Over the objections of most Democrats on the panel, the House Science Committee on March 1 passed a measure that would require a federal standards and measurement agency to lead an effort to assess how well other federal agencies are implementing an existing framework of cyber security best practices and also audit the effectiveness of the framework across the government.
The NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R. 1224) also calls for the National Institute of Standards and Technology (NIST) to lead a federal working group that would work with a public-private working group to “develop outcome-based and quantifiable metrics” to help agencies analyze and assess their respective implementations of the Cybersecurity Framework.
The bill was approved by a vote of 19 to 14 with just one Democrat voting in favor of the measure. No Republicans voted against the bill.
The bill also calls for NIST to provide the White House Office of Science and Technology Policy (OSTP), the White House Office of Management and Budget and “all other federal agencies” guidance for incorporating the Cybersecurity Framework into to their network risk management efforts.
“This commonsense legislation takes advantage of NIST’s unique capabilities to both develop cyber security standards and guidelines, which NIST does now, and go further and evaluate and assess the extent of federal agencies’ compliance with them,” Rep. Lamar Smith (R-Texas), chairman of the committee, said in his opening statement.
NIST in February 2014 published the Cybersecurity Framework, which provides public and private organizations with best practices and standards that can be voluntarily adopted to protect their computer networks. The framework was a collaborative effort between government agencies, the private sector and other stakeholders.
The federal working group that would be established and led by NIST would also include OSTP.
Rep. Eddie Bernice Johnson (D-Texas), the ranking member on the committee, said in her opening remarks that having NIST annually audit the cyber security of other agencies “may be the strangest part of this bill.” She also said that the Government Accountability Office has recommended that the Department of Homeland Security be responsible for “surveys and assessments of the adoption and effectiveness of the Cybersecurity Framework,” adding that, “NIST itself has steadfastly maintained that they are the wrong agency do it, and not just because of limited resources.”
Johnson also that she doesn’t remember anyone recommending that OSTP be given an oversight role related to cyber security.
“The majority has inserted an entirely new agency into a policy matter in which they have no expertise and not business being part of,” Johnson said. In doing so, the bill also duplicates authorities and responsibilities clearly assigned to OMB and DHS in current law.”
Rep. Ralph Abraham (R-La.), author of the bill, said in a statement that GAO has made 2,500 recommendations to federal agencies to strengthen their computer systems yet about 1,000 of the recommendations haven’t been implemented. He added that the committee’s jurisdiction over NIST gives it the ability to add to the agency’s functions related to cyber security, saying the evolving threat of cyber attacks requires “thinking outside the box instead of maintaining a business as usual approach.”
Jeremy Grant, a managing director with the advisory firm The Chertoff Group, told sister publication Defense Daily via an email response for comment that it “would be a colossal mistake” and “disaster” to shift NIST from being a partner in working with the public and private sectors to being an auditor.
“Moreover, it would be a huge diversion of NIST resources,” Grant said. “At a time when industry and government are clamoring for more and better guidance in different areas of cyber security from NIST, this bill would instead pull NIST’s relatively small cyber staff away from those projects and instead focus them on audits. NIST work around its core mission in developing guidance for computer security would be sure to suffer.”
Prior to joining The Chertoff Group, Grant successfully led a White House initiative at NIST to work with the private and public sector, and other stakeholders on developing an identity ecosystem to improve the privacy, security and convenience of online transactions.
DHS is responsible for helping to protect the security of federal civilian information systems. The department provides technology, best practices and other services to the federal civilian government in the area of cyber security.