NIST gets new cyber powers under House bill

A House panel approved legislation that would add new cybersecurity auditing and reporting duties to the National Institute of Standards and Technology and the White House science office.


Despite some concerns over funding and cybersecurity reporting redundancy, the House Science Committee moved a bill that would give the National Institute of Standards and Technology and the White House's science office more active roles in monitoring how federal agencies and the private sector use the cybersecurity framework.

Under the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, NIST would assess federal agency cybersecurity capabilities within six months of the bill's enactment and perform full cybersecurity audits of those agencies within two years.

Also within that initial six months, NIST would provide guidance to the Office of Management and Budget, the White House's Office of Science and Technology Policy and federal agencies on how to implement its 2014 Cybersecurity Framework.

The bill would also tap OSTP to convene a public/private working group that would develop implementation models and measurement tools for federal agencies and private entities adopting NIST's framework. The bill also calls for annual reports on the framework's implementation in the federal government and among private entities.

The bill passed the committee by a 19-14 vote, largely along party lines. Rep. Dan Lipinski (D-Ill.) was the lone Democrat to back the measure.

Committee Chairman Rep. Lamar Smith (R-Texas) called the legislation "common sense." He said it not only aims to leverage NIST's development of cybersecurity standards and guidelines, it would allow the agency to "go further" in evaluating and assessing federal agencies' compliance. He said NIST is home to the experts who developed those security standards and guidelines under the Federal Information Security Modernization Act (FISMA), as well as the framework itself.

He contended the measure won't make NIST an enforcement agency.

"The bill does not give the agency authority to exact fines, issue injunctions, or pursue further proceedings beyond assessing, auditing, and reporting," he said.

However, ranking member Rep. Eddie Bernice Johnson (D-Texas) said the measure duplicates the federal cybersecurity monitoring duties of the Department of Homeland Security and OMB for no good reason.

NIST, she said, has "steadfastly maintained that they're the wrong agency" for the duties in the bill.

"The majority has inserted a new agency into a policy and subject matter in which they have no expertise and no business being part of," she said. Additionally, she said NIST won't get the "tens of millions of dollars" to support FISMA cybersecurity audits.

"I remain thoroughly baffled by the legislation," she said.

One group of large commercial interests, the Internet Security Alliance, applauded the legislation. In a March 1 statement, the ISA called the bill "a step in the right direction" that taps "NIST to define what constitutes use of the NIST Cybersecurity Framework and develop outcome-based and quantifiable metrics to help federal agencies analyze and assess the effectiveness of the framework."

ISA president Larry Clinton said, "Given the increasing severity of the cyber threat, it is essential that we clarify basic elements of the Framework, such as defining what it means to use the Framework and what it means to be effective. This bill takes the important first steps to resolve these problems and allows the private sector the opportunity to voluntarily follow as they see fit."