[Congressional Record Volume 170, Number 115 (Thursday, July 11, 2024)]
[Senate]
[Pages S4932-S4935]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 2594. Ms. SINEMA submitted an amendment intended to be proposed by 
her to the bill S. 4638, to authorize appropriations for fiscal year 
2025 for

[[Page S4933]]

military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

       At the appropriate place, insert the following:

                  TITLE __--IMPROVING DIGITAL IDENTITY

     SEC. __01. FINDINGS.

       Congress finds the following:
       (1) The lack of an easy, affordable, reliable, and secure 
     way for organizations, businesses, and government agencies to 
     identify whether an individual is who they claim to be online 
     creates an attack vector that is widely exploited by 
     adversaries in cyberspace and precludes many high-value 
     transactions from being available online.
       (2) Incidents of identity theft and identity fraud continue 
     to rise in the United States, where more than 293,000,000 
     people were impacted by data breaches in 2021.
       (3) Since 2017, losses resulting from identity fraud have 
     increased by 333 percent, and, in 2020, those losses totaled 
     $56,000,000,000.
       (4) The Director of the Financial Crimes Enforcement 
     Network of the Department of the Treasury has stated that the 
     abuse of personally identifiable information and other 
     building blocks of identity is a key enabler behind much of 
     the fraud and cybercrime affecting the United States today.
       (5) The inadequacy of current digital identity solutions 
     degrades security and privacy for all people in the United 
     States, and next generation solutions are needed that improve 
     security, privacy, equity, and accessibility.
       (6) Government entities, as authoritative issuers of 
     identity in the United States, are uniquely positioned to 
     deliver critical components that address deficiencies in the 
     digital identity infrastructure of the United States and 
     augment private sector digital identity and authentication 
     solutions.
       (7) State governments are particularly well-suited to play 
     a role in enhancing digital identity solutions used by both 
     the public and private sectors, given the role of State 
     governments as the issuers of driver's licenses and other 
     identity documents commonly used today.
       (8) The public and private sectors should collaborate to 
     deliver solutions that promote confidence, privacy, choice, 
     equity, accessibility, and innovation. The private sector 
     drives much of the innovation around digital identity in the 
     United States and has an important role to play in delivering 
     digital identity solutions.
       (9) The bipartisan Commission on Enhancing National 
     Cybersecurity has called for the Federal Government to 
     ``create an interagency task force directed to find secure, 
     user-friendly, privacy-centric ways in which agencies can 
     serve as 1 authoritative source to validate identity 
     attributes in the broader identity market. This action would 
     enable Government agencies and the private sector to drive 
     significant risk out of new account openings and other high-
     risk, high-value online services, and it would help all 
     citizens more easily and securely engage in transactions 
     online.''.
       (10) It should be the policy of the Federal Government to 
     use the authorities and capabilities of the Federal 
     Government, in coordination with State, local, Tribal, and 
     territorial partners and private sector innovators, to 
     enhance the security, reliability, privacy, equity, 
     accessibility, and convenience of consent-based digital 
     identity solutions that support and protect transactions 
     between individuals, government entities, and businesses, and 
     that enable people in the United States to prove who they are 
     online.

     SEC. __02. DEFINITIONS.

       In this title:
       (1) Appropriate notification entities.--The term 
     ``appropriate notification entities'' means--
       (A) the President;
       (B) the Committee on Homeland Security and Governmental 
     Affairs of the Senate and the Committee on Commerce, Science, 
     and Transportation of the Senate; and
       (C) the Committee on Oversight and Accountability of the 
     House of Representatives.
       (2) Digital identity verification.--The term ``digital 
     identity verification'' means a process to verify the 
     identity or an identity attribute of an individual accessing 
     a service online.
       (3) Director.--The term ``Director'' means the Director of 
     the Task Force.
       (4) Federal agency.--The term ``Federal agency'' has the 
     meaning given the term in section 102 of the Robert T. 
     Stafford Disaster Relief and Emergency Assistance Act (42 
     U.S.C. 5122).
       (5) Identity attribute.--The term ``identity attribute'' 
     means a data element associated with the identity of an 
     individual, including the name, address, date of birth, or 
     social security number of an individual.
       (6) Identity credential.--The term ``identity credential'' 
     means a document or other evidence of the identity of an 
     individual issued by a government agency that conveys the 
     identity of the individual, including a driver's license or 
     passport.
       (7) Secretary.--The term ``Secretary'' means the Secretary 
     of Homeland Security.
       (8) Task force.--The term ``Task Force'' means the 
     Improving Digital Identity Task Force established under 
     section __03(a).

     SEC. __03. IMPROVING DIGITAL IDENTITY TASK FORCE.

