9 July 1999
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-----------------------------------------------------------------------

[Congressional Record: July 1, 1999 (Extensions)]
[Page E1491-E1492]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr01jy99pt2-78]


  INTRODUCTION OF H.R. 2413, THE COMPUTER SECURITY ENHANCEMENT ACT OF
                                  1999

                                 ______


                    HON. F. JAMES SENSENBRENNER, JR.

                              of Wisconsin

                    in the House of Representatives

                         Thursday, July 1, 1999

  Mr. SENSENBRENNER. Mr. Speaker, I am pleased to introduce H.R. 2413,
the Computer Security Enhancement Act of 1999, a bipartisan bill to
address our government's computer security needs. Joining me as
cosponsors of this important legislation are Mr. Bart Gordon of
Tennessee and Mrs. Connie Morella of Maryland, the Chairwoman of the
Science Committee's Technology Subcommittee.
  The bill amends and updates the Computer Security Act of 1987, which
gave the National Institute of Standards and Technology (NIST) the lead
responsibility for developing security standards and technical
guidelines for civilian government agencies' computer security.
Specifically, the bill:
  1.  Reduces the cost and improves the availability of computer
security technologies for Federal agencies by requiring NIST to promote
the Federal use of off-the-shelf products for meeting civilian agency
computer security needs.
  2.  Enhances the role of the independent Computer System Security and
Privacy Advisory Board in NIST's decision-making process. The board,
which is made up of representatives from industry, federal agencies and
other outside experts, should assist NIST in its development of
standards and guidelines for Federal systems.
  3.  Requires NIST to develop standardized tests and procedures to
evaluate the strength of foreign encryption products. Through such
tests and procedures, NIST, with assistance from the private sector,
will be able to judge the relative strength of foreign encryption,
thereby defusing some of the concerns associated with the export of
domestic encryption products.
  4.  Clarifies that NIST standards and guidelines are to be used for
the acquisition of security technologies for the Federal Government and
are not intended as restrictions on the production or use of encryption
by the private sector.
  5.  Addresses the shortage of university students studying computer
security. Of the 5,500 PhDs in computer science awarded over the last
five years in Canada and the U.S., only 16 were in fields related to
computer security. To help address such shortfalls, the bill
establishes a new computer science fellowship program for graduate and
undergraduate students studying computer security; and
  6.  Requires the National Research Council to conduct a study to
assess the desirability of creating public key infrastructures. The
study will also address advances in technology required for public key
infrastructure.
  7. Establishes a national panel for the purpose of exploring all
relevant factors associated with the development of a national digital
signature infrastructure based on uniform standards and of developing
model practices and standards associated with certification
authorities.
  All these measures are intended to accomplish two goals. First, to
assist NIST in meeting the ever-increasing computer security needs of
Federal civilian agencies. Second, to allow the Federal Government,
through NIST, to harness the ingenuity of the private sector to help
address its computer security needs.
  Since the passage of the Computer Security Act, the networking
revolution has improved the ability of Federal agencies to process and
transfer data. It has also made that same data more vulnerable to
corruption and theft.
  The General Accounting Office (GAO) has highlighted computer security
as a government-wide, high-risk issue. GAO specifically identified the
lack of adequate security for Federal civilian computer systems as a
significant problem. Since June of 1993, the General Accounting Office
(GAO) has issued over 30 reports detailing serious information security
weaknesses at 24 of our largest Federal agencies.
  The Science Committee has held seven hearings on computer security
since I became Chairman in 1997. During the hearings, Members of the
Science Committee heard from some of the most respected experts in the
field. They all agreed that the Federal Government must do more to
secure the sensitive electronic data it possesses.
  The Federal Government is not alone in its need to secure electronic
information. The corruption of electronic data threatens every sector
of our economy. The market for high-quality computer security products
is enormous, and the U.S. software and hardware industries are
responding. The passage of this legislation will enable the Federal
Government, through NIST, to benefit from these technological advances.
  I look forward to working with all interested parties to advance the
Computer Security Enhancement Act of 1999. In my estimation, it is a
good bill, and I am hopeful we can move it through the legislative
process in short order.

                          ____________________

-----------------------------------------------------------------------

[DOCID: f:h2413ih.txt]

106th CONGRESS
  1st Session
                                H. R. 2413

  To amend the National Institute of Standards and Technology Act to
    enhance the ability of the National Institute of Standards and
    Technology to improve computer security, and for other purposes.

