The National Institute of Standards and Technology (NIST) is the organization of choice for the government’s efforts to meet an increasingly sophisticated cybersecurity challenge, with a piece of legislation proposing to give NIST an auditor role. The NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R.1224), introduced by Rep. Ralph L. Abraham (R-La.) in March 2017, passed the House Science Committee and has been characterized as one of the most significant congressional moves this year. However, NIST doesn't want the role, and not everyone is enthusiastic. For good reason, too: the contents of the bill are troublesome and risk diminishing the trust that NIST has painstakingly built over the course of its existence by forcing an auditing function on the standard-setting organization. There are other steps that Congress and NIST can take to improve federal cybersecurity, including a renewed focus on investing in people and making NIST’s Cybersecurity Framework more accessible.
NIST has long been tasked with developing safeguards and guidelines for a variety of industries and technologies including the use of information and communications technology across public and private sectors. Formed as a non-regulatory body, NIST acts as “industry’s national laboratory” and aims to support industrial innovation and competition. NIST issues standards, guidelines, and metrics to help federal agencies and U.S.-based organizations protect their information and information systems. Generally speaking, complying with the security standards set by NIST also helps agencies meet the requirements of other information security regulation. NIST security standards are crafted using various publications and industry best practices. As such, NIST maintains a close working relationship with federal agencies and industry leaders alike and issues information security guidelines that can be customized for specific sectors and uses.
One such guideline is the Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework, prepared and published in 2014. The Cybersecurity Framework outlines how organizations can assess and manage their “cybersecurity risk… without placing additional regulatory requirements on businesses.” Approximately 30 percent of U.S. organizations now use the Cybersecurity Framework, and that number could reach 50 percent by 2020. Prepared with existing information security regulations and best practices in mind, the body of the document emphasizes that the framework is “not a one-size-fits-all approach to managing cybersecurity risk,” and NIST “encourages the private sector to determine its conformity needs.” Just like the global ecosystem of cyber risk and threats, the NIST Cybersecurity Framework is a constantly evolving body of work, with a draft update announced in 2017.
As the significant adoption rate shows, the Cybersecurity Framework is valued by the private sector. The proposed bill is an indication that Congress wants the federal government to value it the same. The question remaining is whether forcing an auditing function on NIST is an effective way to implement the controls in the federal government. The House Science Committee’s proposal suggests it is. But experts are not convinced.
In May 2017, NIST published the Cybersecurity Framework Implementation Guidance for Federal Agencies, which outlines how federal agencies could integrate the security practices laid out in the Cybersecurity Framework with existing federal regulations. Colloquially known as “framework meets FISMA,” the document aims to “unify NIST’s risk management documents into a singular approach for federal agencies.” An attempt at introducing a customized approach to implementation for the executive branch, the new federal guide was published a day after President Trump’s Cybersecurity Executive Order, which mandated that all executive agencies use the Cybersecurity Framework to manage their cybersecurity risk. Furthermore, the Executive Order requires agency heads to provide a risk management report which, among other things, will “describe the agency's action plan to implement the Framework.” These reports are due on August 9.
With the tide already turning in favor of elevating the Cybersecurity Framework to a federal compliance standard, proponents of the proposed legislation argue that NIST is in the unique position of having the technical expertise and credibility to ensure compliance with government-wide standards. Bodies like the IRS and the FBI have their own information security regulations, and while the general consensus favors consolidation of federal audits and intersecting regulations, it’s unclear that NIST is the best agency for this role. After all, FISMA “designates DHS as the operational lead for Federal cybersecurity” and requires each agency to conduct self-assessments of its information security programs and priorities, in addition to annual FISMA audits conducted by Inspectors General and reported to the Office of Management and Budget. However, among other challenges, DHS is plagued by a shortage of cyber talent among its ranks, with its chief information security officer Paul Beckman voicing concerns about the outdated hiring process.
But as Cliff Shannon, staff director for the House Science, Space and Technology Committee’s research and technology panel, recently told a NIST advisory board, “If DHS were doing credible audits, we would not be having this conversation." There is some logic in Shannon’s statement, but forcing an auditing function on NIST is shortsighted and ignores the historical factors that have led to the agency’s effectiveness. At the core of this effectiveness: trust.
Throughout its long history, the standard-setting body has carved out a unique spot in the federal enterprise as a credible and transparent broker. An advisory agency for the cybersecurity community, NIST welcomes comments and feedback on its documents from industry leaders, federal agencies, and state and local officials. Some argue that giving NIST an oversight role would sour the relationships it has with the cybersecurity community and industry more broadly.
As the recent history of notable data breaches illustrates, the federal government has a lot of work to do on managing its cyber risk. Adoption of the Cybersecurity Framework is a step in the right direction, but the House Science bill forcing a regulatory function on NIST is unlikely to be the best way to resolve the challenges with implementing the Framework. That said, the establishment of a federal audit to assess agencies’ compliance with the Cybersecurity Framework is one of the good ideas to come out of the bill. In fact, such an audit would increase the adoption of the framework across the government, so long as the auditing agency isn’t NIST.