       (a) Establishment.--There is established in the Executive 
     Office of the President a task force to be known as the 
     ``Improving Digital Identity Task Force''.
       (b) Purpose.--The purpose of the Task Force shall be to 
     establish and coordinate a government-wide effort to develop 
     secure methods for Federal, State, local, Tribal, and 
     territorial agencies to improve access and enhance security 
     between physical and digital identity attributes and identity 
     credentials, particularly by promoting the development of 
     digital versions of existing physical identity credentials, 
     including driver's licenses, e-Passports, and birth 
     certificates, to--
       (1) protect the privacy and security of individuals;
       (2) support reliable, interoperable digital identity 
     verification in the public and private sectors; and
       (3) in achieving paragraphs (1) and (2), place a particular 
     emphasis on--
       (A) reducing identity theft and fraud;
       (B) enabling trusted transactions; and
       (C) ensuring equitable access to digital identity 
     verification.
       (c) Director.--
       (1) In general.--The Task Force shall have a Director, who 
     shall be appointed by the President.
       (2) Position.--The Director shall serve at the pleasure of 
     the President.
       (3) Pay and allowances.--The Director shall be compensated 
     at the rate of basic pay prescribed for level II of the 
     Executive Schedule under section 5313 of title 5, United 
     States Code.
       (4) Qualifications.--The Director shall have substantive 
     technical expertise and managerial acumen that--
       (A) is in the business of digital identity management, 
     information security, or benefits administration;
       (B) is gained from not less than 1 organization; and
       (C) includes specific expertise gained from academia, 
     advocacy organizations, or the private sector.
       (5) Exclusivity.--The Director may not serve in any other 
     capacity within the Federal Government while serving as 
     Director.
       (6) Term.--The term of the Director, including any official 
     acting in the role of the Director, shall terminate on the 
     date described in subsection (k).
       (d) Membership.--
       (1) Federal government representatives.--The Task Force 
     shall include the following individuals or the designees of 
     such individuals:
       (A) The Secretary.
       (B) The Secretary of the Treasury.
       (C) The Director of the National Institute of Standards and 
     Technology.
       (D) The Director of the Financial Crimes Enforcement 
     Network.
       (E) The Commissioner of Social Security.
       (F) The Secretary of State.
       (G) The Administrator of General Services.
       (H) The Director of the Office of Management and Budget.
       (I) The Postmaster General of the United States Postal 
     Service.
       (J) The National Cyber Director.
       (K) The Attorney General.
       (L) The Chair of the Federal Trade Commission.
       (M) The heads of other Federal agencies or offices as the 
     President may designate or invite, as appropriate.
       (2) State, local, tribal, and territorial government 
     representatives.--The Director shall appoint to the Task 
     Force 6 State, local, Tribal, or territorial government 
     officials who represent agencies that issue identity 
     credentials and who have--
       (A) experience in identity technology and services;
       (B) knowledge of the systems used to provide identity 
     credentials; or
       (C) any other qualifications or competencies that may help 
     achieve balance or otherwise support the mission of the Task 
     Force.
       (3) Nongovernmental experts.--
       (A) In general.--The Director shall appoint to the Task 
     Force 5 nongovernmental experts.
       (B) Specific appointments.--The experts appointed under 
     subparagraph (A) shall include the following:
       (i) A member who is a privacy and civil liberties expert.
       (ii) A member who is a technical expert in identity 
     verification.
       (iii) A member who is a technical expert in cybersecurity 
     focusing on identity verification services.
       (iv) A member who represents the identity verification 
     services industry.
       (v) A member who represents a party that relies on 
     effective identity verification services to conduct business.
       (e) Working Groups.--The Director shall organize the 
     members of the Task Force into appropriate working groups for 
     the purpose of increasing the efficiency and effectiveness of 
     the Task Force, as appropriate.
       (f) Meetings.--The Task Force shall--
       (1) convene at the call of the Director; and
       (2) provide an opportunity for public comment in accordance 
     with section 1009(a)(3) of title 5, United States Code.
       (g) Duties.--In carrying out the purpose described in 
     subsection (b), the Task Force shall--
       (1) identify Federal, State, local, Tribal, and territorial 
     agencies that issue identity

