[Congressional Record Volume 168, Number 157 (Wednesday, September 28, 2022)]
[Senate]
[Pages S5288-S5290]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 5814. Ms. SINEMA (for herself and Ms. Lummis) submitted an 
amendment intended to be proposed to amendment SA 5499 submitted by Mr. 
Reed (for himself and Mr. Inhofe) and intended to be proposed to the 
bill H.R. 7900, to authorize appropriations for fiscal year 2023 for 
military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

        At the appropriate place, insert the following:

     SEC. ___. IMPROVING DIGITAL IDENTITY.

       (a) Findings.--Congress finds the following:
       (1) The lack of an easy, affordable, reliable, and secure 
     way for organizations, businesses, and government agencies to 
     identify whether an individual is who they claim to be online 
     creates an attack vector that is widely exploited by 
     adversaries in cyberspace and precludes many high-value 
     transactions from being available online.
       (2) Incidents of identity theft and identity fraud continue 
     to rise in the United States, where more than 293,000,000 
     people were impacted by data breaches in 2021.
       (3) Since 2017, losses resulting from identity fraud have 
     increased by 333 percent, and, in 2020, those losses totaled 
     $56,000,000,000.
       (4) The Director of the Treasury Department Financial 
     Crimes Enforcement Network has stated that the abuse of 
     personally identifiable information and other building blocks 
     of identity is a key enabler behind much of the fraud and 
     cybercrime affecting the United States today.
       (5) The inadequacy of current digital identity solutions 
     degrades security and privacy for all people in the United 
     States, and next generation solutions are needed that improve 
     security, privacy, equity, and accessibility.
       (6) Government entities, as authoritative issuers of 
     identity in the United States, are uniquely positioned to 
     deliver critical components that address deficiencies in the 
     digital identity infrastructure of the United States and 
     augment private sector digital identity and authentication 
     solutions.
       (7) State governments are particularly well-suited to play 
     a role in enhancing digital identity solutions used by both 
     the public and private sectors, given the role of State 
     governments as the issuers of driver's licenses and other 
     identity documents commonly used today.
       (8) The public and private sectors should collaborate to 
     deliver solutions that promote confidence, privacy, choice, 
     equity, accessibility, and innovation. The private sector 
     drives much of the innovation around digital identity in the 
     United States and has an important role to play in delivering 
     digital identity solutions.
       (9) The bipartisan Commission on Enhancing National 
     Cybersecurity has called for the Federal Government to 
     ``create an interagency task force directed to find secure, 
     user-friendly, privacy-centric ways in which agencies can 
     serve as 1 authoritative source to validate identity 
     attributes in the broader identity market. This action would 
     enable Government agencies and the private sector to drive 
     significant risk out of new account openings and other high-
     risk, high-value online services, and it would help all 
     citizens more easily and securely engage in transactions 
     online.''.
       (10) The National Institute of Standards and Technology has 
     published digital identity guidelines that address technical 
     requirements for identity proofing and the authentication of 
     users, but those guidelines do not cover requirements for 
     providing identity attribute validation services that could 
     be used to support identity proofing.
       (11) It should be the policy of the Federal Government to 
     use the authorities and capabilities of the Federal 
     Government, in coordination with State, local, Tribal, and 
     territorial partners and private sector innovators, to 
     enhance the security, reliability, privacy, equity, 
     accessibility, and convenience of consent-based digital 
     identity solutions that support and protect transactions 
     between individuals, government entities, and businesses, and 
     that enable people in the United States to prove who they are 
     online.
       (b) Definitions.--In this section:
       (1) Appropriate notification entities.--The term 
     ``appropriate notification entities'' means--
       (A) the President;
       (B) the Committee on Homeland Security and Governmental 
     Affairs of the Senate; and
       (C) the Committee on Oversight and Reform of the House of 
     Representatives.
       (2) Digital identity verification.--The term ``digital 
     identity verification'' means a process to verify the 
     identity or an identity

