[House Report 106-876]
[From the U.S. Government Publishing Office]



106th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     106-876

======================================================================



 
               COMPUTER SECURITY ENHANCEMENT ACT OF 2000

                                _______
                                

 September 21, 2000.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

    Mr. Sensenbrenner, from the Committee on Science, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 2413]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Science, to whom was referred the bill (H.R. 
2413) to amend the National Institute of Standards and 
Technology Act to enhance the ability of the National Institute 
of Standards and Technology to improve computer security, and 
for other purposes, having considered the same, report 
favorably thereon with an amendment and recommend that the bill 
as amended do pass.

                                CONTENTS

                                                                   Page
   I. Amendment.......................................................2
  II. Purpose of the Bill.............................................6
 III. Background and Need for the Legislation.........................6
  IV. Summary of Hearings.............................................7
   V. Committee Actions..............................................11
  VI. Summary of Major Provisions of the Bill........................11
 VII. Section-By-Section Analysis (By Title and Section)/Committee 
      Views..........................................................12
VIII. Cost Estimate..................................................18
  IX. Congressional Budget Office Cost Estimate......................18
   X. Compliance with Public Law 104-4 (Unfunded Mandates)...........19
  XI. Committee Oversight Findings and Recommendations...............19
 XII. Oversight Findings and Recommendations by the Committee on 
      Government Reform and Oversight................................20
XIII. Constitutional Authority Statement.............................20
 XIV. Federal Advisory Committee Statement...........................20
  XV. Congressional Accountability Act...............................20
 XVI. Statement of Preemption of State, Local, or Tribal Law.........20
XVII. Changes in Existing Law Made by the Bill, As Reported..........20
XVIII. Committee Recommendations.....................................23

 XIX. Proceedings of Subcommittee Markup.............................24
  XX. Proceedings of Full Committee Markup...........................59

                              I. Amendment

  The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Computer Security Enhancement Act of 
2000''.

SEC. 2. FINDINGS AND PURPOSES.

  (a) Findings.--The Congress finds the following:
          (1) The National Institute of Standards and Technology has 
        responsibility for developing standards and guidelines needed 
        to ensure the cost-effective security and privacy of sensitive 
        information in Federal computer systems.
          (2) The Federal Government has an important role in ensuring 
        the protection of sensitive, but unclassified, information 
        controlled by Federal agencies.
          (3) Technology that is based on the application of 
        cryptography exists and can be readily provided by private 
        sector companies to ensure the confidentiality, authenticity, 
        and integrity of information associated with public and private 
        activities.
          (4) The development and use of encryption technologies by 
        industry should be driven by market forces rather than by 
        Government imposed requirements.
  (b) Purposes.--The purposes of this Act are to--
          (1) reinforce the role of the National Institute of Standards 
        and Technology in ensuring the security of unclassified 
        information in Federal computer systems; and
          (2) promote technology solutions based on private sector 
        offerings to protect the security of Federal computer systems.

SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE.

  Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)) is amended--
          (1) by redesignating paragraphs (2), (3), (4), and (5) as 
        paragraphs (3), (4), (8), and (9), respectively; and
          (2) by inserting after paragraph (1) the following new 
        paragraph:
          ``(2) upon request from the private sector, to assist in 
        establishing voluntary interoperable standards, guidelines, and 
        associated methods and techniques to facilitate and expedite 
        the establishment of non-Federal management infrastructures for 
        public keys that can be used to communicate with and conduct 
        transactions with the Federal Government;''.

SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.

  Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is 
further amended by inserting after paragraph (4), as so redesignated by 
section 3(1) of this Act, the following new paragraphs:
          ``(5) except for national security systems, as defined in 
        section 5142 of Public Law 104-106 (40 U.S.C. 1452), to provide 
        guidance and assistance to Federal agencies for protecting the 
        security and privacy of sensitive information in interconnected 
        Federal computer systems, including identification of 
        significant risks thereto;
          ``(6) to promote compliance by Federal agencies with existing 
        Federal computer information security and privacy guidelines;
          ``(7) in consultation with appropriate Federal agencies, 
        assist Federal response efforts related to unauthorized access 
        to Federal computer systems;''.

SEC. 5. COMPUTER SECURITY IMPLEMENTATION.

  Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3) is further amended--
          (1) by redesignating subsections (c) and (d) as subsections 
        (e) and (f), respectively; and
          (2) by inserting after subsection (b) the following new 
        subsection:
  ``(c)(1) In carrying out subsection (a)(2) and (3), the Institute 
shall--
          ``(A) emphasize the development of technology-neutral policy 
        guidelines for computer security practices by the Federal 
        agencies;
          ``(B) promote the use of commercially available products, 
        which appear on the list required by paragraph (2), to provide 
        for the security and privacy of sensitive information in 
        Federal computer systems;
          ``(C) develop qualitative and quantitative measures 
        appropriate for assessing the quality and effectiveness of 
        information security and privacy programs at Federal agencies;
          ``(D) perform evaluations and tests at Federal agencies to 
        assess existing information security and privacy programs;
          ``(E) promote development of accreditation procedures for 
        Federal agencies based on the measures developed under 
        subparagraph (C);
          ``(F) if requested, consult with and provide assistance to 
        Federal agencies regarding the selection by agencies of 
        security technologies and products and the implementation of 
        security practices; and
          ``(G)(i) develop uniform testing procedures suitable for 
        determining the conformance of commercially available security 
        products to the guidelines and standards developed under 
        subsection (a)(2) and (3);
          ``(ii) establish procedures for certification of private 
        sector laboratories to perform the tests and evaluations of 
        commercially available security products developed in 
        accordance with clause (i); and
          ``(iii) promote the testing of commercially available 
        security products for their conformance with guidelines and 
        standards developed under subsection (a)(2) and (3).
  ``(2) The Institute shall maintain and make available to Federal 
agencies and to the public a list of commercially available security 
products that have been tested by private sector laboratories certified 
in accordance with procedures established under paragraph (1)(G)(ii), 
and that have been found to be in conformance with the guidelines and 
standards developed under subsection (a)(2) and (3).
  ``(3) The Institute shall annually transmit to the Congress, in an 
unclassified format, a report containing--
          ``(A) the findings of the evaluations and tests of Federal 
        computer systems conducted under this section during the 12 
        months preceding the date of the report, including the 
        frequency of the use of commercially available security 
        products included on the list required by paragraph (2);
          ``(B) the planned evaluations and tests under this section 
        for the 12 months following the date of the report; and
          ``(C) any recommendations by the Institute to Federal 
        agencies resulting from the findings described in subparagraph 
        (A), and the response by the agencies to those 
        recommendations.''.

SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

  Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3), as amended by this Act, is further amended by 
inserting after subsection (c), as added by section 5 of this Act, the 
following new subsection:
  ``(d)(1) The Institute shall solicit the recommendations of the 
Computer System Security and Privacy Advisory Board, established by 
section 21, regarding standards and guidelines that are being 
considered for submittal to the Secretary in accordance with subsection 
(a)(4). The recommendations of the Board shall accompany standards and 
guidelines submitted to the Secretary.
  ``(2) There are authorized to be appropriated to the Secretary 
$1,030,000 for fiscal year 2001 and $1,060,000 for fiscal year 2002 to 
enable the Computer System Security and Privacy Advisory Board, 
established by section 21, to identify emerging issues related to 
computer security, privacy, and cryptography and to convene public 
meetings on those subjects, receive presentations, and publish reports, 
digests, and summaries for public distribution on those subjects.''.

SEC. 7. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS.

  Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3), as amended by this Act, is further amended by 
adding at the end the following new subsection:
  ``(g) The Institute shall not promulgate, enforce, or otherwise adopt 
standards, or carry out activities or policies, for the Federal 
establishment of encryption standards required for use in computer 
systems other than Federal Government computer systems.''.

SEC. 8. MISCELLANEOUS AMENDMENTS.

  Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3), as amended by this Act, is further amended--
          (1) in subsection (b)(9), as so redesignated by section 3(1) 
        of this Act, by inserting ``to the extent that such 
        coordination will improve computer security and to the extent 
        necessary for improving such security for Federal computer 
        systems'' after ``Management and Budget)'';
          (2) in subsection (e), as so redesignated by section 5(1) of 
        this Act, by striking ``shall draw upon'' and inserting in lieu 
        thereof ``may draw upon'';
          (3) in subsection (e)(2), as so redesignated by section 5(1) 
        of this Act, by striking ``(b)(5)'' and inserting in lieu 
        thereof ``(b)(8)''; and
          (4) in subsection (f)(1)(B)(i), as so redesignated by section 
        5(1) of this Act, by inserting ``and computer networks'' after 
        ``computers''.

SEC. 9. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

  Section 5(b) of the Computer Security Act of 1987 (40 U.S.C. 759 
note) is amended--
          (1) by striking ``and'' at the end of paragraph (1);
          (2) by striking the period at the end of paragraph (2) and 
        inserting in lieu thereof ``; and''; and
          (3) by adding at the end the following new paragraph:
          ``(3) to include emphasis on protecting sensitive information 
        in Federal databases and Federal computer sites that are 
        accessible through public networks.''.

SEC. 10. COMPUTER SECURITY FELLOWSHIP PROGRAM.

  There are authorized to be appropriated to the Secretary of Commerce 
$500,000 for fiscal year 2001 and $500,000 for fiscal year 2002 for the 
Director of the National Institute of Standards and Technology for 
fellowships, subject to the provisions of section 18 of the National 
Institute of Standards and Technology Act (15 U.S.C. 278g-1), to 
support students at institutions of higher learning in computer 
security. Amounts authorized by this section shall not be subject to 
the percentage limitation stated in such section 18.

SEC. 11. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH 
                    COUNCIL.

  (a) Review by National Research Council.--Not later than 90 days 
after the date of the enactment of this Act, the Secretary of Commerce 
shall enter into a contract with the National Research Council of the 
National Academy of Sciences to conduct a study of public key 
infrastructures for use by individuals, businesses, and government.
  (b) Contents.--The study referred to in subsection (a) shall--
          (1) assess technology needed to support public key 
        infrastructures;
          (2) assess current public and private plans for the 
        deployment of public key infrastructures;
          (3) assess interoperability, scalability, and integrity of 
        private and public entities that are elements of public key 
        infrastructures;
          (4) make recommendations for Federal legislation and other 
        Federal actions required to ensure the national feasibility and 
        utility of public key infrastructures; and
          (5) address such other matters as the National Research 
        Council considers relevant to the issues of public key 
        infrastructure.
  (c) Interagency Cooperation With Study.--All agencies of the Federal 
Government shall cooperate fully with the National Research Council in 
its activities in carrying out the study under this section, including 
access by properly cleared individuals to classified information if 
necessary.
  (d) Report.--Not later than 18 months after the date of the enactment 
of this Act, the Secretary of Commerce shall transmit to the Committee 
on Science of the House of Representatives and the Committee on 
Commerce, Science, and Transportation of the Senate a report setting 
forth the findings, conclusions, and recommendations of the National 
Research Council for public policy related to public key 
infrastructures for use by individuals, businesses, and government. 
Such report shall be submitted in unclassified form.
  (e) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Commerce $450,000 for fiscal year 
2001, to remain available until expended, for carrying out this 
section.

SEC. 12. PROMOTION OF NATIONAL INFORMATION SECURITY.

  The Under Secretary of Commerce for Technology shall--
          (1) promote an increased use of security techniques, such as 
        risk assessment, and security tools, such as cryptography, to 
        enhance the protection of the Nation's information 
        infrastructure;
          (2) establish a central repository of information for 
        dissemination to the public to promote awareness of information 
        security vulnerabilities and risks; and
          (3) promote the development of the national, standards-based 
        infrastructure needed to support government, commercial, and 
        private uses of encryption technologies for confidentiality and 
        authentication.

SEC. 13. ELECTRONIC AUTHENTICATION INFRASTRUCTURE.