[[Page S4934]]

     credentials or hold identity attribute information of 
     individuals;
       (2) assess restrictions with respect to the abilities of 
     the agencies described in paragraph (1) to verify identity or 
     attribute information for other agencies and nongovernmental 
     organizations;
       (3) assess any necessary changes in statutes, regulations, 
     or policy to address any restrictions assessed under 
     paragraph (2);
       (4) recommend a strategy, based on existing standards, to 
     enable agencies to provide services relating to digital 
     identity verification in a way that--
       (A) is secure, protects privacy, and protects individuals 
     against unfair and misleading practices;
       (B) prioritizes equity and accessibility;
       (C) requires individual consent for the provision of 
     digital identify verification services by a Federal, State, 
     local, Tribal, or territorial agency;
       (D) is interoperable among participating Federal, State, 
     local, Tribal, and territorial agencies, as appropriate and 
     in accordance with applicable laws; and
       (E) prioritizes technical standards developed by voluntary 
     consensus standards bodies in accordance with section 12(d) 
     of the National Technology Transfer and Advancement Act of 
     1995 (15 U.S.C. 272 note) and guidance under OMB Circular A-
     119, entitled ``Federal Participation in the Development and 
     Use of Voluntary Consensus Standards and in Conformity 
     Assessment Activities'', or any successor thereto;
       (5) recommend principles to promote policies for shared 
     identity proofing across public sector agencies, which may 
     include single sign-on or broadly accepted attestations;
       (6) identify funding or other resources needed to support 
     the agencies described in paragraph (4) that provide digital 
     identity verification, including recommendations with respect 
     to the need for and the design of a Federal grant program to 
     implement the recommendations of the Task Force and 
     facilitate the development and upgrade of State, local, 
     Tribal, and territorial highly-secure interoperable systems 
     that enable digital identity verification;
       (7) recommend funding models to provide digital identity 
     verification to private sector entities, which may include 
     fee-based funding models;
       (8) determine if any additional steps are necessary with 
     respect to Federal, State, local, Tribal, and territorial 
     agencies to improve digital identity verification and 
     management processes for the purpose of enhancing the 
     security, reliability, privacy, accessibility, equity, and 
     convenience of digital identity solutions that support and 
     protect transactions between individuals, government 
     entities, and businesses; and
       (9) undertake other activities necessary to assess and 
     address other matters relating to digital identity 
     verification, including with respect to--
       (A) the potential exploitation of digital identity tools or 
     associated products and services by malign actors;
       (B) privacy implications; and
       (C) increasing access to foundational identity documents.
       (h) Prohibition.--The Task Force may not implicitly or 
     explicitly recommend the creation of--
       (1) a single identity credential provided or mandated by 
     the Federal Government for the purposes of verifying identity 
     or associated attributes;
       (2) a unilateral central national identification registry 
     relating to digital identity verification; or
       (3) a requirement that any individual be forced to use 
     digital identity verification for a given public purpose.
       (i) Required Consultation.--The Task Force shall closely 
     consult with leaders of Federal, State, local, Tribal, and 
     territorial governments and nongovernmental leaders, which 
     shall include the following:
       (1) The Secretary of Education.
       (2) The heads of other Federal agencies and offices 
     determined appropriate by the Director.
       (3) State, local, Tribal, and territorial government 
     officials focused on identity, such as information technology 
     officials and directors of State departments of motor 
     vehicles and vital records bureaus.
       (4) Digital privacy experts.
       (5) Civil liberties experts.
       (6) Technology and cybersecurity experts.
       (7) Users of identity verification services.
       (8) Representatives with relevant expertise from academia 
     and advocacy organizations.
       (9) Industry representatives with experience implementing 
     digital identity systems.
       (10) Identity theft and fraud prevention experts, including 
     advocates for victims of identity theft and fraud.
       (j) Reports.--
       (1) Initial report.--Not later than 180 days after the date 
     of enactment of this Act, the Director shall submit to the 
     appropriate notification entities a report on the activities 
     of the Task Force, including--
       (A) recommendations on--
       (i) implementing the strategy pursuant to subsection 
     (g)(4); and
       (ii) methods to leverage digital driver's licenses, 
     distributed ledger technology, and other technologies; and
       (B) summaries of the input and recommendations of the 
     leaders consulted under subsection (i).
       (2) Interim reports.--
       (A) In general.--The Director may submit to the appropriate 
     notification entities interim reports the Director determines 
     necessary to support the work of the Task Force and educate 
     the public.
       (B) Mandatory report.--Not later than the date that is 18 
     months after the date of enactment of this Act, the Director 
     shall submit to the appropriate notification entities an 
     interim report addressing--
       (i) the matters described in paragraphs (1), (2), (4), and 
     (6) of subsection (g); and
       (ii) any other matters the Director determines necessary to 
     support the work of the Task Force and educate the public.
       (3) Final report.--Not later than 180 days before the date 
     described in subsection (k), the Director shall submit to the 
     appropriate notification entities a final report that 
     includes recommendations for the President and Congress 
     relating to any relevant matter within the scope of the 
     duties of the Task Force.
       (4) Public availability.--The Task Force shall make the 
     reports required under this subsection publicly available on 
     a centralized website as an open Government data asset (as 
     defined in section 3502 of title 44, United States Code).
       (k) Sunset.--The Task Force shall conclude business on the 
     date that is 3 years after the date of enactment of this Act.

