[House Report 106-876] [From the U.S. Government Publishing Office] 106th Congress Report HOUSE OF REPRESENTATIVES 2d Session 106-876 ====================================================================== COMPUTER SECURITY ENHANCEMENT ACT OF 2000 _______ September 21, 2000.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. Sensenbrenner, from the Committee on Science, submitted the following R E P O R T [To accompany H.R. 2413] [Including cost estimate of the Congressional Budget Office] The Committee on Science, to whom was referred the bill (H.R. 2413) to amend the National Institute of Standards and Technology Act to enhance the ability of the National Institute of Standards and Technology to improve computer security, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. CONTENTS Page I. Amendment.......................................................2 II. Purpose of the Bill.............................................6 III. Background and Need for the Legislation.........................6 IV. Summary of Hearings.............................................7 V. Committee Actions..............................................11 VI. Summary of Major Provisions of the Bill........................11 VII. Section-By-Section Analysis (By Title and Section)/Committee Views..........................................................12 VIII. Cost Estimate..................................................18 IX. Congressional Budget Office Cost Estimate......................18 X. Compliance with Public Law 104-4 (Unfunded Mandates)...........19 XI. Committee Oversight Findings and Recommendations...............19 XII. Oversight Findings and Recommendations by the Committee on Government Reform and Oversight................................20 XIII. Constitutional Authority Statement.............................20 XIV. Federal Advisory Committee Statement...........................20 XV. Congressional Accountability Act...............................20 XVI. Statement of Preemption of State, Local, or Tribal Law.........20 XVII. Changes in Existing Law Made by the Bill, As Reported..........20 XVIII.Committee Recommendations......................................23 XIX. Proceedings of Subcommittee Markup.............................24 XX. Proceedings of Full Committee Markup...........................59 I. Amendment The amendment is as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Computer Security Enhancement Act of 2000''. SEC. 2. FINDINGS AND PURPOSES. (a) Findings.--The Congress finds the following: (1) The National Institute of Standards and Technology has responsibility for developing standards and guidelines needed to ensure the cost-effective security and privacy of sensitive information in Federal computer systems. (2) The Federal Government has an important role in ensuring the protection of sensitive, but unclassified, information controlled by Federal agencies. (3) Technology that is based on the application of cryptography exists and can be readily provided by private sector companies to ensure the confidentiality, authenticity, and integrity of information associated with public and private activities. (4) The development and use of encryption technologies by industry should be driven by market forces rather than by Government imposed requirements. (b) Purposes.--The purposes of this Act are to-- (1) reinforce the role of the National Institute of Standards and Technology in ensuring the security of unclassified information in Federal computer systems; and (2) promote technology solutions based on private sector offerings to protect the security of Federal computer systems. SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE. Section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)) is amended-- (1) by redesignating paragraphs (2), (3), (4), and (5) as paragraphs (3), (4), (8), and (9), respectively; and (2) by inserting after paragraph (1) the following new paragraph: ``(2) upon request from the private sector, to assist in establishing voluntary interoperable standards, guidelines, and associated methods and techniques to facilitate and expedite the establishment of non-Federal management infrastructures for public keys that can be used to communicate with and conduct transactions with the Federal Government;''. SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS. Section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is further amended by inserting after paragraph (4), as so redesignated by section 3(1) of this Act, the following new paragraphs: ``(5) except for national security systems, as defined in section 5142 of Public Law 104-106 (40 U.S.C. 1452), to provide guidance and assistance to Federal agencies for protecting the security and privacy of sensitive information in interconnected Federal computer systems, including identification of significant risks thereto; ``(6) to promote compliance by Federal agencies with existing Federal computer information security and privacy guidelines; ``(7) in consultation with appropriate Federal agencies, assist Federal response efforts related to unauthorized access to Federal computer systems;''. SEC. 5. COMPUTER SECURITY IMPLEMENTATION. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is further amended-- (1) by redesignating subsections (c) and (d) as subsections (e) and (f), respectively; and (2) by inserting after subsection (b) the following new subsection: ``(c)(1) In carrying out subsection (a)(2) and (3), the Institute shall-- ``(A) emphasize the development of technology-neutral policy guidelines for computer security practices by the Federal agencies; ``(B) promote the use of commercially available products, which appear on the list required by paragraph (2), to provide for the security and privacy of sensitive information in Federal computer systems; ``(C) develop qualitative and quantitative measures appropriate for assessing the quality and effectiveness of information security and privacy programs at Federal agencies; ``(D) perform evaluations and tests at Federal agencies to assess existing information security and privacy programs; ``(E) promote development of accreditation procedures for Federal agencies based on the measures developed under subparagraph (C); ``(F) if requested, consult with and provide assistance to Federal agencies regarding the selection by agencies of security technologies and products and the implementation of security practices; and ``(G)(i) develop uniform testing procedures suitable for determining the conformance of commercially available security products to the guidelines and standards developed under subsection (a)(2) and (3); ``(ii) establish procedures for certification of private sector laboratories to perform the tests and evaluations of commercially available security products developed in accordance with clause (i); and ``(iii) promote the testing of commercially available security products for their conformance with guidelines and standards developed under subsection (a)(2) and (3). ``(2) The Institute shall maintain and make available to Federal agencies and to the public a list of commercially available security products that have been tested by private sector laboratories certified in accordance with procedures established under paragraph (1)(G)(ii), and that have been found to be in conformance with the guidelines and standards developed under subsection (a)(2) and (3). ``(3) The Institute shall annually transmit to the Congress, in an unclassified format, a report containing-- ``(A) the findings of the evaluations and tests of Federal computer systems conducted under this section during the 12 months preceding the date of the report, including the frequency of the use of commercially available security products included on the list required by paragraph (2); ``(B) the planned evaluations and tests under this section for the 12 months following the date of the report; and ``(C) any recommendations by the Institute to Federal agencies resulting from the findings described in subparagraph (A), and the response by the agencies to those recommendations.''. SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by inserting after subsection (c), as added by section 5 of this Act, the following new subsection: ``(d)(1) The Institute shall solicit the recommendations of the Computer System Security and Privacy Advisory Board, established by section 21, regarding standards and guidelines that are being considered for submittal to the Secretary in accordance with subsection (a)(4). The recommendations of the Board shall accompany standards and guidelines submitted to the Secretary. ``(2) There are authorized to be appropriated to the Secretary $1,030,000 for fiscal year 2001 and $1,060,000 for fiscal year 2002 to enable the Computer System Security and Privacy Advisory Board, established by section 21, to identify emerging issues related to computer security, privacy, and cryptography and to convene public meetings on those subjects, receive presentations, and publish reports, digests, and summaries for public distribution on those subjects.''. SEC. 7. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by adding at the end the following new subsection: ``(g) The Institute shall not promulgate, enforce, or otherwise adopt standards, or carry out activities or policies, for the Federal establishment of encryption standards required for use in computer systems other than Federal Government computer systems.''. SEC. 8. MISCELLANEOUS AMENDMENTS. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended-- (1) in subsection (b)(9), as so redesignated by section 3(1) of this Act, by inserting ``to the extent that such coordination will improve computer security and to the extent necessary for improving such security for Federal computer systems'' after ``Management and Budget)''; (2) in subsection (e), as so redesignated by section 5(1) of this Act, by striking ``shall draw upon'' and inserting in lieu thereof ``may draw upon''; (3) in subsection (e)(2), as so redesignated by section 5(1) of this Act, by striking ``(b)(5)'' and inserting in lieu thereof ``(b)(8)''; and (4) in subsection (f)(1)(B)(i), as so redesignated by section 5(1) of this Act, by inserting ``and computer networks'' after ``computers''. SEC. 9. FEDERAL COMPUTER SYSTEM SECURITY TRAINING. Section 5(b) of the Computer Security Act of 1987 (40 U.S.C. 759 note) is amended-- (1) by striking ``and'' at the end of paragraph (1); (2) by striking the period at the end of paragraph (2) and inserting in lieu thereof ``; and''; and (3) by adding at the end the following new paragraph: ``(3) to include emphasis on protecting sensitive information in Federal databases and Federal computer sites that are accessible through public networks.''. SEC. 10. COMPUTER SECURITY FELLOWSHIP PROGRAM. There are authorized to be appropriated to the Secretary of Commerce $500,000 for fiscal year 2001 and $500,000 for fiscal year 2002 for the Director of the National Institute of Standards and Technology for fellowships, subject to the provisions of section 18 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-1), to support students at institutions of higher learning in computer security. Amounts authorized by this section shall not be subject to the percentage limitation stated in such section 18. SEC. 11. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH COUNCIL. (a) Review by National Research Council.--Not later than 90 days after the date of the enactment of this Act, the Secretary of Commerce shall enter into a contract with the National Research Council of the National Academy of Sciences to conduct a study of public key infrastructures for use by individuals, businesses, and government. (b) Contents.--The study referred to in subsection (a) shall-- (1) assess technology needed to support public key infrastructures; (2) assess current public and private plans for the deployment of public key infrastructures; (3) assess interoperability, scalability, and integrity of private and public entities that are elements of public key infrastructures; (4) make recommendations for Federal legislation and other Federal actions required to ensure the national feasibility and utility of public key infrastructures; and (5) address such other matters as the National Research Council considers relevant to the issues of public key infrastructure. (c) Interagency Cooperation With Study.--All agencies of the Federal Government shall cooperate fully with the National Research Council in its activities in carrying out the study under this section, including access by properly cleared individuals to classified information if necessary. (d) Report.--Not later than 18 months after the date of the enactment of this Act, the Secretary of Commerce shall transmit to the Committee on Science of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report setting forth the findings, conclusions, and recommendations of the National Research Council for public policy related to public key infrastructures for use by individuals, businesses, and government. Such report shall be submitted in unclassified form. (e) Authorization of Appropriations.--There are authorized to be appropriated to the Secretary of Commerce $450,000 for fiscal year 2001, to remain available until expended, for carrying out this section. SEC. 12. PROMOTION OF NATIONAL INFORMATION SECURITY. The Under Secretary of Commerce for Technology shall-- (1) promote an increased use of security techniques, such as risk assessment, and security tools, such as cryptography, to enhance the protection of the Nation's information infrastructure; (2) establish a central repository of information for dissemination to the public to promote awareness of information security vulnerabilities and risks; and (3) promote the development of the national, standards-based infrastructure needed to support government, commercial, and private uses of encryption technologies for confidentiality and authentication. SEC. 13. ELECTRONIC AUTHENTICATION INFRASTRUCTURE. (a) Electronic Authentication Infrastructure.-- (1) Guidelines and standards.--Not later than 18 months after the date of the enactment of this Act, the Director, in consultation with industry and appropriate Federal agencies, shall develop electronic authentication infrastructure guidelines and standards for use by Federal agencies to assist those agencies to effectively select and utilize electronic authentication technologies in a manner that is-- (A) adequately secure to meet the needs of those agencies and their transaction partners; and (B) interoperable, to the maximum extent possible. (2) Elements.--The guidelines and standards developed under paragraph (1) shall include-- (A) protection profiles for cryptographic and noncryptographic methods of authenticating identity for electronic authentication products and services; (B) a core set of interoperability specifications for the Federal acquisition of electronic authentication products and services; and (C) validation criteria to enable Federal agencies to select cryptographic electronic authentication products and services appropriate to their needs. (3) Coordination with national policy panel.--The Director shall ensure that the development of guidelines and standards with respect to cryptographic electronic authentication products and services under this subsection is carried out in consultation with the National Policy Panel for Digital Signatures established under subsection (e). (4) Revisions.