  (a) Electronic Authentication Infrastructure.--
          (1) Guidelines and standards.--Not later than 18 months after 
        the date of the enactment of this Act, the Director, in 
        consultation with industry and appropriate Federal agencies, 
        shall develop electronic authentication infrastructure 
        guidelines and standards for use by Federal agencies to assist 
        those agencies to effectively select and utilize electronic 
        authentication technologies in a manner that is--
                  (A) adequately secure to meet the needs of those 
                agencies and their transaction partners; and
                  (B) interoperable, to the maximum extent possible.
          (2) Elements.--The guidelines and standards developed under 
        paragraph (1) shall include--
                  (A) protection profiles for cryptographic and 
                noncryptographic methods of authenticating identity for 
                electronic authentication products and services;
                  (B) a core set of interoperability specifications for 
                the Federal acquisition of electronic authentication 
                products and services; and
                  (C) validation criteria to enable Federal agencies to 
                select cryptographic electronic authentication products 
                and services appropriate to their needs.
          (3) Coordination with national policy panel.--The Director 
        shall ensure that the development of guidelines and standards 
        with respect to cryptographic electronic authentication 
        products and services under this subsection is carried out in 
        consultation with the National Policy Panel for Digital 
        Signatures established under subsection (e).
          (4) Revisions.--The Director shall periodically review the 
        guidelines and standards developed under paragraph (1) and 
        revise them as appropriate.
  (b) Listing of Validated Products.--Not later than 30 months after 
the date of the enactment of this Act, and thereafter, the Director 
shall maintain and make available to Federal agencies and to the public 
a list of commercially available electronic authentication products, 
and other such products used by Federal agencies, evaluated as 
conforming with the guidelines and standards developed under subsection 
(a).
  (c) Specifications for Electronic Certification and Management 
Technologies.--
          (1) Specifications.--The Director shall, as appropriate, 
        establish core specifications for particular electronic 
        certification and management technologies, or their components, 
        for use by Federal agencies.
          (2) Evaluation.--The Director shall advise Federal agencies 
        on how to evaluate the conformance with the specifications 
        established under paragraph (1) of electronic certification and 
        management technologies, developed for use by Federal agencies 
        or available for such use.
          (3) Maintenance of list.--The Director shall maintain and 
        make available to Federal agencies a list of electronic 
        certification and management technologies evaluated as 
        conforming to the specifications established under paragraph 
        (1).
  (d) Reports.--Not later than 18 months after the date of the 
enactment of this Act, and annually thereafter, the Director shall 
transmit to the Congress a report that includes--
          (1) a description and analysis of the utilization by Federal 
        agencies of electronic authentication technologies; and
          (2) an evaluation of the extent to which Federal agencies' 
        electronic authentication infrastructures conform to the 
        guidelines and standards developed under subsection (a)(1).
  (e) National Policy Panel for Digital Signatures.--
          (1) Establishment.--Not later than 90 days after the date of 
        the enactment of this Act, the Under Secretary shall establish 
        a National Policy Panel for Digital Signatures. The Panel shall 
        be composed of government, academic, and industry technical and 
        legal experts on the implementation of digital signature 
        technologies, State officials, including officials from States 
        which have enacted laws recognizing the use of digital 
        signatures, and representative individuals from the interested 
        public.
          (2) Responsibilities.--The Panel shall serve as a forum for 
        exploring all relevant factors associated with the development 
        of a national digital signature infrastructure based on uniform 
        guidelines and standards to enable the widespread availability 
        and use of digital signature systems. The Panel shall develop--
                  (A) model practices and procedures for certification 
                authorities to ensure the accuracy, reliability, and 
                security of operations associated with issuing and 
                managing digital certificates;
                  (B) guidelines and standards to ensure consistency 
                among jurisdictions that license certification 
                authorities; and
                  (C) audit procedures for certification authorities.
          (3) Coordination.--The Panel shall coordinate its efforts 
        with those of the Director under subsection (a).
          (4) Administrative support.--The Under Secretary shall 
        provide administrative support to enable the Panel to carry out 
        its responsibilities.
          (5) Report.--Not later than 1 year after the date of the 
        enactment of this Act, the Under Secretary shall transmit to 
        the Congress a report containing the recommendations of the 
        Panel.
  (f) Definitions.--For purposes of this section--
          (1) the term ``certification authorities'' means issuers of 
        digital certificates;
          (2) the term ``digital certificate'' means an electronic 
        document that binds an individual's identity to the 
        individual's key;
          (3) the term ``digital signature'' means a mathematically 
        generated mark utilizing key cryptography techniques that is 
        unique to both the signatory and the information signed;
          (4) the term ``digital signature infrastructure'' means the 
        software, hardware, and personnel resources, and the 
        procedures, required to effectively utilize digital 
        certificates and digital signatures;
          (5) the term ``electronic authentication'' means 
        cryptographic or noncryptographic methods of authenticating 
        identity in an electronic communication;
          (6) the term ``electronic authentication infrastructure'' 
        means the software, hardware, and personnel resources, and the 
        procedures, required to effectively utilize electronic 
        authentication technologies;
          (7) the term ``electronic certification and management 
        technologies'' means computer systems, including associated 
        personnel and procedures, that enable individuals to apply 
        unique digital signatures to electronic information;
          (8) the term ``protection profile'' means a list of security 
        functions and associated assurance levels used to describe a 
        product; and
          (9) the term ``Under Secretary'' means the Under Secretary of 
        Commerce for Technology.

SEC. 14. SOURCE OF AUTHORIZATIONS.

  There are authorized to be appropriated to the Secretary of Commerce 
$7,000,000 for fiscal year 2001 and $8,000,000 for fiscal year 2002, 
for the National Institute of Standards and Technology to carry out 
activities authorized by this Act for which funds are not otherwise 
specifically authorized to be appropriated by this Act.

                        II. Purpose of the Bill

    The purpose of the bill is to update the Computer Security 
Act of 1987 to improve computer security for federal civilian 
agencies and the private sector.

              III. Background and Need for the Legislation

    The Computer Security Act of 1987 gave authority over 
computer and communication security standards in federal 
civilian agencies to NIST. The Computer Security Enhancement 
Act of 2000 strengthens that authority and directs funds to 
implement practices and procedures which will ensure that the 
federal standards setting process remains open to public input 
and analysis and that will provide guidance and assistance on 
protection of electronic information to federal civilian 
agencies. H.R. 2413 promotes open and public discussion, as 
well as the use of commercially available products to meet the 
information security needs of the federal civilian agencies.
    Since 1993, the General Accounting Office (GAO) has issued 
over 35 reports describing serious information security 
weaknesses at major federal agencies. In 1999, GAO reported 
that during the previous 2 years serious information security 
control weaknesses had been reported for most of the federal 
agencies. Recently, GAO gave the federal government an overall 
grade of D minus for its computer security efforts.
    Much has changed in the years since the Computer Security 
Act of 1987 was enacted. The proliferation of networked 
systems, the Internet, and web access are just a few of the 
dramatic advances in information technology that have occurred. 
The Computer Security Enhancement Act of 2000 addresses these 
changes and provides for greater security for the federal 
civilian agencies that base their procurement decisions for 
computer security hardware and software on NIST standards. H.R. 
2413 also promotes the use of commercially available products 
and encourages an open exchange of information between NIST and 
the private sector. This renewed emphasis on open discussion 
should help facilitate better security in all communities.

                        IV. Summary of Hearings

    On September 30, 1999, the Subcommittee on Technology held 
a hearing to review H.R. 2413, the Computer Security 
Enhancement Act of 2000, legislation introduced by Chairman 
Sensenbrenner and Representatives Morella and Gordon.
    Witnesses included Mr. Raymond Kammer, Director, National 
Institute of Standards and Technology; Mr. Keith Rhodes, 
Director, Office of Computer and Information Technology 
Assessment, U.S. General Accounting Office; Mr. Harris Miller, 
President, Information Technology Association of America; and 
Dr. George Trubow, Professor and Director, Center for 
Information Technology and Privacy Law, The John Marshall Law 
School and Member, Computer System Security and Privacy 
Advisory Board (CSSPAB), NIST.
    Mr. Kammer, testifying on behalf of the National Institute 
of Standards and Technology, stated that NIST's computer 
security program focuses on standards and guidelines, public 
key infrastructure and security research. Mr. Kammer noted that 
the President has recently requested an additional $39M in FY 
2000 for initiatives proposed to protect critical 
infrastructure, of which $5M would be for NIST to establish an 
Expert Review Team to assist Government-wide agencies in 
adhering to Federal computer security requirements. NIST would 
consult with OMB and NSA on the team's plan to protect computer 
security for Federal agencies. Two million would fund a 15-
member team responsible for helping agencies identify 
vulnerabilities, plan secure systems and implement critical 
infrastructure plans. Three million would establish an 
operational fund at NIST for computer security projects among 
Federal agencies. Projects would include independent 
vulnerability assessments, computer intrusion drill and 
emergency funds to cover security fixes for systems identified 
to have unacceptable risks.
    Mr. Rhodes, testifying on behalf of the General Accounting 
Office (GAO), stated that H.R. 2413 aims to reinforce the role 
of NIST, whose mission is to provide guidance and technical 
assistance to government and industry to protect unclassified 
information systems. Mr. Rhodes discussed: (1) the urgent need 
to strengthen computer security across the Federal Government; 
(2) the current and future privacy concerns with any computer 
security legislation; (3) GAO's views on the proposed act; and 
(4) what can be done to further strengthen security program 
management at federal agencies. According to Rhodes, it is 
imperative that the Federal Government swiftly implement long-
term solutions both at individual agencies and government-wide 
to protect systems and sensitive data. He noted that the need 
to protect sensitive data and systems must be weighed against 
cost, feasibility, privacy and security interests of citizens 
and private businesses as well as national security and law 
enforcement agencies. Without computer security, privacy cannot 
be assured. Without agreement among users, businesses, law 
enforcement, national security and other authorities on 
requirements, there is no way to implement new technology or to 
establish standards that will be universally accepted. Finally, 
Mr. Rhodes stated that it is important to ensure that NIST 
retains the ability to develop security standards for 
unclassified data and decide which industry standards are 
appropriate for Federal agencies and that the agencies 
consistently implement such standards.
    Mr. Harris, testifying on behalf of the ITAA, stated that 
his association and its members support both goals of H.R. 
2413, to assist NIST in meeting the computer security needs of 
Federal agencies and to allow the Federal Government through 
NIST to harness the ingenuity of the private sector to help 
address its computer security needs. He noted that computer 
security solutions should be industry-led. Mr. Harris 
recognized that great opportunities for collaboration between 
Federal Government and private industry currently exist and 
that there is a need for information security computer 
specialists and additional resources. Finally, Mr. Harris 
stated there is a need for authentication through digital 
signatures and a public key infrastructure.
    Professor Trubow, testifying on behalf of the Computer 
System Security and Privacy Advisory Board (CSSPAB), warned 
that for the Board to remain effective, it should maintain its 
role as an advisory board. He noted that it is appropriate for 
the board to be asked for its advice and wisdom. In his 
opinion, the board supports the goal of H.R. 2413 to expand 
NIST's activities in developing and promoting the use of 
information system security technologies. He noted that 
attention to privacy must not be overlooked. Finally, Professor 
Trubow recommended that ``privacy'' be inserted in the bill in 
several areas.
    On April 15, 1999, the Subcommittee on Technology held a 
hearing on ``The Melissa Virus: Inoculating Our Information 
Technology from Emerging Threats.'' The hearing was held to 
review computer security threats, specifically computer viruses.
    Witnesses included: Mr. Raymond Kammer, Director, National 
Institute of Standards and Technology, Mr. Michael Vatis, 
Director, National Infrastructure and Protection Center, FBI, 
Dr. Richard Pethia, Director, CERT Coordination Center, 
Carnegie Mellon University Software Engineering Institute, and 
Mr. Keith Rhodes, Technical Director, Office of the Chief 
Scientist, U.S. General Accounting Office.
    Mr. Raymond Kammer, Director, National Institute of 
Standards and Technology, testified that the Melissa virus is 
what is known as a denial of service attack, whereby servers 
and routers are literally overwhelmed by e-mail. Mr. Kammer 
stressed that we as a nation must maintain a proper perspective 
in developing computer security solutions and not target the 
problem of the moment. Mr. Kammer stated that NIST has taken a 
broad perspective and that the agency has several initiatives 
underway to strengthen the IT security infrastructure of the 
U.S. economy.
    Mr. Michael Vatis, Director, National Infrastructure and 
Protection Center, FBI, testified that the Melissa virus is a 
macro virus spread through Microsoft Word 97 or Word 2000 e-
mail attachments. He explained that the problem with this 
particular virus was its ability to spread quickly. Mr. Vatis 
moved on to state that we are fortunate this virus did not do 
more damage than it did. However, he added that its occurrence 
should serve as a wake-up call for both the government and the 
private sector, because the virus exploited known 
vulnerabilities. Mr. Vatis stated that the notifications and 
information provided by the NIPC, CERT, and others demonstrated 
the value of cooperative efforts by the private and government 
sectors.
    Dr. Richard Pethia, Director, CERT Coordination Center, 
Carnegie Mellon University Software Engineering Institute, 
stated that the Melissa virus was a warning siren of the 
increased vulnerability of our networks. He believes that the 
press acted responsibly in reporting the outbreak. Dr. Pethia 
presumes that there will be a need in the future for enhanced 
incident response capability, faster communications, better 
analytical tools and techniques to solve this problem. He 
contends that if we have multiple outbreaks that spread at 
Internet speed, we would not be able to control the virus. He 
reiterates that real solutions in the long term can only come 
from improvements in technology. Along with virus-proof 
software, there is a need to make use of encryption technology 
in the form of digital signatures so those messages can be 
authenticated.
    Mr. Keith Rhodes, Technical Director, Office of the Chief 
Scientist, U.S. General Accounting Office testified that the 
Melissa virus disrupted the operations of thousands of 
companies and some government agencies, but did not permanently 
damage systems and did not compromise government data. He 
discussed the broader implications of the Melissa virus 
including how quickly the virus proliferated due to the 
extensive connectivity of today's networks. He believes that 
the next virus will propagate faster, do more damage and be 
more difficult to detect and to counter. He also claims that it 
is imperative that Federal agencies and the government 
implement long-term solutions to protect systems and sensitive 
data. Furthermore, Mr. Rhodes is a supporter of the GAO's 
Information Security Best Practice guides. They offer a 
framework for agencies to follow. Sustained government-wide 
leadership is needed to ensure that executives understand 
risks, monitor agency performance and resolve issues affecting 
multiple agencies.
    On May 10, 2000 the Subcommittee on Technology held a 
hearing entitled, ``The Love Bug Virus: Protecting Lovesick 
Computers from Malicious Attack.'' The hearing examined the 
features of the ``love bug'' computer virus, explored its 
impact on the Federal Government and the private sector, and 
examined possible solutions and preventative actions 
individuals and organizations should take to prevent emerging 
threats from impacting information technology systems and 
networks.
    Witnesses included: Mr. Keith Rhodes, Technical Director, 
Office of the Chief Scientist, U.S. General Accounting Office; 
Mr. Harris Miller, President, Information Technology 
Association of America; Ms. Sandra England, Senior Vice 
President, McAfee--A Network Associates Company; Mr. Peter 
Tippett, Chief Technology Officer, ICSA.net.
    Mr. Keith Rhodes, Technical Director, Office of the Chief 
Scientist, U.S. General Accounting Office, stated that the 
world does not practice safe computing. He described how the 
``I Love You'' virus worked. He noted that there were 14 
variants of this virus, some even more damaging. The Love Bug 
hit many large corporations such as AT&T, TWA, Ford, the 
Washington Post, ABC News, the British Parliament, the IMF and at 
least 14 other United States Federal agencies. These viruses 
were spreading faster due to the high dependency on our network 
systems. Mr. Rhodes claims that there is no silver bullet that 
will stop the infection of viruses. Therefore, agencies inside 
and outside the government must increase awareness, ensure that 
existing controls are operating effectively, ensure that 
software patches are brought up to date, use automated scanning 
and testing tools to quickly identify problems and be sure that 
common vulnerabilities are addressed.
    Mr. Harris Miller, President, Information Technology 
Association of America, testified that cyber crimes are given 
less priority than other types of crime since there is no 
actual physical violence. This attitude must change and the 
government agencies need to make information security a much 
higher priority. He stated that information sharing is the key 
challenge. He is working to create an information-sharing 
mechanism with over 100 IT companies. ITAA will host the first 
global security summit in Washington, D.C. on October 16 and 
17. He hopes to establish the same type of international 
collaboration that existed with the Y2K bug. ITAA is also 
working with the Department of Justice on the Cybercitizen 
Partnership to help promote cyber ethics. In his closing 
remarks he stated that cyber-crime must not become an accepted 
practice.
    Ms. Sandra England, Senior Vice President, McAfee--A 
Network Associates Company, testified that McAfee's 
emergency response team, AVERT, immediately responded to the 
outbreak of the ``I Love You'' virus. They were able to 
dispense a cure within a couple of hours of its first detection. 
She went on to add that many viruses are detected on a daily 
basis and last year alone there were $12 billion in damages due 
to various viruses. Ms. England claims that even though viruses 
attack on a more frequent basis, not much is being done to 
internal policies to respond to these new attacks. The actual 
cost from the viruses is hard to assess mainly since it is a 
loss of time and productivity. The anti-virus companies alone 
cannot combat this problem. Anti-virus software must be kept 
up to date, and signature files must be updated faithfully. She 
agreed that more must be done to stop virus writers and in turn 
stiffer punishments must be enacted.
    Mr. Peter Tippett, Chief Technology Officer, ICSA.net, 
discussed the costs and risks associated with electronic, 
malicious code, privacy, downtime, physical and human-related 
factors. He described ICSA as a new breed of Internet company 
that provides security assurance services. Mr. Tippett states 
that every product that ICSA certifies can detect, prevent and 
recover from every virus that has ever been promulgated. 
However, after they are installed into companies they become 
only 30% effective. He suggests better education on how to use 
such software. He agreed with the other witnesses in stating 
that stiffer laws must be invoked on those who choose to write 
these malicious codes. ICSA estimates that 65% of North 
American companies were infected as well as 133,000 desktops.

