Cyber Advisory Board Gives Thumbs Down to NIST Oversight Role

A government cybersecurity advisory board plans to caution lawmakers and executive branch officials against requiring the government’s cyber standards agency to audit other agencies’ cyber protections.

The recommendation from the National Institute of Standards and Technology’s advisory board comes after the House Science, Space and Technology Committee approved legislation in March tasking NIST with making those audits. The letter, however, will address the issue more broadly and not refer directly to the legislation, board members said.

NIST has traditionally shied away from taking on an auditing role, which could complicate its current mission as a neutral adviser to agencies on cybersecurity and other issues.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

“When you give any organization audit authority, there is, therein, an incentive to find problems and what that then does is, perhaps, cause some—particularly industry stakeholders—to wonder how we can maintain [NIST’s] objective, unbiased relationship [with agencies and industry],” said board member Greg Garcia, an executive vice president at Signal Group, who volunteered to write the first draft of the letter.

The letter also will note that adding additional responsibilities to NIST’s docket will likely reduce attention to the agency’s main cybersecurity standards-setting and education missions, Garcia said.

Those missions may already be struggling with reduced resources. President Donald Trump’s proposed budget would reduce funding for NIST information technology research overall by 13 percent and cut cyber research 9 percent.

The House Science bill, titled the NIST Cybersecurity Framework, Assessment and Auditing Act, does not have any money attached at this point, but the Congressional Budget Office estimates the bill will cost $48 million to implement over four years.

The bill does not have a Senate counterpart.

The letter will go to leaders at NIST, the Homeland Security and Commerce departments and to the Office of Management and Budget. It will go out in about a month after board members agree on the language, said Chairman Chris Boyer, an assistant vice president at AT&T.

Outgoing board member Toby Levin, a former director of privacy policy at DHS, will draft a separate portion of the letter promoting NIST’s work integrating privacy protections into cybersecurity engineering, board members agreed.

The group’s next series of meetings in October will include a full-day briefing on the White House’s IT modernization efforts outlined in the president’s May executive order, board members agreed.

Board member Jeffrey Greene, a senior policy counsel at Symantec, suggested also including a session with an FBI representative focused on the Trump administration’s position on encryption.