12 September 1997
See House report on H.R. 1903: http://jya.com/hr105-242.txt
See H.R. 1903 Bill: http://jya.com/hr1903.htm

18 June 1997
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

Committee on Science, June 19, Subcommittee on Technology, hearing on Computer Security Enhancement Act of 1997, 10 a.m., 2318 Rayburn.

-------------------------------------------------------------------------

[Congressional Record: June 17, 1997 (Extensions)]
[Page E1231-E1232]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr17jn97-44]

THE COMPUTER SECURITY ENHANCEMENT ACT OF 1997
______

HON. F. JAMES SENSENBRENNER, JR.
of Wisconsin
in the House of Representatives
Tuesday, June 17, 1997

Mr. SENSENBRENNER. Mr. Speaker, I rise today to introduce H.R. 1903, the Computer Security Enhancement Act of 1997. I would like to thank Technology Subcommittee Chairwoman Constance Morella, and the full committee and subcommittee ranking minority members, Congressmen George Brown and Bart Gordon, for their efforts in crafting a bipartisan bill which should help strengthen computer security throughout the Federal Government.

The lack of adequate security for Federal civilian computer systems is a significant problem. Since June 1993, the General Accounting Office [GAO] has issued over 30 reports detailing serious information security weaknesses at Federal agencies. This year, GAO highlighted computer security as a governmentwide, high-risk issue in its high risk series.

H.R. 1903 is intended to address this problem by strengthening the National Institute of Standards and Technology's [NIST] historic role in computer security. The bill updates the Computer Security Act of 1987 (P.L. 100-235) to give NIST the tools it needs to ensure that appropriate attention and effort is concentrated on securing our Federal information technology infrastructure.

The Computer Security Act gives NIST the lead responsibility for computer security for Federal civilian agencies. The act requires NIST to develop the standards and guidelines needed to ensure cost-effective security and privacy of sensitive information in Federal computer systems.

H.R. 1903 updates the act to take into account the evolution of computer networks and their use by both the Federal Government and the private sector. Further, the bill's authorizations are consistent with authorizations that have already passed the House as part of H.R. 1274, the NIST Authorization Act of 1997. Specifically, the bill:

Reduces the cost and improves the availability of computer security technologies for Federal agencies by requiring NIST to promote the Federal use of off-the-shelf products for meeting civilian agency computer security needs.

Enhances the role of the independent Computer System Security and Privacy Advisory Board in NIST's decisionmaking process. The board, which is made up of representatives from industry, Federal agencies and other outside experts, should assist NIST in its development of standards and guidelines for Federal systems.

Requires NIST to develop standardized tests and procedures to evaluate the strength of foreign encryption products. Through such tests and procedures, NIST, with assistance from the private sector, will be able to judge the relative strength of foreign encryption, thereby defusing some of the concerns associated with the export of domestic encryption products.

Limits NIST's involvement to the development of standards and guidelines for Federal civilian systems. The bill clarifies that NIST standards and guidelines are to be used for the acquisition of security technologies for the Federal Government and are not intended as restrictions on the production or use of encryption by the private sector.

Updates the Computer Security Act to address changes in technology over the last decade. Significant changes in the manner in which information technology is used by the Federal Government have occurred since the enactment of the Computer Security Act. The bill updates the act, taking these changes into account.

Establishes a new computer science fellowship program for graduate and undergraduate students studying computer security. The bill sets aside $250,000 a year, for each of the next two fiscal years, to enable NIST to finance computer security fellowships under an existing NIST grant program.

Requires the National Research Council to conduct a study to assess the desirability of, and the technology required to, support public key infrastructures.

It has been 10 years since Congress passed the Computer Security Act. Over that time, computer technology has changed at a breathtaking rate. The Computer Security Enhancement Act of 1997 will help NIST and the rest of our Federal civilian agencies adapt to those changes.

Mr. Speaker, ensuring that our agencies' computer systems are secure is a priority. H.R. 1903 is an important step toward this goal, and I urge all my colleagues to cosponsor this bipartisan bill.

____________________

-------------------------------------------------------------------------

[Congressional Record: June 17, 1997 (Extensions)]
[Page E1232]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr17jn97-46]

INTRODUCTION OF THE COMPUTER SECURITY ENHANCEMENT ACT OF 1997, H.R. 1903
______

HON. BART GORDON
of Tennessee
in the House of Representatives
Tuesday, June 17, 1997

Mr. GORDON. Mr. Speaker, I am pleased to join Chairman Sensenbrenner, Ranking Member Brown, Chairwoman Morella and other members of the Committee on Science in introducing the Computer Security Act of 1997.

Not a day goes by that we don't see some reference to the Internet and the explosive growth of electronic commerce.
What was originally envisioned as a network for defense communications and university researchers is now an international communications network of which we are just beginning to realize its potential.

Both Office of Technology Assessment and National Research Council reports have identified a major obstacle to the growth of electronic commerce--the lack of the widespread use of encryption products. The bill we are introducing today is the first step to encourage the use of encryption products, both by Federal agencies and the private sector. This in turn will support the growth of electronic commerce.