--The Director shall periodically review the guidelines and standards developed under paragraph (1) and revise them as appropriate. (b) Listing of Validated Products.--Not later than 30 months after the date of the enactment of this Act, and thereafter, the Director shall maintain and make available to Federal agencies and to the public a list of commercially available electronic authentication products, and other such products used by Federal agencies, evaluated as conforming with the guidelines and standards developed under subsection (a). (c) Specifications for Electronic Certification and Management Technologies.-- (1) Specifications.--The Director shall, as appropriate, establish core specifications for particular electronic certification and management technologies, or their components, for use by Federal agencies. (2) Evaluation.--The Director shall advise Federal agencies on how to evaluate the conformance with the specifications established under paragraph (1) of electronic certification and management technologies, developed for use by Federal agencies or available for such use. (3) Maintenance of list.--The Director shall maintain and make available to Federal agencies a list of electronic certification and management technologies evaluated as conforming to the specifications established under paragraph (1). (d) Reports.--Not later than 18 months after the date of the enactment of this Act, and annually thereafter, the Director shall transmit to the Congress a report that includes-- (1) a description and analysis of the utilization by Federal agencies of electronic authentication technologies; and (2) an evaluation of the extent to which Federal agencies' electronic authentication infrastructures conform to the guidelines and standards developed under subsection (a)(1). (e) National Policy Panel for Digital Signatures.-- (1) Establishment.--Not later than 90 days after the date of the enactment of this Act, the Under Secretary shall establish a National Policy Panel for Digital Signatures. The Panel shall be composed of government, academic, and industry technical and legal experts on the implementation of digital signature technologies, State officials, including officials from States which have enacted laws recognizing the use of digital signatures, and representative individuals from the interested public. (2) Responsibilities.--The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform guidelines and standards to enable the widespread availability and use of digital signature systems. The Panel shall develop-- (A) model practices and procedures for certification authorities to ensure the accuracy, reliability, and security of operations associated with issuing and managing digital certificates; (B) guidelines and standards to ensure consistency among jurisdictions that license certification authorities; and (C) audit procedures for certification authorities. (3) Coordination.--The Panel shall coordinate its efforts with those of the Director under subsection (a). (4) Administrative support.--The Under Secretary shall provide administrative support to enable the Panel to carry out its responsibilities. (5) Report.--Not later than 1 year after the date of the enactment of this Act, the Under Secretary shall transmit to the Congress a report containing the recommendations of the Panel. (f) Definitions.--For purposes of this section-- (1) the term ``certification authorities'' means issuers of digital certificates; (2) the term ``digital certificate'' means an electronic document that binds an individual's identity to the individual's key; (3) the term ``digital signature'' means a mathematically generated mark utilizing key cryptography techniques that is unique to both the signatory and the information signed; (4) the term ``digital signature infrastructure'' means the software, hardware, and personnel resources, and the procedures, required to effectively utilize digital certificates and digital signatures; (5) the term ``electronic authentication'' means cryptographic or noncryptographic methods of authenticating identity in an electronic communication; (6) the term ``electronic authentication infrastructure'' means the software, hardware, and personnel resources, and the procedures, required to effectively utilize electronic authentication technologies; (7) the term ``electronic certification and management technologies'' means computer systems, including associated personnel and procedures, that enable individuals to apply unique digital signatures to electronic information; (8) the term ``protection profile'' means a list of security functions and associated assurance levels used to describe a product; and (9) the term ``Under Secretary'' means the Under Secretary of Commerce for Technology. SEC. 14. SOURCE OF AUTHORIZATIONS. There are authorized to be appropriated to the Secretary of Commerce $7,000,000 for fiscal year 2001 and $8,000,000 for fiscal year 2002, for the National Institute of Standards and Technology to carry out activities authorized by this Act for which funds are not otherwise specifically authorized to be appropriated by this Act. II. Purpose of the Bill The purpose of the bill is to update the Computer Security Act of 1987 to improve computer security for federal civilian agencies and the private sector. III. Background and Need for the Legislation The Computer Security Act of 1987 gave authority over computer and communication security standards in federal civilian agencies to NIST. The Computer Security Enhancement Act of 2000 strengthens that authority and directs funds to implement practices and procedures which will ensure that the federal standards setting process remains open to public input and analysis and that will provide guidance and assistance on protection of electronic information to federal civilian agencies. H.R. 2413 promotes open and public discussion, as well as the use of commercially available products to meet the information security needs of the federal civilian agencies. Since 1993, the General Accounting Office (GAO) has issued over 35 reports describing serious information security weaknesses at major federal agencies. In 1999, GAO reported that during the previous 2 years serious information security control weaknesses had been reported for most of the federal agencies. Recently, GAO gave the federal government an overall grade of D minus for its computer security efforts. Much has changed in the years since the Computer Security Act of 1987 was enacted. The proliferation of networked systems, the Internet, and web access are just a few of the dramatic advances in information technology that have occurred. The Computer Security Enhancement Act of 2000 addresses these changes and provides for greater security for the federal civilian agencies that base their procurement decisions for computer security hardware and software on NIST standards. H.R. 2413 also promotes the use of commercially available products and encourages an open exchange of information between NIST and the private sector. This renewed emphasis on open discussion should help facilitate better security in all communities. IV. Summary of Hearings On September 30, 1999, the Subcommittee on Technology held a hearing to review H.R. 2413, the Computer Security Enhancement Act of 2000, legislation introduced by Chairman Sensenbrenner, Representatives Morella and Gordon. Witnesses included Mr. Raymond Kammer, Director, National Institute of Standards and Technology; Mr. Keith Rhodes, Director, Office of Computer and Information, Technology Assessment, U.S. General Accounting Office; Mr. Harris Miller, President, Information Technology Association of America; and Dr. George Trubow, Professor and Director, Center for Information Technology and Privacy Law, The John Marshall Law School and Member, Computer System Security and Privacy Advisory Board (CSSPAB), NIST. Mr. Kammer testifying on behalf of the National Institute of Standards and Technology, stated that NIST's computer security program focuses on standards and guidelines, public key infrastructure and security research. Mr. Kammer noted that the President has recently requested an additional $39M in FY 2000 for initiatives proposed to protect critical infrastructure, of which $5M would be for NIST to establish an Expert Review Team to assist Government-wide agencies in adhering to Federal computer security requirements. NIST would consult with OMB and NSA on the team's plan to protect computer security for Federal agencies. Two million would fund a 15 member team responsible for helping agencies identify vulnerabilities, plan secure systems and implement critical infrastructure plans. Three million would establish an operational fund at NIST for computer security projects among Federal agencies. Projects would include independent vulnerability assessments, computer intrusion drill and emergency funds to cover security fixes for systems identified to have unacceptable risks. Mr. Rhodes, testifying on behalf of General Accounting Office (GAO), stated that H.R. 2413 aims to reinforce the role of NIST, whose mission is to provide guidance and technical assistance to government and industry to protect unclassified information systems. Mr. Rhodes discussed: (1) the urgent need to strengthen computer security across the Federal Government; (2) the current and future privacy concerns with any computer security legislation, (3) GAO's views on the proposed act, and (4) what can be done to further strengthen security program management at federal agencies. According to Rhodes, it is imperative that the Federal Government swiftly implement long- term solutions both at individual agencies and government-wide to protect systems and sensitive data. He noted that the need to protect sensitive data and systems must be weighed against cost, feasibility, privacy and security interests of citizens and private businesses as well as national security and law enforcement agencies. Without computer security, privacy cannot be assured. Without agreement among users, businesses, law enforcement, national security and other authorities on requirements, there is no way to implement new technology or to establish standards that will be universally accepted. Finally, Mr. Rhodes stated that it is important to ensure that NIST retains the ability to develop security standards for unclassified data and decide which industry standards are appropriate for Federal agencies and that the agencies consistently implement such standards. Mr. Harris, testifying on behalf of the ITAA, stated that his association and its members support both goals of H.R. 2413, to assist NIST in meeting the computer security needs of Federal agencies and to allow the Federal Government through NIST to harness the ingenuity of the private sector to help address its computer security needs. He noted that computer security solutions should be industry-led. Mr. Harris recognized that great opportunities for collaboration between Federal Government and private industry currently exist and that there is a need for information security computer specialists and additional resources. Finally, Mr. Harris stated there is a need for authentication through digital signatures and a public key infrastructure. Profesor Trubow, testifying on behalf of the Computer System Security and Privacy Advisory Board (CSSPAB), warned that for the Board to remain effective, it should maintain its role as an advisory board. He noted that it is appropriate for the board to be asked for its advice and wisdom. In his opinion, the board supports the goal of H.R. 2413 to expand NIST's activities in developing and promoting the use of information system security technologies. He noted that attention to privacy must not be overlooked. Finally, Professor Trubow recommended that ``privacy'' be inserted in the bill in several areas. On April 15, 1999, the Subcommittee on Technology held a hearing on ``The Melissa Virus: Inoculating Our Information Technology from Emerging Threats.'' The hearing was held to review computer security threats specifically computer viruses. Witnesses included: Mr. Raymond Kammer, Director, National Institutes of Standards and Technology, Mr. Michael Vatis, Director, National Infrastructure and Protection Center, FBI, Dr. Richard Pethia, Director, CERT Coordination Center, Carnegie Mellon University Software Engineering Institute, and Mr. Keith Rhodes, Technical Director, Office of the Chief Scientist, U.S. General Accounting Office. Mr. Raymond Kammer, Director, National Institutes of Standards and Technology, testified that the Melissa virus is what is known as a denial of service attack, whereby servers and routers are literally overwhelmed by e-mail. Mr. Kammer stressed that we as a nation must maintain a proper perspective in developing computer security solutions and not target the problem of the moment. Mr. Kammer stated that NIST has taken a broad perspective and that the agency has several initiatives underway to strengthen the IT security infrastructure of the U.S. economy. Mr. Michael Vatis, Director, National Infrastructure and Protection Center, FBI, testified that the Melissa virus is a macro virus spread through Microsoft Word 97 or Word 2000 e- mail attachments. He explained that the problem with this particular virus was its ability to spread quickly. Mr. Vatis moved on to state that we are fortunate this virus did not do more damage than it did. However, he added that its occurrence should serve as a wake up call for both the government and the private sector, because the virus exploited known vulnerabilities. Mr. Vatis stated that the notifications and information provided by the NIPC, CERT, and others demonstrated the value of cooperative efforts by the private and government sectors. Dr. Richard Pethia, Director, CERT Coordination Center, Carnegie Mellon University Software Engineering Institute, stated that the Melissa virus was a warning siren of the increased vulnerability of our networks. He believes that the press acted responsibly in reporting the outbreak. Dr. Pethia presumes that there will be a need in the future for enhanced incident response capability, faster communications, better analytical tools and techniques to solve this problem. He contends that if we have multiple outbreaks that spread at Internet speed, we would not be able to control the virus. He reiterates that real solutions in the long term can only come from improvements in technology. Along with virus-proof software, there is a need to make use of encryption technology in the form of digital signatures so those messages can be authenticated. Mr. Keith Rhodes, Technical Director, Office of the Chief Scientist, U.S. General Accounting Office testified that the Melissa virus disrupted the operations of thousands of companies and some government agencies, but did not permanently damage systems and did not compromise government data. He discussed the broader implications of the Melissa virus including how quickly the virus proliferated due to the extensive connectivity of today's networks. He believes that the next virus will propagate faster, do more damage and be more difficult to detect and to counter. He also claims that it is imperative that Federal agencies and the government implement long-term solutions to protect systems