[[Page S5289]]

     attribute of an individual accessing a service online or 
     through another electronic means.
       (3) Director.--The term ``Director'' means the Director of 
     the Task Force.
       (4) Federal agency.--The term ``Federal agency'' has the 
     meaning given the term in section 102 of the Robert T. 
     Stafford Disaster Relief and Emergency Assistance Act (42 
     U.S.C. 5122).
       (5) Identity attribute.--The term ``identity attribute'' 
     means a data element associated with the identity of an 
     individual, including, the name, address, or date of birth of 
     an individual.
       (6) Identity credential.--The term ``identity credential'' 
     means a document or other evidence of the identity of an 
     individual issued by a government agency that conveys the 
     identity of the individual, including a driver's license or 
     passport.
       (7) Secretary.--The term ``Secretary'' means the Secretary 
     of Homeland Security.
       (8) Task force.--The term ``Task Force'' means the 
     Improving Digital Identity Task Force established under 
     subsection (c)(1).
       (c) Improving Digital Identity Task Force.--
       (1) Establishment.--There is established in the Executive 
     Office of the President a task force to be known as the 
     ``Improving Digital Identity Task Force''.
       (2) Purpose.--The purpose of the Task Force shall be to 
     establish and coordinate a government-wide effort to develop 
     secure methods for Federal, State, local, Tribal, and 
     territorial agencies to improve access and enhance security 
     between physical and digital identity credentials, 
     particularly by promoting the development of digital versions 
     of existing physical identity credentials, including driver's 
     licenses, e-Passports, social security credentials, and birth 
     certificates, to--
       (A) protect the privacy and security of individuals;
       (B) support reliable, interoperable digital identity 
     verification in the public and private sectors; and
       (C) in achieving subparagraphs (A) and (B), place a 
     particular emphasis on--
       (i) reducing identity theft and fraud;
       (ii) enabling trusted transactions; and
       (iii) ensuring equitable access to digital identity 
     verification.
       (3) Director.--
       (A) In general.--The Task Force shall have a Director, who 
     shall be appointed by the President.
       (B) Position.--The Director shall serve at the pleasure of 
     the President.
       (C) Pay and allowances.--The Director shall be compensated 
     at the rate of basic pay prescribed for level II of the 
     Executive Schedule under section 5313 of title 5, United 
     States Code.
       (D) Qualifications.--The Director shall have substantive 
     technical expertise and managerial acumen that--
       (i) is in the business of digital identity management, 
     information security, or benefits administration;
       (ii) is gained from not less than 1 organization; and
       (iii) includes specific expertise gained from academia, 
     advocacy organizations, or the private sector.
       (E) Exclusivity.--The Director may not serve in any other 
     capacity within the Federal Government while serving as 
     Director.
       (F) Term.--The term of the Director, including any official 
     acting in the role of the Director, shall terminate on the 
     date described in paragraph (11).
       (4) Membership.--
       (A) Federal government representatives.--The Task Force 
     shall include the following individuals or the designees of 
     such individuals:
       (i) The Secretary.
       (ii) The Secretary of the Treasury.
       (iii) The Director of the National Institute of Standards 
     and Technology.
       (iv) The Director of the Financial Crimes Enforcement 
     Network.
       (v) The Commissioner of Social Security.
       (vi) The Secretary of State.
       (vii) The Administrator of General Services.
       (viii) The Director of the Office of Management and Budget.
       (ix) The Postmaster General of the United States Postal 
     Service.
       (x) The National Cyber Director.
       (xi) The heads of other Federal agencies or offices as the 
     President may designate or invite, as appropriate.
       (B) State, local, tribal, and territorial government 
     representatives.--The Director shall appoint to the Task 
     Force 6 State, local, Tribal, and territorial government 
     officials who represent agencies that issue identity 
     credentials and who have--
       (i) experience in identity technology and services;
       (ii) knowledge of the systems used to provide identity 
     credentials; or
       (iii) any other qualifications or competencies that may 
     help achieve balance or otherwise support the mission of the 
     Task Force.
       (C) Nongovernmental experts.--
       (i) In general.--The Director shall appoint to the Task 
     Force 5 nongovernmental experts.
       (ii) Specific appointments.--The experts appointed under 
     clause (i) shall include the following:

       (I) A member who is a privacy and civil liberties expert.
       (II) A member who is a technical expert in identity 
     verification.
       (III) A member who is a technical expert in cybersecurity 
     focusing on identity verification services.
       (IV) A member who represents an industry identity 
     verification service provider.
       (V) A member who represents a party that relies on 
     effective identity verification services to conduct business.

