(7) State governments are particularly well-suited to play a role in enhancing digital identity solutions used by both the public and private sectors, given the role of State governments as the issuers of driver’s licenses and other identity documents commonly used today.
(8) The public and private sectors should collaborate to deliver solutions that promote confidence, privacy, choice, equity, accessibility, and innovation. The private sector drives much of the innovation around digital identity in the United States and has an important role to play in delivering digital identity solutions.
(9) The bipartisan Commission on Enhancing National Cybersecurity has called for the Federal Government to “create an interagency task force directed to find secure, user-friendly, privacy-centric ways in which agencies can serve as 1 authoritative source to validate identity attributes in the broader identity market. This action would enable Government agencies and the private sector to drive significant risk out of new account openings and other high-risk, high-value online services, and it would help all citizens more easily and securely engage in transactions online.”.
(10) It should be the policy of the Federal Government to use the authorities and capabilities of the Federal Government, in coordination with State, local, Tribal, and territorial partners and private sector innovators, to enhance the security, reliability, privacy, equity, accessibility, and convenience of consent-based digital identity solutions that support and protect transactions between individuals, government entities, and businesses, and that enable people in the United States to prove who they are online.
In this Act:
(1) APPROPRIATE NOTIFICATION ENTITIES.—The term “appropriate notification entities” means—
(A) the President;
(B) the Committee on Homeland Security and Governmental Affairs of the Senate; and
(C) the Committee on Oversight and Reform Accountability of the House of Representatives.
(2) DIGITAL IDENTITY VERIFICATION.—The term “digital identity verification” means a process to verify the identity or an identity attribute of an individual accessing a service online or through another electronic means.
(3) DIRECTOR.—The term “Director” means the Director of the Task Force.
(4) FEDERAL AGENCY.—The term “Federal agency” has the meaning given the term in section 102 of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5122).
(5) IDENTITY ATTRIBUTE.—The term “identity attribute” means a data element associated with the identity of an individual, including, the name, address, or date of birth of an individual.
(6) IDENTITY CREDENTIAL.—The term “identity credential” means a document or other evidence of the identity of an individual issued by a government agency that conveys the identity of the individual, including a driver’s license or passport.
(7) SECRETARY.—The term “Secretary” means the Secretary of Homeland Security.
(8) TASK FORCE.—The term “Task Force” means the Improving Digital Identity Task Force established under section 4(a).
SEC. 4. IMPROVING DIGITAL IDENTITY TASK FORCE.
(a) Establishment.—There is established in the Executive Office of the President a task force to be known as the “Improving Digital Identity Task Force”.
(b) Purpose.—The purpose of the Task Force shall be to establish and coordinate a government-wide effort to develop secure methods for Federal, State, local, Tribal, and territorial agencies to improve access and enhance security between physical and digital identity credentials, particularly by promoting the development of digital versions of existing physical identity credentials, including driver’s licenses, e-Passports, social security credentials, and birth certificates, to—
(1) protect the privacy and security of individuals;
(2) support reliable, interoperable digital identity verification in the public and private sectors; and
(3) in achieving paragraphs (1) and (2), place a particular emphasis on—
(A) reducing identity theft and fraud;
(B) enabling trusted transactions; and
(C) ensuring equitable access to digital identity verification.
(1) IN GENERAL.—The Task Force shall have a Director, who shall be appointed by the President.
(2) POSITION.—The Director shall serve at the pleasure of the President.
(3) PAY AND ALLOWANCES.—The Director shall be compensated at the rate of basic pay prescribed for level II of the Executive Schedule under section 5313 of title 5, United States Code.
(4) QUALIFICATIONS.—The Director shall have substantive technical expertise and managerial acumen that—
(A) is in the business of digital identity management, information security, or benefits administration;
(B) is gained from not less than 1 organization; and
(C) includes specific expertise gained from academia, advocacy organizations, or the private sector.
(5) EXCLUSIVITY.—The Director may not serve in any other capacity within the Federal Government while serving as Director.
(6) TERM.—The term of the Director, including any official acting in the role of the Director, shall terminate on the date described in subsection (k).
(1) FEDERAL GOVERNMENT REPRESENTATIVES.—The Task Force shall include the following individuals or the designees of such individuals:
(A) The Secretary.
(B) The Secretary of the Treasury.
(C) The Director of the National Institute of Standards and Technology.
(D) The Director of the Financial Crimes Enforcement Network.
(E) The Commissioner of Social Security.
(F) The Secretary of State.
(G) The Administrator of General Services.
(H) The Director of the Office of Management and Budget.
(I) The Postmaster General of the United States Postal Service.
(J) The National Cyber Director.
(K) The Attorney General.
(L) The heads of other Federal agencies or offices as the President may designate or invite, as appropriate.
