A bill introduced in the House of Representatives on Monday would give the National Institute of Standards and Technology greater authority to influence the adoption and evaluation of its Cybersecurity Framework by Federal agencies.
“Current practices to protect our Federal cybersecurity systems are insufficient,” said the bill’s sponsor, Rep. Ralph Abraham, R-La. “This bill will help the Federal government implement a consistent, user-friendly framework that each agency can tailor to meet its own unique cybersecurity needs, and it provides the National Institute of Standards and Technology the authority it needs to help ensure our Federal agencies’ cybersecurity systems are up to standard.”
The bill, titled the “NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017,” requires that NIST provide the Office of Management and Budget (OMB) with guidance within six months of the bill’s adoption that agencies can use to incorporate the NIST Cybersecurity Framework into their security posture. NIST will also be required to establish a Federal working group within three months, which will develop metrics for Federal framework effectiveness.
“This common-sense legislation capitalizes on NIST’s unique position as a global leader in cybersecurity knowledge and readiness and takes a long stride in protecting U.S. cybersecurity capabilities,” said Lamar Smith, R-Texas, chairman of the House Science, Space, and Technology Committee.
The bill also requires NIST to develop a schedule of cybersecurity audits for applicable agencies and issue a report of those audits to OMB, the Office of Science and Technology Policy, the Government Accountability Office, the agency being audited, the inspector general of that agency, and members of Congress.
Rep. Eddie Bernice Johnson, D-Texas, noted that many aspects of the bill trace back to a hearing in the Research and Technology subcommittee two weeks ago, which provided recommendations for improving government cybersecurity.
“I do remember the panel unanimously praising NIST’s role in cybersecurity. I also remember discussion about developing a matrix for the adoption of NIST’s cybersecurity framework. Witnesses also discussed requiring Federal agencies to incorporate the framework into their information security programs,” said Johnson. “I can see where Mr. Abraham has attempted to incorporate some aspects of those recommendations into his legislation.”
Johnson added that, despite this, she was “thoroughly baffled” by the assignment of responsibilities in the bill, due to the fact that current law assigns auditing powers to agency inspectors general and that the bill provides for no extra funding so that NIST may conduct necessary audits.
“I specifically remember GAO’s recommendation that Department of Homeland Security and not NIST carry out surveys and assessments of the adoption and effectiveness of the cybersecurity framework. NIST itself has steadfastly maintained that they are the wrong agency to do it, and not just because of limited resources,” said Johnson. “NIST is not an auditing agency. They have no such history, expertise, or capacity. They are a standards and technology agency.”
Rep. Daniel Lipinski, D-Ill., also expressed concern that other agencies, such as the Government Accountability Office, would be better equipped to conduct assessments. He offered an amendment to the bill, which was accepted and would require NIST to develop a plan of how they will accomplish the audits and what resources they might need.
However, Abraham said that, because of the changing nature of cyber threats, the Federal government and its agencies must be willing to change as well.
“It is easy to sit back and state, with the benefit of NIST’s reputation as an exemplary agency, that we should not consider changing the way the Institute operates because of what might happen or how the Institute’s reputation or effectiveness might suffer,” Abraham said.
“This legislation is vital to ensuring our citizens’ information is secure, and I thank Congressman Abraham for his leadership on Federal cybersecurity,” Smith said. “The aftermath of several recent data breaches, including those at OPM, IRS, and FDIC, showed that our Federal government is a top target for cyberattacks. Because the government collects personally identifiable information on all Americans, it is of the utmost importance that our cybersecurity framework is as secure as possible.”
The bill was passed by the House Science Space and Technology Committee on Wednesday and now moves to the House floor.