                          V. Committee Actions

    On Wednesday, October 20, 1999, the Committee on Science, 
Subcommittee on Technology convened to mark up H.R. 2413, The 
Computer Security Enhancement Act of 1999, to enhance the 
ability of the National Institute of Standards and Technology 
(NIST) to improve computer security. One amendment was offered 
at the mark-up. It was adopted by a voice vote.
    1. Mrs. Morella and Mr. Barcia offered an en bloc amendment 
that would require NIST to assess existing information security 
programs at Federal agencies, make recommendations to improve 
their security, and report to Congress annually on the 
information security status of Federal agencies.
    With a quorum present, Chairwoman Morella moved that H.R. 
2413, as amended, be reported. The motion was adopted by a voice 
vote.
    On Wednesday, July 26, 2000, the Committee on Science 
convened to mark up H.R. 2413. One amendment was offered by Mrs. 
Morella and Mr. Barcia and adopted by a voice vote.
    1. Mrs. Morella and Mr. Barcia offered an amendment, which 
consisted of the text of H.R. 2413 as reported by the 
Subcommittee on Technology. The amendment was agreed to by a 
voice vote.
    With a quorum present, Chairman Sensenbrenner moved that 
H.R. 2413, as amended, be reported. The motion was adopted by a 
voice vote.

              VI. Summary of Major Provisions of the Bill

    H.R. 2413, the Computer Security Enhancement Act of 2000 
provides for greater security for the federal civilian agencies 
that base their procurement decisions for computer security 
hardware and software on NIST standards. The legislation also 
promotes the use of commercially available products and 
encourages an open exchange of information between NIST and the 
private sector. The legislation authorizes a total of 
$8,980,000 in FY 2001 and $9,560,000 in FY 2002. Specifically, 
the Computer Security Enhancement Act of 2000:
     • Requires NIST to encourage the acquisition of 
commercial off-the-shelf (COTS) products to meet civilian 
agency computer security needs. This measure should reduce the 
costs of computer security technologies for federal agencies.
     • Enhances the role of the independent Computer 
System Security and Privacy Advisory Board in NIST's decision-
making process by requiring the Board, which is made up of 
representatives from industry, federal agencies and other 
external organizations, to make formal recommendations 
regarding proposed security standards and provide guidance to 
NIST on emerging computer security issues.
     • Clarifies that NIST standards and guidelines are 
to be used for the acquisition of computer security 
technologies for the Federal Government and are not intended as 
restrictions on the production or use of encryption by the 
private sector.
     • Updates the Computer Security Act by including 
references to computer networking, which has become an 
increasingly important component of the Federal Government 
information technology system.
     • Establishes a new computer science fellowship 
program for graduate and undergraduate students studying 
computer security. The bill sets aside $500,000 for the first 
year and $500,000 for the second year, to enable NIST to 
finance computer security fellowships under an existing NIST 
grant program.
     • Requires the National Research Council (NRC) to 
conduct a study to assess the desirability of public key 
infrastructures. The NRC would also research the technologies 
required for the establishment of such public key 
infrastructures.
     • Requires the Under Secretary of Commerce for 
Technology to actively promote the use of technologies by the 
Federal Government that will enhance the security of federal 
communications networks and information in electronic form; to 
establish a clearinghouse of information available to the 
public on information security threats; and to promote 
development of a market driven consensus standards-based 
infrastructure that will enable more widespread use of 
encryption technologies for confidentiality and authentication.
     • Establishes a National Panel for Digital 
Signatures for the purpose of exploring all relevant factors 
associated with the development of a national digital signature 
infrastructure based on uniform standards and of developing 
model practices and standards associated with certification 
authorities. The Department of Commerce shall appoint the 
National Panel and provide necessary administrative support.

VII. Section-by-Section Analysis (By Title and Section)/Committee Views


Sec. 1. Short title

    Computer Security Enhancement Act of 2000.

Sec. 2. Findings and purposes

    Details the findings and purpose of the bill.

Sec. 3. Voluntary standards for public key management infrastructures

    Section 20 of the NIST Act is amended by authorizing NIST 
to assist (upon request from the private sector) in 
establishing voluntary interoperable standards, guidelines, and 
associated methods and techniques to facilitate and expedite 
the establishment of non-Federal public key management 
infrastructures.
            Committee views
    Historically, NIST has been most effective when helping the 
commercial sector, in a consensus process, to establish 
standards. The Committee supports such efforts, so long as they 
are fully voluntary and reflect a true consensus process.

Sec. 4. Security of Federal computers and networks

    Section 20 of the NIST Act is amended by authorizing NIST 
to:
          (1) provide guidance and assistance to federal 
        agencies in the protection of interconnected computer 
        systems (except for national security systems), 
        including identification of significant risks thereto;
          (2) promote compliance by Federal agencies with 
        existing Federal computer information security and 
        privacy guidelines; and,
          (3) consult with and assist Federal agencies in 
        response to efforts related to unauthorized access to 
        federal computer systems.
            Committee views
    The Committee believes it is important that NIST remain the 
lead agency in securing the information technology 
infrastructure of federal civilian agencies. NIST must place 
greater emphasis on its duties in this area. NIST should 
provide guidance and assistance to federal civilian agencies in 
helping to secure their information technology systems.

Sec. 5. Computer security implementation

    Section 20 of the NIST Act is amended to specify the 
approaches to be taken by NIST in carrying out its existing 
responsibilities for developing standards and guidelines for 
the security and privacy of sensitive information in federal 
computer systems and for assisting federal agencies in meeting 
those standards and guidelines. Specifically, NIST must 
emphasize technology-neutral policy guidelines, must actively 
promote commercially available products for meeting the 
security and privacy requirements of federal agencies and 
provide assistance to agencies in the selection of products; 
and must develop qualitative and quantitative measures for 
assessing the effectiveness of agencies' information security 
and privacy programs, perform evaluations of agencies' security 
and privacy programs, and promote appropriate accreditation 
procedures for agencies' programs. In addition, NIST is 
required to develop uniform procedures for determining the 
effectiveness of commercially available security products; 
establish procedures for certification of private sector 
laboratories to perform evaluations to promote the testing of 
products and make available the results of such tests to 
agencies and to the public.
            Committee views
    The Committee affirms NIST's lead role in setting policy 
guidelines for computer security practices implemented by 
federal civilian agencies. The Committee encourages the greater 
use of commercially available security products by federal 
agencies by directing NIST to promote the use of such products 
whenever feasible and appropriate. In order to identify the 
most effective security products, the Committee tasks NIST to 
establish appropriate evaluation procedures and to establish 
requirements to certify the capability of private sector 
laboratories to conduct such tests.
    The Committee expects NIST to expand its efforts to ensure 
the compliance of federal agencies with the information 
security and privacy guidelines developed by NIST in accordance 
with its statutory responsibilities. The Committee tasks NIST 
to develop metrics to assess the effectiveness of agencies' 
security and privacy programs, to conduct on-site evaluations 
of agencies' programs, and to report to Congress on the results 
of these evaluations.

Sec. 6. Computer security review, public meetings, and information

    Section 20 of the NIST Act is amended by requiring NIST to 
solicit recommendations of the Computer System Security and 
Privacy Advisory Board regarding standards and guidelines that 
are under consideration for submittal to the Secretary of 
Commerce for promulgation as regulations and include such 
recommendations with any subsequent submission to the 
Secretary. Funds are also authorized for the Board ($1,030,000 
for FY 2001 and $1,060,000 for FY 2002) to enable it to act as 
a forum for public discussion on emerging issues related to 
computer security, privacy and cryptography. The Board is 
authorized to convene public meetings and to publish reports 
and other information for public distribution.
            Committee views
    The Committee believes that an open and transparent system 
should be used by NIST in promulgating federal standards. The 
Computer System Security and Privacy Advisory Board (CSSPAB), 
acting as an independent board, is uniquely positioned to make 
recommendations to the Department of Commerce. This Board will 
be charged with submitting its recommendations along with 
NIST's proposals to the Secretary of Commerce for promulgation 
as regulations. The Board is being provided with resources and 
specific direction by the Committee to allow it to operate in 
an independent and autonomous fashion to pursue public policy 
issues that are important for assuring the security and 
integrity of computing and network systems, and the information 
they contain. The Board is authorized to convene public 
meetings and to publish reports and other information for 
public distribution.
    The CSSPAB is to report directly to the Committee on 
Science of the House of Representatives and the Committee on 
Commerce, Science, and Transportation of the Senate. The 
Committee emphasizes that CSSPAB reports do not require prior 
clearance by OMB or the Commerce Department before they are 
transmitted to the Congressional Committees.

Sec. 7. Limitation on participation in requiring encryption standards

    Section 20 of the NIST Act is amended by prohibiting NIST 
from promulgating, enforcing, or otherwise adopting standards, 
or carrying out activities or policies, for the Federal 
establishment of encryption standards required for use in 
computer systems other than Federal Government computer 
systems.
            Committee views
    NIST does not currently promulgate, enforce or otherwise 
adopt standards, or carry out activities or policies, for the 
federal establishment of encryption, or computer security 
standards required for use in computer systems other than 
Federal Government computer systems. It is the Committee's 
intention that NIST not be used for such purposes in the 
future.

Sec. 8. Miscellaneous amendments

    Technical and conforming amendments to Section 20 of the 
NIST Act as well as a language change which reasserts NIST's 
role as the lead agency for handling standards for civilian 
agency computer security.
            Committee views
    The Committee affirms NIST's role as the lead agency for 
handling standards for federal civilian agency computer 
security. The Committee believes that it is imperative that 
this function remain open to public scrutiny. NIST is the 
agency historically charged with setting the standards for 
computer security in the civilian agencies and it is the 
Committee's intention that NIST direct appropriate resources 
and expertise to this area.

