15 October 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-----------------------------------------------------------------------

[DOCID: f:h1903rs.txt]

                                                       Calendar No. 718

105th CONGRESS

  2d Session

                               H. R. 1903

                          [Report No. 105-412]

_______________________________________________________________________

                                 AN ACT

  To amend the National Institute of Standards and Technology Act to
    enhance the ability of the National Institute of Standards and
    Technology to improve computer security, and for other purposes.

_______________________________________________________________________

             October 13 (legislative day, October 2), 1998

                       Reported without amendment

                                                       Calendar No. 718
105th CONGRESS
  2d Session
                                H. R. 1903

                          [Report No. 105-412]

_______________________________________________________________________

                   IN THE SENATE OF THE UNITED STATES

                           September 17, 1997

    Received; read twice and referred to the Committee on Commerce,
                      Science, and Transportation

             October 13 (legislative day, October 2), 1998

               Reported by Mr. McCain, without amendment

_______________________________________________________________________

                                 AN ACT


  To amend the National Institute of Standards and Technology Act to
    enhance the ability of the National Institute of Standards and
    Technology to improve computer security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Computer Security Enhancement Act of
1997''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds the following:
            (1) The National Institute of Standards and Technology has
        responsibility for developing standards and guidelines needed
        to ensure the cost-effective security and privacy of sensitive
        information in Federal computer systems.
            (2) The Federal Government has an important role in
        ensuring the protection of sensitive, but unclassified,
        information controlled by Federal agencies.
            (3) Technology that is based on the application of
        cryptography exists and can be readily provided by private
        sector companies to ensure the confidentiality, authenticity,
        and integrity of information associated with public and private
        activities.
            (4) The development and use of encryption technologies
        should be driven by market forces rather than by Government
        imposed requirements.
            (5) Federal policy for control of the export of encryption
        technologies should be determined in light of the public
        availability of comparable encryption technologies outside of
        the United States in order to avoid harming the competitiveness
        of United States computer hardware and software companies.
    (b) Purposes.--The purposes of this Act are to--
            (1) reinforce the role of the National Institute of
        Standards and Technology in ensuring the security of
        unclassified information in Federal computer systems;
            (2) promote technology solutions based on private sector
        offerings to protect the security of Federal computer systems;
        and
            (3) provide the assessment of the capabilities of
        information security products incorporating cryptography that
        are generally available outside the United States.

SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE.

    Section 20(b) of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3(b)) is amended--
            (1) by redesignating paragraphs (2), (3), (4), and (5) as
        paragraphs (3), (4), (7), and (8), respectively; and
            (2) by inserting after paragraph (1) the following new
        paragraph:
            ``(2) upon request from the private sector, to assist in
        establishing voluntary interoperable standards, guidelines, and
        associated methods and techniques to facilitate and expedite
        the establishment of non-Federal management infrastructures for
        public keys that can be used to communicate with and conduct
        transactions with the Federal Government;''.

SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.

    Section 20(b) of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is
further amended by inserting after paragraph (4), as so redesignated by
section 3(1) of this Act, the following new paragraphs:
            ``(5) to provide guidance and assistance to Federal
        agencies in the protection of interconnected computer systems
        and to coordinate Federal response efforts related to
        unauthorized access to Federal computer systems;
            ``(6) to perform evaluations and tests of--
                    ``(A) information technologies to assess security
                vulnerabilities; and
                    ``(B) commercially available security products for
                their suitability for use by Federal agencies for
                protecting sensitive information in computer
                systems;''.

SEC. 5. COMPUTER SECURITY IMPLEMENTATION.

    Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3) is further amended--
            (1) by redesignating subsections (c) and (d) as subsections
        (e) and (f), respectively; and
            (2) by inserting after subsection (b) the following new
        subsection:
    ``(c) In carrying out subsection (a)(3), the Institute shall--
            ``(1) emphasize the development of technology-neutral
        policy guidelines for computer security practices by the
        Federal agencies;
            ``(2) actively promote the use of commercially available
        products to provide for the security and privacy of sensitive
        information in Federal computer systems; and
            ``(3) participate in implementations of encryption
        technologies in order to develop required standards and
        guidelines for Federal computer systems, including assessing
        the desirability of and the costs associated with establishing
        and managing key recovery infrastructures for Federal
        Government information.''.

SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by
inserting after subsection (c), as added by section 5 of this Act, the
following new subsection:
    ``(d)(1) The Institute shall solicit the recommendations of the
Computer System Security and Privacy Advisory Board, established by
section 21, regarding standards and guidelines that are being
considered for submittal to the Secretary of Commerce in accordance
with subsection (a)(4). No standards or guidelines shall be submitted
to the Secretary prior to the receipt by the Institute of the Board's
written recommendations. The recommendations of the Board shall
accompany standards and guidelines submitted to the Secretary.
    ``(2) There are authorized to be appropriated to the Secretary of
Commerce $1,000,000 for fiscal year 1998 and $1,030,000 for fiscal year
1999 to enable the Computer System Security and Privacy Advisory Board,
established by section 21, to identify emerging issues related to
computer security, privacy, and cryptography and to convene public
meetings on those subjects, receive presentations, and publish reports,
digests, and summaries for public distribution on those subjects.''.

SEC. 7. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS.

    Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by
adding at the end the following new subsection:
    ``(g) The Institute shall not promulgate, enforce, or otherwise
adopt standards, or carry out activities or policies, for the Federal
establishment of encryption standards required for use in computer
systems other than Federal Government computer systems.''.