(2) STATE, LOCAL, TRIBAL, AND TERRITORIAL GOVERNMENT REPRESENTATIVES.—The Director shall appoint to the Task Force 6 State, local, Tribal, and or territorial government officials who represent agencies that issue identity credentials and who have—
(A) experience in identity technology and services;
(B) knowledge of the systems used to provide identity credentials; or
(C) any other qualifications or competencies that may help achieve balance or otherwise support the mission of the Task Force.
(A) IN GENERAL.—The Director shall appoint to the Task Force 5 nongovernmental experts.
(B) SPECIFIC APPOINTMENTS.—The experts appointed under subparagraph (A) shall include the following:
(i) A member who is a privacy and civil liberties expert.
(ii) A member who is a technical expert in identity verification.
(iii) A member who is a technical expert in cybersecurity focusing on identity verification services.
(iv) A member who represents the identity verification services industry.
(v) A member who represents a party that relies on effective identity verification services to conduct business.
(e) Working Groups.—The Director shall organize the members of the Task Force into appropriate working groups for the purpose of increasing the efficiency and effectiveness of the Task Force, as appropriate.
(f) Meetings.—The Task Force shall—
(1) convene at the call of the Director; and
(2) provide an opportunity for public comment in accordance with section 1009(a)(3) of title 5, United States Code.
(g) Duties.—In carrying out the purpose described in subsection (b), the Task Force shall—
(1) identify Federal, State, local, Tribal, and territorial agencies that issue identity credentials or hold information relating to identifying an individual;
(2) assess restrictions with respect to the abilities of the agencies described in paragraph (1) to verify identity information for other agencies and nongovernmental organizations;
(3) assess any necessary changes in statutes, regulations, or policy to address any restrictions assessed under paragraph (2);
(4) recommend a strategy, based on existing standards, to enable agencies to provide services relating to digital identity verification in a way that—
(A) is secure, protects privacy, and protects individuals against unfair and misleading practices;
(B) prioritizes equity and accessibility;
(C) requires individual consent for the provision of digital identify verification services by a Federal, State, local, Tribal, or territorial agency;
(D) is interoperable among participating Federal, State, local, Tribal, and territorial agencies, as appropriate and in accordance with applicable laws; and
(E) prioritizes technical standards developed by voluntary consensus standards bodies in accordance with section 12(d) of the National Technology Transfer and Advancement Act of 1995 (15 U.S.C. 272 note) and guidance under OMB Circular A–119, entitled “Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities”, or any successor thereto.;
(5) recommend principles to promote policies for shared identity proofing across public sector agencies, which may include single sign-on or broadly accepted attestations;
(6) identify funding or other resources needed to support the agencies described in paragraph (4) that provide digital identity verification, including recommendations with respect to the need for and the design of a Federal grant program to implement the recommendations of the Task Force and facilitate the development and upgrade of State, local, Tribal, and territorial highly-secure interoperable systems that enable digital identity verification;
(7) recommend funding models to provide digital identity verification to private sector entities, which may include fee-based funding models;
(8) determine if any additional steps are necessary with respect to Federal, State, local, Tribal, and territorial agencies to improve digital identity verification and management processes for the purpose of enhancing the security, reliability, privacy, accessibility, equity, and convenience of digital identity solutions that support and protect transactions between individuals, government entities, and businesses; and
(9) undertake other activities necessary to assess and address other matters relating to digital identity verification, including with respect to—
(A) the potential exploitation of digital identity tools or associated products and services by malign actors;
(B) privacy implications; and
(C) increasing access to foundational identity documents.
(h) Prohibition.—The Task Force may not implicitly or explicitly recommend the creation of—
(1) a single identity credential provided or mandated by the Federal Government for the purposes of verifying identity or associated attributes;
(2) a unilateral central national identification registry relating to digital identity verification; or
(3) a requirement that any individual be forced to use digital identity verification for a given public purpose.
(i) Required Consultation.—The Task Force shall closely consult with leaders of Federal, State, local, Tribal, and territorial governments and nongovernmental leaders, which shall include the following:
(1) The Secretary of Education.
(2) The heads of other Federal agencies and offices determined appropriate by the Director.
(3) State, local, Tribal, and territorial government officials focused on identity, such as information technology officials and directors of State departments of motor vehicles and vital records bureaus.
(4) Digital privacy experts.
(5) Civil liberties experts.
(6) Technology and cybersecurity experts.
(7) Users of identity verification services.
(8) Representatives with relevant expertise from academia and advocacy organizations.
(9) Industry representatives with experience implementing digital identity systems.
(10) Identity theft and fraud prevention experts, including advocates for victims of identity theft and fraud.
(1) INITIAL REPORT.—Not later than 180 days after the date of enactment of this Act, the Director shall submit to the appropriate notification entities a report on the activities of the Task Force, including—
(i) implementing the strategy pursuant to subsection (g)(4); and
(ii) methods to leverage digital driver’s licenses, distributed ledger technology, and other technologies; and
(B) summaries of the input and recommendations of the leaders consulted under subsection (i).
