H.R. 1903 (rh) To amend the National Institute of Standards and Technology Act to enhance the ability of the National Institute of Standards and Technology to improve computer security, and for other purposes.
105th CONGRESS
1st Session
H. R. 1903
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
September 17, 1997
Received; read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
AN ACT
To amend the National Institute of Standards and Technology Act to
enhance the ability of the National Institute of Standards and
Technology to improve computer security, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Computer Security Enhancement Act of
1997''.
SEC. 2. FINDINGS AND PURPOSES.
(a) Findings.--The Congress finds the following:
(1) The National Institute of Standards and Technology has
responsibility for developing standards and guidelines needed
to ensure the cost-effective security and privacy of sensitive
information in Federal computer systems.
(2) The Federal Government has an important role in
ensuring the protection of sensitive, but unclassified,
information controlled by Federal agencies.
(3) Technology that is based on the application of
cryptography exists and can be readily provided by private
sector companies to ensure the confidentiality, authenticity,
and integrity of information associated with public and private
activities.
(4) The development and use of encryption technologies
should be driven by market forces rather than by Government
imposed requirements.
(5) Federal policy for control of the export of encryption
technologies should be determined in light of the public
availability of comparable encryption technologies outside of
the United States in order to avoid harming the competitiveness
of United States computer hardware and software companies.
(b) Purposes.--The purposes of this Act are to--
(1) reinforce the role of the National Institute of
Standards and Technology in ensuring the security of
unclassified information in Federal computer systems;
(2) promote technology solutions based on private sector
offerings to protect the security of Federal computer systems;
and
(3) provide the assessment of the capabilities of
information security products incorporating cryptography that
are generally available outside the United States.
SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE.
Section 20(b) of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3(b)) is amended--
(1) by redesignating paragraphs (2), (3), (4), and (5) as
paragraphs (3), (4), (7), and (8), respectively; and
(2) by inserting after paragraph (1) the following new
paragraph:
``(2) upon request from the private sector, to assist in
establishing voluntary interoperable standards, guidelines, and
associated methods and techniques to facilitate and expedite
the establishment of non-Federal management infrastructures for
public keys that can be used to communicate with and conduct
transactions with the Federal Government;''.
SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.
Section 20(b) of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is
further amended by inserting after paragraph (4), as so redesignated by
section 3(1) of this Act, the following new paragraphs:
``(5) to provide guidance and assistance to Federal
agencies in the protection of interconnected computer systems
and to coordinate Federal response efforts related to
unauthorized access to Federal computer systems;
``(6) to perform evaluations and tests of--
``(A) information technologies to assess security
vulnerabilities; and
``(B) commercially available security products for
their suitability for use by Federal agencies for
protecting sensitive information in computer
systems;''.
SEC. 5. COMPUTER SECURITY IMPLEMENTATION.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3) is further amended--
(1) by redesignating subsections (c) and (d) as subsections
(e) and (f), respectively; and
(2) by inserting after subsection (b) the following new
subsection:
``(c) In carrying out subsection (a)(3), the Institute shall--
``(1) emphasize the development of technology-neutral
policy guidelines for computer security practices by the
Federal agencies;
``(2) actively promote the use of commercially available
products to provide for the security and privacy of sensitive
information in Federal computer systems; and
``(3) participate in implementations of encryption
technologies in order to develop required standards and
guidelines for Federal computer systems, including assessing
the desirability of and the costs associated with establishing
and managing key recovery infrastructures for Federal
Government information.''.
SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by
inserting after subsection (c), as added by section 5 of this Act, the
following new subsection:
``(d)(1) The Institute shall solicit the recommendations of the
Computer System Security and Privacy Advisory Board, established by
section 21, regarding standards and guidelines that are being
considered for submittal to the Secretary of Commerce in accordance
with subsection (a)(4). No standards or guidelines shall be submitted
to the Secretary prior to the receipt by the Institute of the Board's
written recommendations. The recommendations of the Board shall
accompany standards and guidelines submitted to the Secretary.
``(2) There are authorized to be appropriated to the Secretary of
Commerce $1,000,000 for fiscal year 1998 and $1,030,000 for fiscal year
1999 to enable the Computer System Security and Privacy Advisory Board,
established by section 21, to identify emerging issues related to
computer security, privacy, and cryptography and to convene public
meetings on those subjects, receive presentations, and publish reports,
digests, and summaries for public distribution on those subjects.''.
SEC. 7. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by
adding at the end the following new subsection:
``(g) The Institute shall not promulgate, enforce, or otherwise
adopt standards, or carry out activities or policies, for the Federal
establishment of encryption standards required for use in computer
systems other than Federal Government computer systems.''.