       (5) Working groups.--The Director shall organize the 
     members of the Task Force into appropriate working groups for 
     the purpose of increasing the efficiency and effectiveness of 
     the Task Force, as appropriate.
       (6) Meetings.--The Task Force shall--
       (A) convene at the call of the Director; and
       (B) provide an opportunity for public comment in accordance 
     with section 10(a)(3) of the Federal Advisory Committee Act 
     (5 U.S.C. App.).
       (7) Duties.--In carrying out the purpose described in 
     paragraph (2), the Task Force shall--
       (A) identify Federal, State, local, Tribal, and territorial 
     agencies that issue identity credentials or hold information 
     relating to identifying an individual;
       (B) assess restrictions with respect to the abilities of 
     the agencies described in subparagraph (A) to verify identity 
     information for other agencies and nongovernmental 
     organizations;
       (C) assess any necessary changes in statutes, regulations, 
     or policy to address any restrictions assessed under 
     subparagraph (B);
       (D) recommend a standards-based architecture to enable 
     agencies to provide services relating to digital identity 
     verification in a way that--
       (i) is secure, protects privacy, and protects individuals 
     against unfair and misleading practices;
       (ii) prioritizes equity and accessibility;
       (iii) requires individual consent for the provision of 
     digital identify verification services by a Federal, State, 
     local, Tribal, or territorial agency; and
       (iv) is interoperable among participating Federal, State, 
     local, Tribal, and territorial agencies, as appropriate and 
     in accordance with applicable laws;
       (E) recommend principles to promote policies for shared 
     identity proofing across public sector agencies, which may 
     include single sign-on or broadly accepted attestations;
       (F) identify funding or other resources needed to support 
     the agencies described in subparagraph (D) that provide 
     digital identity verification, including recommendations with 
     respect to the need for and the design of a Federal grant 
     program to implement the recommendations of the Task Force 
     and facilitate the development and upgrade of State, local, 
     Tribal, and territorial highly-secure interoperable systems 
     that enable digital identity verification;
       (G) recommend funding models to provide digital identity 
     verification to private sector entities, which may include 
     fee-based funding models;
       (H) determine if any additional steps are necessary with 
     respect to Federal, State, local, Tribal, and territorial 
     agencies to improve digital identity verification and 
     management processes for the purpose of enhancing the 
     security, reliability, privacy, accessibility, equity, and 
     convenience of digital identity solutions that support and 
     protect transactions between individuals, government 
     entities, and businesses; and
       (I) undertake other activities necessary to assess and 
     address other matters relating to digital identity 
     verification, including with respect to--
       (i) the potential exploitation of digital identity tools or 
     associated products and services by malign actors;
       (ii) privacy implications; and
       (iii) increasing access to foundational identity documents.
       (8) Prohibition.--The Task Force may not implicitly or 
     explicitly recommend the creation of--
       (A) a single identity credential provided or mandated by 
     the Federal Government for the purposes of verifying identity 
     or associated attributes;
       (B) a unilateral central national identification registry 
     relating to digital identity verification; or
       (C) a requirement that any individual be forced to use 
     digital identity verification for a given public purpose.
       (9) Required consultation.--The Task Force shall closely 
     consult with leaders of Federal, State, local, Tribal, and 
     territorial governments and nongovernmental leaders, which 
     shall include the following:
       (A) The Secretary of Education.
       (B) The heads of other Federal agencies and offices 
     determined appropriate by the Director.
       (C) State, local, Tribal, and territorial government 
     officials focused on identity, such as information technology 
     officials and directors of State departments of motor 
     vehicles and vital records bureaus.
       (D) Digital privacy experts.
       (E) Civil liberties experts.
       (F) Technology and cybersecurity experts.
       (G) Users of identity verification services.
       (H) Representatives with relevant expertise from academia 
     and advocacy organizations.
       (I) Industry representatives with experience implementing 
     digital identity systems.
       (J) Identity theft and fraud prevention experts, including 
     advocates for victims of identity theft and fraud.
       (10) Reports.--
       (A) Initial report.--Not later than 180 days after the date 
     of enactment of this Act, the Director shall submit to the 
     appropriate

[[Page S5290]]

     notification entities a report on the activities of the Task 
     Force, including--
       (i) recommendations on--

       (I) priorities for research and development in the systems 
     that enable digital identity verification, including how the 
     priorities can be executed;
       (II) the standards-based architecture developed pursuant to 
     paragraph (7)(D);
       (III) methods to leverage digital driver's licenses, 
     distributed ledger technology, and other technologies; and
       (IV) priorities for research and development in the systems 
     and processes that reduce identity fraud; and

       (ii) summaries of the input and recommendations of the 
     leaders consulted under paragraph (9).
       (B) Interim reports.--
       (i) In general.--The Director may submit to the appropriate 
     notification entities interim reports the Director determines 
     necessary to support the work of the Task Force and educate 
     the public.
       (ii) Mandatory report.--Not later than the date that is 18 
     months after the date of enactment of this Act, the Director 
     shall submit to the appropriate notification entities an 
     interim report addressing--

       (I) the matters described in subparagraphs (A), (B), (D), 
     and (F) of paragraph (7); and
       (II) any other matters the Director determines necessary to 
     support the work of the Task Force and educate the public.