Sec. 9. Federal computer system security training

    Section 5(b) of the Computer Security Act of 1987 is 
amended by adding an emphasis on protecting sensitive 
information in Federal databases and Federal computer sites 
that are accessible through public networks.
            Committee views
    The Committee wishes to focus NIST's attention on security 
matters which have come about because of the changes in network 
information technology systems that have taken place since the 
enactment of the Computer Security Act of 1987. The World Wide 
Web is just one example of new developments in network 
technology programs which raise unique security concerns.

Sec. 10. Computer security fellowship program

    Funds are authorized under Section 18 of the NIST Act to 
provide grants for research on computer security to students at 
institutions of higher learning ($500,000 for FY 2001 and 
$500,000 FY 2002).
            Committee views
    The Committee supports efforts to increase the number of 
college and graduate students in the field of computer 
security. NIST can play an important, although limited, role in 
this effort through its section 18 fellowship program.

Sec. 11. Study of public key infrastructure by the National Research 
        Council

    This section authorizes funds ($450,000 for FY 2001 to 
remain available until expended) and sets terms for the 
National Research Council of the National Academy of Sciences 
to conduct a study of public key infrastructures (PKI) for use 
by individuals, businesses, and government.
            Committee views
    The Committee is aware that the Federal Government is 
aggressively promoting the deployment of PKI technology. PKIs 
are not yet commonplace in either the private sector or in 
government because a number of significant challenges must 
still be overcome before the technology can be widely deployed 
and implemented. The NRC study will provide valuable 
information on the costs, vulnerabilities and scalability 
issues of such an infrastructure.

Sec. 12. Promotion of national information security

    Requires the Under Secretary of Commerce for Technology to 
actively promote the use of technologies that will enhance the 
security of communications networks and information in 
electronic form; to establish a clearinghouse of information 
available to the public on information security threats; and to 
promote development of the standards-based infrastructure that 
will enable the more widespread use of encryption technologies 
for confidentiality and authentication.
            Committee views
    Through the requirements of section 12, the Committee 
intends to designate a central government focus for increasing 
public awareness of the need for improving the security of 
communications networks and the information accessed through 
such networks. The Committee notes that one of the central 
findings of the comprehensive 1996 report from the National 
Academy of Sciences, Cryptography's Role in Securing the 
Information Society, is the relative lack of attention paid to 
securing electronic information. Although the technical 
solutions for enhancing information security are available, the 
public has not been energized about the importance of utilizing 
these tools.
    H.R. 2413 encourages greater use of commercially available 
cryptography products for protection of government information, 
which may have the indirect effect of enhancing the general 
availability of such technologies. To further increase public 
awareness of security threats and to accelerate corrective 
action, section 12 of the bill charges the Technology 
Administration in the Commerce Department to actively promote 
greater use of cryptography and associated technologies by the 
private sector. One specific requirement is for the Technology 
Administration to establish a clearinghouse of information for 
the public on information security threats to networked 
computers, including information about procedural and technical 
approaches to guard against such threats.
    The Committee intends that the Technology Administration 
actively promote the development of a national, standards-based 
infrastructure to support the uses of encryption technologies 
for confidentiality and authentication by working closely with 
the private sector and by assisting and supporting the 
development of standards through a private-sector oriented, 
consensus-based process.

Sec. 13. Electronic authentication infrastructure

    Directs NIST to work in consultation with industry to 
develop guidelines for electronic authentication 
infrastructures for use by federal agencies to ensure the 
security of transactions and interoperability with transaction 
partners. NIST will develop and maintain a list of conforming 
commercially available electronic authentication products used 
by federal agencies. NIST will develop criteria/guidelines for 
use by agencies for electronic management systems such as 
maintaining security of databases and validity of certificates. 
Eighteen months after enactment, NIST shall report to Congress 
on how agencies are deploying systems which are in accordance 
with guidelines developed by the agency. Guidelines developed 
by NIST or any Federal agency should be technology neutral.
    Establishes a National Panel for Digital Signatures for the 
purpose of exploring all relevant factors associated with the 
development of a national digital signature infrastructure 
based on uniform standards and of developing model practices 
and standards associated with certification authorities. The 
Technology Administration of the Department of Commerce shall 
appoint the National Panel and provide necessary administrative 
support.
            Committee views
    The Committee finds that digital signature technology is 
essential for the full use of public networks, such as the 
Internet, for commerce and for private communications. While 
P.L. 106-229, the Electronic Signatures in Global and National 
Commerce Act, created the legal framework for the recognition 
and acceptance of electronic signatures, it does not address 
interoperability and other technical issues. Digital signatures 
verify the identity of a business or individual that is 
accessed via a network and assure the integrity of the 
information being exchanged. In order for digital signature 
technology to be deployed, in most cases, a trusted guarantor 
of the public identifier, or public key, of the digital 
signature must exist. This is the role of the certification 
authority.
    The Committee is aware that several States have enacted 
statutes to regulate certification authorities. Unfortunately, 
this has largely been an uncoordinated process resulting in the 
placement of varying requirements on certification authorities. 
In order for a truly national system to develop, which is 
required if use of digital signatures is to become widespread, 
the Committee believes that uniform market driven consensus 
standards must be in place for the practices and procedures of 
the certification authorities. Otherwise, variations in the 
requirements for certification authorities will degrade the 
overall level of reliability and security of digital 
signatures.
    To promote the required uniformity, section 13 of the bill 
establishes a national panel, under the auspices of the 
Technology Administration, to develop private voluntary model 
practices and procedures, promote uniformity among 
jurisdictions that license certification authorities, and 
private voluntary uniform audit standards for certification 
authorities. This national panel, with broadly based 
representation, including users of digital signature 
technology, will provide for the coordination needed to put in 
place the national technical infrastructure that is a 
prerequisite for the widespread use of digital signatures.

Sec. 14. Source of authorizations

    This section authorizes $7 million in FY 2001 and $8 
million in FY 2002 for NIST to carry out activities authorized 
by this Act for which funds are not otherwise specifically 
authorized.
            Committee views
    In addition to the funds authorized in H.R. 2413, H.R. 
2086, the Networking and Information Technology Research and 
Development Act of 1999, which has passed the Science Committee 
and the House of Representatives, also authorizes funding for 
NIST to conduct fundamental computer security research in the 
area of advanced encryption standards and algorithms.

                          VIII. Cost Estimate

    Rule XIII, clause 3(d)(2) of the House of Representatives 
requires each committee report accompanying each bill or joint 
resolution of a public character to contain: (1) an estimate, 
made by such committee, of the costs which would be incurred in 
carrying out such bill or joint resolution in the fiscal year 
in which it is reported, and in each of the five fiscal years 
following such fiscal year (or for the authorized duration of 
any program authorized by such bill or joint resolution, if 
less than five years); (2) a comparison of the estimate of 
costs described in subparagraph (1) of this paragraph made by 
such committee with an estimate of such costs made by any 
Government agency and submitted to such committee; and (3) when 
practicable, a comparison of the total estimated funding level 
for the relevant program (or programs) with the appropriate 
levels under current law. However, House rule XIII, clause 
3(d)(3)(B) provides that this requirement does not apply when a 
cost estimate and comparison prepared by the Director of the 
Congressional Budget Office under section 402 of the 
Congressional Budget Act of 1974 has been timely submitted 
prior to the filing of the report and included in the report 
pursuant to House rule XIII, clause 3(c)(3). A cost estimate 
and comparison prepared by the Director of the Congressional 
Budget Office under section 402 of the Congressional Budget Act 
of 1974 has been timely submitted to the Committee on Science 
prior to the filing of this report and is included in this 
report pursuant to House rule XIII, clause 3(c)(3).
    Rule XIII, clause 3(c)(2) of the House of Representatives 
requires each committee report that accompanies a measure 
providing new budget authority (other than continuing 
appropriations), new spending authority, or new credit 
authority, or changes in revenues or tax expenditures to 
contain a cost estimate, as required by section 308(a)(1) of 
the Congressional Budget Act of 1974 and, when practicable with 
respect to estimates of new budget authority, a comparison of 
the total estimated funding level for the relevant program (or 
programs) to the appropriate levels under current law. H.R. 
2413 does not contain any new budget authority, credit 
authority, or changes in revenues or tax expenditures. Assuming 
that the sums authorized under the bill are appropriated, H.R. 
2413 does authorize additional discretionary spending, as 
described in the Congressional Budget Office report on the 
bill.

             IX. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                   Washington, DC, August 18, 2000.
Hon. F. James Sensenbrenner, Jr.
Chairman, Committee on Science,
House of Representatives, Washington, DC.
    Dear Congressman: The Congressional Budget Office has 
prepared the enclosed estimate for H.R. 2413, the Computer 
Security Enhancement Act of 2000.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contacts are Taman 
Morris and Mark Hadley.
            Sincerely,
                                               Arlene Holen
                                    (For Dan L. Crippen, Director).
     Enclosure.

H.R. 2413--Computer Security Enhancement Act of 2000

    Summary: H.R. 2413 would direct the National Institute of 
Standards and Technology (NIST) to develop policies to improve 
computer security for federal computer systems and would 
authorize the appropriation of funds for this purpose in fiscal 
years 2001 and 2002.
    CBO estimates that implementing the bill would cost $19 
million over the 2001-2003 period, assuming appropriation of 
the authorized amounts. H.R. 2413 would not affect direct 
spending or receipts; therefore, pay-as-you-go procedures would 
not apply. The bill contains no intergovernmental or private-
sector mandates as defined in the Unfunded Mandates Reform Act 
(UMRA).
    Estimated cost to the Federal Government: The estimated 
budgetary impact of H.R. 2413 is shown in the following table. 
For this estimate, CBO assumes that H.R. 2413 would be enacted 
near the start of fiscal year 2001 and that the amounts 
authorized will be appropriated each year. Outlays have been 
projected on the basis of historical spending patterns for NIST 
and information provided by the agency. The cost of this 
legislation would fall within budget function 370 (commerce and 
housing credit).

----------------------------------------------------------------------------------------------------------------
                                                                       By fiscal year, in millions of dollars--
                                                                    --------------------------------------------
                                                                       2001     2002     2003     2004     2005
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION

Authorization level................................................        9       10        0        0        0
Estimated outlays..................................................        7       10        2        0        0
----------------------------------------------------------------------------------------------------------------

    Pay-as-you-go considerations: None.
    Intergovernmental and private-sector impact: H.R. 2413 
contains no intergovernmental or private-sector mandates as 
defined in UMRA. Any costs incurred by states to participate in 
the National Policy Panel for Digital Signatures are unlikely 
to be significant.
    Estimate prepared by: Federal costs: Taman Morris and Mark 
Hadley; impact on State, local, and tribal governments: 
Victoria Heid Hall; impact on the private sector: Lauren Marks.
    Estimate approved by: Peter H. Fontaine, Deputy Assistant 
Director for Budget Analysis.

                  X. Compliance With Public Law 104-4

    H.R. 2413 contains no unfunded mandates.

          XI. Committee Oversight Findings and Recommendations

    Rule XIII, clause 3(c)(1) of the House of Representatives 
requires each committee report to include oversight findings 
and recommendations required pursuant to clause 2(b)(1) of rule 
X. The Committee on Science's oversight findings and 
recommendations are reflected in the body of this report.

    XII. Oversight Findings and Recommendations by the Committee on 
                           Government Reform

    Rule XIII, clause 3(c)(4) of the House of Representatives 
requires each committee report to contain a summary of the 
oversight findings and recommendations made by the House 
Government Reform Committee pursuant to clause 4(c)(2) of rule 
X, whenever such findings and recommendations have been 
submitted to the Committee in a timely fashion. The Committee 
on Science has received no such findings or recommendations 
from the Committee on Government Reform.

                XIII. Constitutional Authority Statement

    Rule XIII, clause 3(d)(1) of the House of Representatives 
requires each report of a committee on a bill or joint 
resolution of a public character to include a statement citing 
the specific powers granted to the Congress in the Constitution 
to enact the law proposed by the bill or joint resolution. 
Article I, section 8 of the Constitution of the United States 
grants Congress the authority to enact H.R. 2413.

               XIV. Federal Advisory Committee Statement

    H.R. 2413 does not establish or authorize the 
establishment of any advisory committee.

                  XV. Congressional Accountability Act

    The Committee finds that H.R. 2413 does not relate to the 
terms and conditions of employment or access to public services 
or accommodations within the meaning of section 102(b)(3) of 
the Congressional Accountability Act (Public Law 104-1).

      XVI. Statement on Preemption of State, Local, or Tribal Law

    The bill is not intended to preempt any state, local, or 
tribal law.

