12 September 1997
See House report on H.R. 1903: http://jya.com/hr105-242.txt

See H.R. 1903 Bill: http://jya.com/hr1903.htm

18 June 1997
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

  Committee on Science, June 19, Subcommittee on Technology, hearing 
on Computer Security Enhancement Act of 1997, 10 a.m., 2318 Rayburn.

-------------------------------------------------------------------------

[Congressional Record: June 17, 1997 (Extensions)]
[Page E1231-E1232]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr17jn97-44]



 
             THE COMPUTER SECURITY ENHANCEMENT ACT OF 1997

                                 ______
                                 

                    HON. F. JAMES SENSENBRENNER, JR.

                              of wisconsin

                    in the house of representatives

                         Tuesday, June 17, 1997

  Mr. SENSENBRENNER. Mr. Speaker, I rise today to introduce H.R. 1903, 
the Computer Security Enhancement Act of 1997. I would like to thank 
Technology Subcommittee Chairwoman Constance Morella, and the full 
committee and subcommittee ranking minority members, Congressmen George 
Brown and Bart Gordon, for their efforts in crafting a bipartisan bill 
which should help strengthen computer security throughout the Federal 
Government.
  The lack of adequate security for Federal civilian computer systems 
is a significant problem. Since June 1993, the General Accounting 
Office [GAO] has issued over 30 reports detailing serious information 
security weaknesses at Federal agencies. This year, GAO highlighted 
computer security as a governmentwide, high-risk issue in its high risk 
series.
  H.R. 1903 is intended to address this problem by strengthening the 
National Institute of Standards and Technology's [NIST] historic role 
in computer security. The bill updates the Computer Security Act of 
1987 (P.L. 100-235) to give NIST the tools it needs to ensure that 
appropriate attention and effort is concentrated on securing our 
Federal information technology infrastructure.
  The Computer Security Act gives NIST the lead responsibility for 
computer security for Federal civilian agencies. The act requires NIST 
to develop the standards and guidelines needed to ensure cost-effective 
security and privacy of sensitive information in Federal computer 
systems.
  H.R. 1903 updates the act to take into account the evolution of 
computer networks and their use by both the Federal Government and the 
private sector. Further, the bill's authorizations are consistent with 
authorizations that have already passed the House as part of H.R. 1274, 
the NIST Authorization Act of 1997.
  Specifically, the bill:
  Reduces the cost and improves the availability of computer security 
technologies for Federal agencies by requiring NIST to promote the 
Federal use of off-the-shelf products for meeting civilian agency 
computer security needs.
  Enhances the role of the independent Computer System Security and 
Privacy Advisory Board in NIST's decisionmaking process. The board, 
which is made up of representatives from industry, Federal agencies and 
other outside experts, should assist NIST in its development of 
standards and guidelines for Federal systems.
  Requires NIST to develop standardized tests and procedures to 
evaluate the strength of foreign encryption products. Through such 
tests and procedures, NIST, with assistance from the private sector, 
will be able to judge the relative strength of foreign encryption, 
thereby defusing some of the concerns associated with the export of 
domestic encryption products.
  Limits NIST's involvement to the development of standards and 
guidelines for Federal civilian systems. The bill clarifies that NIST 
standards and guidelines are to be used for the acquisition of security 
technologies for the Federal Government and are not intended as 
restrictions on the production or use of encryption by the private 
sector.
  Updates the Computer Security Act to address changes in technology 
over the last decade. Significant changes in the manner in which 
information technology is used by the Federal Government have occurred 
since the enactment of the Computer Security Act. The bill updates the 
act, taking these changes into account.
  Establishes a new computer science fellowship program for graduate 
and undergraduate students studying computer security. The bill sets 
aside $250,000 a year, for each of the 
next two fiscal years, to enable NIST to finance computer security 
fellowships under an existing NIST grant program.
  Requires the National Research Council to conduct a study to assess 
the desirability of, and the technology required to, support public key 
infrastructures.
  It has been 10 years since Congress passed the Computer Security Act. 
Over that time, computer technology has changed at a breathtaking rate. 
The Computer Security Enhancement Act of 1997 will help NIST and the 
rest of our Federal civilian agencies adapt to those changes.
  Mr. Speaker, ensuring that our agencies' computer systems are secure 
is a priority. H.R. 1903 is an important step toward this goal, and I 
urge all my colleagues to cosponsor this bipartisan bill.

                          ____________________


-------------------------------------------------------------------------

[Congressional Record: June 17, 1997 (Extensions)]
[Page E1232]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr17jn97-46]


