I
116th CONGRESS
2d Session
H. R. 8215
IN THE HOUSE OF REPRESENTATIVES
September 11, 2020
Mr. Foster (for himself, Mr. Katko, Mr. Langevin, and Mr. Loudermilk) introduced the following bill; which was referred to the Committee on Oversight and Reform, and in addition to the Committees on Science, Space, and Technology, and Ways and Means, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
A BILL
To establish a governmentwide approach to improving digital identity, and for other purposes.
Short title
This Act may be cited as the Improving Digital Identity Act of 2020
.
Findings
Congress finds the following:
The lack of an easy, affordable, and reliable way for organizations, businesses, and government agencies to identify whether an individual is who they claim to be online creates an attack vector that is widely exploited by adversaries in cyberspace, and precludes many high-value transactions from being available online.
Incidents of identity theft and identity fraud continue to rise in the United States, where more than 164,000,000 consumer records containing personally identifiable information were breached in 2019, increasing the total number of data breaches by 17 percent from the previous year.
In 2019, losses resulting from identity fraud amounted to $16,900,000,000.
In 2019, the Director of the Treasury Department Financial Crimes Enforcement Network stated, “The abuse of personally identifiable information, and other building blocks of identity, is a key enabler behind much of the fraud and cybercrime affecting our nation today.”
Trustworthy digital identity solutions can help under-banked and unbanked individuals better access to digital financial services through innovative delivery channels that promote financial inclusion.
The inadequacy of current digital identity solutions degrades security and privacy for all Americans, and next generation solutions are needed that improve both security and privacy.
Government entities, as authoritative issuers of identity in the United States, are uniquely positioned to deliver critical components that address deficiencies in our digital identity infrastructure and augment private sector digital identity and authentication solutions.
State governments are particularly well suited to play a role in enhancing digital identity solutions used by both the public and private sectors, given the role of State governments as the issuers of driver’s licenses and other identity documents commonly used today.
The private sector drives much of the innovation around digital identity in the United States and has an important role to play in delivering digital identity solutions.
The 2016 bipartisan Commission on Enhancing National Cybersecurity called for the Federal government to “create an interagency task force directed to find secure, user-friendly, privacy-centric ways in which agencies can serve as one authoritative source to validate identity attributes in the broader identity market. This action would enable government agencies and the private sector to drive significant risk out of new account openings and other high-risk, high-value online services, and it would help all citizens more easily and securely engage in transactions online.”
The public and private sectors should collaborate to deliver solutions that promote confidence, privacy, choice, and innovation.
It should be the policy of the Government to use the authorities and capabilities of the Government to enhance the security, reliability, privacy, and convenience of digital identity solutions that support and protect transactions between individuals, government entities, and businesses, and that enable Americans to prove who they are online.
Improving digital identity task force
Establishment
There is established in the Executive Office of the President a task force to be known as the Improving Digital Identity Task Force
(in this section referred to as the Task Force
).
Purpose
The purpose of the Task Force is to establish a governmentwide effort to develop secure methods for Federal, State, and local agencies to validate identity attributes to protect the privacy and security of individuals and support reliable, interoperable digital identity verification in the public and private sectors.
Director
The Task Force shall have a Director who shall be appointed by the President.
Membership
The Task Force shall include the following individuals or the designees of such individuals:
Federal Government membership
The Secretary of the Treasury.
The Secretary of Homeland Security.
The Secretary of State.
The Secretary of Education.
The Director of the Office of Management and Budget.
The Commissioner of the Social Security Administration.
The Director of the National Institute of Standards and Technology.
The Administrator of General Services.
The heads of other Federal agencies and offices who the President may designate or invite.
State government membership
The Task Force shall include 5 State government officials who represent State agencies that issue identity credentials and who have knowledge of the systems used to provide such credentials. Such officials shall include the following:
A member appointed by the Speaker of the House of Representatives, in consultation with the Chairman of the Committee on Oversight and Reform and the Chairman of the Committee on Homeland Security of the House of Representatives.
A member appointed by the minority leader of the House of Representatives, in consultation with the Ranking Member of the Committee on Oversight and Reform and the Ranking Member of the Committee on Homeland Security of the House of Representatives.
A member appointed by the majority leader of the Senate, in consultation with the Chairman of the Committee on Homeland Security and Governmental Affairs of the Senate.
A member appointed by the minority leader of the Senate, in consultation with the Ranking Member of the Committee on Homeland Security and Governmental Affairs of the Senate.
A member appointed by the President.
Local government membership
The Task Force shall include 5 local government officials who represent local agencies that issue identity credentials and who have knowledge of the systems used to provide such credentials. Such officials shall include the following:
A member appointed by the Speaker of the House of Representatives, in consultation with the Chairman of the Committee on Oversight and Reform and Chairman of the Committee on Homeland Security of the House of Representatives.
A member appointed by the minority leader of the House of Representatives, in consultation with the Chairman of the Committee on Oversight and Reform and the Chairman of the Committee on Homeland Security of the House of Representatives.
A member appointed by the majority leader of the Senate, in consultation with the Chairman of the Committee on Homeland Security and Governmental Affairs of the Senate.
A member appointed by the minority leader of the Senate, in consultation with the Ranking Member of the Committee on Homeland Security and Governmental Affairs of the Senate.