      XVII. Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, existing law in which no change is 
proposed is shown in roman):

  SECTION 20 OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT

  Sec. 20. (a) * * *
  (b) In fulfilling subsection (a) of this section, the 
Institute is authorized--
          (1) to assist the private sector, upon request, in 
        using and applying the results of the programs and 
        activities under this section;
          (2) upon request from the private sector, to assist 
        in establishing voluntary interoperable standards, 
        guidelines, and associated methods and techniques to 
        facilitate and expedite the establishment of non-
        Federal management infrastructures for public keys that 
        can be used to communicate with and conduct 
        transactions with the Federal Government;
          [(2)] (3) as requested, to provide to operators of 
        Federal computer systems technical assistance in 
        implementing the standards and guidelines promulgated 
        pursuant to section 5131 of the Clinger-Cohen Act of 
        1996 (40 U.S.C. 1441);
          [(3)] (4) to assist, as appropriate, the Office of 
        Personnel Management in developing regulations 
        pertaining to training, as required by section 5 of the 
        Computer Security Act of 1987;
          (5) except for national security systems, as defined 
        in section 5142 of Public Law 104-106 (40 U.S.C. 1452), 
        to provide guidance and assistance to Federal agencies 
        for protecting the security and privacy of sensitive 
        information in interconnected Federal computer systems, 
        including identification of significant risks thereto;
          (6) to promote compliance by Federal agencies with 
        existing Federal computer information security and 
        privacy guidelines;
          (7) in consultation with appropriate Federal 
        agencies, assist Federal response efforts related to 
        unauthorized access to Federal computer systems;
          [(4)] (8) to perform research and to conduct studies, 
        as needed, to determine the nature and extent of the 
        vulnerabilities of, and to devise techniques for the 
        cost-effective security and privacy of sensitive 
        information in Federal computer systems; and
          [(5)] (9) to coordinate closely with other agencies 
        and offices (including, but not limited to, the 
        Departments of Defense and Energy, the National 
        Security Agency, the General Accounting Office, the 
        Office of Technology Assessment, and the Office of 
        Management and Budget) to the extent that such 
        coordination will improve computer security and to the 
        extent necessary for improving such security for 
        Federal computer systems--
                  (A) * * *

           *       *       *       *       *       *       *

  (c)(1) In carrying out subsection (a)(2) and (3), the 
Institute shall--
          (A) emphasize the development of technology-neutral 
        policy guidelines for computer security practices by 
        the Federal agencies;
          (B) promote the use of commercially available 
        products, which appear on the list required by 
        paragraph (2), to provide for the security and privacy 
        of sensitive information in Federal computer systems;
          (C) develop qualitative and quantitative measures 
        appropriate for assessing the quality and effectiveness 
        of information security and privacy programs at Federal 
        agencies;
          (D) perform evaluations and tests at Federal agencies 
        to assess existing information security and privacy 
        programs;
          (E) promote development of accreditation procedures 
        for Federal agencies based on the measures developed 
        under subparagraph (C);
          (F) if requested, consult with and provide assistance 
        to Federal agencies regarding the selection by agencies 
        of security technologies and products and the 
        implementation of security practices; and
          (G)(i) develop uniform testing procedures suitable 
        for determining the conformance of commercially 
        available security products to the guidelines and 
        standards developed under subsection (a)(2) and (3);
          (ii) establish procedures for certification of 
        private sector laboratories to perform the tests and 
        evaluations of commercially available security products 
        developed in accordance with clause (i); and
          (iii) promote the testing of commercially available 
        security products for their conformance with guidelines 
        and standards developed under subsection (a)(2) and 
        (3).
  (2) The Institute shall maintain and make available to 
Federal agencies and to the public a list of commercially 
available security products that have been tested by private 
sector laboratories certified in accordance with procedures 
established under paragraph (1)(G)(ii), and that have been 
found to be in conformance with the guidelines and standards 
developed under subsection (a)(2) and (3).
  (3) The Institute shall annually transmit to the Congress, in 
an unclassified format, a report containing--
          (A) the findings of the evaluations and tests of 
        Federal computer systems conducted under this section 
        during the 12 months preceding the date of the report, 
        including the frequency of the use of commercially 
        available security products included on the list 
        required by paragraph (2);
          (B) the planned evaluations and tests under this 
        section for the 12 months following the date of the 
        report; and
          (C) any recommendations by the Institute to Federal 
        agencies resulting from the findings described in 
        subparagraph (A), and the response by the agencies to 
        those recommendations.
  (d)(1) The Institute shall solicit the recommendations of the 
Computer System Security and Privacy Advisory Board, 
established by section 21, regarding standards and guidelines 
that are being considered for submittal to the Secretary in 
accordance with subsection (a)(4). The recommendations of the 
Board shall accompany standards and guidelines submitted to the 
Secretary.
  (2) There are authorized to be appropriated to the Secretary 
$1,030,000 for fiscal year 2001 and $1,060,000 for fiscal year 
2002 to enable the Computer System Security and Privacy 
Advisory Board, established by section 21, to identify emerging 
issues related to computer security, privacy, and cryptography 
and to convene public meetings on those subjects, receive 
presentations, and publish reports, digests, and summaries for 
public distribution on those subjects.
  [(c)] (e) For the purposes of--
          (1) developing standards and guidelines for the 
        protection of sensitive information in Federal computer 
        systems under subsections (a)(1) and (a)(3), and
          (2) performing research and conducting studies under 
        subsection [(b)(5)] (b)(8),
the Institute [shall] may draw upon computer system technical 
security guidelines developed by the National Security Agency 
to the extent that the Institute determines that such 
guidelines are consistent with the requirements for protecting 
sensitive information in Federal computer systems.
  [(d)] (f) As used in this section--
          (1) the term ``computer system''--
                  (A) means any equipment or interconnected 
                system or subsystems of equipment that is used 
                in the automatic acquisition, storage, 
                manipulation, management, movement, control, 
                display, switching, interchange, transmission, 
                or reception, of data or information; and
                  (B) includes--
                          (i) computers and computer networks;
                          (ii) ancillary equipment;
                          (iii) software, firmware, and similar 
                        procedures;
                          (iv) services, including support 
                        services; and
                          (v) related resources;

           *       *       *       *       *       *       *

  (g) The Institute shall not promulgate, enforce, or otherwise 
adopt standards, or carry out activities or policies, for the 
Federal establishment of encryption standards required for use 
in computer systems other than Federal Government computer 
systems.
                              ----------                              


             SECTION 5 OF THE COMPUTER SECURITY ACT OF 1987

SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

  (a) * * *
  (b) Training Objectives.--Training under this section shall 
be started within 60 days after the issuance of the regulations 
described in subsection (c). Such training shall be designed--
          (1) to enhance employees' awareness of the threats to 
        and vulnerability of computer systems; [and]
          (2) to encourage the use of improved computer 
        security practices[.]; and
          (3) to include emphasis on protecting sensitive 
        information in Federal databases and Federal computer 
        sites that are accessible through public networks.

           *       *       *       *       *       *       *


                    XVIII. Committee Recommendations

    On July 26, 2000, a quorum being present, the Committee on 
Science favorably reported H.R. 2413, the Computer Security 
Enhancement Act of 2000, by a voice vote and recommends its 
enactment.

              XIX. Proceedings of the Subcommittee Markup




   MARKUP ON H.R. 2413, THE COMPUTER SECURITY ENHANCEMENT ACT OF 1999

                              ----------                              


                      WEDNESDAY, OCTOBER 20, 1999

                  House of Representatives,
                              Committee on Science,
                                Subcommittee on Technology,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:37 a.m. in 
room 2318, Rayburn House Office Building, Hon. Constance A. 
Morella (chairwoman of the subcommittee) presiding.
    Chairwoman Morella. I am going to convene the Technology 
Subcommittee of the Science Committee. Good morning. Pursuant 
to notice, the Subcommittee on Technology is meeting today. We 
are going to consider H.R. 2413, a bill to amend the National 
Institute of Standards and Technology Act, to enhance the 
ability of the National Institute of Standards and Technology 
to improve computer security.
    I ask unanimous consent for the authority to recess at any 
point. Hearing no objection, so ordered.
    Today we have one item of business to bring before the 
Subcommittee; that is, the bill H.R. 2413, a bill to enhance 
the ability of the National Institute of Standards and 
Technology to improve computer security.
    Computer security, as we all know, is an issue that is a 
priority not just with the Technology Subcommittee, but also with 
the Science Committee. In just this year, the Subcommittee has 
held three hearings on this important issue, which has the 
potential to disrupt public and private sector businesses, as 
well as to undermine the American people's confidence and trust 
in our rapidly developing information technology systems.
    In April, this Subcommittee met to explore the impact of 
the Melissa computer virus and other evolving threats to 
computer and information security. In June, in the face of 
several well-publicized cyberattacks, we met to review the 
security of federal agency websites. And last month, we met to 
review the provisions of H.R. 2413, the legislation that we are 
marking up today.
    In our hearings we repeatedly heard that federal agencies 
are not doing enough to protect their critical information 
systems from attacks and corruption. The Federal Government is 
not alone in its need to secure electronic information; the 
corruption of electronic data threatens every sector of our 
economy.
    H.R. 2413 was introduced in July by myself, Chairman 
Sensenbrenner of Wisconsin, and Congressman Gordon of 
Tennessee. It strengthens the National Institute of Standards 
and Technology's historic role in computer security, which was 
established by the Computer Security Act of 1987.
    What the bill does is update the decade-old act, while 
giving NIST the tools it needs to ensure that appropriate 
attention and effort is concentrated on securing our federal 
information technology infrastructure.
    I don't think it is necessary to go through each of the 
details of the bill. I will, if unanimously approved, just 
simply submit it all for the record. Hearing no objection, so 
ordered.
    [A copy of H.R. 2413 follows:]
    
    
    Chairwoman Morella. It is a very important bill, as we all 
know. Last Congress, both the House of Representatives and the 
Senate Commerce Committee passed this same legislation without 
opposition or amendment, and unfortunately the bill didn't 
clear the Senate before the end of the 105th Congress.
    While no single piece of legislation can fully protect our 
federal civilian computer systems or overcome all barriers to 
the creation of an interoperable electronic signature 
infrastructure, I think that H.R. 2413 is an important step in 
the right direction, so I urge all members to support its swift 
passage today, to move the bill on to the full Science 
Committee.
    I am now pleased to recognize Mr. Barcia, the distinguished 
ranking member of the Subcommittee, for any opening statement 
he may have.
    Mr. Barcia. Thank you very much, Chairwoman Morella. I will 
be very brief in my remarks on H.R. 2413.
    When the Subcommittee held a hearing on this bill on 
September 30th, I raised my concerns about the lack of a strong 
focal point to advise agencies on improving computer security 
practices and ensuring that such practices are implemented. 
H.R. 2413 strengthens the role of NIST in providing federal 
agencies with these services. The provisions of H.R. 2413 are 
entirely consistent with recommendations made by NIST's Private 
Sector Advisory Board and the witnesses at our recent hearing.
    In addition, the inclusion of Mr. Gordon's provisions on 
electronic authentication technologies improves the security of 
federal agencies' electronic transactions. More importantly, 
these provisions provide a framework that will enable federal 
agencies to begin to effectively implement the Government 
Paperwork Elimination Act, which requires them to begin using 
electronic authentication technologies.
    I would also request that Chairwoman Morella continue to 
work with us to clarify Section 7 of this bill. This language 
is unduly broad and could be interpreted to prevent NIST from 
working with industry to develop test beds and guidelines 
related to electronic commerce and computer security. For 
example, the language as drafted could be interpreted to 
prevent NIST from developing the follow-on to the Digital 
Encryption Standard, or DES. The current Digital Encryption 
Standard is widely used in industry, and NIST's work in this 
area has strong industry support.
    No one on this Committee supports the concept of federal 
standards that industry must follow, and neither does NIST. 
Although the concept behind this section is well-intentioned, 
as drafted it would limit NIST's activities to support 
industry's development of electronic commerce and computer 
security. H.R. 2413 would strengthen the overall security of 
federal computer systems and their electronic transactions.
    This bill establishes a blueprint for the Federal 
Government to become a model for good computer security 
practices. I fully support this legislation and urge my 
colleagues to support this well-crafted bill.
    I want to thank you, Chairwoman Morella, and with your 
indulgence I would like to yield the balance of my time to the 
distinguished Member from Tennessee, who has invested a great 
deal of his time and energy into crafting this legislation and 
enhancing and improving the language in it, Representative Bart 
Gordon of Tennessee.
    Chairwoman Morella. The distinguished Member from Tennessee 
is recognized.
    Mr. Gordon. Thank you, Mr. Barcia, for the good job you 
have done, and Chairwoman Morella, on this bill, and thank you 
for yielding to me. I also want to thank the staff for all the 
work they have put into this bill.
    I know most of you are sitting on the edge of your seats, 
waiting for this electronic authentication technology bill to 
pass. But for the ones of you who may not have been following 
it, let me give you a quick update.
    Some years ago we passed the Government Paperwork 
Elimination Act. That is going to allow us to reduce a lot of 
paperwork within the government so that agencies can 
communicate with each other, up and down and across, 
electronically. However, we neglected to set any kind of--I 
hate to use the word ``standards''--but ability for them to do 
so in a way that there is continuity. It doesn't help if the 
Department of Agriculture at different levels has different 
types of authentication so that they can't communicate with 
each other. And so what this will do, it would allow NIST to 
set up a framework, just simply guidelines, so that the 
agencies will know that particular types of--hopefully--
software, off the shelf, will allow them to communicate with 
their own agencies as well as others, and also allow them to 
set up an appropriate level of security. Obviously, routine 
work takes less security needs than other things.
    So I think it will help us to really, truly eliminate 
paperwork and allow some continuity, and I thank you for 
working with me on this provision.
    Chairwoman Morella. I thank you, Mr. Gordon, for your 
contribution to this bill.
    [The statement of Hon. Debbie Stabenow follows:]
    