       (C) Final report.--Not later than 180 days before the date 
     described in paragraph (11), the Director shall submit to the 
     appropriate notification entities a final report that 
     includes recommendations for the President and Congress 
     relating to any relevant matter within the scope of the 
     duties of the Task Force.
       (D) Public availability.--The Task Force shall make the 
     reports required under this paragraph publicly available on 
     centralized website as an open Government data asset (as 
     defined in section 3502 of title 44, United States Code).
       (11) Sunset.--The Task Force shall conclude business on the 
     date that is 3 years after the date of enactment of this Act.
       (d) Security Enhancements to Federal Systems.--
       (1) Guidance for federal agencies.--Not later than 180 days 
     after the date on which the Director submits the report 
     required under subsection (c)(10)(A), the Director of the 
     Office of Management and Budget shall issue guidance to 
     Federal agencies for the purpose of implementing any 
     recommendations included in such report determined 
     appropriate by the Director of the Office of Management and 
     Budget.
       (2) Reports on federal agency progress improving digital 
     identity verification capabilities.--
       (A) Annual report on guidance implementation.--Not later 
     than 1 year after the date of the issuance of guidance under 
     paragraph (1), and annually thereafter, the head of each 
     Federal agency shall submit to the Director of the Office of 
     Management and Budget a report on the efforts of the Federal 
     agency to implement that guidance.
       (B) Public report.--
       (i) In general.--Not later than 45 days after the date of 
     the issuance of guidance under paragraph (1), and annually 
     thereafter, the Director shall develop and make publicly 
     available a report that includes--

       (I) a list of digital identity verification services 
     offered by Federal agencies;
       (II) the volume of digital identity verifications performed 
     by each Federal agency;
       (III) information relating to the effectiveness of digital 
     identity verification services by Federal agencies; and
       (IV) recommendations to improve the effectiveness of 
     digital identity verification services by Federal agencies.

       (ii) Consultation.--In developing the first report required 
     under clause (i), the Director shall consult the Task Force.
       (C) Congressional report on federal agency digital identity 
     capabilities.--
       (i) In general.--Not later than 180 days after the date of 
     the enactment of this Act, the Director of the Office of 
     Management and Budget, in coordination with the Director of 
     the Cybersecurity and Infrastructure Security Agency, shall 
     submit to the Committee on Homeland Security and Governmental 
     Affairs of the Senate and the Committee on Oversight and 
     Reform of the House of Representatives a report relating to 
     the implementation and effectiveness of the digital identity 
     capabilities of Federal agencies.
       (ii) Consultation.--In developing the report required under 
     clause (i), the Director of the Office of Management and 
     Budget shall--

       (I) consult with the Task Force; and
       (II) to the greatest extent practicable, include in the 
     report recommendations of the Task Force.

       (iii) Contents of report.--The report required under clause 
     (i) shall include--

       (I) an analysis, including metrics and milestones, for the 
     implementation by Federal agencies of--

       (aa) the guidelines published by the National Institute of 
     Standards and Technology in the document entitled ``Special 
     Publication 800-63'' (commonly referred to as the ``Digital 
     Identity Guidelines''), or any successor document; and
       (bb) if feasible, any additional requirements relating to 
     enhancing digital identity capabilities identified in the 
     document of the Office of Management and Budget entitled ``M-
     19-17'' and issued on May 21, 2019, or any successor 
     document;

       (II) a review of measures taken to advance the equity, 
     accessibility, cybersecurity, and privacy of digital identity 
     verification services offered by Federal agencies; and
       (III) any other relevant data, information, or plans for 
     Federal agencies to improve the digital identity capabilities 
     of Federal agencies.

       (3) Additional reports.--On the first March 1 occurring 
     after the date described in paragraph (2)(C)(i), and annually 
     thereafter, the Director of the Office of Management and 
     Budget shall include in the report required under section 
     3553(c) of title 44, United States Code--
       (A) any additional and ongoing reporting on the matters 
     described in paragraph (2)(C)(iii); and
       (B) associated information collection mechanisms.
       (e) GAO Report.--
       (1) In general.--Not later than 1 year after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall submit to Congress a report on the estimated 
     potential savings, including estimated annual potential 
     savings, due to the increased adoption and widespread use of 
     digital identification, of--
       (A) the Federal Government from averted fraud, including 
     benefit fraud; and
       (B) the economy of the United States and consumers from 
     averted identity theft .
       (2) Contents.--Among other variables the Comptroller 
     General of the United States determines relevant, the report 
     required under paragraph (1) shall include multiple scenarios 
     with varying uptake rates to demonstrate a range of possible 
     outcomes.
                                 ______