H.R. 4259: Strengthening Digital Identity Act of 2021


The text of the bill below is as of Jun 30, 2021 (Introduced).


I

117th CONGRESS

1st Session

H. R. 4259

IN THE HOUSE OF REPRESENTATIVES

June 30, 2021

(for himself and Ms. Wexton) introduced the following bill; which was referred to the Committee on Science, Space, and Technology

A BILL

To direct the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology, to direct the Institute to establish a robust program focusing on driving improvements in America’s cybersecurity posture by creating more robust digital identity management standards and guidelines.

1. Short title

This Act may be cited as the Strengthening Digital Identity Act of 2021.

2. Findings

Congress finds the following:

(1) NIST’s work in identity research and standards is unmatched anywhere in the world, with global standards development organizations like the Financial Action Task Force (FATF) pointing to NIST guidance in its own standards. Given that adversaries continue to exploit weaknesses in digital identity systems to conduct successful cyber-attacks, additional NIST resources are needed to help government and industry secure identity in cyberspace.

(2) The lack of an easy, affordable, and reliable way for organizations and businesses to identify whether an individual is who they claim to be online creates an attack vector that is widely exploited by adversaries in cyberspace and precludes many high value transactions from being available online.

(3) According to the identity theft resource center, incidents of identity theft and identity fraud continue to rise in the United States, where more than 164,000,000 consumer records containing personally identifiable information were breached in 2019, increasing the total number of data breaches by 17 percent from the previous year.

(4) According to the Insurance Information Institute, in 2018, losses resulting from identity fraud amounted to $16,800,000,000.

(5) The inadequacy of current digital identity solutions degrades security and privacy for all Americans, and next generation solutions are needed that improve both security and privacy.

(6) Government entities, as authoritative issuers of identity in the United States, are uniquely positioned to deliver critical components that address deficiencies in our digital identity infrastructure and augment private sector digital identity and authentication solutions.

(7) State governments are particularly well suited to play a role in enhancing digital identity solutions used by both the public and private sectors, given the role of State governments as the issuers of driver’s licenses and other identity documents commonly used today.

(8) It should be the policy of the Government to use the authorities and capabilities of the Government to enhance the security, reliability, privacy, and convenience of digital identity solutions that support and protect transactions between individuals, government entities, and businesses, and that enable Americans to prove who they are online.

3. Identity management research and development

Section 504 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7464) is amended to read as follows:

504. Identity management research and development

(a) In general

The Director shall administer a program to support the development of voluntary and cost-effective technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns—

(1) to improve interoperability among identity management technologies;

(2) to strengthen identity proofing and authentication methods used in identity management systems;

(3) to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and

(4) to improve the usability and inclusivity of identity management systems.

(b) Digital identity technical roadmap

The Director, in consultation with other relevant Federal agencies and stakeholders from the private sector, shall develop, implement, and maintain a technical roadmap for identity management research and the development of standards and guidelines focused on enabling the use and adoption of modern digital identity solutions that align with the four criteria in subsection (a). This roadmap and any subsequent updates shall be made public.

(c) Activities

In carrying out the program described under subsection (a), the Director shall give consideration to activities that—

(1) accelerate the development, in collaboration with the private sector, of standards that address interoperability and portability of digital identity solutions;

(2) addresses gaps in current private-sector-led identity management research and development and standards work, both for consumer-focused and enterprise-focused identity management;

(3) advances the development of conformance testing performed by the private sector in support of digital identity standardization;

(4) addresses challenges with inclusivity of existing digital identity and identity management tools; and

(5) support, in consultation with other relevant Federal agencies and stakeholders from the private sector, the development of appropriate security frameworks and reference materials, and the identification of best practices, for use by Federal agencies and the private sector to address security and privacy requirements to enable the use and adoption of digital identity services.

4. Digital identity framework

(a) Establishment of a framework

Not later than 1 year after the date of the enactment of this Act, the Director shall develop and periodically update a framework of standards, methodologies, procedures, and processes (in this section referred to as the Framework) as a guide for Federal, State, and local governments to follow when providing services to support digital identity verification.

(b) Consideration

In developing the Framework, the Director shall consider—

(1) methods to protect the privacy of individuals;

(2) security needs; and

(3) the needs of potential end-users and individuals that will use services related to digital identity verification.

(c) Consultation

In carrying out subsection (a) the Director shall consult with—

(1) Federal and State agencies;

(2) potential end-users and individuals that will use services related to digital identity verification; and

(3) experts with relevant experience in the systems that enable digital identity verification, as determined by the Director.

(d) Interim publication

Not later than 240 days after the date of the enactment of this Act, the Director shall publish an interim version of the Framework.

(e) Authorization of appropriations

There is authorized to be appropriated to the Secretary $10,000,000 for each of fiscal years 2022 through 2026 to carry out this Act and the amendments made by this Act.

5. Definitions

For purposes of this Act:

(1) Digital identity verification

The term digital identity verification means a process to verify the identity of an individual accessing a service online.

(2) Director

The term Director means the Director of the National Institute of Standards and Technology.

(3) Institute

The term Institute means the National Institute of Standards and Technology.

(4) Secretary

The term Secretary means the Secretary of Commerce.