    
    I don't think anyone else has any opening statements, so we 
will move as quickly as possible.
    As we now consider H.R. 2413, I ask unanimous consent that 
the bill be considered as read and open to amendment at any 
point, and I ask members to proceed with the amendments in the 
order on the roster. And therefore, in our desire to move 
ahead, I am going to offer an amendment, a Manager's Amendment, 
a bipartisan Manager's Amendment, crafted in careful 
consideration with the Ranking Member Barcia.
    The Clerk will report the amendment.
    The Clerk. Amendment to H.R. 2413, offered by Mrs. Morella 
and Mr. Barcia----
    Chairwoman Morella. I ask unanimous consent to dispense 
with the reading.
    I recognize myself for five minutes, but I will take less 
time than that to explain the amendment.
    In cooperation with the Ranking Member Barcia, I am pleased 
to offer the bipartisan amendment that has been crafted to 
improve the bill. According to the General Accounting Office 
and other computer security experts, there is a dire need for 
agencies to realize their computer security vulnerabilities and 
to take immediate action to address them.
    The amendment tasks NIST to utilize their computer security 
expertise to assess existing information security programs of 
federal agencies, and then to make recommendations to improve 
their security. What NIST would do is report to Congress 
annually on the information security status of our federal 
agencies. We found this to be very, very important.
    NIST would also document the process and progress of 
agencies in implementing recorded and recommended security 
improvements.
    [The amendment offered by Mrs. Morella and Mr. Barcia 
follows:]


    Chairwoman Morella. The rest of my statement I am going to 
submit for the record, but frankly, it enhances the role of 
NIST in protecting the information security of federal 
agencies.
    [The statement of Mrs. Morella follows:]
    
    
    Chairwoman Morella. It doesn't shift any responsibility 
away from the agencies, but will also allow for some oversight.
    Finally, the amendment makes certain changes to Section 6 
of the bill, as recommended by the Computer Systems Security 
and Privacy Advisory Board and NIST. I urge all members to 
support this bipartisan amendment.
    At this point I want to recognize the Ranking Member of the 
Subcommittee, Mr. Barcia, to speak on behalf of the amendment.
    Before we do that, I want to note the presence of a 
recording quorum.
    Mr. Barcia.
    Mr. Barcia. I want to thank Chairwoman Morella for her 
thorough but concise explanation of the en bloc amendment. I, 
too, have a more lengthy statement to make in support of the en 
bloc amendment, and I certainly would urge my colleagues to 
support the amendment.
    I would just like to, on the record, though, however, say 
that I do have one small reservation. This amendment increases 
NIST's responsibilities to assist agencies in protecting their 
information systems without providing any additional funding to 
carry out these additional responsibilities. Discussions with 
the General Accounting Office indicate that security checks of 
civilian agencies' information systems would cost around $4.8 
million per year. If this Committee is serious about 
strengthening this role in this area, we must provide the 
resources to enable them to carry out the responsibilities. The 
issue of inadequate resources has been the major concern of 
NIST's Advisory Board from its beginning.
    I would hope that Chairwoman Morella would work with us in 
a bipartisan way, as she has in the past, to help resolve this 
issue before we proceed to the full Committee level.
    With those brief remarks, I want to say I fully support the 
en bloc amendment, and in the interest of time will not touch 
on the strong recommendations I have in terms of the other 
language that has been worked out. I just wanted to go on the 
record with that one reservation I have about the resources 
being there to carry out the responsibilities we're assigning.
    [The statement of Mr. Barcia follows:]
    
    
    Chairwoman Morella. Thank you, Mr. Barcia. I think 
everybody knows that NIST is located in my District, and I, 
along with this Committee, have been a strong advocate for it. 
As H.R. 2413 moves forward to the full Science Committee for 
consideration, I intend to work with our Ranking Member and 
with Chairman Sensenbrenner to identify additional funding for 
NIST to carry out the important responsibilities required under 
the bill. I think it is a very important point that you bring 
up.
    I wonder if there is any discussion on the amendment?
    [No response.]
    Chairwoman Morella. If no, the vote occurs on the 
amendment. All in favor, say aye.
    [Chorus of ayes.]
    Chairwoman Morella. Opposed, no.
    [No response.]
    Chairwoman Morella. The yeas have it. The amendment is 
agreed to.
    Any further amendments?
    [No response.]
    Chairwoman Morella. Hearing none, the question is on the 
bill, H.R. 2413, as amended. All those in favor will say aye.
    [Chorus of ayes.]
    Chairwoman Morella. All those opposed will say no.
    [No response.]
    Chairwoman Morella. In the opinion of the Chair the ayes 
have it.
    Mr. Barcia.
    Mr. Barcia. Yes, Madam Chairwoman. I move that the 
Subcommittee favorably report H.R. 2413, as amended, to the 
full Committee, and that the Chairwoman take all such necessary 
steps to bring the bill before the full Committee for 
consideration.
    Further, I ask unanimous consent that the staff be 
instructed to make all necessary technical and conforming 
changes to the bill.
    Chairwoman Morella. The Subcommittee has heard the motion. 
Those in favor will say aye.
    [Chorus of ayes.]
    Chairwoman Morella. Those opposed, no.
    [No response.]
    Chairwoman Morella. The ayes have it. The motion is agreed 
to. Without objection, the motion to reconsider is laid upon 
the table.
    I move that members have two subsequent calendar days in 
which to submit supplemental, minority, or additional views on 
the measure. Without objection, the motion is adopted.
    Mr. Barcia had raised section 7. It was pointed out to me 
that--I wanted to just have the record show that section 7 is 
necessary because there is a great deal of concern by the 
private sector that the Federal Government is interested in 
setting standards that would be forced upon the private sector. 
And it wasn't long ago when NIST and the National Security 
Agency were involved in the Federal Government's so-called 
``Clipper Chip'' initiative, and in that case the Federal 
Government attempted to set a standard in a manner that gave 
them the keys to otherwise private information.
    So I am going to include further response to your question 
of section 7 for the record.
    [Information to be supplied follows:]
    
    
    Chairwoman Morella. That being the case, the bill is 
approved by this Subcommittee in a very expeditious and wise 
fashion, and it will be reported to the full Committee, and 
staff have the authority to do what has to be done to bring it 
to the full Committee for its deliberate and expeditious 
passage.
    I thank the Subcommittee. You have been just great. There 
is now a vote on the Journal, and the Subcommittee is now 
adjourned.
    [Whereupon, at 10:51 a.m., the Subcommittee was adjourned, 
to reconvene at the call of the Chair.]

              XX. Proceedings of the Full Committee Markup




                            BUSINESS MEETING

                              ----------                              


                        WEDNESDAY, JULY 26, 2000

                          House of Representatives,
                                      Committee on Science,
                                                    Washington, DC.
    The committee met, pursuant to call, at 2:04 p.m. in room 
2318, Rayburn House Office Building, Hon. F. James 
Sensenbrenner, Jr. (chairman of the committee) presiding.
    Chairman Sensenbrenner. We will now go back to H.R. 2413, 
the Computer Security Enhancement Act of 1999, as amended by 
the Subcommittee on Technology.
    This bill has been introduced by myself, Mr. Gordon, Mrs. 
Morella, and Mr. Kuykendall. The legislation strengthens the 
National Institute of Standards and Technology's historical 
role in computer security that was established by the Computer 
Security Act of 1987, Public Law 100-235, and updates the act 
to give NIST the tools it needs to ensure that appropriate 
attention and effort is concentrated on securing our Federal 
information technology infrastructure.
    Let me point out that this bill is not a knee-jerk reaction 
to recent well-publicized computer security problems. In the 
last Congress, this bill passed the House and was cleared by a 
Senate Committee without opposition or amendment but was unable 
to reach the Senate Floor before the 105th Congress adjourned. 
Improving the information security of Federal civilian agencies 
has been an oversight priority of the Science Committee and I 
am now pleased that H.R. 2413 will play an important role in 
this effort.
    [A copy of the bill H.R. 2413 follows:]
    
    
    Chairman Sensenbrenner. I will now recognize the gentleman 
from Texas, Mr. Hall, for his opening statement on this bill. 
The gentleman is recognized for five minutes.
    Mr. Hall. Thank you, Mr. Chairman. Before I yield to Mr. 
Gordon, I would like to compliment him, Mrs. Morella, and 
others for their very hard work on the question of computer 
security. This has been a very important topic for the 
Committee for about 15 years, and dating back to when this 
Committee worked with Congressman Jack Brooks to enact the 
first computer security law dealing with federally owned 
computers.
    H.R. 2413 brings our computer security efforts into the 
Internet age by working to upgrade security of Federal computer 
systems and networks. Thanks to the ideas of Mr. Gordon and to 
others, it will also permit the Federal Government to advance 
e-commerce and e-government by providing for secure electronic 
authentication technology.
    I plan to support the Morella-Gordon amendment in the 
nature of a substitute and I urge my colleagues to do so.
    I yield the balance of my time to Congressman Bart Gordon. 
And before Mr. Gordon reports, I will yield to Mr. Barcia.
    [The prepared statement of Mr. Hall follows:]

                    Statement of Hon. Ralph M. Hall

    Mr. Chairman, before I yield to Mr. Barcia, the Technology 
Subcommittee Ranking Member, I would like to compliment him, 
Mrs. Morella, and Mr. Gordon for their hard work on the 
question of computer security. This has been an important topic 
for the Committee for 15 years or more, dating to when this 
Committee worked with Congressman Jack Brooks to enact the 
first computer security law dealing with Federally-owned 
computers.
    H.R. 2413 brings our computer security efforts into the 
Internet age by working to upgrade security of Federal computer 
systems and networks. Thanks to the ideas of Mr. Gordon, it 
also will permit the Federal government to advance e-Commerce 
and e-Government by providing for secure electronic 
authentication technologies.
    I plan to support the Morella-Gordon amendment in the 
nature of a substitute and urge my colleagues to do so as well.
    I yield the balance of my time to Congressman Barcia.

    Mr. Barcia. Thank you very much, Ranking Member Hall.
    Mr. Chairman, I will be very brief. H.R. 2413, the Computer 
Security Enhancement Act, represents more than four years of 
effort by the Technology Subcommittee. During the past two 
years, the Subcommittee has examined the impact of computer 
viruses and the lack of good computer security practices at 
Federal agencies. H.R. 2413 strengthens the role of NIST in 
providing Federal agencies with needed advice on good security 
practices.
    The provisions of H.R. 2413 are entirely consistent with 
recommendations made by NIST's private sector advisory board 
and the witnesses who testified at our hearings. The inclusion 
of Mr. Gordon's provisions on electronic authentication 
technologies also serves to improve the security of Federal 
agencies' electronic transactions. In addition, the provisions 
provide a framework to enable Federal agencies to effectively 
implement the Government Paperwork Elimination Act, which 
requires agencies to begin using electronic authentication 
technologies.
    H.R. 2413 will strengthen the overall security of Federal 
computer systems and their electronic transactions. This bill 
establishes a blueprint for the Federal Government to become a 
model for good computer security and authentication practices. 
The Technology Subcommittee reported this bill with unanimous 
support.
    I also want to say that I support the amendment in the 
nature of a substitute to be offered by Representatives Gordon 
and Morella, and I would urge all of my colleagues to support 
this bill. And once again I thank the Chair of the Subcommittee 
for all of her diligent work on this issue and the hearings 
that were held as well as Congressman Gordon. And I yield my 
time back.
    Chairman Sensenbrenner. You have got two minutes left.
    Mr. Hall. I yield back my time, sir.
    Chairman Sensenbrenner. Okay. Time is yielded back.
    Without objection, other members may insert opening 
statements at this point in the record.
    The Chair is aware of only one amendment in the nature of a 
substitute by Mrs. Morella and Mr. Gordon. And at this point, 
the Chair recognizes the gentlewoman from Maryland.
    Mrs. Morella. Thank you, Mr. Chairman. And I do have an 
amendment at the desk.
    Chairman Sensenbrenner. The Clerk will report the 
amendment.
    The Clerk. Amendment in the nature of a substitute to H.R. 
2413, offered by Mrs. Morella and Mr. Gordon.
    Mrs. Morella. Mr. Chairman, I move that the amendment be 
considered as read.
    Chairman Sensenbrenner. Without objection. And the 
gentlewoman is recognized for five minutes.
    Mrs. Morella. Thank you. I am pleased to offer this 
bipartisan amendment to improve H.R. 2413. It has been crafted 
in cooperation with Congressman Bart Gordon.
    First of all, Mr. Chairman, I want to thank you and Mr. 
Hall for bringing this bill up. I want to thank Mr. Barcia for 
continuing the legacy that began with Mr. Gordon and myself. 
This bill, as you mentioned, has passed in the previous 
Congress and here it is back again, a new enhanced version 
which we hope will get through the House and through the 
Senate.
    Over the past two years, the Technology Subcommittee, we 
have had a series of computer security hearings, including a 
specific legislative hearing focusing on this bill. As amended, 
H.R. 2413 authorizes $9 million in fiscal year 2001, and $9.5 
million in fiscal year 2002 for the National Institute of 
Standards and Technology. What these funds would do is they 
would allow NIST to promote the use of commercially available 
off-the-shelf security products by Federal agencies, have an 
independent advisory board review NIST's computer security and 
privacy protection efforts and make recommendations, create a 
fellowship program in the field of computer security to address 
IT worker shortages, establish an expert review team to assist 
agencies to identify and fix existing information security 
vulnerabilities.
    Mr. Chairman, while no single piece of legislation can 
fully protect our Federal civilian computer systems, we really 
feel that H.R. 2413 is a necessary step in the right direction. 
It has already been favorably reported by the Technology 
Subcommittee, endorsed by the Information Technology 
Association of America, and I strongly urge all members to 
support this amendment and this important legislation.
    You know, we took care of the Y2K computer glitch but that 
had a terminal period of January 1st and February 29th of this 
year. But computer security goes beyond, and it is 
international in scope, and this legislation is a good step 
toward trying to remediate that terrible problem. And I yield 
back, Mr. Chairman.
    [The statement on the amendment in the nature of a 
substitute offered by Mrs. Morella follows:]