and sensitive data. Furthermore, Mr. Rhodes is a supporter of the GAO's Information Security Best Practice guides. They offer a framework for agencies to follow. Sustained government-wide leadership is needed to ensure that executives understand risks, monitor agency performs and resolve issues affecting multiple agencies. On May 10, 2000 the Subcommittee on Technology held a hearing entitled, ``The Love Bug Virus: Protecting Lovesick Computers from Malicious Attack.'' The hearing examined the features of the ``love bug'' computer virus, explored its impact on the Federal Government and the private sector, and examined possible solutions and preventative actions individuals and organizations should take to prevent emerging threats form impacting information technology systems and networks. Witnesses included: Mr. Keith Rhodes, Technical Director, Office of the Chief Scientist, U.S. General Accounting Office; Mr. Harris Miller, President, Information Technology Association of America; Ms. Sandra England, Senior Vice President, McAfee--A Network Associates Company; Mr. Peter Tippett, Chief Technology Officer, ICSA.net. Mr. Keith Rhodes, Technical Director, Office of the Chief Scientist, U.S. General Accounting Office, stated that the world does not practice safe computing. He described how the ``I Love You'' virus worked. He noted that there were 14 variances of this virus some even more damaging. The Love Bug hit many large corporations such as AT&T, TWA, Ford and the Washington Post, ABC News, British Parliament, the IMF and at least 14 other United States Federal Agencies. These viruses were spreading faster due to the high dependency on our network systems. Mr. Rhodes claims that there is no silver bullet that will stop the infection of viruses. Therefore, agencies inside and outside the government must increase awareness, ensure that existing controls are operating effectively, ensure that software patches are brought up to date, use automated scanning and testing tools to quickly identify problems and be sure that common vulnerabilities are addressed. Mr. Harris Miller, President, Information Technology Association of America, testified that cyber crimes are given less priority than other types of crime since there is no actual physical violence. This attitude must change and the government agencies need to make information security a much higher priority. He stated that information sharing is the key challenge. He is working to create an information-sharing mechanism with over 100 IT companies. ITAA will host the first global security summit in Washington, D.C. on October 16 and 17. He hopes to establish the same type of international collaboration that existed with the Y2K bug. ITAA is also working with the Department of Justice on the Cybercitizen Partnership to help promote cyber ethics. In his closing remarks he stated that Cyber-crime must not become an accepted practice. Ms. Sandra England, Senior Vice President, McAfee--A Network Associates Company testified that the McAfee's Emergency response team, AVERT, immediately responded to the outbreak of the ``I Love You'' virus. They were able to dispense a cure within a couple hours of its first detection. She went on to add that many viruses are detected on a daily basis and last year alone there were $12 billion in damages due to various viruses. Ms. England claims that even though viruses attack on a more frequent basis, not much is being done to internal policies to respond to these new attacks. The actual cost from the viruses is hard to assess mainly since it is a loss of time and productivity. The anti virus companies alone can not combat this problem. Anti-virus software must be kept up to date, and signature files must be updated faithfully. She agreed that more must be done to stop virus writers and in turn stiffer punishments must be enacted. Mr. Peter Tippett, Chief Technology Officer, ICSA.net discussed the costs and risks associated with electronic, malicious code, privacy, down time, physical and human related factors. He described ICSA as a new breed of Internet company that provides security assurances services. Mr. Tippett states that every product that ICSA certifies can detect, prevent and recover from every virus that has ever been promulgated. However, after they are installed into companies they become only 30% effective. He suggests better education on how to use such software. He agreed with the other witnesses in stating that stiffer laws must be invoked on those who choose to write these malicious codes. ICSA estimates that 65% of Northern American companies were infected as well as 133,000 desktops. V. Committee Actions On Wednesday, October 20, 1999, the Committee on Science, Subcommittee on Technology convened to mark up H.R. 2413, The Computer Security Enhancement Act of 1999, to enhance the ability of the National Institute of Standards and Technology (NIST) to improve computer security. One amendment was offered at the mark-up. It was adopted by a voice vote. 1. Mrs. Morella and Mr. Barcia offered an en bloc amendment that would require NIST to access existing information security programs at Federal agencies, make recommendations to improve their security, and report to Congress annually on the information security status of Federal agencies. With a quorum present, Chairwoman Morella moved that H.R. 2413, as amended be reported. The motion was adopted by a voice vote. On Wednesday, July 26, 2000, the Committee on Science convened to mark up H.R. 2413. An amendment offered by Mrs. Morella and Mr. Barcia was offered and adopted by a voice vote. 1. Mrs. Morella and Mr. Barcia offered an amendment, which consisted of the text of H.R. 2413 as reported by the Subcommittee on Technology. The amendment was agreed to by a voice vote. With a quorum present, Chairman Sensenbrenner moved that H.R. 2413, as amended be reported. The motion was adopted by a voice vote. VI. Summary of Major Provisions of the Bill H.R. 2413, the Computer Security Enhancement Act of 2000 provides for greater security for the federal civilian agencies that base their procurement decisions for computer security hardware and software on NIST standards. The legislation also promotes the use of commercially available products and encourages an open exchange of information between NIST and the private sector. The legislation authorizes a total of $8,980,000 in FY 2001 and $9,560,000 in FY 2002. Specifically, the Computer Security Enhancement Act of 2000:Requires NIST to encourage the acquisition of commercial off-the-shelf (COTS) products to meet civilian agency computer security needs. This measures should reduce the costs of computer security technologies for federal agencies. Enhances the role of the independent Computer System Security and Privacy Advisory Board in NIST's decision- making process by requiring the Board, which is made up of representatives from industry, federal agencies and other external organizations, to make formal recommendations regarding proposed security standards and provide guidance to NIST on emerging computer security issues. Clarifies that NIST standards and guidelines are to be used for the acquisition of computer security technologies for the Federal Government and are not intended as restrictions on the production or use of encryption by the private sector. Updates the Computer Security Act by including references to computer networking, which has become an increasingly important component of the Federal Government Information technology system. Establishes a new computer science fellowship program for graduate and undergraduate students studying computer security. The bill sets aside $500,000 for the first year and $500,000 for the second year, to enable NIST to finance computer security fellowships under an existing NIST grant program. Requires the National Research Council (NRC) to conduct a study to assess the desirability of public key infrastructures. The NRC would also research the technologies required for the establishment of such public key infrastructures. Requires the Under Secretary of Commerce for Technology to actively promote the use of technologies by the Federal Government that will enhance the security of federal communications networks and information in electronic form; to establish a clearinghouse of information available to the public on information security threats; and to promote development of a market driven consensus standards-based infrastructure that will enable more widespread use of encryption technologies for confidentiality and authentication. Establishes a National Panel for Digital Signatures for the purpose of exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform standards and of developing model practices and standards associated with certification authorities. The Department of Commerce shall appoint the National Panel and provide necessary administrative support. VII. Section-by-Section Analysis (By Title and Section)/Committee Views Sec. 1. Short title Computer Security Enhancement Act of 2000. Sec. 2. Findings and purposes Details the findings and purpose of the bill. Sec. 3. Voluntary standards for public key management infrastructures Section 20 of the NIST Act is amended by authorizing NIST to assist (upon request from the private sector) in establishing voluntary interoperable standards, guidelines, and associated methods and techniques to facilitate and expedite the establishment of non-Federal public key management infrastructures. Committee views Historically, NIST has been most effective when helping the commercial sector, in a consensus process, to establish standards. The Committee supports such efforts, so long as they are fully voluntary and reflect a true consensus process. Sec. 4. Security of Federal computers and networks Section 20 of the NIST Act is amended by authorizing NIST to: (1) provide guidance and assistance to federal agencies in the protection of interconnected computer systems (except for national security systems), including identification of significant risks thereto; (2) promote compliance by Federal agencies with existing Federal computer information security and privacy guidelines; and, (3) consult with and assist Federal agencies in response to efforts related to unauthorized access to federal computer systems. Committee views The Committee believes it is important that NIST remain the lead agency in securing the information technology infrastructure of federal civilian agencies. NIST must place greater emphasis on its duties in this area. NIST should provide guidance and assistance to federal civilian agencies in helping to secure their information technology systems. Sec. 5. Computer security implementation. Section 20 of the NIST Act is amended to specify the approaches to be taken by NIST in carrying out its existing responsibilities for developing standards and guidelines for the security and privacy of sensitive information in federal computer systems and for assisting federal agencies in meeting those standards and guidelines. Specifically, NIST must emphasize technology-neutral policy guidelines, must actively promote commercially available products for meeting the security and privacy requirements of federal agencies and provide assistance to agencies in the selection of products; and must develop qualitative and quantitative measures for assessing the effectiveness of agencies' information security and privacy programs, perform evaluations of agencies' security and privacy programs, and promote appropriate accreditation procedures for agencies' programs. In addition, NIST is required to develop uniform procedures for determining the effectiveness of commercially available security products; establish procedures for certification of private sector laboratories to perform evaluations to promote the testing of products and make available the results of such tests to agencies and to the public. Committee views The Committee affirms NIST's lead role in setting policy guidelines for computer security practices implemented by federal civilian agencies. The Committee encourages the greater use of commercially available security products by federal agencies by directing NIST to promote the use of such products whenever feasible and appropriate. In order to identify the most effective security products, the Committee tasks NIST to establish appropriate evaluation procedures and to establish requirements to certify the capability of private sector laboratories to conduct such tests. The Committee expects NIST to expand its efforts to ensure the compliance of federal agencies with the information security and privacy guidelines developed by NIST in accordance with its statutory responsibilities. The Committee tasks NIST to develop metrics to assess the effectiveness of agencies' security and privacy programs, to conduct on-site evaluations of agencies' programs, and to report to Congress on the results of these evaluations. Sec. 6. Computer security review, public meetings, and information Section 20 of the NIST Act is amended by requiring NIST to solicit recommendations of the Computer System Security and Privacy Advisory Board regarding standards and guidelines that are under consideration for submittal to the Secretary of Commerce for promulgation as regulations and include such recommendations with any subsequent submission to the Secretary. Funds are also authorized for the Board ($1,030,000 for FY 2001 and $1,060,000 for FY 2002) to enable it to act as a forum for public discussion on emerging issues related to computer security privacy and cryptography. The Board is authorized to convene public meetings and to publish reports and other information for public distribution. Committee views The Committee believes that an open and transparent system should be used by NIST in promulgating federal standards. The Computer System Security and Privacy Advisory Board (CSSPAB), acting as an independent board, is uniquely positioned to make recommendations to the Department of Commerce. This Board will be charged with submitting its recommendations along with NIST's proposals to the Secretary of Commerce for promulgation as regulations. The Board is being provided with resources and specific direction by the Committee to allow it to operate in an independent and autonomous fashion to pursue public policy issues that are important for assuring the security and integrity of computing and network systems, and the information they contain. The Board is authorized to convene public meetings and to publish reports and other information for public distribution. The CSSPAB is to report directly to the Committee on Science of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate. The Committee emphasizes that CSSPAB reports do not require prior clearance by OMB or the Commerce Department before they are transmitted to the Congressional Committees. Sec. 7. Limitation on participation in requiring encryption standards Section 20 of the NIST Act is amended by prohibiting NIST from promulgating, enforcing, or otherwise adopting standards, or carrying out activities or policies, for the Federal establishment of encryption standards required for use in computer systems other than Federal Government computer systems. Committee views NIST does not currently promulgate, enforce or otherwise adopt standards, or carry out activities or policies, for the federal establishment