NIST's budget woes

National Institute of Standards and Technology report

After a year-long study, members of a federal advisory board have concluded that funding for computer security activities at the National Institute of Standards and Technology is inadequate and is delaying progress toward solving urgent cybersecurity problems.

A report on the study conducted by the Information Security and Privacy Advisory Board states that insufficient funds have forced officials in NIST's Computer Security Division to reduce their involvement in a security product certification program for federal agencies.

The report, "The Case for Adequate Funding," also suggests that research on wireless, radio frequency identification, voice-over-IP and other new technologies is lagging because of the funding shortfall.

In addition, it cites delays in developing guidelines for retrofitting the control systems of critical infrastructures, such as oil pipelines, with cryptographic security modules.

The board's report suggests that funding for the NIST division "has not kept pace with the growing demand for cybersecurity guidelines and standards as a result of the government's and the nation's growing reliance on information technology."

The board, which derives its statutory authority from the Federal Information Security Management Act (FISMA) of 2002,

advises NIST officials, the Commerce Department secretary and the director of the Office of Management and Budget on information security and privacy issues pertaining to federal information systems.

The report states that federal civilian agencies spend about $2 billion annually on computer security. In fiscal 2004, NIST's Computer Security Division had a budget of $15.1 million and 53 full-time employees. Lawmakers have not yet passed an appropriations bill for NIST's fiscal 2005 budget.

Many government and private-sector security experts said they agree with the report's conclusion that new security requirements, especially those included in FISMA, have created a bigger demand for security guidelines and that funding for NIST's Computer Security Division is inadequate.

"The funding issue at NIST has been a continuing and chronic problem since the passage of the Computer Security Act [of 1987], which gave NIST a lot of authority and responsibility but never gave them the financial resources," said Lynn McNulty, director of government affairs for the International Information Systems Security Certification Consortium Inc. and associate director for computer security at NIST from 1988 to 1995.

Others familiar with the report agree that budget constraints are limiting the ability of NIST's computer security experts to provide practical guidelines in many new areas.

In some respects, however, NIST's cybersecurity experts may be their own worst enemy when it comes to getting a bigger piece of the budget pie. They have a reputation for efficiency and independence, two qualities that are lacking in other standards bodies, many of which are dominated by vendors with self-interested motives, said Paul Proctor, vice president for security and risk strategies at the Meta Group Inc.

"They're getting a lot done at NIST with relatively minimal funding," he said, in part because NIST's technical experts don't waste energy on political squabbles that hinder other standards groups. "They're able to be efficient because they don't have those types of concerns."