     SEC. __04. SECURITY ENHANCEMENTS TO FEDERAL SYSTEMS.

       (a) Guidance for Federal Agencies.--Not later than 180 days 
     after the date on which the Director submits the report 
     required under section __03(j)(1), the Director of the Office 
     of Management and Budget shall issue guidance to Federal 
     agencies for the purpose of implementing any recommendations 
     included in such report determined appropriate by the 
     Director of the Office of Management and Budget.
       (b) Reports on Federal Agency Progress Toward Improving 
     Digital Identity Verification Capabilities.--
       (1) Annual report on guidance implementation.--Not later 
     than 1 year after the date of the issuance of guidance under 
     subsection (a), and annually thereafter, the head of each 
     Federal agency shall submit to the Director of the Office of 
     Management and Budget a report on the efforts of the Federal 
     agency to implement that guidance.
       (2) Public report.--
       (A) In general.--Not later than 45 days after the date of 
     the issuance of guidance under subsection (a), and annually 
     thereafter, the Director shall develop and make publicly 
     available a report that includes--
       (i) a list of digital identity verification services 
     offered by Federal agencies;
       (ii) the volume of digital identity verifications performed 
     by each Federal agency;
       (iii) information relating to the effectiveness of digital 
     identity verification services by Federal agencies; and
       (iv) recommendations to improve the effectiveness of 
     digital identity verification services by Federal agencies.
       (B) Consultation.--In developing the first report required 
     under subparagraph (A), the Director shall consult the Task 
     Force.
       (3) Congressional report on federal agency digital identity 
     capabilities.--
       (A) Reform.--Not later than 180 days after the date of the 
     enactment of this Act, the Director of the Office of 
     Management and Budget, in coordination with the Director of 
     the Cybersecurity and Infrastructure Security Agency, shall 
     submit to the Committee on Homeland Security and Governmental 
     Affairs of the Senate and the Committee on Oversight and 
     Accountability of the House of Representatives a report 
     relating to the implementation and effectiveness of the 
     digital identity capabilities of Federal agencies.
       (B) Consultation.--In developing the report required under 
     subparagraph (A), the Director of the Office of Management 
     and Budget shall--
       (i) consult with the Task Force; and
       (ii) to the greatest extent practicable, include in the 
     report recommendations of the Task Force.
       (C) Contents of report.--The report required under 
     subparagraph (A) shall include--
       (i) an analysis, including metrics and milestones, for the 
     implementation by Federal agencies of--

       (I) the guidelines published by the National Institute of 
     Standards and Technology in the document entitled ``Special 
     Publication 800-63'' (commonly referred to as the ``Digital 
     Identity Guidelines''), or any successor document; and
       (II) if feasible, any additional requirements relating to 
     enhancing digital identity capabilities identified in the 
     document of the Office of Management and Budget entitled ``M-
     19-17'' and issued on May 21, 2019, or any successor 
     document;

       (ii) a review of measures taken to advance the equity, 
     accessibility, cybersecurity, and privacy of digital identity 
     verification services offered by Federal agencies; and
       (iii) any other relevant data, information, or plans for 
     Federal agencies to improve the digital identity capabilities 
     of Federal agencies.
       (c) Additional Reports.--On the first March 1 occurring 
     after the date described in subsection (b)(3)(A), and 
     annually thereafter, the Director of the Office of Management 
     and Budget, in consultation with the Director of the National 
     Institute of Standards and Technology, shall include in the 
     report required under section 3553(c) of title 44, United 
     States Code--
       (1) any additional and ongoing reporting on the matters 
     described in subsection (b)(3)(C); and

[[Page S4935]]

       (2) associated information collection mechanisms.

     SEC. __05. GAO REPORT.

       (a) In General.--Not later than 1 year after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall submit to Congress a report on the estimated 
     potential savings, including estimated annual potential 
     savings, due to the increased adoption and widespread use of 
     digital identification, of--
       (1) the Federal Government from averted fraud, including 
     benefit fraud; and
       (2) the economy of the United States and consumers from 
     averted identity theft.
       (b) Contents.--Among other variables the Comptroller 
     General of the United States determines relevant, the report 
     required under subsection (a) shall include multiple 
     scenarios with varying uptake rates to demonstrate a range of 
     possible outcomes.
                                 ______