of encryption, or computer security standards required for use in computer systems other than Federal Government computer systems. It is the Committee's intention that NIST not be used for such purposes in the future. Sec. 8. Miscellaneous amendments Technical and conforming amendments to Section 20 of the NIST Act as well as a language change which reasserts NIST's role as the lead agency for handling standards for civilian agency computer security. Committee views The Committee affirms NIST's role as the lead agency for handling standards for federal civilian agency computer security. The Committee believes that it is imperative that this function remain open to public scrutiny. NIST is the agency historically charged with setting the standards for computer security in the civilian agencies and it is the Committee's intention that NIST direct appropriate resources and expertise to this area. Sec. 9. Federal computer system security training Section 5(b) of the Computer Security Act of 1987 is amended by adding an emphasis on protecting sensitive information in Federal databases and Federal computer sites that are accessible through public networks. Committee views The Committee wishes to focus NIST's attention on security matters which have come about because of the changes in network information technology systems that have taken place since the enactment of the Computer Security Act of 1987. The World Wide Web is just one example of new developments in network technology programs which raise unique security concerns. Sec. 10. Computer security fellowship program Funds are authorized under Section 18 of the NIST Act to provide grants for research on computer security to students at institutions of higher learning ($500,000 for FY 2001 and $500,000 FY 2002). Committee views The Committee supports efforts to increase the number of college and graduate students in the field of computer security. NIST can play an important, although limited, role in this effort through its section 18 fellowship program. Sec. 11. Study of public key infrastructure by the National Research Council This section authorizes funds ($450,000 for FY 2001 to remain available until expended) and sets terms for the National Research Council of the National Academy of Sciences to conduct a study of public key infrastructures (PKI) for use by individuals, businesses, and government. Committee views The Committee is aware that the Federal Government is aggressively promoting the deployment of PKI technology. PKIs are not yet commonplace in either the private sector or in government because a number of significant challenges must still be overcome before the technology can be widely deployed and implemented. The NRC study will provide valuable information on the costs, vulnerabilities and scalability issues of such an infrastructure. Sec. 12. Promotion of national information security Requires the Under Secretary of Commerce for Technology to actively promote the use of technologies that will enhance the security of communications networks and information in electronic form; to establish a clearinghouse of information available to the public on information security threats; and to promote development of the standards-based infrastructure that will enable the more widespread use of encryption technologies for confidentiality and authentication. Committee views Through the requirements of section 12, the Committee intends to designate a central government focus for increasing public awareness of the need for improving the security of communications networks and the information accessed through such networks. The Committee notes that one of the central findings of the comprehensive 1996 report from the National Academy of Sciences, Cryptography's Role in Securing the Information Society, is the relative lack of attention paid to securing electronic information. Although the technical solutions for enhancing information security are available, the public has not been energized about the importance of utilizing these tools. H.R. 2413 encourages greater use of commercially available cryptography products for protection of government information, which may have the indirect effect of enhancing the general availability of such technologies. To further increase public awareness of security threats and to accelerate corrective action, section 12 of the bill charges the Technology Administration in the Commerce Department to actively promote greater use of cryptography and associated technologies by the private sector. One specific requirement is for the Technology Administration to establish a clearinghouse of information for the public on information security threats to networked computers, including information about procedural and technical approaches to guard against such threats. The Committee intends that the Technology Administration actively promote the development of a national, standards-based infrastructure to support the uses of encryption technologies for confidentiality and authentication by working closely with the private sector and by assisting and supporting the development of standards through a private-sector oriented, consensus-based process. Sec. 13. Electronic authentication infrastructure Directs NIST to work in consultation with industry to develop guidelines for electronic authentication infrastructures for use by federal agencies to ensure the security of transactions and interoperability with transaction partners. NIST will develop and maintain a list of conforming commercially available electronic authentication products used by federal agencies. NIST will develop criteria/guidelines for use by agencies for electronic management systems such as maintaining security of databases and validity of certificates. Eighteen months after enactment, NIST shall report to Congress on how agencies are deploying systems which are in accordance with guidelines developed by the agency. Guidelines developed by NIST or any Federal agency should be technology neutral. Establishes a National Panel for Digital Signatures for the purpose of exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform standards and of developing model practices and standards associated with certification authorities. The Technology Administration of the Department of Commerce shall appoint the National Panel and provide necessary administrative support. Committee views The Committee finds that digital signature technology is essential for the full use of public networks, such as the Internet, for commerce and for private communications. While P.L. 106-229, the Electronic Signatures in Global and National Commerce Act created the legal framework for the recognition and acceptance of electronic signatures, it does not address interoperability and other technical issues. Digital signatures verify the identity of a business or individual that is accessed via a network and assure the integrity of the information being exchanged. In order for digital signature technology to be deployed, in most cases, a trusted guarantor of the public identifier, or public key, of the digital signature must exist. This is the role of the certification authority. The Committee is aware that several States have enacted statutes to regulate certification authorities. Unfortunately, this has largely been an uncoordinated process resulting in the placement of varying requirements on certification authorities. In order for a truly national system to develop, which is required if use of digital signatures is to become widespread, the Committee believes that uniform market driven consensus standards must be in place for the practices and procedures of the certification authorities. Otherwise, variations in the requirements for certification authorities will degrade the overall level of reliability and security of digital signatures. To promote the required uniformity, section 13 of the bill establishes a national panel, under the auspices of the Technology Administration, to develop private voluntary model practices and procedures, promote uniformity among jurisdictions that license certification authorities, and private voluntary uniform audit standards for certification authorities. This national panel, with broadly based representation, including users of digital signature technology, will provide for the coordination needed to put in place the national technical infrastructure that is a prerequisite for the widespread use of digital signatures. Sec. 14. Source of authorizations This section authorizes $7 million in FY 2001 and $8 million in FY 2002 for NIST to carry out activities authorized by this Act for which funds are not otherwise specifically authorized. Committee views In addition to the funds authorized in H.R. 2413, H.R. 2086--the Networking and Information Technology Research and Development Act of 1999--which has passed the Science Committee and the House of Representatives--also authorizes funding for NIST to conduct fundamental computer security research in the area of advanced encryption standards and algorithms. VIII. Cost Estimate Rule XIII, clause 3(d)(2) of the House of Representatives requires each committee report accompanying each bill or joint resolution of a public character to contain: (1) an estimate, made by such committee, of the costs which would be incurred in carrying out such bill or joint resolution in the fiscal year in which it is reported, and in each of the five fiscal years following such fiscal year (or for the authorized duration of any program authorized by such bill or joint resolution, if less than five years); (2) a comparison of the estimate of costs described in subparagraph (1) of this paragraph made by such committee with an estimate of such costs made by any Government agency and submitted to such committee; and (3) when practicable, a comparison of the total estimated funding level for the relevant program (or programs) with the appropriate levels under current law. However, House rule XIII, clause 3(d)(3)(B) provides that this requirement does not apply when a cost estimate and comparison prepared by the Director of the Congressional Budget Office under section 402 of the Congressional Budget Act of 1974 has been timely submitted prior to the filing of the report and included in the report pursuant to House rule XIII, clause 3(c)(3). A cost estimate and comparison prepared by the Director of the Congressional Budget Office under section 402 of the Congressional Budget Act of 1974 has been timely submitted to the Committee on Science prior to the filing of this report and is included in this report pursuant to House rule XIII, clause 3(c)(3). Rule XIII, clause 3(c)(2) of the House of Representatives requires each committee report that accompanies a measure providing new budget authority (other than continuing appropriations), new spending authority, or new credit authority, or changes in revenues or tax expenditures to contain a cost estimate, as required by section 308(a)(1) of the Congressional Budget Act of 1974 and, when practicable with respect to estimates of new budget authority, a comparison of the total estimated funding level for the relevant program (or programs) to the appropriate levels under current law. H.R. 2413 does not contain any new budget authority, credit authority, or changes in revenues or tax expenditures. Assuming that the sums authorized under the bill are appropriated, H.R. 2413 does authorize additional discretionary spending, as described in the Congressional Budget Office report on the bill. IX. Congressional Budget Office Cost Estimate U.S. Congress, Congressional Budget Office, Washington, DC, August 18, 2000. Hon. F. James Sensenbrenner, Jr. Chairman, Committee on Science, House of Representatives, Washington, DC. Dear Congressman: The Congressional Budget Office has prepared the enclosed estimate for H.R. 2413, the Computer Security Enhancement Act of 2000. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contacts are Taman Morris and Mark Hadley. Sincerely, Arlene Holen (For Dan L. Crippen, Director). Enclosure. H.R. 2413--Computer Security Enhancement Act of 2000 Summary: H.R. 2413 would direct the National Institute of Standards and Technology (NIST) to develop policies to improve computer security for federal computer systems and would authorize the appropriation of funds for this purpose in fiscal years 2001 and 2002. CBO estimates that implementing the bill would cost $19 million over the 2001-2003 period, assuming appropriation of the authorized amounts. H.R. 2413 would not affect direct spending or receipts; therefore, pay-as-you-go procedures would not apply. The bill contains no intergovernmental or private- sector mandates as defined in the Unfunded Mandates Reform Act (UMRA). Estimated cost to the Federal Government: The estimated budgetary impact of H.R. 2413 is shown in the following table. For this estimate, CBO assumes that H.R. 2413 would be enacted near the start of fiscal year 2001 and that the amounts authorized will be appropriated each year. Outlays have been projected on the basis of historical spending patterns for NIST and information provided by the agency. The cost of this legislation would fall within budget function 370 (commerce and housing credit). ---------------------------------------------------------------------------------------------------------------- By fiscal year, in millions of dollars-- -------------------------------------------- 2001 2002 2003 2004 2005 ---------------------------------------------------------------------------------------------------------------- CHANGES IN SPENDING SUBJECT TO APPROPRIATION Authorization level................................................ 9 10 0 0 0 Estimated outlays.................................................. 