  INTRODUCTION OF THE COMPUTER SECURITY ENHANCEMENT ACT OF 1997, H.R.
                                  1903

                                 ______


                            HON. BART GORDON

                              of tennessee

                    in the house of representatives

                         Tuesday, June 17, 1997

  Mr. GORDON. Mr. Speaker, I am pleased to join Chairman Sensenbrenner,
Ranking Member Brown, Chairwoman Morella and other members of the
Committee on Science in introducing the Computer Security Act of 1997.
  Not a day goes by that we don't see some reference to the
Internet and the explosive growth of electronic commerce. What was
originally envisioned as a network for defense communications and
university researchers is now an international communications network
whose potential we are just beginning to realize.
  Both Office of Technology Assessment and National Research Council
reports have identified a major obstacle to the growth of electronic
commerce--the lack of the widespread use of encryption products. The
bill we are introducing today is the first step to encourage the use of
encryption products, both by Federal agencies and the private sector.
This in turn will support the growth of electronic commerce.
  The Computer Security Enhancement Act of 1997, which amends the
Computer Security Act of 1987 (P.L. 100-235) builds on the close
collaboration and cooperation between the National Institute of
Standards and Technology [NIST] and industry to develop standard
reference materials and the standards that are key to the seamless
commerce we take for granted today. This legislation highlights the
need for NIST to expand its activities in the area of electronic
commerce.
  Our legislation also strengthens the NIST's role in coordinating
Federal agencies' effort to utilize encryption and digital
identification products. It encourages Federal agencies to adopt and
use commercially available encryption technologies whenever possible.
This legislation allows NIST to evaluate the technical merit of
industry claims of the strength of generally available foreign
encryption products. Hopefully, this will defuse some of the tension
surrounding the issue of export of domestic encryption products.
  Not only is this legislation consistent with the recommendations of
the Office of Technology Assessment and the National Research Council,
it is also in line with a set of resolutions adopted by NIST's Computer
System Security and Privacy Advisory Board on June 6, 1997. Finally, I
believe this bill is consistent with the goals of President Clinton's
upcoming policy announcement on electronic commerce.
  It has been a pleasure working with Chairwoman Morella on crafting
this piece of legislation and I look forward to continuing to work with
her to move this bill through the legislative process.

                          ____________________

-------------------------------------------------------------------------

[Congressional Record: June 17, 1997 (Extensions)]
[Page E1232]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr17jn97-45]



 
             THE COMPUTER SECURITY ENHANCEMENT ACT OF 1997

                                 ______
                                 

                       HON. CONSTANCE A. MORELLA

                              of maryland

                    in the house of representatives

                         Tuesday, June 17, 1997

  Mrs. MORELLA. Mr. Speaker, I rise today to join Science Committee 
Chairman Sensenbrenner and ranking committee and subcommittee members 
Brown and Gordon in introducing H.R. 1903, The Computer Security 
Enhancement Act of 1997. H.R. 1903 is designed to improve the security 
of computer systems throughout the Government.
  In 1987, Congress passed the Computer Security Act which gave the 
National Institute of Standards and Technology [NIST] the lead 
responsibility for developing security standards and technical 
guidelines for civilian government agency computer systems. H.R. 1903 
updates this 10-year-old statute.
  The networking revolution of the last decade has improved the ability 
of Federal agencies to process and transfer data. It has also made that 
same data more vulnerable to corruption and theft.
  In February, the General Accounting Office [GAO] highlighted computer 
security as a government-wide, high-risk issue in its high risk series. 
Concurrent with the release of GAO's high risk report, I held the 
second in a series of briefings on computer security. During the 
briefing, members of the Science Committee heard from some of the most 
respected experts in the field of electronic information security. They 
all agreed that the Federal Government must do more to secure sensitive 
electronic data.
  The Federal Government is not alone in its need to secure electronic 
information. The corruption of electronic data threatens every sector 
of our economy. The market for high-quality computer security products 
is enormous, and the U.S. software and hardware industries are 
responding. The Federal Government, through NIST, can harness these 
market forces to improve computer security within Federal agencies at a 
fraction of the cost of developing its own hardware and software.
  The Computer Security Enhancement Act of 1997 will assist in this 
process. The bill reduces the cost and improves the availability of 
computer security technologies for Federal agencies by requiring NIST 
to promote the use of off-the-shelf products for meeting civilian 
agency computer security needs.
  The bill also enhances the role of the independent Computer System 
Security and Privacy Advisory Board in NIST's decisionmaking process. 
The board, which is made up of representatives from industry, federal 
agencies as well as other outside experts, should assist NIST in its 
development of standards and guidelines for Federal systems which are 
compatible with existing private sector technologies.
  Further, the bill requires NIST to develop standardized tests and 
procedures to evaluate the strength of foreign encryption products. 
Through such tests and procedures, NIST, with assistance from the 
private sector, will be able to judge the relative strength of foreign 
encryption, thereby defusing some of the concerns associated with the 
export of domestic encryption products.
  The bill also clarifies that NIST standards and guidelines are to be 
used for the acquisition of security technologies for the Federal 
Government and are not intended as restrictions on the production or 
use of encryption by the private sector.
  Additionally, H.R. 1903 addresses the shortage of university students 
studying computer security. Of the 5500 Ph.D's in computer science 
awarded over the last 5 years in Canada and the United States, only 16 
were in fields related to computer security. To help address such 
shortfalls, the bill establishes a new computer science fellowship 
program for graduate and undergraduate students studying computer 
security. The bill sets aside $250,000 a year, for each of the next two 
fiscal years, to enable NIST to finance computer security fellowships 
under an existing NIST grant program.
  The provisions of the Computer Security Enhancement Act should help 
maintain a strong domestic computer security industry. A strong 
industry will not only help our economy but also significantly improve 
the security of Federal computer systems.
  Mr. Speaker, H.R. 1903 alone will not solve the Federal Government's 
computer security problems. It is, however, an important step in the 
right direction. I commend Chairman Sensenbrenner for crafting a 
bipartisan bill that should substantially improve computer security for 
the Federal Government, and I encourage all of my colleagues to join in 
cosponsoring the Computer Security Enhancement Act of 1997.

                          ____________________

-------------------------------------------------------------------------