    I am pleased to offer this bipartisan amendment to improve H.R. 
2413 that has been crafted in cooperation with Congressman Bart Gordon.
    Over the past two years, the Technology Subcommittee has held a 
series of computer security hearings, including a specific legislative 
hearing focusing on the bill.
    As amended, H.R. 2413 authorizes $9 million in FY 2001 and $9.5 
million in FY 2002 for the National Institute of Standards and 
Technology.
    The funds would allow NIST to:
          Promote the use of commercially available off-the-shelf 
        security products by federal agencies, an initiative strongly 
        supported by the Information Technology Association of America 
        and others;
          Increase privacy protection by giving an independent advisory 
        board more responsibility and resources to review NIST's 
        computer security efforts and to make recommendations;
          Support the development of a well trained workforce by 
        creating a fellowship program in the field of computer 
        security;
          Study the efforts of the Federal government to develop a 
        secure, interoperable electronic infrastructure; and finally,
          Establish an expert review team to assist agencies to 
        identify and fix existing information security vulnerabilities.
    The General Accounting Office and other computer security experts 
have all recognized the need for H.R. 2413.
    Mr. Chairman, while no single piece of legislation can fully 
protect our federal civilian computer systems, H.R. 2413 is a necessary 
step in the right direction.
    It has already been favorably reported by the Technology 
Subcommittee and I strongly urge all members to support this amendment 
to this important legislation.
    Thank you.
 Committee on Science Full Committee Markup, July 26, 2000--Amendment 
    Roster for H.R. 2413, Computer Security Enhancement Act of 1999
    No. and sponsor, description, results:
    1. Mrs. Morella and Mr. Gordon, amendment to H.R. 2413, adopted by 
a voice vote.
                                 ______
                                 

   Amendment in the Nature of a Substitute H.R. 2413 Offered by Mrs. 
                         Morella and Mr. Gordon

  Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Computer Security Enhancement Act of 
2000''.

SEC. 2. FINDINGS AND PURPOSES.

  (a) Findings.--The Congress finds the following:
          (1) The National Institute of Standards and Technology has 
        responsibility for developing standards and guidelines needed 
        to ensure the cost-effective security and privacy of sensitive 
        information in Federal computer systems.
          (2) The Federal Government has an important role in ensuring 
        the protection of sensitive, but unclassified, information 
        controlled by Federal agencies.
          (3) Technology that is based on the application of 
        cryptography exists and can be readily provided by private 
        sector companies to ensure the confidentiality, authenticity, 
        and integrity of information associated with public and private 
        activities.
          (4) The development and use of encryption technologies by 
        industry should be driven by market forces rather than by 
        Government imposed requirements.
  (b) Purposes.--The purposes of this Act are to--
          (1) reinforce the role of the National Institute of Standards 
        and Technology in ensuring the security of unclassified 
        information in Federal computer systems; and
          (2) promote technology solutions based on private sector 
        offerings to protect the security of Federal computer systems.

SEC. 3. VOLUNTARY STANDARDS FOR PUBLIC KEY MANAGEMENT INFRASTRUCTURE.

  Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)) is amended--
          (1) by redesignating paragraphs (2), (3), (4), and (5) as 
        paragraphs (3), (4), (8), and (9), respectively; and
          (2) by inserting after paragraph (1) the following new 
        paragraph:
          ``(2) upon request from the private sector, to assist in 
        establishing voluntary interoperable standards, guidelines, and 
        associated methods and techniques to facilitate and expedite 
        the establishment of non-Federal management infrastructures for 
        public keys that can be used to communicate with and conduct 
        transactions with the Federal Government;''.

SEC. 4. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.

  Section 20(b) of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3(b)), as amended by section 3 of this Act, is 
further amended by inserting after paragraph (4), as so redesignated by 
section 3(1) of this Act, the following new paragraphs:
          ``(5) except for national security systems, as defined in 
        section 5142 of Public Law 104-106 (40 U.S.C. 1452), to provide 
        guidance and assistance to Federal agencies for protecting the 
        security and privacy of sensitive information in interconnected 
        Federal computer systems, including identification of 
        significant risks thereto;
          ``(6) to promote compliance by Federal agencies with existing 
        Federal computer information security and privacy guidelines;
          ``(7) in consultation with appropriate Federal agencies, 
        assist Federal response efforts related to unauthorized access 
        to Federal computer systems;''.

SEC. 5. COMPUTER SECURITY IMPLEMENTATION.

  Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3) is further amended--
          (1) by redesignating subsections (c) and (d) as subsections 
        (e) and (f), respectively; and
          (2) by inserting after subsection (b) the following new 
        subsection:
  ``(c)(1) In carrying out subsection (a)(2) and (3), the Institute 
shall--
          ``(A) emphasize the development of technology-neutral policy 
        guidelines for computer security practices by the Federal 
        agencies;
          ``(B) promote the use of commercially available products, 
        which appear on the list required by paragraph (2), to provide 
        for the security and privacy of sensitive information in 
        Federal computer systems;
          ``(C) develop qualitative and quantitative measures 
        appropriate for assessing the quality and effectiveness of 
        information security and privacy programs at Federal agencies;
          ``(D) perform evaluations and tests at Federal agencies to 
        assess existing information security and privacy programs;
          ``(E) promote development of accreditation procedures for 
        Federal agencies based on the measures developed under 
        subparagraph (C);
          ``(F) if requested, consult with and provide assistance to 
        Federal agencies regarding the selection by agencies of 
        security technologies and products and the implementation of 
        security practices; and
          ``(G)(i) develop uniform testing procedures suitable for 
        determining the conformance of commercially available security 
        products to the guidelines and standards developed under 
        subsection (a)(2) and (3);
          ``(ii) establish procedures for certification of private 
        sector laboratories to perform the tests and evaluations of 
        commercially available security products developed in 
        accordance with clause (i); and
          ``(iii) promote the testing of commercially available 
        security products for their conformance with guidelines and 
        standards developed under subsection (a)(2) and (3).
  ``(2) The Institute shall maintain and make available to Federal 
agencies and to the public a list of commercially available security 
products that have been tested by private sector laboratories certified 
in accordance with procedures established under paragraph (1)(G)(ii), 
and that have been found to be in conformance with the guidelines and 
standards developed under subsection (a)(2) and (3).
  ``(3) The Institute shall annually transmit to the Congress, in an 
unclassified format, a report containing--
          ``(A) the findings of the evaluations and tests of Federal 
        computer systems conducted under this section during the 12 
        months preceding the date of the report, including the 
        frequency of the use of commercially available security 
        products included on the list required by paragraph (2);
          ``(B) the planned evaluations and tests under this section 
        for the 12 months following the date of the report; and
          ``(C) any recommendations by the Institute to Federal 
        agencies resulting from the findings described in subparagraph 
        (A), and the response by the agencies to those 
        recommendations.''.

SEC. 6. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

  Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3), as amended by this Act, is further amended by 
inserting after subsection (c), as added by section 5 of this Act, the 
following new subsection:
  ``(d)(1) The Institute shall solicit the recommendations of the 
Computer System Security and Privacy Advisory Board, established by 
section 21, regarding standards and guidelines that are being 
considered for submittal to the Secretary in accordance with subsection 
(a)(4). The recommendations of the Board shall accompany standards and 
guidelines submitted to the Secretary.
  ``(2) There are authorized to be appropriated to the Secretary 
$1,030,000 for fiscal year 2001 and $1,060,000 for fiscal year 2002 to 
enable the Computer System Security and Privacy Advisory Board, 
established by section 21, to identify emerging issues related to 
computer security, privacy, and cryptography and to convene public 
meetings on those subjects, receive presentations, and publish reports, 
digests, and summaries for public distribution on those subjects.''.

SEC. 7. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION STANDARDS.

  Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3), as amended by this Act, is further amended by 
adding at the end the following new subsection:
  ``(g) The Institute shall not promulgate, enforce, or otherwise adopt 
standards, or carry out activities or policies, for the Federal 
establishment of encryption standards required for use in computer 
systems other than Federal Government computer systems.''.

SEC. 8. MISCELLANEOUS AMENDMENTS.

  Section 20 of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3), as amended by this Act, is further amended--
          (1) in subsection (b)(8), as so redesignated by section 3(1) 
        of this Act, by inserting ``to the extent that such 
        coordination will improve computer security and to the extent 
        necessary for improving such security for Federal computer 
        systems'' after ``Management and Budget)'';
          (2) in subsection (e), as so redesignated by section 5(1) of 
        this Act, by striking ``shall draw upon'' and inserting in lieu 
        thereof ``may draw upon'';
          (3) in subsection (e)(2), as so redesignated by section 5(1) 
        of this Act, by striking ``(b)(5)'' and inserting in lieu 
        thereof ``(b)(8)''; and
          (4) in subsection (f)(1)(B)(i), as so redesignated by section 
        5(1) of this Act, by inserting ``and computer networks'' after 
        ``computers''.

SEC. 9. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

  Section 5(b) of the Computer Security Act of 1987 (40 U.S.C. 759 
note) is amended--
          (1) by striking ``and'' at the end of paragraph (1);
          (2) by striking the period at the end of paragraph (2) and 
        inserting in lieu thereof ``; and''; and
          (3) by adding at the end the following new paragraph:
          ``(3) to include emphasis on protecting sensitive information 
        in Federal databases and Federal computer sites that are 
        accessible through public networks.''.

SEC. 10. COMPUTER SECURITY FELLOWSHIP PROGRAM.

  There are authorized to be appropriated to the Secretary of Commerce 
$500,000 for fiscal year 2001 and $500,000 for fiscal year 2002 for the 
Director of the National Institute of Standards and Technology for 
fellowships, subject to the provisions of section 18 of the National 
Institute of Standards and Technology Act (15 U.S.C. 278g-1), to 
support students at institutions of higher learning in computer 
security. Amounts authorized by this section shall not be subject to 
the percentage limitation stated in such section 18.

SEC. 11. STUDY OF PUBLIC KEY INFRASTRUCTURE BY THE NATIONAL RESEARCH 
                    COUNCIL.

  (a) Review by National Research Council.--Not later than 90 days 
after the date of the enactment of this Act, the Secretary of Commerce 
shall enter into a contract with the National Research Council of the 
National Academy of Sciences to conduct a study of public key 
infrastructures for use by individuals, businesses, and government.
  (b) Contents.--The study referred to in subsection (a) shall--
          (1) assess technology needed to support public key 
        infrastructures;
          (2) assess current public and private plans for the 
        deployment of public key infrastructures;
          (3) assess interoperability, scalability, and integrity of 
        private and public entities that are elements of public key 
        infrastructures;
          (4) make recommendations for Federal legislation and other 
        Federal actions required to ensure the national feasibility and 
        utility of public key infrastructures; and
          (5) address such other matters as the National Research 
        Council considers relevant to the issues of public key 
        infrastructure.
  (c) Interagency Cooperation With Study.--All agencies of the Federal 
Government shall cooperate fully with the National Research Council in 
its activities in carrying out the study under this section, including 
access by properly cleared individuals to classified information if 
necessary.
  (d) Report.--Not later than 18 months after the date of the enactment 
of this Act, the Secretary of Commerce shall transmit to the Committee 
on Science of the House of Representatives and the Committee on 
Commerce, Science, and Transportation of the Senate a report setting 
forth the findings, conclusions, and recommendations of the National 
Research Council for public policy related to public key 
infrastructures for use by individuals, businesses, and government. 
Such report shall be submitted in unclassified form.
  (e) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Commerce $450,000 for fiscal year 
2001, to remain available until expended, for carrying out this 
section.

SEC. 12. PROMOTION OF NATIONAL INFORMATION SECURITY.

  The Under Secretary of Commerce for Technology shall--
          (1) promote an increased use of security techniques, such as 
        risk assessment, and security tools, such as cryptography, to 
        enhance the protection of the Nation's information 
        infrastructure;
          (2) establish a central repository of information for 
        dissemination to the public to promote awareness of information 
        security vulnerabilities and risks; and
          (3) promote the development of the national, standards-based 
        infrastructure needed to support government, commercial, and 
        private uses of encryption technologies for confidentiality and 
        authentication.

SEC. 13. ELECTRONIC AUTHENTICATION INFRASTRUCTURE.