A member appointed by the President.
Meetings
The Task Force shall convene at the call of the Director.
Duties
The Task Force shall—
identify Federal, State, and local agencies that issue identity information or hold information related to identifying an individual;
assess restrictions with respect to the abilities of such agencies to verify identity information for other agencies and for nongovernmental organizations;
assess any necessary changes in statute, regulation, or policy to address any restrictions determined under paragraph (2);
recommend a standards-based architecture to enable agencies to provide services related to digital identity verification in a way that is secure, protects privacy, and is rooted in consumer consent;
identify funding or resources needed to support such agencies that provide digital identity verification, including a recommendation with respect to additional funding required for the grant program under section 5;
determine whether it would be practicable for such agencies to use a fee-based model to provide digital identity verification to private sector entities;
determine if any additional steps are necessary with respect to Federal, State, and local agencies to improve digital identity verification and management processes for the purpose of enhancing the security, reliability, privacy, and convenience of digital identity solutions that support and protect transactions between individuals, government entities, and businesses;
assess risks related to potential criminal exploitation of digital identity verification services; and
to the extent practicable, seek input from and collaborate with interested parties in the private sector to carry out the purpose under subsection (b).
Recommendations
Not later than 180 days after the date of the enactment of this Act, the Task Force shall publish a report on the activities of the Task force, including recommendations on—
priorities for research and development in the systems that enable digital identity verification, including how such priorities can be executed; and
the standards-based architecture developed pursuant to subsection (f)(4).
Digital identity standards
Establishment of a standards framework
The Director of the National Institute of Standards and Technology (in this section referred to as the Director
) shall develop a framework of standards, methodologies, procedures, and processes (in this section referred to as the Framework
) as a guide for Federal, State, and local governments to follow when providing services related to digital identity verification.
Consideration
In developing the Framework, the Director shall consider—
methods to protect the privacy of individuals;
security needs; and
the needs of potential end-users and individuals that will use services related to digital identity verification.
Consultation
In carrying out subsection (a), the Director shall consult with—
the Improving Digital Identity Task Force established under section 3;
potential end-users and individuals that will use services related to digital identity verification; and
experts with relevant experience in the systems that enable digital identity verification, as determined by the Director.
Interim publication
Not later than 240 days after the date of the enactment of this Act, the Director shall publish an interim version of the Framework.
Final publication
Not later than 1 year after the date of the enactment of this Act, the Director shall publish a final version of the Framework.
Updates to the Framework
The Director shall, from time to time, update the Framework, with consideration given to—
feedback from Federal, State, and local agencies that provide services related to digital identity verification; and
any technological changes to the systems that enable digital identity verification.
Digital identity innovation grants
Establishment
Not later than 18 months after the date of the enactment of this Act, the Secretary of Homeland Security (in this section referred to as the Secretary
) shall award grants to States to upgrade systems that provide drivers’ licenses or other types of identity credentials to support the development of highly secure, interoperable State systems that enable digital identity verification.
Use of funds
A State that receives a grant under this section shall use—
grant funds for services related to digital identity verification using the Framework developed pursuant to section 4; and
not less than 10 percent of grant funds to provide services that assist individuals with obtaining identity credentials or identity verification services needed to obtain a driver’s license or State identity card.
Authorization of appropriations
There is authorized to be appropriated to the Secretary such sums as may be necessary to carry out this section.
Report and recommendation on the use of social security numbers by nongovernmental organizations
Not later than 1 year after the date of the enactment of this Act, the Comptroller General of the United States shall submit to the Committees on Ways and Means and Financial Services of the House of Representatives and the Committee on Finance of the Senate a report that includes the following:
An analysis of legal and regulatory requirements with respect to the collection and retention of Social Security numbers by nongovernmental organizations.
A recommendation on the necessity and effectiveness of any legal and regulatory requirement analyzed pursuant to paragraph (1) and the use of a form of identification other than a Social Security number.
Security enhancements to Federal systems
Directives for Federal agencies
Not later than 6 months after the date of the enactment of this Act, the Secretary of Homeland Security shall issue binding operational directives to Federal agencies for purpose of implementing—
the guidelines published by the National Institute of Standards and Technology in Special Publication 800–63
(commonly referred to as the Digital Identity Guidelines
); and
the memorandum of the Office of Management and Budget issued on May 21, 2019, which includes the subject Enabling Mission Delivery through Improved Identity, Credential, and Access Management
.
Reports
Federal Agency reports
Not later than 1 year after the date of the enactment of this Act, the head of each Federal agency shall submit to the Secretary of Homeland Security a report on the efforts of each such Federal agency to implement the directives issued pursuant to subsection (a).
Report to Congress
Not later than 2 years after the date of the enactment of this Act, the Secretary of Homeland Security shall submit a report summarizing the efforts from the reports submitted pursuant to paragraph (1) to the following:
The Committee on Homeland Security of the House of Representatives.
The Committee on Oversight and Reform of the House of Representatives.
The Committee on Homeland Security and Governmental Affairs of the Senate.
Definitions
For purposes of this Act:
Digital identity verification
The term digital identity verification means a process to verify the identity of an individual accessing a service online or through another electronic means.
Identity credential
The term identity credential means a document or other evidence of the identity of an individual issued by a government agency that conveys the identity of the individual, including a driver’s license or passport.