7 10 2 0 0 ---------------------------------------------------------------------------------------------------------------- Pay-as-you-go considerations: None. Intergovernmental and private-sector impact: H.R. 2413 contains no intergovernmental or private-sector mandates as defined in UMRA. Any costs incurred by states to participate in the National Policy Panel for Digital Signatures are unlikely to be significant. Estimate prepared by: Federal costs: Taman Morris and Mark Hadley; impact on State, local, and tribal governments: Victoria Heid Hall; impact on the private sector: Lauren Marks. Estimate approved by: Peter H. Fontaine, Deputy Assistant Director for Budget Analysis. X. Compliance With Public Law 104-4 H.R. 2413 contains no unfunded mandates. XI. Committee Oversight Findings and Recommendations Rule XIII, clause 3(c)(1) of the House of Representatives requires each committee report to include oversight findings and recommendations required pursuant to clause 2(b)(1) of rule X. The Committee on Science's oversight findings and recommendations are reflected in the body of this report. XII. Oversight Findings and Recommendations by the Committee on Government Reform Rule XIII, clause 3(c)(4) of the House of Representatives requires each committee report to contain a summary of the oversight findings and recommendations made by the House Government Reform Committee pursuant to clause 4(c)(2) of rule X, whenever such findings and recommendations have been submitted to the Committee in a timely fashion. The Committee on Science has received no such findings or recommendations from the Committee on Government Reform. XIII. Constitutional Authority Statement Rule XIII, clause 3(d)(1) of the House of Representatives requires each report of a committee on a bill or joint resolution of a public character to include a statement citing the specific powers granted to the Congress in the Constitution to enact the law proposed by the bill or joint resolution. Article I, section 8 of the Constitution of the United States grants Congress the authority to enact H.R. 2413. XIV. Federal Advisory Committee Statement H.R. 2413 does not establish nor authorize the establishment of any advisory committee XV. Congressional Accountability Act The Committee finds that H.R. 2413 does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act (Public Law 104-1). XVI. Statement on Preemption of State, Local, or Tribal Law The bill is not intended to preempt any state, local, or tribal law. XVII. Changes in Existing Law Made by the Bill, as Reported In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in roman): SECTION 20 OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT Sec. 20. (a) * * * (b) In fulfilling subsection (a) of this section, the Institute is authorized-- (1) to assist the private sector, upon request, in using and applying the results of the programs and activities under this section; (2) upon request from the private sector, to assist in establishing voluntary interoperable standards, guidelines, and associated methods and techniques to facilitate and expedite the establishment of non- Federal management infrastructures for public keys that can be used to communicate with and conduct transactions with the Federal Government; [(2)] (3) as requested, to provide to operators of Federal computer systems technical assistance in implementing the standards and guidelines promulgated pursuant to section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441); [(3)] (4) to assist, as appropriate, the Office of Personnel Management in developing regulations pertaining to training, as required by section 5 of the Computer Security Act of 1987; (5) except for national security systems, as defined in section 5142 of Public Law 104-106 (40 U.S.C. 1452), to provide guidance and assistance to Federal agencies for protecting the security and privacy of sensitive information in interconnected Federal computer systems, including identification of significant risks thereto; (6) to promote compliance by Federal agencies with existing Federal computer information security and privacy guidelines; (7) in consultation with appropriate Federal agencies, assist Federal response efforts related to unauthorized access to Federal computer systems; [(4)] (8) to perform research and to conduct studies, as needed, to determine the nature and extent of the vulnerabilities of, and to devise techniques for the cost-effective security and privacy of sensitive information in Federal computer systems; and [(5)] (9) to coordinate closely with other agencies and offices (including, but not limited to, the Departments of Defense and Energy, the National Security Agency, the General Accounting Office, the Office of Technology Assessment, and the Office of Management and Budget) to the extent that such coordination will improve computer security and to the extent necessary for improving such security for Federal computer systems-- (A) * * * * * * * * * * (c)(1) In carrying out subsection (a)(2) and (3), the Institute shall-- (A) emphasize the development of technology-neutral policy guidelines for computer security practices by the Federal agencies; (B) promote the use of commercially available products, which appear on the list required by paragraph (2), to provide for the security and privacy of sensitive information in Federal computer systems; (C) develop qualitative and quantitative measures appropriate for assessing the quality and effectiveness of information security and privacy programs at Federal agencies; (D) perform evaluations and tests at Federal agencies to assess existing information security and privacy programs; (E) promote development of accreditation procedures for Federal agencies based on the measures developed under subparagraph (C); (F) if requested, consult with and provide assistance to Federal agencies regarding the selection by agencies of security technologies and products and the implementation of security practices; and (G)(i) develop uniform testing procedures suitable for determining the conformance of commercially available security products to the guidelines and standards developed under subsection (a)(2) and (3); (ii) establish procedures for certification of private sector laboratories to perform the tests and evaluations of commercially available security products developed in accordance with clause (i); and (iii) promote the testing of commercially available security products for their conformance with guidelines and standards developed under subsection (a)(2) and (3). (2) The Institute shall maintain and make available to Federal agencies and to the public a list of commercially available security products that have been tested by private sector laboratories certified in accordance with procedures established under paragraph (1)(G)(ii), and that have been found to be in conformance with the guidelines and standards developed under subsection (a)(2) and (3). (3) The Institute shall annually transmit to the Congress, in an unclassified format, a report containing-- (A) the findings of the evaluations and tests of Federal computer systems conducted under this section during the 12 months preceding the date of the report, including the frequency of the use of commercially available security products included on the list required by paragraph (2); (B) the planned evaluations and tests under this section for the 12 months following the date of the report; and (C) any recommendations by the Institute to Federal agencies resulting from the findings described in subparagraph (A), and the response by the agencies to those recommendations. (d)(1) The Institute shall solicit the recommendations of the Computer System Security and Privacy Advisory Board, established by section 21, regarding standards and guidelines that are being considered for submittal to the Secretary in accordance with subsection (a)(4). The recommendations of the Board shall accompany standards and guidelines submitted to the Secretary. (2) There are authorized to be appropriated to the Secretary $1,030,000 for fiscal year 2001 and $1,060,000 for fiscal year 2002 to enable the Computer System Security and Privacy Advisory Board, established by section 21, to identify emerging issues related to computer security, privacy, and cryptography and to convene public meetings on those subjects, receive presentations, and publish reports, digests, and summaries for public distribution on those subjects. [(c)] (e) For the purposes of-- (1) developing standards and guidelines for the protection of sensitive information in Federal computer systems under subsections (a)(1) and (a)(3), and (2) performing research and conducting studies under subsection [(b)(5)] (b)(8), the Institute [shall] may draw upon computer system technical security guidelines developed by the National Security Agency to the extent that the Institute determines that such guidelines are consistent with the requirements for protecting sensitive information in Federal computer systems. [(d)] (f) As used in this section-- (1) the term ``computer system''-- (A) means any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception, of data or information; and (B) includes-- (i) computers and computer networks; (ii) ancillary equipment; (iii) software, firmware, and similar procedures; (iv) services, including support services; and (v) related resources; * * * * * * * (g) The Institute shall not promulgate, enforce, or otherwise adopt standards, or carry out activities or policies, for the Federal establishment of encryption standards required for use in computer systems other than Federal Government computer systems. ---------- SECTION 5 OF THE COMPUTER SECURITY ACT OF 1987 SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING. (a) * * * (b) Training Objectives.--Training under this section shall be started within 60 days after the issuance of the regulations described in subsection (c). Such training shall be designed-- (1) to enhance employees' awareness of the threats to and vulnerability of computer systems; [and] (2) to encourage the use of improved computer security practices[.]; and (3) to include emphasis on protecting sensitive information in Federal databases and Federal computer sites that are accessible through public networks. * * * * * * * XVIII. Committee Recommendations On July 26, 2000 a quorum being present, the Committee on Science favorably reported H.R. 2413, Computer Security Enhancement Act of 2000, by a voice vote and recommends its enactment. XIX. Proceedings of the Subcommittee Markup MARKUP ON H.R. 2413, THE COMPUTER SECURITY ENHANCEMENT ACT OF 1999 ---------- WEDNESDAY, OCTOBER 20, 1999 House of Representatives, Committee on Science, Subcommittee on Technology, Washington, DC. The subcommittee met, pursuant to notice, at 10:37 a.m. in room 2318, Rayburn House Office Building, Hon. Constance A. Morella (chairwoman of the subcommittee) presiding. Chairwoman Morella. I am going to convene the Technology Subcommittee of the Science Committee. Good morning. Pursuant to notice, the Subcommittee on Technology is meeting today. We are going to consider H.R. 2413, a bill to amend the National Institute of Standards and Technology Act, to enhance the ability of the National Institute of Standards and Technology to improve computer security. I ask unanimous consent for the authority to recess at any point. Hearing no objection, so ordered. Today we have one item of business to bring before the Subcommittee; that is, the bill H.R. 2413, a bill to enhance the ability of the National Institute of Standards and Technology to improve computer security. Computer security, as we all know, is an issue that is a priority not just with the Technology Subcommittee, but also by the Science Committee. In just this year, the Subcommittee has held three hearings on this important issue, that has the potential to disrupt public and private sector businesses, as well as to undermine the American people's confidence and trust in our rapidly developing information technology systems. In April, this Subcommittee met to explore the impact of the Melissa computer virus and other evolving threats to computer and information security. In June, in the face of several well-publicized cyberattacks, we met to review the security of federal agency websites. And last month, we met to review the provisions of H.R. 2413, the legislation that we are marking up today. In our hearings we repeatedly heard that federal agencies are not doing enough to protect their critical information systems from attacks and corruption. The Federal Government is not alone in its need to secure electronic information; the corruption of electronic data threatens every sector of our economy. H.R. 2413 was introduced in July by myself, Chairman Sensenbrenner of Wisconsin, and Congressman Gordon of Tennessee. It strengthens the National Institute of Standards and Technology's historic role in computer security, which was established by the Computer Security Act of 1987. What the bill does is update the decade-old act, while giving NIST the tools it needs to ensure that appropriate attention and effort is concentrated on securing our federal information technology infrastructure. I don't think it is necessary to go through each of the details of the bill. I will, if unanimously approved, just simply submit it all for the record. Hearing no objection, so ordered. [A copy of H.R. 2413 follows:] Chairwoman Morella. It is a very important bill, as we all know. Last Congress, both the House of Representatives and the Senate Commerce Committee passed this same legislation without opposition or amendment, and unfortunately the bill didn't clear the Senate before the end of the 105th Congress. While no single piece of legislation can fully protect our federal civilian computer systems or overcome all barriers to the creation of an interoperable electronic signature infrastructure, I think that H.R. 2413 is an important step in the right direction, so I urge all members to support its swift passage today, to move the bill on to the full Science Committee. I am now pleased to recognize Mr. Barcia, the distinguished ranking member of the Subcommittee, for any opening statement he may have. Mr. Barcia. Thank you very much, Chairwoman Morella. I will be very brief in my remarks on H.R. 2413. When the Subcommittee held a hearing on this bill on September 30th, I raised my concerns about the lack of a strong focal point to advise agencies on improving computer security practices and ensuring that such practices are implemented. H.R. 2413 strengthens the role of NIST in providing federal agencies with these services. The provisions of H.R. 2413 are entirely consistent with recommendations made by NIST's Private Sector Advisory Board and the witnesses at our recent hearing. In addition, the inclusions of Mr. Gordon's provisions on electronic authentication technologies improves the security of federal agencies' electronic transactions. More importantly, these provisions provide a framework that will enable federal agencies to begin to effectively implement the Government Paperwork Elimination Act, which requires them to begin using electronic authentication technologies. I would also request that Chairwoman Morella continue to work with us to clarify Section 7 of this bill. This language is unduly broad and could be interpreted to prevent NIST from working with industry to develop test beds and guidelines related to electronic commerce and computer security. For example, the language as drafted could be interpreted to prevent NIST from developing the follow-on to the Digital Encryption Standard, or DES. The current Digital Encryption Standard is widely used in industry, and NIST's work in this area has strong industry support. No one on this Committee supports the concept of federal standards that industry must follow, and neither does NIST. Although the concept behind this section is well-intentioned, as drafted it would limit NIST's activities to support industry's development of electronic commerce and computer security. H.R. 2413 would strengthen the overall security of federal computer systems and their electronic transactions. This bill establishes a blueprint for the Federal Government to become a model for good computer security practices. I fully support this legislation and urge my colleagues to support this well-crafted bill. I want to thank you, Chairwoman Morella, and with your indulgence I would like to yield the balance of my time to the distinguished Member from Tennessee, who has invested a great deal of his time and energy into crafting this legislation and enhancing and improving the language in it, Representative Bart Gordon of Tennessee. Chairwoman Morella. The distinguished Member from Tennessee is recognized. Mr. Gordon. Thank you, Mr. Barcia, for the good job you have done, and Chairwoman Morella, on this bill, and thank you for yielding to me. I also want to thank the staff for all the work they have put into this bill. I know most of you are sitting on the edge of your seats, waiting for this electronic authentication technology bill to pass. But for the ones of you who may not have been following it, let me give you a quick update. Some years ago we passed the Government Paperwork Elimination Act. That is going to allow us to reduce a lot of paperwork within the government so that agencies can communicate with each other, up and down and across, electronically. However, we neglected to set any kind of--I hate to use the word ``standards''--but ability for them to do so in a way that there is continuity. It doesn't help if Department of Agriculture at different levels have different types of authentication so that they can't communicate with each other. And so what this will do, it would allow NIST to set up a framework, just simply guidelines, so that the agencies will know that particular types of--hopefully-- software, off the shelf, will allow them to communicate with their own agencies as well as others, and also allow them to set up an appropriate level of security. Obviously, routine work takes less security needs than other things. So I think it will help us to really, truly eliminate paperwork and allow some continuity, and I thank you for working with me on this provision. Chairwoman Morella. I thank you, Mr. Gordon, for your contribution to this bill. [The statement of Hon. Debbie Stabenow follows:]
