Lawmakers Back Down from Pushing NIST into Cyber Auditing Role


The cyber standards agency will now assist inspectors general in cyber audits.

House Science Committee lawmakers have pared back a controversial bill that would have tasked the government’s cyber standards agency with auditing federal agencies’ cyber protections.

Under the revised bill, the National Institute of Standards and Technology would assist agency inspectors general with those security audits but wouldn’t perform the audits themselves.

The updated bill responds to comments from “a number of stakeholders and experts, both inside and outside government,” a committee spokesperson said. The bill was sponsored by Rep. Ralph Abraham, R-La., and Chairman Lamar Smith, R-Texas, among others.


Critics worried the new auditing responsibility would take away from NIST’s other cyber responsibilities, which include establishing best-practice guides for industry as well as tackling long-term issues such as quantum computing.

They also worried the bill would harm NIST’s position as a neutral cyber adviser to agencies.

“The thing you hear from a lot of people is that NIST is viewed as an honest broker, not as an auditor, so there’s no fear factor in talking to NIST,” Chris Boyer, the chair of a NIST information security advisory panel and an executive vice president at AT&T, told Nextgov before the bill was pared back.

Under the updated bill, NIST would be required to create a template for how agencies could adopt the institute’s 2014 cybersecurity framework.

That framework was initially developed for industry but President Donald Trump ordered federal agencies to adopt it as well in May.

The bill also requires NIST to assist the Office of Management and Budget and the Office of Science and Technology Policy in writing an annual report about overall agency adoption of the framework.