_______________________________________________________________________

                    IN THE HOUSE OF REPRESENTATIVES

                              July 1, 1999

     Mr. Sensenbrenner (for himself, Mr. Gordon, and Mrs. Morella)
 introduced the following bill; which was referred to the Committee on
                                Science

_______________________________________________________________________

                                 A BILL


  To amend the National Institute of Standards and Technology Act to
    enhance the ability of the National Institute of Standards and
    Technology to improve computer security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Computer Security Enhancement Act of
1999''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds the following:
            (1) The National Institute of Standards and Technology has
        responsibility for developing standards and guidelines needed
        to ensure the cost-effective security and privacy of sensitive
        information in Federal computer systems.
            (2) The Federal Government has an important role in
        ensuring the protection of sensitive, but unclassified,
        information controlled by Federal agencies.
            (3) Technology that is based on the application of
        cryptography exists and can be readily provided by private
        sector companies to ensure the confidentiality, authenticity,
        and integrity of information associated with public and private
        activities.
            (4) The development and use of encryption technologies
        should be driven by market forces rather than by Government
        imposed requirements.
    (b) Purposes.--The purposes of this Act are to--
            (1) reinforce the role of the National Institute of
        Standards and Technology in ensuring the security of
        unclassified information in Federal computer systems; and
            (2) promote technology solutions based on private sector
        offerings to protect the security of Federal computer systems.

SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE.

    Section 20(b) of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3(b)) is amended--
            (1) by redesignating paragraphs (2), (3), (4), and (5) as
        paragraphs (3), (4), (7), and (8), respectively; and
            (2) by inserting after paragraph (1) the following new
        paragraph:
            ``(2) upon request from the private sector, to assist in
        establishing voluntary interoperable standards, guidelines, and
        associated methods and techniques to facilitate and expedite
        the establishment of non-Federal management infrastructures for
        public keys that can be used to communicate with and conduct
        transactions with the Federal Government;''.

SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.

    Section 20(b) of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is
further amended by inserting after paragraph (4), as so redesignated by
section 3(1) of this Act, the following new paragraphs:
            ``(5) to provide guidance and assistance to Federal
        agencies in the protection of interconnected computer systems
        and to coordinate Federal response efforts related to
        unauthorized access to Federal computer systems;
            ``(6) to perform evaluations and tests of--
                    ``(A) information technologies to assess security
                vulnerabilities; and
                    ``(B) commercially available security products for
                their suitability for use by Federal agencies for
                protecting sensitive information in computer
                systems;''.

SEC. 5. COMPUTER SECURITY IMPLEMENTATION.

    Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3) is further amended--
            (1) by redesignating subsections (c) and (d) as subsections
        (e) and (f), respectively; and
            (2) by inserting after subsection (b) the following new
        subsection:
    ``(c) In carrying out subsection (a)(3), the Institute shall--
            ``(1) emphasize the development of technology-neutral
        policy guidelines for computer security practices by the
        Federal agencies;
            ``(2) actively promote the use of commercially available
        products to provide for the security and privacy of sensitive
        information in Federal computer systems; and
            ``(3) participate in implementations of encryption
        technologies in order to develop required standards and
        guidelines for Federal computer systems, including assessing
        the desirability of and the costs associated with establishing
        and managing key recovery infrastructures for Federal
        Government information.''.

SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by
inserting after subsection (c), as added by section 5 of this Act, the
following new subsection:
    ``(d)(1) The Institute shall solicit the recommendations of the
Computer System Security and Privacy Advisory Board, established by
section 21, regarding standards and guidelines that are being
considered for submittal to the Secretary in accordance with subsection
(a)(4). No standards or guidelines shall be submitted to the Secretary
prior to the receipt by the Institute of the Board's written
recommendations. The recommendations of the Board shall accompany
standards and guidelines submitted to the Secretary.
    ``(2) There are authorized to be appropriated to the Secretary
$1,000,000 for fiscal year 2000 and $1,030,000 for fiscal year 2001 to
enable the Computer System Security and Privacy Advisory Board,
established by section 21, to identify emerging issues related to
computer security, privacy, and cryptography and to convene public
meetings on those subjects, receive presentations, and publish reports,
digests, and summaries for public distribution on those subjects.''.

SEC. 7. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS.

    Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by
adding at the end the following new subsection:
    ``(g) The Institute shall not promulgate, enforce, or otherwise
adopt standards, or carry out activities or policies, for the Federal
establishment of encryption standards required for use in computer
systems other than Federal Government computer systems.''.

SEC. 8. MISCELLANEOUS AMENDMENTS.

    Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended--
            (1) in subsection (b)(8), as so redesignated by section
        3(1) of this Act, by inserting ``to the extent that such
        coordination will improve computer security and to the extent
        necessary for improving such security for Federal computer
        systems'' after ``Management and Budget)'';
            (2) in subsection (e), as so redesignated by section 5(1)
        of this Act, by striking ``shall draw upon'' and inserting in
        lieu thereof ``may draw upon'';
            (3) in subsection (e)(2), as so redesignated by section
        5(1) of this Act, by striking ``(b)(5)'' and inserting in lieu
        thereof ``(b)(8)''; and
            (4) in subsection (f)(1)(B)(i), as so redesignated by
        section 5(1) of this Act, by inserting ``and computer
        networks'' after ``computers''.

