House Science hearing TOMORROW on NIST computer security act (fwd)
---------- Forwarded message ----------
Date: Wed, 18 Jun 1997 09:59:27 -0700 (PDT)
From: Declan McCullagh <declan@well.com>
To: fight-censorship@vorlon.mit.edu
Subject: House Science hearing TOMORROW on NIST computer security act

---------- Forwarded message ----------
Date: Fri, 13 Jun 1997 17:11:03 -0400
From: "Farmer, Donna" <Donna.Farmer@mail.house.gov>
To: declan
Subject: Computer Security Enhancement Act of 1997

Subcommittee on Technology
Legislative Hearing on the Computer Security Enhancement Act of 1997
Thursday, June 19th 1997
10:00 AM to 12:00 Noon
2318 Rayburn House Office Building

The Honorable Gary Bachula
Acting Under Secretary for Technology
Technology Administration
Department of Commerce
Washington, DC

Stephen T. Walker
President and CEO
Trusted Information Systems, Inc.
Glenwood, MD

James Bidzos
President & CEO
Redwood City, CA

Whitfield Diffie
Distinguished Engineer
Sun Microsystems
Mountain View, CA

Marc Rotenberg
Director
Electronic Privacy Information Center
Washington, DC

Hearing Purpose:

The Hearing will focus on the provisions of the Computer Security Enhancement Act of 1997. The bill amends the Computer Security Act of 1987 (P.L. 100-235). The Computer Security Act of 1987 gave NIST the lead responsibility for computer security for Federal civilian agencies. The act requires NIST to develop the standards and guidelines needed to ensure cost-effective security and privacy of sensitive information in Federal computer systems.

Background:

The Computer Security Enhancement Act will strengthen the National Institute of Standards and Technology's (NIST's) historic role in computer security established by the Computer Security Act. The bill updates the decade-old act while giving NIST the tools it requires to ensure that appropriate attention and effort is concentrated on securing our Federal information technology infrastructure.

What the Bill Does:

The Computer Security Enhancement Act updates the Computer Security Act to take into account the evolution of computer networks and their use by both the Federal Government and the private sector. Specifically, the security enhancement act:

1. Requires NIST to promote the acquisition of off-the-shelf products for meeting civilian agency computer security needs. This measure should reduce the cost and improve the availability of computer security technologies to Federal agencies.

2. Increases the input of the independent Computer System Security and Privacy Advisory Board into NIST's decision-making process. The board, which is made up of representatives from industry, federal agencies and other outside experts, should assist NIST in its development of standards and guidelines for Federal systems.

3. Requires NIST to develop standardized tests and procedures to evaluate the strength of foreign encryption products. Through such tests and procedures, NIST, with assistance from the private sector, will be able to judge the relative strength of foreign encryption, thereby defusing some of the concerns associated with the export of domestically produced encryption products.

4. Limits NIST's involvement to the development of standards and guidelines for Federal civilian systems and not for the private sector. The bill clarifies that NIST standards and guidelines are to be used for the acquisition of security technologies for the Federal government and are not intended as restrictions on the production or use of encryption by the private sector.

5. Updates the Computer Security Act to address changes in technology over the last decade. Significant changes in the manner in which information technology is used by the Federal government have occurred since the enactment of the Computer Security Act. The bill updates the Act, taking these changes into account.

6. Establishes a new computer science fellowship program for graduate and undergraduate students studying computer security. The bill sets aside $250,000 a year, for each of the next two fiscal years, to enable NIST to finance computer security fellowships under an existing NIST grant program.

7. Requires the National Research Council to conduct a study to assess the desirability of, and the technology required to, support public key infrastructures.