NIST Must Audit Federal Cybersecurity Because DHS Isn’t, Hill Staffer Says


The House Science Committee forwarded legislation requiring the government’s cyber standards agency to conduct audits as well.

A senior House science committee staffer Friday defended controversial legislation expanding the authorities of the government’s cybersecurity standards agency, saying it’s necessary because other agencies aren’t stepping up to the job.

The bill, which passed the committee nearly entirely with Republican support earlier this month, would direct the National Institute of Standards and Technology to audit agencies’ cyber protections within two years, giving priority to the most at-risk agencies.

That means giving NIST a responsibility that normally would belong to the Homeland Security Department, committee Democrats and other critics of the bill say.

But DHS does not currently conduct rigorous public audits of agencies’ cyber postures and practices, Cliff Shannon, subcommittee staff director for the House Science, Space and Technology Committee’s research and technology panel, told a NIST advisory board.

If they were, “we wouldn’t be having this conversation,” he said.

“Not to disparage the Department of Homeland Security, but assurances they will get around to it are kind of under the heading of ‘the check is in the mail,’” Shannon told NIST’s Information Security and Privacy Advisory Board. “With federal agencies continuing to be vulnerable and under attack, it just doesn’t seem that this is a situation where Congress ought to accept ‘the check is in the mail.’”

Shannon acknowledged the new responsibilities would take NIST “out of its comfort zone” by assigning audit responsibilities to an agency that prides itself on setting standards that are primarily advisory.

“The situation in which the federal government finds itself right now is such that we need to take steps to start curing vulnerabilities rather than talking about whose turf it should be or whose comfort zone should be [honored],” he said.

The bill would jibe well with a NIST effort to describe how the cybersecurity framework the institute developed for the private sector can be applied to federal agencies’ cybersecurity requirements, Shannon said.

A draft version of a long-delayed Trump administration executive order on cybersecurity would also make the NIST framework mandatory for federal agencies.

There’s no plan yet for when the NIST bill will reach the House floor, Shannon told reporters after the meeting, though he said it would be difficult to reach the floor before the fall. Nor are there solid plans to introduce companion legislation in the Senate, he said.

The bill could still be tweaked, he said, either to win over Democratic votes or to soothe jurisdictional tensions with other committees.

A cross-committee push to reauthorize DHS—and smooth out the rough edges of the hodgepodge department’s original 2002 creation—could also lead to some changes in the NIST bill if it was folded inside of it, Shannon said.

“What we’re not prepared to do,” he said, “is just step aside and allow events to continue on their course, because the current course seems to be dangerous and irresponsible.”