SEC. 9. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

    Section 5(b) of the Computer Security Act of 1987 (49 U.S.C. 759
note) is amended--
            (1) by striking ``and'' at the end of paragraph (1);
            (2) by striking the period at the end of paragraph (2) and
        inserting in lieu thereof ``; and''; and
            (3) by adding at the end the following new paragraph:
            ``(3) to include emphasis on protecting sensitive
        information in Federal databases and Federal computer sites
        that are accessible through public networks.''.

SEC. 10. COMPUTER SECURITY FELLOWSHIP PROGRAM.

    There are authorized to be appropriated to the Secretary of
Commerce $250,000 for fiscal year 2000 and $500,000 for fiscal year
2001 for the Director of the National Institute of Standards and
Technology for fellowships, subject to the provisions of section 18 of
the National Institute of Standards and Technology Act (15 U.S.C.
278g-1), to support students at institutions of higher learning in
computer security. Amounts authorized by this section shall not be
subject to the percentage limitation stated in such section 18.

SEC. 11. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH
              COUNCIL.

    (a) Review by National Research Council.--Not later than 90 days
after the date of the enactment of this Act, the Secretary of Commerce
shall enter into a contract with the National Research Council of the
National Academy of Sciences to conduct a study of public key
infrastructures for use by individuals, businesses, and government.
    (b) Contents.--The study referred to in subsection (a) shall--
            (1) assess technology needed to support public key
        infrastructures;
            (2) assess current public and private plans for the
        deployment of public key infrastructures;
            (3) assess interoperability, scalability, and integrity of
        private and public entities that are elements of public key
        infrastructures;
            (4) make recommendations for Federal legislation and other
        Federal actions required to ensure the national feasibility and
        utility of public key infrastructures; and
            (5) address such other matters as the National Research
        Council considers relevant to the issues of public key
        infrastructure.
    (c) Interagency Cooperation With Study.--All agencies of the
Federal Government shall cooperate fully with the National Research
Council in its activities in carrying out the study under this section,
including access by properly cleared individuals to classified
information if necessary.
    (d) Report.--Not later than 18 months after the date of the
enactment of this Act, the Secretary of Commerce shall transmit to the
Committee on Science of the House of Representatives and the Committee
on Commerce, Science, and Transportation of the Senate a report setting
forth the findings, conclusions, and recommendations of the National
Research Council for public policy related to public key
infrastructures for use by individuals, businesses, and government.
Such report shall be submitted in unclassified form.
    (e) Authorization of Appropriations.--There are authorized to be
appropriated to the Secretary of Commerce $450,000 for fiscal year
2000, to remain available until expended, for carrying out this
section.

SEC. 12. PROMOTION OF NATIONAL INFORMATION SECURITY.

    The Under Secretary of Commerce for Technology shall--
            (1) promote the more widespread use of applications of
        cryptography and associated technologies to enhance the
        security of the Nation's information infrastructure;
            (2) establish a central clearinghouse for the collection by
        the Federal Government and dissemination to the public of
        information to promote awareness of information security
        threats; and
            (3) promote the development of the national,
        standards-based infrastructure needed to support commercial and
        private uses of encryption technologies for confidentiality and
        authentication.

SEC. 13. ELECTRONIC AUTHENTICATION INFRASTRUCTURE.

