        be executed;
                            (ii) the standards-based architecture 
                        developed pursuant to subsection (g)(4);
                            (iii) methods to leverage digital driver's 
                        licenses, distributed ledger technology, and 
                        other technologies; and
                            (iv) priorities for research and 
                        development in the systems and processes that 
                        reduce identity fraud; and
                    (B) summaries of the input and recommendations of 
                the leaders consulted under subsection (i).
            (2) Interim reports.--
                    (A) In general.--The Director may submit to the 
                appropriate notification entities interim reports the 
                Director determines necessary to support the work of 
                the Task Force and educate the public.
                    (B) Mandatory report.--Not later than the date that 
                is 18 months after the date of enactment of this Act, 
                the Director shall submit to the appropriate 
                notification entities an interim report addressing--
                            (i) the matters described in paragraphs 
                        (1), (2), (4), and (6) of subsection (g); and
                            (ii) any other matters the Director 
                        determines necessary to support the work of the 
                        Task Force and educate the public.
            (3) Final report.--Not later than 180 days before the date 
        described in subsection (k), the Director shall submit to the 
        appropriate notification entities a final report that includes 
        recommendations for the President and Congress relating to any 
        relevant matter within the scope of the duties of the Task 
        Force.
            (4) Public availability.--The Task Force shall make the 
        reports required under this subsection publicly available on 
        a centralized website as an open Government data asset (as 
        defined in section 3502 of title 44, United States Code).
    (k) Sunset.--The Task Force shall conclude business on the date 
that is 3 years after the date of enactment of this Act.

SEC. 5. SECURITY ENHANCEMENTS TO FEDERAL SYSTEMS.

    (a) Guidance for Federal Agencies.--Not later than 180 days after 
the date on which the Director submits the report required under 
section 4(j)(1), the Director of the Office of Management and Budget 
shall issue guidance to Federal agencies for the purpose of 
implementing any recommendations included in such report determined 
appropriate by the Director of the Office of Management and Budget.
    (b) Reports on Federal Agency Progress Improving Digital Identity 
Verification Capabilities.--
            (1) Annual report on guidance implementation.--Not later 
        than 1 year after the date of the issuance of guidance under 
        subsection (a), and annually thereafter, the head of each 
        Federal agency shall submit to the Director of the Office of 
        Management and Budget a report on the efforts of the Federal 
        agency to implement that guidance.
            (2) Public report.--
                    (A) In general.--Not later than 45 days after the 
                date of the issuance of guidance under subsection (a), 
                and annually thereafter, the Director shall develop and 
                make publicly available a report that includes--
                            (i) a list of digital identity verification 
                        services offered by Federal agencies;
                            (ii) the volume of digital identity 
                        verifications performed by each Federal agency;
                            (iii) information relating to the 
                        effectiveness of digital identity verification 
                        services by Federal agencies; and
                            (iv) recommendations to improve the 
                        effectiveness of digital identity verification 
                        services by Federal agencies.
                    (B) Consultation.--In developing the first report 
                required under subparagraph (A), the Director shall 
                consult the Task Force.
            (3) Congressional report on federal agency digital identity 
        capabilities.--
                    (A) In general.--Not later than 180 days after the 
                date of the enactment of this Act, the Director of the 
                Office of Management and Budget, in coordination with 
                the Director of the Cybersecurity and Infrastructure 
                Security Agency, shall submit to the Committee on 
                Homeland Security and Governmental Affairs of the 
                Senate and the Committee on Oversight and Reform of the 
                House of Representatives a report relating to the 
                implementation and effectiveness of the digital 
                identity capabilities of Federal agencies.
                    (B) Consultation.--In developing the report 
                required under subparagraph (A), the Director of the 
                Office of Management and Budget shall--
                            (i) consult with the Task Force; and
                            (ii) to the greatest extent practicable, 
                        include in the report recommendations of the 
                        Task Force.
                    (C) Contents of report.--The report required under 
                subparagraph (A) shall include--
                            (i) an analysis, including metrics and 
                        milestones, for the implementation by Federal 
                        agencies of--
                                    (I) the guidelines published by the 
                                National Institute of Standards and 
                                Technology in the document entitled 
                                ``Special Publication 800-63'' 
                                (commonly referred to as the ``Digital 
                                Identity Guidelines''), or any 
                                successor document; and
                                    (II) if feasible, any additional 
                                requirements relating to enhancing 
                                digital identity capabilities 
                                identified in the document of the 
                                Office of Management and Budget 
                                entitled ``M-19-17'' and issued on May 
                                21, 2019, or any successor document;
                            (ii) a review of measures taken to advance 
                        the equity, accessibility, cybersecurity, and 
                        privacy of digital identity verification 
                        services offered by Federal agencies; and
                            (iii) any other relevant data, information, 
                        or plans for Federal agencies to improve the 
                        digital identity capabilities of Federal 
                        agencies.
    (c) Additional Reports.--On the first March 1 occurring after the 
date described in subsection (b)(3)(A), and annually thereafter, the 
Director of the Office of Management and Budget shall include in the 
report required under section 3553(c) of title 44, United States Code--
            (1) any additional and ongoing reporting on the matters 
        described in subsection (b)(3)(C); and
            (2) associated information collection mechanisms.

SEC. 6. GAO REPORT.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Comptroller General of the United States shall submit 
to Congress a report on the estimated potential savings, including 
estimated annual potential savings, due to the increased adoption and 
widespread use of digital identification, of--
            (1) the Federal Government from averted fraud, including 
        benefit fraud; and
            (2) the economy of the United States and consumers from 
        averted identity theft.
    (b) Contents.--Among other variables the Comptroller General of the 
United States determines relevant, the report required under subsection 
(a) shall include multiple scenarios with varying uptake rates to 
demonstrate a range of possible outcomes.