SUBCHAPTER IV—ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS
§7461. Definitions
In this subchapter:
(1) Director
The term "Director" means the Director of the National Institute of Standards and Technology.
(2) Institute
The term "Institute" means the National Institute of Standards and Technology.
(
§7462. International cybersecurity technical standards
(a) In general
The Director, in coordination with appropriate Federal authorities, shall—
(1) as appropriate, ensure coordination of Federal agencies engaged in the development of international technical standards related to information system security; and
(2) not later than 1 year after December 18, 2014, develop and transmit to Congress a plan for ensuring such Federal agency coordination.
(b) Consultation with the private sector
In carrying out the activities specified in subsection (a)(1), the Director shall ensure consultation with appropriate private sector stakeholders.
(
§7463. Cloud computing strategy
(a) In general
The Director, in coordination with the Office of Management and Budget, in collaboration with the Federal Chief Information Officers Council, and in consultation with other relevant Federal agencies and stakeholders from the private sector, shall continue to develop and encourage the implementation of a comprehensive strategy for the use and adoption of cloud computing services by the Federal Government.
(b) Activities
In carrying out the strategy described under subsection (a), the Director shall give consideration to activities that—
(1) accelerate the development, in collaboration with the private sector, of standards that address interoperability and portability of cloud computing services;
(2) advance the development of conformance testing performed by the private sector in support of cloud computing standardization; and
(3) support, in coordination with the Office of Management and Budget, and in consultation with the private sector, the development of appropriate security frameworks and reference materials, and the identification of best practices, for use by Federal agencies to address security and privacy requirements to enable the use and adoption of cloud computing services, including activities—
(A) to ensure the physical security of cloud computing data centers and the data stored in such centers;
(B) to ensure secure access to the data stored in cloud computing data centers;
(C) to develop security standards as required under
(D) to support the development of the automation of continuous monitoring systems.
(
§7464. Identity management research and development
(a) In general
The Director shall carry out a program of research to support the development of voluntary, consensus-based technical standards, best practices, benchmarks, methodologies, metrology, testbeds, and conformance criteria for identity management, taking into account appropriate user concerns to—
(1) improve interoperability and portability among identity management technologies;
(2) strengthen identity proofing and verification methods used in identity management systems commensurate with the level of risk, including identity and attribute validation services provided by Federal, State, and local governments;
(3) improve privacy protection in identity management systems; and
(4) improve the accuracy, usability, and inclusivity of identity management systems.
(b) Digital identity technical roadmap
The Director, in consultation with other relevant Federal agencies and stakeholders from the private sector, shall develop and maintain a technical roadmap for digital identity management research and development focused on enabling the voluntary use and adoption of modern digital identity solutions that align with the four criteria in subsection (a).
(c) Digital identity management guidance
(1) In general
The Director shall develop, and periodically update, in collaboration with other public and private sector organizations, common definitions and voluntary guidance for digital identity management systems, including identity and attribute validation services provided by Federal, State, and local governments.
(2) Guidance
The Guidance shall—
(A) align with the four criteria in subsection (a), as practicable;
(B) provide case studies of implementation of guidance;
(C) incorporate voluntary technical standards and industry best practices; and
(D) not prescribe or otherwise require the use of specific technology products or services.
(3) Consultation
In carrying out this subsection, the Director shall consult with—
(A) Federal and State agencies;
(B) industry;
(C) potential end-users and individuals that will use services related to digital identity verification; and
(D) experts with relevant experience in the systems that enable digital identity verification, as determined by the Director.
(
Editorial Notes
Amendments
2022—