I don't think anyone else has any opening statements, so we will move as quickly as possible. As we now consider H.R. 2413, I ask unanimous consent that the bill be considered as read and open to amendment at any point, and I ask members to proceed with the amendments in the order on the roster. And therefore, in our desire to move ahead, I am going to offer an amendment, a Manager's Amendment, a bipartisan Manager's Amendment, crafted in careful consideration with the Ranking Member Barcia. The Clerk will report the amendment. The Clerk. Amendment to H.R. 2413, offered by Mrs. Morella and Mr. Barcia---- Chairwoman Morella. I ask unanimous consent to dispense with the reading. I recognize myself for five minutes, but I will take less time than that to explain the amendment. In cooperation with the Ranking Member Barcia, I am pleased to offer the bipartisan amendment that has been crafted to improve the bill. According to the General Accounting Office and other computer security experts, there is a dire need for agencies to realize their computer security vulnerabilities and to take immediate action to address them. The amendment tasks NIST to utilize their computer security expertise to assess existing information security programs of federal agencies, and then to make recommendations to improve their security. What NIST would do is report to Congress annually on the information security status of our federal agencies. We found this to be very, very important. NIST would also document on the process and progress of agencies to implement recorded and recommended security improvements. [The amendment offered by Mrs. Morella and Mr. Barcia follows:]
Chairwoman Morella. The rest of my statement I am going to submit for the record, but frankly, it enhances the role of NIST in protecting the information security of federal agencies. [The statement of Mrs. Morella follows:]
Chairwoman Morella. It doesn't shift any responsibility away from the agencies, but will also allow for some oversight. Finally, the amendment makes certain changes to Section 6 of the bill, as recommended by the Computer Systems Security and Privacy Advisory Board and NIST. I urge all members to support this bipartisan amendment. At this point I want to recognize the Ranking Member of the Subcommittee, Mr. Barcia, to speak on behalf of the amendment. Before we do that, I want to note the presence of a recording quorum. Mr. Barcia. Mr. Barcia. I want to thank Chairwoman Morella for her thorough but concise explanation of the en bloc amendment. I, too, have a more lengthy statement to make in support of the en bloc amendment, and I certainly would urge my colleagues to support the amendment. I would just like to, on the record, though, however, say that I do have one small reservation. This amendment increases NIST's responsibilities to assist agencies in protecting their information systems without providing any additional funding to carry out these additional responsibilities. Discussions with the General Accounting Office indicate that security checks of civilian agencies' information systems would cost around $4.8 million per year. If this Committee is serious about strengthening this role in this area, we must provide the resources to enable them to carry out the responsibilities. The issue of inadequate resources has been the major concern of NIST's Advisory Board from its beginning. I would hope that Chairwoman Morella would work with us in a bipartisan way, as she has in the past, to help resolve this issue before we proceed to the full Committee level. With those brief remarks, I want to say I fully support the en bloc amendment, and in the interest of time will not touch on the strong recommendations I have in terms of the other language that has been worked out. I just wanted to go on the record with that one reservation I have about the resources being there to carry out the responsibilities we're assigning. [The statement of Mr. Barcia follows:]
Chairwoman Morella. Thank you, Mr. Barcia. I think everybody knows that NIST is located in my District, and I, along with this Committee, have been a strong advocate for it. As H.R. 2413 moves forward to the full Science Committee for consideration, I intend to work with our Ranking Member and with Chairman Sensenbrenner to identify additional funding for NIST to carry out the important responsibilities required under the bill. I think it is a very important point that you bring up. I wonder if there is any discussion on the amendment? [No response.] Chairwoman Morella. If no, the vote occurs on the amendment. All in favor, say aye. [Chorus of ayes.] Chairwoman Morella. Opposed, no. [No response.] Chairwoman Morella. The yeas have it. The amendment is agreed to. Any further amendments? [No response.] Chairwoman Morella. Hearing none, the question is on the bill, H.R. 2413, as amended. All those in favor will say aye. [Chorus of ayes.] Chairwoman Morella. All those opposed will say no. [No response.] Chairwoman Morella. In the opinion of the Chair the ayes have it. Mr. Barcia. Mr. Barcia. Yes, Madam Chairwoman. I move that the Subcommittee favorably report H.R. 2413, as amended, to the full Committee, and that the Chairwoman take all such necessary steps to bring the bill before the full Committee for consideration. Further, I ask unanimous consent that the staff be instructed to make all necessary technical and conforming changes to the bill. Chairwoman Morella. The Subcommittee has heard the motion. Those in favor will say aye. [Chorus of ayes.] Chairwoman Morella. Those opposed, no. [No response.] Chairwoman Morella. The ayes have it. The motion is agreed to. Without objection, the motion to reconsider is laid upon the table. I move that members have two subsequent calendar days in which to submit supplemental, minority, or additional views on the measure. Without objection, the motion is adopted. Mr. Barcia had raised section 7. It was pointed out to me that--I wanted to just have the record show that section 7 is necessary because there is a great deal of concern by the private sector that the Federal Government is interested in setting standards that would be forced upon the private sector. And it wasn't long ago when NIST and the National Security Agency were involved in the Federal Government's so-called ``Clipper Chip'' initiative, and in that case the Federal Government attempted to set a standard in a manner that gave them the keys to otherwise private information. So I am going to include further response to your question of section 7 for the record. [Information to be supplied follows:]
Chairwoman Morella. That being the case, the bill is approved by this Subcommittee in a very expeditious and wise fashion, and it will be reported to the full Committee, and staff have the authority to do what has to be done to bring it to the full Committee for its deliberate and expeditious passage. I thank the Subcommittee. You have been just great. There is now a vote on the Journal, and the Subcommittee is now adjourned. [Whereupon, at 10:51 a.m., the Subcommittee was adjourned, to reconvene at the call of the Chair.] XX. Proceedings of the Full Committee Markup BUSINESS MEETING ---------- WEDNESDAY, JULY 26, 2000 House of Representatives, Committee on Science, Washington, DC. The committee met, pursuant to call, at 2:04 p.m. in room 2318, Rayburn House Office Building, Hon. F. James Sensenbrenner, Jr. (chairman of the committee) presiding. Chairman Sensenbrenner. We will now go back to H.R. 2413, the Computer Security Enhancement Act of 1999, as amended by the Subcommittee on Technology. This bill has been introduced by myself, Mr. Gordon, Mrs. Morella, and Mr. Kuykendall. The legislation strengthens the National Institute of Standards and Technology's historical role in computer security that was established by the Computer Security Act of 1987, Public Law 100-235, and updates the act to give NIST the tools it needs to ensure that appropriate attention and effort is concentrated on securing our Federal information technology infrastructure. Let me point out that this bill is not a knee-jerk reaction to recent well-publicized computer security problems. In the last Congress, this bill passed the House and was cleared by a Senate Committee without opposition or amendment but was unable to reach the Senate Floor before the 105th Congress adjourned. Improving the information security of Federal civilian agencies has been an oversight priority of the Science Committee and I am now pleased that H.R. 2413 will play an important role in this effort. [A copy of the bill H.R. 2413 follows:]
Chairman Sensenbrenner. I will now recognize the gentleman from Texas, Mr. Hall, for his opening statement on this bill. The gentleman is recognized for five minutes. Mr. Hall. Thank you, Mr. Chairman. Before I yield to Mr. Gordon, I would like to compliment him, Mrs. Morella, and others for their very hard work on the question of computer security. This has been a very important topic for the Committee for about 15 years, and dating back to when this Committee worked with Congressman Jack Brooks to enact the first computer security law dealing with federally owned computers. H.R. 2413 brings our computer security efforts into the Internet age by working to upgrade security of Federal computer systems and networks. Thanks to the ideas of Mr. Gordon and to others, it will also permit the Federal Government to advance e-commerce and e-government by providing for secure electronic authentication technology. I plan to support the Morella-Gordon amendment in the nature of a substitute and I urge my colleagues to do so. I yield the balance of my time to Congressman Bart Gordon. And before Mr. Gordon reports, I will yield to Mr. Barcia. [The prepared statement of Mr. Hall follows:] Statement of Hon. Ralph M. Hall Mr. Chairman, before, I yield to Mr. Barcia, the Technology Subcommittee Ranking Member, I would like to complement him, Mrs. Morella, and Mr. Gordon for their hard work on the question of computer security. This has been an important topic for the Committee for 15 years or more, dating to when this Committee worked with Congressman Jack Brooks to enact the first computer security law dealing with Federally-owned computers. H.R. 2413 brings our computer security efforts into the Internet age by working to upgrade security of Federal computer systems and networks. Thanks to the ideas of Mr. Gordon, it also will permit the Federal government to advance e-Commerce and e-Government by providing for secure electronic authentication technologies. I plan to support the Morella-Gordon amendment in the nature of a substitute and urge my colleagues to do so as well. I yield the balance of my time to Congressman Barcia. Mr. Barcia. Thank you very much, Ranking Member Hall. Mr. Chairman, I will be very brief. H.R. 2413, the Computer Security Enhancement Act, represents more than four years of effort by the Technology Subcommittee. During the past two years, the Subcommittee has examined the impact of computer viruses and the lack of good computer security practices at Federal agencies. H.R. 2413 strengthens the role of NIST in providing Federal agencies with needed advice on good security practices. The provisions of H.R. 2413 are entirely consistent with recommendations made by NIST's private sector advisory board and the witnesses who testified at our hearings. The inclusion of Mr. Gordon's provisions on electronic authentication technologies also serves to improve the security of Federal agencies' electronic transactions. In addition, the provisions provide a framework to enable Federal agencies to effectively implement the Government Paperwork Elimination Act, which requires agencies to begin using electronic authentication technologies. H.R. 2413 will strengthen the overall security of Federal computer systems and their electronic transactions. This bill establishes a blueprint for the Federal Government to become a model for good computer security and authentication practices. The Technology Subcommittee reported this bill with unanimous support. I also want to say that I support the amendment in the nature of a substitute to be offered by Representatives Gordon and Morella, and I would urge all of my colleagues to support this bill. And once again I thank the Chair of the Subcommittee for all of her diligent work on this issue and the hearings that were held as well as Congressman Gordon. And I yield my time back. Chairman Sensenbrenner. You have got two minutes left. Mr. Hall. I yield back my time, sir. Chairman Sensenbrenner. Okay. Time is yielded back. Without objection, other members may insert opening statements at this point in the record. The Chair is aware of only one amendment in the nature of a substitute by Mrs. Morella and Mr. Gordon. And at this point, the Chair recognizes the gentlewoman from Maryland. Mrs. Morella. Thank you, Mr. Chairman. And I do have an amendment at the desk. Chairman Sensenbrenner. The Clerk will report the amendment. The Clerk. Amendment in the nature of a substitute to H.R. 2413, offered by Mrs. Morella and Mr. Gordon. Mrs. Morella. Mr. Chairman, I move that the amendment be considered as read. Chairman Sensenbrenner. Without objection. And the gentlewoman is recognized for five minutes. Mrs. Morella. Thank you. I am pleased to offer this bipartisan amendment to improve H.R. 2413. It has been crafted in cooperation with Congressman Bart Gordon. First of all, Mr. Chairman, I want to thank you and Mr. Hall for bringing this bill up. I want to thank Mr. Barcia for continuing the legacy that began with Mr. Gordon and myself. This bill, as you mentioned, has passed in the previous Congress and here it is back again, a new enhanced version which we hope will get through the House and through the Senate. Over the past two years, the Technology Subcommittee, we have had a series of computer security hearings, including a specific legislative hearing focusing on this bill. As amended, H.R. 2413 authorizes $9 