The Computer Security Enhancement Act of 1997, which amends the Computer Security Act of 1987 (P.L. 100-235), builds on the close collaboration and cooperation between the National Institute of Standards and Technology [NIST] and industry to develop standard reference materials and the standards that are key to the seamless commerce we take for granted today. This legislation highlights the need for NIST to expand its activities in the area of electronic commerce.

Our legislation also strengthens the NIST's role in coordinating Federal agencies' effort to utilize encryption and digital identification products. It encourages Federal agencies to adopt and use commercially available encryption technologies whenever possible.

This legislation allows NIST to evaluate the technical merit of industry claims of the strength of generally available foreign encryption products. Hopefully, this will defuse some of the tension surrounding the issue of export of domestic encryption products.

Not only is this legislation consistent with the recommendations of the Office of Technology Assessment and the National Research Council, it is also in line with a set of resolutions adopted by NIST's Computer System Security and Privacy Advisory Board on June 6, 1997.
Finally, I believe this bill is consistent with the goals of President Clinton's upcoming policy announcement on electronic commerce.

It has been a pleasure working with Chairwoman Morella on crafting this piece of legislation and I look forward to continuing to work with her to move this bill through the legislative process.

____________________

-------------------------------------------------------------------------

[Congressional Record: June 17, 1997 (Extensions)]
[Page E1232]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr17jn97-45]

THE COMPUTER SECURITY ENHANCEMENT ACT OF 1997
______

HON. CONSTANCE A. MORELLA
of Maryland
in the House of Representatives
Tuesday, June 17, 1997

Mrs. MORELLA. Mr. Speaker, I rise today to join Science Committee Chairman Sensenbrenner and ranking committee and subcommittee members Brown and Gordon in introducing H.R. 1903, The Computer Security Enhancement Act of 1997.

H.R. 1903 is designed to improve the security of computer systems throughout the Government. In 1987, Congress passed the Computer Security Act which gave the National Institute of Standards and Technology [NIST] the lead responsibility for developing security standards and technical guidelines for civilian government agency computer systems. H.R. 1903 updates this 10-year-old statute.

The networking revolution of the last decade has improved the ability of Federal agencies to process and transfer data. It has also made that same data more vulnerable to corruption and theft. In February, the General Accounting Office [GAO] highlighted computer security as a government-wide, high-risk issue in its high risk series.

Concurrent with the release of GAO's high risk report, I held the second in a series of briefings on computer security. During the briefing, members of the Science Committee heard from some of the most respected experts in the field of electronic information security.
They all agreed that the Federal Government must do more to secure sensitive electronic data.

The Federal Government is not alone in its need to secure electronic information. The corruption of electronic data threatens every sector of our economy. The market for high-quality computer security products is enormous, and the U.S. software and hardware industries are responding. The Federal Government, through NIST, can harness these market forces to improve computer security within Federal agencies at a fraction of the cost of developing its own hardware and software.

The Computer Security Enhancement Act of 1997 will assist in this process. The bill reduces the cost and improves the availability of computer security technologies for Federal agencies by requiring NIST to promote the use of off-the-shelf products for meeting civilian agency computer security needs.

The bill also enhances the role of the independent Computer System Security and Privacy Advisory Board in NIST's decisionmaking process. The board, which is made up of representatives from industry, federal agencies as well as other outside experts, should assist NIST in its development of standards and guidelines for Federal systems which are compatible with existing private sector technologies.

Further, the bill requires NIST to develop standardized tests and procedures to evaluate the strength of foreign encryption products. Through such tests and procedures, NIST, with assistance from the private sector, will be able to judge the relative strength of foreign encryption, thereby defusing some of the concerns associated with the export of domestic encryption products.

The bill also clarifies that NIST standards and guidelines are to be used for the acquisition of security technologies for the Federal Government and are not intended as restrictions on the production or use of encryption by the private sector.

Additionally, H.R. 1903 addresses the shortage of university students studying computer security.
Of the 5500 Ph.D's in computer science awarded over the last 5 years in Canada and the United States, only 16 were in fields related to computer security. To help address such shortfalls, the bill establishes a new computer science fellowship program for graduate and undergraduate students studying computer security. The bill sets aside $250,000 a year, for each of the next two fiscal years, to enable NIST to finance computer security fellowships under an existing NIST grant program.

The provisions of the Computer Security Enhancement Act should help maintain a strong domestic computer security industry. A strong industry will not only help our economy but also significantly improve the security of Federal computer systems.

Mr. Speaker, H.R. 1903 alone will not solve the Federal Government's computer security problems. It is, however, an important step in the right direction. I commend Chairman Sensenbrenner for crafting a bipartisan bill that should substantially improve computer security for the Federal Government, and I encourage all of my colleagues to join in cosponsoring the Computer Security Enhancement Act of 1997.

____________________

-------------------------------------------------------------------------