    (a) Electronic Authentication Infrastructure.--
            (1) Guidelines and standards.--Not later than 1 year after
        the date of the enactment of this Act, the Director, in
        consultation with industry, shall develop electronic
        authentication infrastructure guidelines and standards for use
        by Federal agencies to enable those agencies to effectively
        utilize electronic authentication technologies in a manner that
        is--
                    (A) sufficiently secure to meet the needs of those
                agencies and their transaction partners; and
                    (B) interoperable, to the maximum extent possible.
            (2) Elements.--The guidelines and standards developed under
        paragraph (1) shall include--
                    (A) protection profiles for cryptographic and
                noncryptographic methods of authenticating identity for
                electronic authentication products and services;
                    (B) minimum interoperability specifications for the
                Federal acquisition of electronic authentication
                products and services; and
                    (C) validation criteria to enable Federal agencies
                to select cryptographic electronic authentication
                products and services appropriate to their needs.
            (3) Coordination with national policy panel.--The Director
        shall ensure that the development of guidelines and standards
        with respect to cryptographic electronic authentication
        products and services under this subsection is carried out in
        coordination with the efforts of the National Policy Panel for
        Digital Signatures under subsection (e).
            (4) Revisions.--The Director shall periodically review the
        guidelines and standards developed under paragraph (1) and
        revise them as appropriate.
    (b) Validation of Products.--Not later than 1 year after the date
of the enactment of this Act, and thereafter, the Director shall
maintain and make available to Federal agencies and to the public a
list of commercially available electronic authentication products, and
other such products used by Federal agencies, evaluated as conforming
with the guidelines and standards developed under subsection (a).
    (c) Electronic Certification and Management Systems.--
            (1) Criteria.--Not later than 1 year after the date of the
        enactment of this Act, the Director shall establish minimum
        technical criteria for the use by Federal agencies of
        electronic certification and management systems.
            (2) Evaluation.--The Director shall establish a program for
        evaluating the conformance with the criteria established under
        paragraph (1) of electronic certification and management
        systems, developed for use by Federal agencies or available for
        such use.
            (3) Maintenance of list.--The Director shall maintain and
        make available to Federal agencies a list of electronic
        certification and management systems evaluated as conforming to
        the criteria established under paragraph (1).
    (d) Reports.--Not later than 18 months after the date of the
enactment of this Act, and annually thereafter, the Director shall
transmit to the Congress a report that includes--
            (1) a description and analysis of the utilization by
        Federal agencies of electronic authentication technologies;
            (2) an evaluation of the extent to which Federal agencies'
        electronic authentication infrastructures conform to the
        guidelines and standards developed under subsection (a)(1);
            (3) an evaluation of the extent to which Federal agencies'
        electronic certification and management systems conform to the
        criteria established under subsection (c)(1);
            (4) the list described in subsection (c)(3); and
            (5) evaluations made under subsection (b).
    (e) National Policy Panel for Digital Signatures.--
            (1) Establishment.--Not later than 90 days after the date
        of the enactment of this Act, the Under Secretary shall
        establish a National Policy Panel for Digital Signatures. The
        Panel shall be composed of government, academic, and industry
        technical and legal experts on the implementation of digital
        signature technologies, State officials, including officials
        from States which have enacted laws recognizing the use of
        digital signatures, and representative individuals from the
        interested public.
            (2) Responsibilities.--The Panel shall serve as a forum for
        exploring all relevant factors associated with the development
        of a national digital signature infrastructure based on uniform
        guidelines and standards to enable the widespread availability
        and use of digital signature systems. The Panel shall develop--
                    (A) model practices and procedures for
                certification authorities to ensure the accuracy,
                reliability, and security of operations associated with
                issuing and managing digital certificates;
                    (B) guidelines and standards to ensure consistency
                among jurisdictions that license certification
                authorities; and
                    (C) audit procedures for certification authorities.
            (3) Coordination.--The Panel shall coordinate its efforts
        with those of the Director under subsection (a).
            (4) Administrative support.--The Under Secretary shall
        provide administrative support to enable the Panel to carry out
        its responsibilities.
            (5) Report.--Not later than 1 year after the date of the
        enactment of this Act, the Under Secretary shall transmit to
        the Congress a report containing the recommendations of the
        Panel.
    (f) Definitions.--For purposes of this section--
            (1) the term ``certification authorities'' means issuers of
        digital certificates;
            (2) the term ``digital certificate'' means an electronic
        document that binds an individual's identity to the
        individual's key;
            (3) the term ``digital signature'' means a mathematically
        generated mark utilizing key cryptography techniques that is
        unique to both the signatory and the information signed;
            (4) the term ``digital signature infrastructure'' means the
        software, hardware, and personnel resources, and the
        procedures, required to effectively utilize digital
        certificates and digital signatures;
            (5) the term ``electronic authentication'' means
        cryptographic or noncryptographic methods of authenticating
        identity in an electronic communication;
            (6) the term ``electronic authentication infrastructure''
        means the software, hardware, and personnel resources, and the
        procedures, required to effectively utilize electronic
        authentication technologies;
            (7) the term ``electronic certification and management
        systems'' means computer systems, including associated
        personnel and procedures, that enable individuals to apply
        unique digital signatures to electronic information;
            (8) the term ``protection profile'' means a list of
        security functions and associated assurance levels used to
        describe a product; and
            (9) the term ``Under Secretary'' means the Under Secretary
        of Commerce for Technology.

SEC. 14. SOURCE OF AUTHORIZATIONS.

    There are authorized to be appropriated to the Secretary of
Commerce $3,000,000 for fiscal year 2000 and $4,000,000 for fiscal year
2001, for the National Institute of Standards and Technology to carry
out activities authorized by this Act for which funds are not otherwise
specifically authorized to be appropriated by this Act.