million in fiscal year 2001, and $9.5 million in fiscal year 2002 for the National Institute of Standards and Technology. What these funds would do is they would allow NIST to promote the use of commercially available off-the-shelf security products by Federal agencies, have an independent advisory board review NIST's computer security and privacy protection efforts and make recommendations, create a fellowship program in the field of computer security to address IT worker shortages, establish an expert review team to assist agencies to identify and fix existing information security vulnerabilities. Mr. Chairman, while no single piece of legislation can fully protect our Federal civilian computer systems, we really feel that H.R. 2413 is a necessary step in the right direction. It has already been favorably reported by the Technology Subcommittee, endorsed by the Information Technology Association of America, and I strongly urge all members to support this amendment and this important legislation. You know, we took care of the Y2K computer glitch but that had a terminal period of January 1st and February 29th of this year. But computer security goes beyond, and it is international in scope, and this legislation is a good step toward trying to remediate that terrible problem. And I yield back, Mr. Chairman. [The statement on the amendment in the nature of a substitute offered by Mrs. Morella follows:] I am pleased to offer this bipartisan amendment to improve H.R. 2413 that has been crafted in cooperation with Congressman Bart Gordon. Over the past two years, the Technology Subcommittee has held a series of computer security hearings, including a specific legislative hearing focusing on the bill. As amended, H.R. 2413 authorizes $9 million in FY 2001 and $9.5 million in FY 2002 for the National Institute of Standards and Technology. The funds would allow NIST to: Promote the use of commercially available off-the-shelf security products by federal agencies, an initiative strongly supported by the Information Technology Association of America and others; Increase privacy protection by giving an independent advisory boards more responsibility and resources to review NIST's computer security efforts and to make recommendations; Support the development of a well trained workforce by creating a fellowship program in the field of computer security; Study the efforts of the Federal government to develop a secure, interoperable electronic infrastructure; and finally, Establish an expert review team to assist agencies to identify and fix existing information security vulnerabilities. The General Accounting Office and other computer security experts have all recognized the need for H.R. 2413. Mr. Chairman, while no single piece of legislation can fully protect our federal civilian computer systems; H.R. 2413 is a necessary step in the right direction. It has already been favorably reported by the Technology Subcommittee and I strongly urge all members to support this amendment to this important legislation. Thank you. committee on science full committee markup, july 26, 2000--amendment roster for h.r. 2413, computer security enhancement act of 1999 No. and sponsor, description, results: 1. Mrs. Morella and Mr. Gordon, amendment to H.R. 2413, adopted by a voice vote. ______ Amendment in the Nature of a Substitute H.R. 2413 Offered by Mrs. Morella and Mr. Gordon Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Computer Security Enhancement Act of 2000''. SEC. 2. FINDINGS AND PURPOSES. (a) Findings.--The Congress finds the following: (1) The National Institute of Standards and Technology has responsibility for developing standards and guidelines needed to ensure the cost-effective security and privacy of sensitive information in Federal computer systems. (2) The Federal Government has an important role in ensuring the protection of sensitive, but unclassified, information controlled by Federal agencies. (3) Technology that is based on the application of cryptography exists and can be readily provided by private sector companies to ensure the confidentiality, authenticity, and integrity of information associated with public and private activities. (4) The development and use of encryption technologies by industry should be driven by market forces rather than by Government imposed requirements. (b) Purposes.--The purposes of this Act are to-- (1) reinforce the role of the National Institute of Standards and Technology in ensuring the security of unclassified information in Federal computer systems; and (2) promote technology solutions based on private sector offerings to protect the security of Federal computer systems. SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE. Section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)) is amended-- (1) by redesignating paragraphs (2), (3), (4), and (5) as paragraphs (3), (4), (8), and (9), respectively; and (2) by inserting after paragraph (1) the following new paragraph: ``(2) upon request from the private sector, to assist in establishing voluntary interoperable standards, guidelines, and associated methods and techniques to facilitate and expedite the establishment of non-Federal management infrastructures for public keys that can be used to communicate with and conduct transactions with the Federal Government;''. SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS. Section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is further amended by inserting after paragraph (4), as so redesignated by section 3(1) of this Act, the following new paragraphs: ``(5) except for national security systems, as defined in section 5142 of Public Law 104-106 (40 U.S.C. 1452), to provide guidance and assistance to Federal agencies for protecting the security and privacy of sensitive information in interconnected Federal computer systems, including identification of significant risks thereto; ``(6) to promote compliance by Federal agencies with existing Federal computer information security and privacy guidelines; ``(7) in consultation with appropriate Federal agencies, assist Federal response efforts related to unauthorized access to Federal computer systems;''. SEC. 5. COMPUTER SECURITY IMPLEMENTATION. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is further amended-- (1) by redesignating subsections (c) and (d) as subsections (e) and (f), respectively; and (2) by inserting after subsection (b) the following new subsection: ``(c)(1) In carrying out subsection (a)(2) and (3), the Institute shall-- ``(A) emphasize the development of technology-neutral policy guidelines for computer security practices by the Federal agencies; ``(B) promote the use of commercially available products, which appear on the list required by paragraph (2), to provide for the security and privacy of sensitive information in Federal computer systems; ``(C) develop qualitative and quantitative measures appropriate for assessing the quality and effectiveness of information security and privacy programs at Federal agencies; ``(D) perform evaluations and tests at Federal agencies to assess existing information security and privacy programs; ``(E) promote development of accreditation procedures for Federal agencies based on the measures developed under subparagraph (C); ``(F) if requested, consult with and provide assistance to Federal agencies regarding the selection by agencies of security technologies and products and the implementation of security practices; and ``(G)(i) develop uniform testing procedures suitable for determining the conformance of commercially available security products to the guidelines and standards developed under subsection (a)(2) and (3); ``(ii) establish procedures for certification of private sector laboratories to perform the tests and evaluations of commercially available security products developed in accordance with clause (i); and ``(iii) promote the testing of commercially available security products for their conformance with guidelines and standards developed under subsection (a)(2) and (3). ``(2) The Institute shall maintain and make available to Federal agencies and to the public a list of commercially available security products that have been tested by private sector laboratories certified in accordance with procedures established under paragraph (1)(G)(ii), and that have been found to be in conformance with the guidelines and standards developed under subsection (a)(2) and (3). ``(3) The Institute shall annually transmit to the Congress, in an unclassified format, a report containing-- ``(A) the findings of the evaluations and tests of Federal computer systems conducted under this section during the 12 months preceding the date of the report, including the frequency of the use of commercially available security products included on the list required by paragraph (2); ``(B) the planned evaluations and tests under this section for the 12 months following the date of the report; and ``(C) any recommendations by the Institute to Federal agencies resulting from the findings described in subparagraph (A), and the response by the agencies to those recommendations.''. SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by inserting after subsection (c), as added by section 5 of this Act, the following new subsection: ``(d)(1) The Institute shall solicit the recommendations of the Computer System Security and Privacy Advisory Board, established by section 21, regarding standards and guidelines that are being considered for submittal to the Secretary in accordance with subsection (a)(4). The recommendations of the Board shall accompany standards and guidelines submitted to the Secretary. ``(2) There are authorized to be appropriated to the Secretary $1,030,000 for fiscal year 2001 and $1,060,000 for fiscal year 2002 to enable the Computer System Security and Privacy Advisory Board, established by section 21, to identify emerging issues related to computer security, privacy, and cryptography and to convene public meetings on those subjects, receive presentations, and publish reports, digests, and summaries for public distribution on those subjects.''. SEC. 7. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by adding at the end the following new subsection: ``(g) The Institute shall not promulgate, enforce, or otherwise adopt standards, or carry out activities or policies, for the Federal establishment of encryption standards required for use in computer systems other than Federal Government computer systems.''. SEC. 8. MISCELLANEOUS AMENDMENTS. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended-- (1) in subsection (b)(8), as so redesignated by section 3(1) of this Act, by inserting ``to the extent that such coordination will improve computer security and to the extent necessary for improving such security for Federal computer systems'' after ``Management and Budget)''; (2) in subsection (e), as so redesignated by section 5(1) of this Act, by striking ``shall draw upon'' and inserting in lieu thereof ``may draw upon''; (3) in subsection (e)(2), as so redesignated by section 5(1) of this Act, by striking ``(b)(5)'' and inserting in lieu thereof ``(b)(8)''; and (4) in subsection (f)(1)(B)(i), as so redesignated by section 5(1) of this Act, by inserting ``and computer networks'' after ``computers''. SEC. 9. FEDERAL COMPUTER SYSTEM SECURITY TRAINING. Section 5(b) of the Computer Security Act of 1987 (40 U.S.C. 759 note) is amended-- (1) by striking ``and'' at the end of paragraph (1); (2) by striking the period at the end of paragraph (2) and inserting in lieu thereof ``; and''; and (3) by adding at the end the following new paragraph: ``(3) to include emphasis on protecting sensitive information in Federal databases and Federal computer sites that are accessible through public networks.''. SEC. 10. COMPUTER SECURITY FELLOWSHIP PROGRAM. There are authorized to be appropriated to the Secretary of Commerce $500,000 for fiscal year 2001 and $500,000 for fiscal year 2002 for the Director of the National Institute of Standards and Technology for fellowships, subject to the provisions of section 18 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-1), to support students at institutions of higher learning in computer security. Amounts authorized by this section shall not be subject to the percentage limitation stated in such section 18. SEC. 11. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH COUNCIL. (a) Review by National Research Council.--Not later than 90 days after the date of the enactment of this Act, the Secretary of Commerce shall enter into a contract with the National Research Council of the National Academy of Sciences to conduct a study of public key infrastructures for use by individuals, businesses, and government. (b) Contents.--The study referred to in subsection (a) shall-- (1) assess technology needed to support public key infrastructures; (2) assess current public and private plans for the deployment of public key infrastructures; (3) assess interoperability, scalability, and integrity of private and public entities that are elements of public key infrastructures; (4) make recommendations for Federal legislation and other Federal actions required to ensure the national feasibility and utility of public key infrastructures; and (5) address such other matters as the National Research Council considers relevant to the issues of public key infrastructure. (c) Interagency Cooperation With Study.--All agencies of the Federal Government shall cooperate fully with the National Research Council in its activities in carrying out the study under this section, including access by properly cleared individuals to classified information if necessary. (d) Report.--Not later than 18 months after the date of the enactment of this Act, the Secretary of Commerce shall transmit to the Committee on Science of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report setting forth the findings, conclusions, and recommendations of the National Research Council for public policy related to public key infrastructures for use by individuals, businesses, and government. Such report shall be submitted in unclassified form. (e) Authorization of Appropriations.--There are authorized to be appropriated to the Secretary of Commerce $450,000 for fiscal year 2001, to remain available until expended, for carrying out this section. SEC. 12. PROMOTION OF NATIONAL INFORMATION SECURITY. The Under Secretary of Commerce for Technology shall-- (1) promote an increased use of security techniques, such as risk assessment, and security tools, such as cryptography, to enhance the protection of the Nation's information infrastructure; (2) establish a central repository of information for dissemination to the public to promote awareness of information security vulnerabilities and risks; and (3) promote the development of the national, standards-based infrastructure needed to support government, commercial, and private uses of encryption technologies for confidentiality and authentication. SEC. 13. ELECTRONIC AUTHENTICATION INFRASTRUCTURE. (a) Electronic Authentication Infrastructure.-- (1) Guidelines and standards.--Not later than 18 months after the date of the enactment of this Act, the Director, in consultation with industry and appropriate Federal agencies, shall develop electronic authentication infrastructure guidelines and standards for use by Federal agencies to assist those agencies to effectively select and utilize electronic authentication technologies in a manner that is-- (A) adequately secure to meet the needs of those agencies and their transaction partners; and (B) interoperable, to the maximum extent possible. (2) Elements.