  (a) Electronic Authentication Infrastructure.--
          (1) Guidelines and standards.--Not later than 18 months after 
        the date of the enactment of this Act, the Director, in 
        consultation with industry and appropriate Federal agencies, 
        shall develop electronic authentication infrastructure 
        guidelines and standards for use by Federal agencies to assist 
        those agencies to effectively select and utilize electronic 
        authentication technologies in a manner that is--
                  (A) adequately secure to meet the needs of those 
                agencies and their transaction partners; and
                  (B) interoperable, to the maximum extent possible.
          (2) Elements.--The guidelines and standards developed under 
        paragraph (1) shall include--
                  (A) protection profiles for cryptographic and 
                noncryptographic methods of authenticating identity for 
                electronic authentication products and services;
                  (B) a core set of interoperability specifications for 
                the Federal acquisition of electronic authentication 
                products and services; and
                  (C) validation criteria to enable Federal agencies to 
                select cryptographic electronic authentication products 
                and services appropriate to their needs.
          (3) Coordination with national policy panel.--The Director 
        shall ensure that the development of guidelines and standards 
        with respect to cryptographic electronic authentication 
        products and services under this subsection is carried out in 
        consultation with the National Policy Panel for Digital 
        Signatures established under subsection (e).
          (4) Revisions.--The Director shall periodically review the 
        guidelines and standards developed under paragraph (1) and 
        revise them as appropriate.
  (b) Listing of Validated Products.--Not later than 30 months after 
the date of the enactment of this Act, and thereafter, the Director 
shall maintain and make available to Federal agencies and to the public 
a list of commercially available electronic authentication products, 
and other such products used by Federal agencies, evaluated as 
conforming with the guidelines and standards developed under subsection 
(a).
  (c) Specifications for Electronic Certification and Management 
Technologies.--
          (1) Specifications.--The Director shall, as appropriate, 
        establish core specifications for particular electronic 
        certification and management technologies, or their components, 
        for use by Federal agencies.
          (2) Evaluation.--The Director shall advise Federal agencies 
        on how to evaluate the conformance with the specifications 
        established under paragraph (1) of electronic certification and 
        management technologies, developed for use by Federal agencies 
        or available for such use.
          (3) Maintenance of list.--The Director shall maintain and 
        make available to Federal agencies a list of electronic 
        certification and management technologies evaluated as 
        conforming to the specifications established under paragraph 
        (1).
  (d) Reports.--Not later than 18 months after the date of the 
enactment of this Act, and annually thereafter, the Director shall 
transmit to the Congress a report that includes--
          (1) a description and analysis of the utilization by Federal 
        agencies of electronic authentication technologies; and
          (2) an evaluation of the extent to which Federal agencies' 
        electronic authentication infrastructures conform to the 
        guidelines and standards developed under subsection (a)(1).
  (e) National Policy Panel for Digital Signatures.--
          (1) Establishment.--Not later than 90 days after the date of 
        the enactment of this Act, the Under Secretary shall establish 
        a National Policy Panel for Digital Signatures. The Panel shall 
        be composed of government, academic, and industry technical and 
        legal experts on the implementation of digital signature 
        technologies, State officials, including officials from States 
        which have enacted laws recognizing the use of digital 
        signatures, and representative individuals from the interested 
        public.
          (2) Responsibilities.--The Panel shall serve as a forum for 
        exploring all relevant factors associated with the development 
        of a national digital signature infrastructure based on uniform 
        guidelines and standards to enable the widespread availability 
        and use of digital signature systems. The Panel shall develop--
                  (A) model practices and procedures for certification 
                authorities to ensure the accuracy, reliability, and 
                security of operations associated with issuing and 
                managing digital certificates;
                  (B) guidelines and standards to ensure consistency 
                among jurisdictions that license certification 
                authorities; and
                  (C) audit procedures for certification authorities.
          (3) Coordination.--The Panel shall coordinate its efforts 
        with those of the Director under subsection (a).
          (4) Administrative support.--The Under Secretary shall 
        provide administrative support to enable the Panel to carry out 
        its responsibilities.
          (5) Report.--Not later than 1 year after the date of the 
        enactment of this Act, the Under Secretary shall transmit to 
        the Congress a report containing the recommendations of the 
        Panel.
  (f) Definitions.--For purposes of this section--
          (1) the term ``certification authorities'' means issuers of 
        digital certificates;
          (2) the term ``digital certificate'' means an electronic 
        document that binds an individual's identity to the 
        individual's key;
          (3) the term ``digital signature'' means a mathematically 
        generated mark utilizing key cryptography techniques that is 
        unique to both the signatory and the information signed;
          (4) the term ``digital signature infrastructure'' means the 
        software, hardware, and personnel resources, and the 
        procedures, required to effectively utilize digital 
        certificates and digital signatures;
          (5) the term ``electronic authentication'' means 
        cryptographic or noncryptographic methods of authenticating 
        identity in an electronic communication;
          (6) the term ``electronic authentication infrastructure'' 
        means the software, hardware, and personnel resources, and the 
        procedures, required to effectively utilize electronic 
        authentication technologies;
          (7) the term ``electronic certification and management 
        technologies'' means computer systems, including associated 
        personnel and procedures, that enable individuals to apply 
        unique digital signatures to electronic information;
          (8) the term ``protection profile'' means a list of security 
        functions and associated assurance levels used to describe a 
        product; and
          (9) the term ``Under Secretary'' means the Under Secretary of 
        Commerce for Technology.

SEC. 14. SOURCE OF AUTHORIZATIONS.

  There are authorized to be appropriated to the Secretary of Commerce 
$7,000,000 for fiscal year 2001 and $8,000,000 for fiscal year 2002, 
for the National Institute of Standards and Technology to carry out 
activities authorized by this Act for which funds are not otherwise 
specifically authorized to be appropriated by this Act.

    Chairman Sensenbrenner. The gentlewoman yields back the 
balance of her time.
    Is there further discussion on the amendment?
    The gentleman from Tennessee.
    Mr. Gordon. Mr. Chairman, I move to strike the last word.
    Chairman Sensenbrenner. The gentleman is recognized for 
five minutes.
    Mr. Gordon. Thank you. First, I want to thank Chair Morella 
for working in such a bipartisan manner on this amendment. 
Primarily, the amendment incorporates comments and 
clarifications that we received from the Administration on the 
electronic authentication provisions in the bill. However, we 
also have strengthened this role in improving security 
practices at Federal agencies as well as advising them on the 
effective deployment of electronic authentication technologies.
    The underlying principle of H.R. 2413 and this amendment is 
that they recognize that government and the private sector 
computer security needs are similar. This amendment ensures 
that the private sector has a strong voice in the development 
of any electronic authentication guidelines for use by Federal 
agencies and that the agencies rely on commercially available 
products and services as much as possible.
    I also want to thank Chairman Sensenbrenner for his 
leadership on this issue and for working closely with me on the 
development of this legislation. We both have been motivated by 
the importance that we place on the Science Committee to act on 
the broad issue of electronic security. Additionally, I want to 
thank Mike Quear for the long and good hours of staff work on 
this issue. This has been a good bill, is a good amendment, and 
it represents sound policy. I urge my colleagues to support 
this amendment.
    [The prepared statement of Mr. Gordon follows:]

                     Statement of Hon. Bart Gordon

    Mr. Chairman, first, I want to thank Chair Morella for 
working in such a bipartisan manner on this amendment.
    Primarily, the amendment incorporates comments and 
clarifications that we received from the Administration on the 
electronic authentication provisions in the bill.
    However, we have also strengthened NIST's role in improving 
computer security practices at federal agencies as well as 
advising them on the effective deployment of electronic 
authentication technologies.
    The underlying principle of H.R. 2413 and this amendment is 
that they recognize that government and private sector computer 
security needs are similar.
    This amendment ensures that the private sector has a strong 
voice in the development of any electronic authentication 
guidelines for use by federal agencies and that agencies rely 
on commercially available products and services as much as 
possible.
    I also want to thank Chairman Sensenbrenner for his 
leadership on this issue and for working closely with me on the 
development of this legislation.
    We have both been motivated by the importance that we place 
on the Science Committee to act on the broad issue of 
electronic security.
    This is a good bill, a good amendment and it represents 
sound policy. I would urge my colleagues to support this 
amendment.

    Chairman Sensenbrenner. Does the gentleman yield back?
    Mr. Gordon. Yes.
    Chairman Sensenbrenner. Further discussion on the 
amendment?
    Ms. Lofgren. Mr. Chairman.
    Chairman Sensenbrenner. The gentlewoman from California.
    Ms. Lofgren. I move to strike the last word.
    Chairman Sensenbrenner. The gentlewoman is recognized for 
five minutes.
    Ms. Lofgren. Mr. Chairman, I would like to thank members on 
both sides of the aisle for working to address some concerns 
that this bill in its original form raised for me. I think that 
this amendment in the nature of a substitute offered by Mr. 
Gordon and Mrs. Morella is a real step in the right direction 
and I am very happy to support it.
    I look forward to continuing to work with members on the 
Committee Report to this bill to clarify that our intentions 
are unanimously benign relative to encryption and key recovery. 
In particular, I hope that the report will emphasize that we 
are in no manner encouraging the promulgation of third party 
encryption key recovery systems into the private sector. In 
addition, I hope it will express that we do not intend, the 
Federal Government, through the force of its purchasing powers, 
one of the world's largest contractors, to impose its 
encryption standards and regulations on the companies with 
which it does business.
    I look forward to working further with my colleagues and I 
greatly appreciate their tremendous and well-guided efforts on 
this bill to this point, and in particular this bipartisan 
amendment. And I yield back.
    [The prepared statement of Ms. Lofgren follows:]

                     Statement of Hon. Zoe Lofgren

    Mr. Chairman, I would like to thank Members on both sides 
of the aisle for working to address some concerns that this 
bill in its original form raised for me. I think that this 
amendment in the nature of a substitute offered by Mr. Gordon 
and Mrs. Morella is a real step in the right direction, and I 
am very happy to support it. I look forward to continuing to 
work with Members on the Committee Report to this bill to 
clarify that our intentions are unanimously benign relative to 
encryption technology.
    In particular, I hope that the Report will emphasize that 
we are in no manner encouraging the promulgation of third-party 
encryption key recovery systems into the private sector. In 
addition, I hope it will express that we do not intend the 
Federal Government, through the force of its purchasing powers 
as one of the world's largest contractors, to impose its 
encryption standards and regulations on companies with which it 
does business. I look forward to working further with my 
colleagues and I greatly appreciate their tremendous and well-
guided efforts on this bill to this point and, in particular, 
this bipartisan amendment.

    Chairman Sensenbrenner. Will the gentlewoman yield?
    Ms. Lofgren. I certainly will, sir.
    Chairman Sensenbrenner. The Chair enthusiastically endorses 
the request of the gentlewoman from California to put the 
language in the Report language so that we can make it quite 
clear that this is a cooperative venture rather than a hammer 
in the hand of the Federal Government.
    Ms. Lofgren. Thank you, Mr. Chairman. I yield back.
    Mrs. Morella. Mr. Chairman.
    Chairman Sensenbrenner. The gentlewoman from Maryland has 
already been recognized on this amendment. Somebody else want 
to move to strike the last word?
    Mr. Etheridge. I move to strike the last word.
    Chairman Sensenbrenner. The gentleman from North Carolina 
is recognized for five minutes.
    Mr. Etheridge. I yield to the lady from Maryland.
    Mrs. Morella. I thank the gentleman for yielding. And I 
really only need probably about 30 seconds simply to indicate 
that I do understand the concerns that the gentlewoman from 
California posed with regard to Section 7. I just want to 
reiterate that it was really intended to be a safeguard to 
reflect the concerns, what she was offering, the concerns of 
the private sector and to reiterate the fact that it is not 
intended to prevent NIST from working with industry to develop 
voluntary--voluntary encryption standards and guidelines. So I 
emphasize on a voluntary basis. I yield back. I thank the 
gentleman from North Carolina.
    Chairman Sensenbrenner. Further discussion on the 
amendment?
    [No response.]
    Chairman Sensenbrenner. Hearing none, all those in favor of 
the amendment in the nature of a substitute by Mrs. Morella and 
Mr. Gordon will signify by saying aye.
    [Chorus of ayes.]
    Chairman Sensenbrenner. Opposed, no.
    [No response.]
    Chairman Sensenbrenner. The ayes have it, and the amendment 
is agreed to.
    Are there further amendments to the bill?
    [No response.]
    Chairman Sensenbrenner. Hearing none, the Chair recognizes 
the gentleman from Michigan for purposes of a motion.
    Mr. Barcia. Thank you, Mr. Chairman. I move that the 
Committee favorably report H.R. 2413, as amended, to the House 
with the recommendation that the bill as amended do pass.
    Furthermore, I move that staff be instructed to prepare the 
legislative report and make necessary technical and conforming 
amendments, and that the Chairman take all necessary steps to 
bring the bill before the House for consideration.
    Chairman Sensenbrenner. You have heard the motion of the 
gentleman from Michigan to report the bill favorably. Is there 
any discussion on the motion?
    [No response.]
    Chairman Sensenbrenner. Hearing none, the Chair notes the 
presence of a reporting quorum. Those in favor will say aye.
    [Chorus of ayes.]
    Chairman Sensenbrenner. Opposed, no.
    [No response.]
    Chairman Sensenbrenner. The ayes appear to have it. The 
ayes have it, and the bill is reported favorably.
    Without objection, members will have two subsequent 
calendar days in which to submit supplemental, minority, 
additional, or dissenting views on the measure.
    Without objection, the bill will be reported in the form of 
a single amendment in the nature of a substitute reflecting 
amendments adopted today.
    And finally, without objection, pursuant to clause 1 of 
Rule 22 of the Rules of the House, the Committee authorizes the 
Chairman to offer such motions as may be necessary in the House 
to go to conference with the Senate on the bill just reported.
    Without objection, these unanimous consents are agreed to.