(A) IN GENERAL.—The Director may submit to the appropriate notification entities interim reports the Director determines necessary to support the work of the Task Force and educate the public.
(B) MANDATORY REPORT.—Not later than the date that is 18 months after the date of enactment of this Act, the Director shall submit to the appropriate notification entities an interim report addressing—
(i) the matters described in paragraphs (1), (2), (4), and (6) of subsection (g); and
(ii) any other matters the Director determines necessary to support the work of the Task Force and educate the public.
(3) FINAL REPORT.—Not later than 180 days before the date described in subsection (k), the Director shall submit to the appropriate notification entities a final report that includes recommendations for the President and Congress relating to any relevant matter within the scope of the duties of the Task Force.
(4) PUBLIC AVAILABILITY.—The Task Force shall make the reports required under this subsection publicly available on a centralized website as an open Government data asset (as defined in section 3502 of title 44, United States Code).
(k) Sunset.—The Task Force shall conclude business on the date that is 3 years after the date of enactment of this Act.
SEC. 5. SECURITY ENHANCEMENTS TO FEDERAL SYSTEMS.
(a) Guidance For Federal Agencies.—Not later than 180 days after the date on which the Director submits the report required under section 4(j)(1), the Director of the Office of Management and Budget shall issue guidance to Federal agencies for the purpose of implementing any recommendations included in such report determined appropriate by the Director of the Office of Management and Budget.
(b) Reports On Federal Agency Progress Improving Digital Identity Verification Capabilities.—
(1) ANNUAL REPORT ON GUIDANCE IMPLEMENTATION.—Not later than 1 year after the date of the issuance of guidance under subsection (a), and annually thereafter, the head of each Federal agency shall submit to the Director of the Office of Management and Budget a report on the efforts of the Federal agency to implement that guidance.
(A) IN GENERAL.—Not later than 45 days after the date of the issuance of guidance under subsection (a), and annually thereafter, the Director shall develop and make publicly available a report that includes—
(i) a list of digital identity verification services offered by Federal agencies;
(ii) the volume of digital identity verifications performed by each Federal agency;
(iii) information relating to the effectiveness of digital identity verification services by Federal agencies; and
(iv) recommendations to improve the effectiveness of digital identity verification services by Federal agencies.
(B) CONSULTATION.—In developing the first report required under subparagraph (A), the Director shall consult the Task Force.
(3) CONGRESSIONAL REPORT ON FEDERAL AGENCY DIGITAL IDENTITY CAPABILITIES.—
(A) REFORM.—Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform Accountability of the House of Representatives a report relating to the implementation and effectiveness of the digital identity capabilities of Federal agencies.
(B) CONSULTATION.—In developing the report required under subparagraph (A), the Director of the Office of Management and Budget shall—
(i) consult with the Task Force; and
(ii) to the greatest extent practicable, include in the report recommendations of the Task Force.
(C) CONTENTS OF REPORT.—The report required under subparagraph (A) shall include—
(i) an analysis, including metrics and milestones, for the implementation by Federal agencies of—
(I) the guidelines published by the National Institute of Standards and Technology in the document entitled “Special Publication 800–63” (commonly referred to as the “Digital Identity Guidelines”), or any successor document; and
(II) if feasible, any additional requirements relating to enhancing digital identity capabilities identified in the document of the Office of Management and Budget entitled “M–19–17” and issued on May 21, 2019, or any successor document;
(ii) a review of measures taken to advance the equity, accessibility, cybersecurity, and privacy of digital identity verification services offered by Federal agencies; and
(iii) any other relevant data, information, or plans for Federal agencies to improve the digital identity capabilities of Federal agencies.
(c) Additional Reports.—On the first March 1 occurring after the date described in subsection (b)(3)(A), and annually thereafter, the Director of the Office of Management and Budget, in consultation with the Director of the National Institute of Standards and Technology, shall include in the report required under section 3553(c) of title 44, United States Code—
(1) any additional and ongoing reporting on the matters described in subsection (b)(3)(C); and
(2) associated information collection mechanisms.
(a) In General.—Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall submit to Congress a report on the estimated potential savings, including estimated annual potential savings, due to the increased adoption and widespread use of digital identification, of—
(1) the Federal Government from averted fraud, including benefit fraud; and
(2) the economy of the United States and consumers from averted identity theft.
(b) Contents.—Among other variables the Comptroller General of the United States determines relevant, the report required under subsection (a) shall include multiple scenarios with varying uptake rates to demonstrate a range of possible outcomes.
Calendar No. 129 |
118th CONGRESS 1st SessionS. 884 |
[Report No. 118–57] |
A BILL |
To establish a Government-wide approach to improving digital identity, and for other purposes. |
July 11, 2023 |
Reported with amendments |