--The guidelines and standards developed under paragraph (1) shall include-- (A) protection profiles for cryptographic and noncryptographic methods of authenticating identity for electronic authentication products and services; (B) a core set of interoperability specifications for the Federal acquisition of electronic authentication products and services; and (C) validation criteria to enable Federal agencies to select cryptographic electronic authentication products and services appropriate to their needs. (3) Coordination with national policy panel.--The Director shall ensure that the development of guidelines and standards with respect to cryptographic electronic authentication products and services under this subsection is carried out in consultation with the National Policy Panel for Digital Signatures established under subsection (e). (4) Revisions.--The Director shall periodically review the guidelines and standards developed under paragraph (1) and revise them as appropriate. (b) Listing of Validated Products.--Not later than 30 months after the date of the enactment of this Act, and thereafter, the Director shall maintain and make available to Federal agencies and to the public a list of commercially available electronic authentication products, and other such products used by Federal agencies, evaluated as conforming with the guidelines and standards developed under subsection (a). (c) Specifications for Electronic Certification and Management Technologies.-- (1) Specifications.--The Director shall, as appropriate, establish core specifications for particular electronic certification and management technologies, or their components, for use by Federal agencies. (2) Evaluation.--The Director shall advise Federal agencies on how to evaluate the conformance with the specifications established under paragraph (1) of electronic certification and management technologies, developed for use by Federal agencies or available for such use. (3) Maintenance of list.--The Director shall maintain and make available to Federal agencies a list of electronic certification and management technologies evaluated as conforming to the specifications established under paragraph (1). (d) Reports.--Not later than 18 months after the date of the enactment of this Act, and annually thereafter, the Director shall transmit to the Congress a report that includes-- (1) a description and analysis of the utilization by Federal agencies of electronic authentication technologies; and (2) an evaluation of the extent to which Federal agencies' electronic authentication infrastructures conform to the guidelines and standards developed under subsection (a)(1). (e) National Policy Panel for Digital Signatures.-- (1) Establishment.--Not later than 90 days after the date of the enactment of this Act, the Under Secretary shall establish a National Policy Panel for Digital Signatures. The Panel shall be composed of government, academic, and industry technical and legal experts on the implementation of digital signature technologies, State officials, including officials from States which have enacted laws recognizing the use of digital signatures, and representative individuals from the interested public. (2) Responsibilities.--The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform guidelines and standards to enable the widespread availability and use of digital signature systems. The Panel shall develop-- (A) model practices and procedures for certification authorities to ensure the accuracy, reliability, and security of operations associated with issuing and managing digital certificates; (B) guidelines and standards to ensure consistency among jurisdictions that license certification authorities; and (C) audit procedures for certification authorities. (3) Coordination.--The Panel shall coordinate its efforts with those of the Director under subsection (a). (4) Administrative support.--The Under Secretary shall provide administrative support to enable the Panel to carry out its responsibilities. (5) Report.--Not later than 1 year after the date of the enactment of this Act, the Under Secretary shall transmit to the Congress a report containing the recommendations of the Panel. (f) Definitions.--For purposes of this section-- (1) the term ``certification authorities'' means issuers of digital certificates; (2) the term ``digital certificate'' means an electronic document that binds an individual's identity to the individual's key; (3) the term ``digital signature'' means a mathematically generated mark utilizing key cryptography techniques that is unique to both the signatory and the information signed; (4) the term ``digital signature infrastructure'' means the software, hardware, and personnel resources, and the procedures, required to effectively utilize digital certificates and digital signatures; (5) the term ``electronic authentication'' means cryptographic or noncryptographic methods of authenticating identity in an electronic communication; (6) the term ``electronic authentication infrastructure'' means the software, hardware, and personnel resources, and the procedures, required to effectively utilize electronic authentication technologies; (7) the term ``electronic certification and management technologies'' means computer systems, including associated personnel and procedures, that enable individuals to apply unique digital signatures to electronic information; (8) the term ``protection profile'' means a list of security functions and associated assurance levels used to describe a product; and (9) the term ``Under Secretary'' means the Under Secretary of Commerce for Technology. SEC. 14. SOURCE OF AUTHORIZATIONS. There are authorized to be appropriated to the Secretary of Commerce $7,000,000 for fiscal year 2001 and $8,000,000 for fiscal year 2002, for the National Institute of Standards and Technology to carry out activities authorized by this Act for which funds are not otherwise specifically authorized to be appropriated by this Act. Chairman Sensenbrenner. The gentlewoman yields back the balance of her time. Is there further discussion on the amendment? The gentleman from Tennessee. Mr. Gordon. Mr. Chairman, I move to strike the last word. Chairman Sensenbrenner. The gentleman is recognized for five minutes. Mr. Gordon. Thank you. First, I want to thank Chair Morella for working in such a bipartisan manner on this amendment. Primarily, the amendment incorporates comments and clarifications that we received from the Administration on the electronic authentication provisions in the bill. However, we also have strengthened this role in improving security practices at Federal agencies as well as advising them on the effective deployment of electronic authentication technologies. The underlying principle of H.R. 2413 and this amendment is that they recognize that government and the private sector computer security needs are similar. This amendment ensures that the private sector has a strong voice in the development of any electronic authentication guidelines for use by Federal agencies and that the agencies rely on commercially available products and services as much as possible. I also want to thank Chairman Sensenbrenner for his leadership on this issue and for working closely with me on the development of this legislation. We both have been motivated by the importance that we place on the Science Committee to act on the broad issue of electronic security. Additionally, I want to thank Mike Quear for the long and good hours of staff work on this issue. This has been a good bill, is a good amendment, and it represents sound policy. I urge my colleagues to support this amendment. [The prepared statement of Mr. Gordon follows:] Statement of Hon. Bart Gordon Mr. Chairman, First, I want to thank Chair Morella for working in such a bipartisan manner on this amendment. Primarily, the amendment incorporates comments and clarifications that we received from the Administration on the electronic authentication provisions in the bill. However, we have also strengthened NIST's role in improving computer security practices at federal agencies as well as advising them on the effective deployment of electronic authentication technologies. The underlying principle of H.R. 2413 and this amendment is that they recognize that government and private sector computer security needs are similar. This amendment ensures that the private sector has a strong voice in the development of any electronic authentication guidelines for use by federal agencies and that agencies rely on commercially available products and services as much as possible. I also want to thank chairman Sensenbrenner for his leadership on this issue and for working closely with me on the development of this legislation. We have both been motivated by the importance that we place on the Science Committee to act on the broad issue of electronic security. This is a good bill, a good amendment and it represents sound policy. I would urge my colleagues to support this amendment. Chairman Sensenbrenner. Does the gentleman yield back? Mr. Gordon. Yes. Chairman Sensenbrenner. Further discussion on the amendment? Ms. Lofgren. Mr. Chairman. Chairman Sensenbrenner. The gentlewoman from California. Ms. Lofgren. I move to strike the last word. Chairman Sensenbrenner. The gentlewoman is recognized for five minutes. Ms. Lofgren. Mr. Chairman, I would like to thank members on both sides of the aisle for working to address some concerns that this bill in its original form raised for me. I think that this amendment in the nature of a substitute offered by Mr. Gordon and Mrs. Morella is a real step in the right direction and I am very happy to support it. I look forward to continuing to work with members on the Committee Report to this bill to clarify that our intentions are unanimously benign relative to encryption and key recovery. In particular, I hope that the report will emphasize that we are in no manner encouraging the promulgation of third party encryption key recovery systems into the private sector. In addition, I hope it will express that we do not intend, the Federal Government, through the force of its purchasing powers, one of the world's largest contractors, to impose its encryption standards and regulations on the companies with which it does business. I look forward to working further with my colleagues and I greatly appreciate their tremendous and well-guided efforts on this bill to this point, and in particular this bipartisan amendment. And I yield back. [The prepared statement of Ms. Lofgren follows:] Statement of Hon. Zoe Lofgren Mr. Chairman, I would like to thank Members on both sides of the aisle for working to address some concerns that this bill in its original form raised for me. I think that this amendment in the nature of a substitute offered by Mr. Gordon and Mrs. Morella is a real step in the right direction, and I am very happy to support it. I look forward to continuing to work with Members on the Committee Report to this bill to clarify that our intentions are unanimously benign relative to encryption technology. In particular, I hope that the Report will emphasize that we are in no manner encouraging the promulgation of third-party encryption key recovery systems into the private sector. In addition, I hope it will express that we do not intend the Federal Government, through the force of its purchasing powers as one of the world's largest contractors, to impose its encryption standards and regulations on companies with which it does business. I look forward to working further with my colleagues and I greatly appreciate their tremendous and well- guided efforts on this bill to this point and, in particular, this bipartisan amendment. Chairman Sensenbrenner. Will the gentlewoman yield? Ms. Lofgren. I certainly will, sir. Chairman Sensenbrenner. The Chair enthusiastically endorses the request of the gentlewoman from California to put the language in the Report language so that we can make it quite clear that this is a cooperative venture rather than a hammer in the hand of the Federal Government. Ms. Lofgren. Thank you, Mr. Chairman. I yield back. Mrs. Morella. Mr. Chairman. Chairman Sensenbrenner. The gentlewoman from Maryland has already been recognized on this amendment. Somebody else want to move to strike the last word? Mr. Etheridge. I move to strike the last word. Chairman Sensenbrenner. The gentleman from North Carolina is recognized for five minutes. Mr. Etheridge. I yield to the lady from Maryland. Mrs. Morella. I thank the gentleman for yielding. And I really only need probably about 30 seconds simply to indicate that I do understand the concerns that the gentlewoman from California posed with regard to Section 7. I just want to reiterate that it was really intended to be a safeguard to reflect the concerns, what she was offering, the concerns of the private sector and to reiterate the fact that it is not intended to prevent NIST from working with industry to develop voluntary--voluntary encryption standards and guidelines. So I emphasize on a voluntary basis. I yield back. I thank the gentleman from North Carolina. Chairman Sensenbrenner. Further discussion on the amendment? [No response.] Chairman Sensenbrenner. Hearing none, all those in favor of the amendment in the nature of a substitute by Mrs. Morella and Mr. Gordon will signify by saying aye. [Chorus of ayes.] Chairman Sensenbrenner. Opposed, no. [No response.] Chairman Sensenbrenner. The ayes have it, and the amendment is agreed to. Are there further amendments to the bill? [No response.] Chairman Sensenbrenner. Hearing none, the Chair recognizes the gentleman from Michigan for purposes of a motion. Mr. Barcia. Thank you, Mr. Chairman. I move that the Committee favorably report H.R. 2413, as amended, to the House with the recommendation that the bill as amended do pass. Furthermore, I move that staff be instructed to prepare the legislative report and make necessary technical and conforming amendments, and that the Chairman take all necessary steps to bring the bill before the House for consideration. Chairman Sensenbrenner. You have heard the motion of the gentleman from Michigan to report the bill favorably. Is there any discussion on the motion? [No response.] Chairman Sensenbrenner. Hearing none, the Chair notes the presence of a reporting quorum. Those in favor will say aye. [Chorus of ayes.] Chairman Sensenbrenner. Opposed, no. [No response.] Chairman Sensenbrenner. The ayes appear to have it. The ayes have it, and the bill is reported favorably. Without objection, members will have two subsequent calendar days in which to submit supplemental, minority, additional, or dissenting views on the measure. Without objection, the bill will be reported in the form of a single amendment in the nature of a substitute reflecting amendments adopted today. And finally, without objection, pursuant to clause 1 of Rule 22 of the Rules of the House, the Committee authorizes the Chairman to offer such motions as may be necessary in the House to go to conference with the Senate on the bill just reported. Without objection, these unanimous consents are agreed to.