A House panel on Wednesday voted along party lines (19-14) to approve a bill that directs the National Institute of Standards and Technology (NIST) to “audit” federal agencies’ compliance with NIST’s cybersecurity framework.

A brief summary of the legislation, via The Hill:

The legislation would direct NIST to develop metrics for evaluating federal agencies’ cybersecurity and submit an initial assessment and regular audits to Congress on cybersecurity measures put in place by federal agencies.

It would also set up guidance for federal agencies to incorporate the NIST cyber framework and establish working groups in the federal and private sectors to help public and private entities use the framework.

Lawmakers seem to all agree that NIST should develop metrics to prove the effectiveness of its Cybersecurity Framework, which some agencies have already adopted. Outside experts seem less convinced that effective metrics can be created, because “security” can be so difficult to define.

Things get murkier when it comes to the part of the legislation allowing NIST to conduct audits. From Data Breach Today:

At the committee’s markup session, Democratic members – led by ranking member Rep. Eddie Bernice Johnson of Texas – said NIST is ill-equipped to conduct audits, saying the assessments should be performed by the Government Accountability Office or Department of Homeland Security. “Speaking to what may be the strangest part of this bill, I do not remember any expert ever recommending that NIST be given the responsibility to conduct annual cybersecurity audits of other agencies,” Johnson said, citing testimony at a Feb. 14 hearing on cybersecurity readiness conducted by the panel’s Subcommittee on Research and Technology. “NIST is not an auditing agency.”

At that subcommittee hearing, Charles Romine, NIST’s information technology laboratory director, testified that the institute does not assess, audit or test agency security implementations or have oversight authority under the Federal Information Security and Management Act, the law that governs federal government information security. “Congress recognized that placing such responsibilities on NIST would impede and ultimately defeat its ability to work with federal agency and private sector stakeholders to develop standards, guidelines and practices in the open, transparent and collaborative manner Congress intended,” he said.

The markup of the bill can be viewed here.

Further reading:

Data Breach Today

The Hill