SEC. 8. MISCELLANEOUS AMENDMENTS.

    Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended--
            (1) in subsection (b)(8), as so redesignated by section
        3(1) of this Act, by inserting ``to the extent that such
        coordination will improve computer security and to the extent
        necessary for improving such security for Federal computer
        systems'' after ``Management and Budget)'';
            (2) in subsection (e), as so redesignated by section 5(1)
        of this Act, by striking ``shall draw upon'' and inserting in
        lieu thereof ``may draw upon'';
            (3) in subsection (e)(2), as so redesignated by section
        5(1) of this Act, by striking ``(b)(5)'' and inserting in lieu
        thereof ``(b)(8)''; and
            (4) in subsection (f)(1)(B)(i), as so redesignated by
        section 5(1) of this Act, by inserting ``and computer
        networks'' after ``computers''.

SEC. 9. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

    Section 5(b) of the Computer Security Act of 1987 (49 U.S.C. 759
note) is amended--
            (1) by striking ``and'' at the end of paragraph (1);
            (2) by striking the period at the end of paragraph (2) and
        inserting in lieu thereof ``; and''; and
            (3) by adding at the end the following new paragraph:
            ``(3) to include emphasis on protecting sensitive
        information in Federal databases and Federal computer sites
        that are accessible through public networks.''.

SEC. 10. COMPUTER SECURITY FELLOWSHIP PROGRAM.

    There are authorized to be appropriated to the Secretary of
Commerce $250,000 for fiscal year 1998 and $500,000 for fiscal year
1999 for the Director of the National Institute of Standards and
Technology for fellowships, subject to the provisions of section 18 of
the National Institute of Standards and Technology Act (15 U.S.C. 278g-
1), to support students at institutions of higher learning in computer
security. Amounts authorized by this section shall not be subject to
the percentage limitation stated in such section 18.

SEC. 11. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH
              COUNCIL.

    (a) Review by National Research Council.--Not later than 90 days
after the date of the enactment of this Act, the Secretary of Commerce
shall enter into a contract with the National Research Council of the
National Academy of Sciences to conduct a study of public key
infrastructures for use by individuals, businesses, and government.
    (b) Contents.--The study referred to in subsection (a) shall--
            (1) assess technology needed to support public key
        infrastructures;
            (2) assess current public and private plans for the
        deployment of public key infrastructures;
            (3) assess interoperability, scalability, and integrity of
        private and public entities that are elements of public key
        infrastructures;
            (4) make recommendations for Federal legislation and other
        Federal actions required to ensure the national feasibility and
        utility of public key infrastructures; and
            (5) address such other matters as the National Research
        Council considers relevant to the issues of public key
        infrastructure.
    (c) Interagency Cooperation With Study.--All agencies of the
Federal Government shall cooperate fully with the National Research
Council in its activities in carrying out the study under this section,
including access by properly cleared individuals to classified
information if necessary.
    (d) Report.--Not later than 18 months after the date of the
enactment of this Act, the Secretary of Commerce shall transmit to the
Committee on Science of the House of Representatives and the Committee
on Commerce, Science, and Transportation of the Senate a report setting
forth the findings, conclusions, and recommendations of the National
Research Council for public policy related to public key
infrastructures for use by individuals, businesses, and government.
Such report shall be submitted in unclassified form.
    (e) Authorization of Appropriations.--There are authorized to be
appropriated to the Secretary of Commerce $450,000 for fiscal year
1998, to remain available until expended, for carrying out this
section.

SEC. 12. PROMOTION OF NATIONAL INFORMATION SECURITY.

    The Under Secretary of Commerce for Technology shall--
            (1) promote the more widespread use of applications of
        cryptography and associated technologies to enhance the
        security of the Nation's information infrastructure;
            (2) establish a central clearinghouse for the collection by
        the Federal Government and dissemination to the public of
        information to promote awareness of information security
        threats; and
            (3) promote the development of the national, standards-
        based infrastructure needed to support commercial and private
        uses of encryption technologies for confidentiality and
        authentication.

SEC. 13. DIGITAL SIGNATURE INFRASTRUCTURE.

    (a) National Policy Panel.--The Under Secretary of Commerce for
Technology shall establish a National Policy Panel for Digital
Signatures. The Panel shall be composed of nongovernment and government
technical and legal experts on the implementation of digital signature
technologies, individuals from companies offering digital signature
products and services, State officials, including officials from States
which have enacted statutes establishing digital signature
infrastructures, and representative individuals from the interested
public.
    (b) Responsibilities.--The Panel established under subsection (a)
shall serve as a forum for exploring all relevant factors associated
with the development of a national digital signature infrastructure
based on uniform standards that will enable the widespread availability
and use of digital signature systems. The Panel shall develop--
            (1) model practices and procedures for certification
        authorities to ensure accuracy, reliability, and security of
        operations associated with issuing and managing certificates;
            (2) standards to ensure consistency among jurisdictions
        that license certification authorities; and
            (3) audit standards for certification authorities.
    (c) Administrative Support.--The Under Secretary of Commerce for
Technology shall provide administrative support to the Panel
established under subsection (a) of this section as necessary to enable
the Panel to carry out its responsibilities.

SEC. 14. SOURCE OF AUTHORIZATIONS.

    Amounts authorized to be appropriated by this Act shall be derived
from amounts authorized under the National Institute of Standards and
Technology Authorization Act of 1997.