SEC. 8. MISCELLANEOUS AMENDMENTS.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3), as amended by this Act, is further amended--
(1) in subsection (b)(8), as so redesignated by section
3(1) of this Act, by inserting ``to the extent that such
coordination will improve computer security and to the extent
necessary for improving such security for Federal computer
systems'' after ``Management and Budget)'';
(2) in subsection (e), as so redesignated by section 5(1)
of this Act, by striking ``shall draw upon'' and inserting in
lieu thereof ``may draw upon'';
(3) in subsection (e)(2), as so redesignated by section
5(1) of this Act, by striking ``(b)(5)'' and inserting in lieu
thereof ``(b)(8)''; and
(4) in subsection (f)(1)(B)(i), as so redesignated by
section 5(1) of this Act, by inserting ``and computer
networks'' after ``computers''.
SEC. 9. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.
Section 5(b) of the Computer Security Act of 1987 (49 U.S.C. 759
note) is amended--
(1) by striking ``and'' at the end of paragraph (1);
(2) by striking the period at the end of paragraph (2) and
inserting in lieu thereof ``; and''; and
(3) by adding at the end the following new paragraph:
``(3) to include emphasis on protecting sensitive
information in Federal databases and Federal computer sites
that are accessible through public networks.''.
SEC. 10. COMPUTER SECURITY FELLOWSHIP PROGRAM.
There are authorized to be appropriated to the Secretary of
Commerce $250,000 for fiscal year 1998 and $500,000 for fiscal year
1999 for the Director of the National Institute of Standards and
Technology for fellowships, subject to the provisions of section 18 of
the National Institute of Standards and Technology Act (15 U.S.C. 278g-
1), to support students at institutions of higher learning in computer
security. Amounts authorized by this section shall not be subject to
the percentage limitation stated in such section 18.
SEC. 11. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH
COUNCIL.
(a) Review by National Research Council.--Not later than 90 days
after the date of the enactment of this Act, the Secretary of Commerce
shall enter into a contract with the National Research Council of the
National Academy of Sciences to conduct a study of public key
infrastructures for use by individuals, businesses, and government.
(b) Contents.--The study referred to in subsection (a) shall--
(1) assess technology needed to support public key
infrastructures;
(2) assess current public and private plans for the
deployment of public key infrastructures;
(3) assess interoperability, scalability, and integrity of
private and public entities that are elements of public key
infrastructures;
(4) make recommendations for Federal legislation and other
Federal actions required to ensure the national feasibility and
utility of public key infrastructures; and
(5) address such other matters as the National Research
Council considers relevant to the issues of public key
infrastructure.
(c) Interagency Cooperation With Study.--All agencies of the
Federal Government shall cooperate fully with the National Research
Council in its activities in carrying out the study under this section,
including access by properly cleared individuals to classified
information if necessary.
(d) Report.--Not later than 18 months after the date of the
enactment of this Act, the Secretary of Commerce shall transmit to the
Committee on Science of the House of Representatives and the Committee
on Commerce, Science, and Transportation of the Senate a report setting
forth the findings, conclusions, and recommendations of the National
Research Council for public policy related to public key
infrastructures for use by individuals, businesses, and government.
Such report shall be submitted in unclassified form.
(e) Authorization of Appropriations.--There are authorized to be
appropriated to the Secretary of Commerce $450,000 for fiscal year
1998, to remain available until expended, for carrying out this
section.
SEC. 12. PROMOTION OF NATIONAL INFORMATION SECURITY.
The Under Secretary of Commerce for Technology shall--
(1) promote the more widespread use of applications of
cryptography and associated technologies to enhance the
security of the Nation's information infrastructure;
(2) establish a central clearinghouse for the collection by
the Federal Government and dissemination to the public of
information to promote awareness of information security
threats; and
(3) promote the development of the national, standards-
based infrastructure needed to support commercial and private
uses of encryption technologies for confidentiality and
authentication.
SEC. 13. DIGITAL SIGNATURE INFRASTRUCTURE.
(a) National Policy Panel.--The Under Secretary of Commerce for
Technology shall establish a National Policy Panel for Digital
Signatures. The Panel shall be composed of nongovernment and government
technical and legal experts on the implementation of digital signature
technologies, individuals from companies offering digital signature
products and services, State officials, including officials from States
which have enacted statutes establishing digital signature
infrastructures, and representative individuals from the interested
public.
(b) Responsibilities.--The Panel established under subsection (a)
shall serve as a forum for exploring all relevant factors associated
with the development of a national digital signature infrastructure
based on uniform standards that will enable the widespread availability
and use of digital signature systems. The Panel shall develop--
(1) model practices and procedures for certification
authorities to ensure accuracy, reliability, and security of
operations associated with issuing and managing certificates;
(2) standards to ensure consistency among jurisdictions
that license certification authorities; and
(3) audit standards for certification authorities.
(c) Administrative Support.--The Under Secretary of Commerce for
Technology shall provide administrative support to the Panel
established under subsection (a) of this section as necessary to enable
the Panel to carry out its responsibilities.
SEC. 14. SOURCE OF AUTHORIZATIONS.
Amounts authorized to be appropriated by this Act shall be derived
from amounts authorized under the National Institute of Standards and
Technology Authorization Act of 1997.
Passed the House of Representatives September 16, 1997.
Attest:
ROBIN H. CARLE,
Clerk.