H. R. 4259
IN THE HOUSE OF REPRESENTATIVES
June 30, 2021
Mr. Foster (for himself and Ms. Wexton) introduced the following bill; which was referred to the Committee on Science, Space, and Technology
To direct the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology, to direct the Institute to establish a robust program focusing on driving improvements in America’s cybersecurity posture by creating more robust digital identity management standards and guidelines.
This Act may be cited as the “Strengthening Digital Identity Act of 2021”.
Congress finds the following:
NIST’s work in identity research and standards is unmatched anywhere in the world, with global standards development organizations like the Financial Action Task Force (FATF) pointing to NIST guidance in its own standards. Given that adversaries continue to exploit weaknesses in digital identity systems to conduct successful cyber-attacks, additional NIST resources are needed to help government and industry secure identity in cyberspace.
The lack of an easy, affordable, and reliable way for organizations and businesses to identify whether an individual is who they claim to be online creates an attack vector that is widely exploited by adversaries in cyberspace and precludes many high value transactions from being available online.
According to the Identity Theft Resource Center, incidents of identity theft and identity fraud continue to rise in the United States, where more than 164,000,000 consumer records containing personally identifiable information were breached in 2019, increasing the total number of data breaches by 17 percent from the previous year.
According to the Insurance Information Institute, in 2018, losses resulting from identity fraud amounted to $16,800,000,000.
The inadequacy of current digital identity solutions degrades security and privacy for all Americans, and next generation solutions are needed that improve both security and privacy.
Government entities, as authoritative issuers of identity in the United States, are uniquely positioned to deliver critical components that address deficiencies in our digital identity infrastructure and augment private sector digital identity and authentication solutions.
State governments are particularly well suited to play a role in enhancing digital identity solutions used by both the public and private sectors, given the role of State governments as the issuers of driver’s licenses and other identity documents commonly used today.
It should be the policy of the Government to use the authorities and capabilities of the Government to enhance the security, reliability, privacy, and convenience of digital identity solutions that support and protect transactions between individuals, government entities, and businesses, and that enable Americans to prove who they are online.
Identity management research and development
Section 504 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7464) is amended to read as follows:
Identity management research and development
The Director shall administer a program to support the development of voluntary and cost-effective technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns—
to improve interoperability among identity management technologies;
to strengthen identity proofing and authentication methods used in identity management systems;
to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and
to improve the usability and inclusivity of identity management systems.
Digital identity technical roadmap
The Director, in consultation with other relevant Federal agencies and stakeholders from the private sector, shall develop, implement, and maintain a technical roadmap for identity management research and the development of standards and guidelines focused on enabling the use and adoption of modern digital identity solutions that align with the four criteria in subsection (a). This roadmap and any subsequent updates shall be made public.
In carrying out the program described under subsection (a), the Director shall give consideration to activities that—
accelerate the development, in collaboration with the private sector, of standards that address interoperability and portability of digital identity solutions;
address gaps in current private-sector-led identity management research and development and standards work, both for consumer-focused and enterprise-focused identity management;
advance the development of conformance testing performed by the private sector in support of digital identity standardization;
address challenges with inclusivity of existing digital identity and identity management tools; and
support, in consultation with other relevant Federal agencies and stakeholders from the private sector, the development of appropriate security frameworks and reference materials, and the identification of best practices, for use by Federal agencies and the private sector to address security and privacy requirements to enable the use and adoption of digital identity services.
Digital identity framework
Establishment of a framework
Not later than 1 year after the date of the enactment of this Act, the Director shall develop and periodically update a framework of standards, methodologies, procedures, and processes (in this section referred to as the “Framework”) as a guide for Federal, State, and local governments to follow when providing services to support digital identity verification.
In developing the Framework, the Director shall consider—
methods to protect the privacy of individuals;
security needs; and
the needs of potential end-users and individuals that will use services related to digital identity verification.
In carrying out subsection (a) the Director shall consult with—
Federal and State agencies;
potential end-users and individuals that will use services related to digital identity verification; and
experts with relevant experience in the systems that enable digital identity verification, as determined by the Director.
Not later than 240 days after the date of the enactment of this Act, the Director shall publish an interim version of the Framework.
Authorization of appropriations
There is authorized to be appropriated to the Secretary $10,000,000 for each of fiscal years 2022 through 2026 to carry out this Act and the amendments made by this Act.
For purposes of this Act:
Digital identity verification
The term “digital identity verification” means a process to verify the identity of an individual accessing a service online.
The term “Director” means the Director of the National Institute of Standards and Technology.
The term “Institute” means the National Institute of Standards and Technology.
The term “Secretary” means the Secretary of Commerce.