With some organizations asking NIST to provide clearer implementation instructions to agency IT officials, the path to expanding Framework adoption also lies in bolstering and improving the Framework to make it more accessible. Furthermore, Congress should look to bolster DHS and its cyber personnel in order to improve the agency’s cyber capabilities and technical credibility. What’s more, despite its shortcomings, the proposed bill seems to have started a conversation about ways to improve the federal cybersecurity infrastructure, which is exactly what the cybersecurity community needs.
NIST Through the Years
From its origin as the National Bureau of Standards in 1901 to its current role, a brief history of the nation's measurement standards laboratory.
Office of Standard Weights and Measures is founded to oversee the standardization of weights and measures. The office was part of the United States Department of the Treasury.
National Bureau of Standards (NBS) is officially established by the Bureau of Standards Act of March 3, 1901. At its founding, it was part of the U.S. Department of the Treasury but was transferred to the Department of Commerce and Labor in 1903.
NBS is transferred to the Department of Commerce and Labor by the Commerce Department Act of February 14, 1903.
NBS moves once again – this time to the newly named Department of Commerce by the Labor Department act of March 4, 1913. The act reorganized the Department of Commerce and Labor into two separate bodies and transferred the workings of the earlier joint body to the Department of Commerce.
NBS prepares and publishes the first nationwide electrical safety code. Seen as a threat to the independence of the electrical industry, the code was met with resistance from industry leaders who thought the publicity campaign around the code unnecessarily underlined the hazards of electricity.
NBS establishes the National Applied Mathematics Laboratories (NAML).
A team of NIST researchers led by Harold Lyons builds the world’s first atomic clock. Although the clock was not accurate enough to be used as a time standard, it set the foundations for one of NIST’s most well-known roles: keeping the official time of the American government.
(Photo: NIST Director Edward Condon (left) and clock inventor Harold Lyons with the first atomic clock. Source: NIST.)
The Bureau completes Standards Electronic Automatic Computer (SEAC). Built by a team headed by Samuel N. Alexander, the SEAC was the only fully functional computer available to U.S. government agencies in 1950. This early electronic computer was “the fastest, general purpose, internally sequenced” electronic computer available at the time and was used to solve more than 50 unique scientific problems for different users from an array of government agencies.
(Photo: NIST employee operating the SEAC keyboard. Source: National Institute of Standards and Technology Digital Collections, Gaithersburg, MD 20899.)
The first image scanner, as well as the first digital image, is developed at NBS by Russell A. Kirsch. This pioneering digital image, a scanned and redisplayed photo of Kirsch’s three-month-old son Walden, was only 176 pixels on a side and entirely black and white.
(Photo: The first scanned image of researcher Russell Kirsch's son, Walden. Source: National Institute of Standards and Technology Digital Collections, Gaithersburg, MD 20899.)
The Film Optical Sensing Device for Input to Computers (FOSDIC) is developed by NBS for the U.S. Census Bureau. FOSDIC read in microfilmed hand-marked documents and converted them into electronic form, essentially automating the massive survey.
(Photo: U.S. Census Bureau employees use FOSDIC to transfer data from paper questionnaires to microfilm. Source: U.S. Census Bureau.)
NBS establishes the Center for Computer Sciences and Technology, which was tasked with providing research and technical support for the General Services Administration (GSA).
After four years of public requests for proposals for a new cryptographic algorithm, NIST endorses the Data Encryption Standard (DES) as the nation’s Advanced Encryption Standard (AES). DES was based on IBM’s patented Lucifer algorithm, with some changes to its internal workings and a shortening of the key size.
President Ronald Reagan signs National Security Decision Directive 145 (NSDD-145), which authorized the National Security Agency (NSA) to develop standards and safeguards to protect unclassified information. The directive transferred the responsibility to develop encryption and computer standards from NIST to the NSA. Controversial at the time, NSDD-145 drew privacy concerns from critics.
Congress passes the Computer Security Act of 1987, which provided measures to improve the security and privacy of sensitive information on federal computers. The Act designated NIST as the primary body responsible for developing government-wide computer security standards and guidelines, as well as security training programs. The Act was controversial in regard to the roles of the National Security Agency (NSA) and NIST in standards development, as it required NIST to “draw upon computer system technical security guidelines developed by the National Security Agency."
NBS is renamed the National Institute of Standards and Technology (NIST) as a result of advancements in technology and the agency's changing nature.
After years of research and development, NIST-F1 becomes the official standard of time and frequency in the U.S.
NIST replaces the aging DES algorithm from 1977 with the Rijndael algorithm as the nation’s Advanced Encryption Standard (AES). AES is used to encrypt sensitive (unclassified) American federal information.
NIST publishes the Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework. The framework was developed in collaboration with industry professionals, academics and government agencies to serve as “a voluntary framework to help organizations manage cybersecurity risk in the nation’s critical infrastructure.”
NIST announces a new proposed update to the Cybersecurity Framework with new details on cyber supply chain risks and measurement methods for cybersecurity. The agency also asks that all comments and feedback on the update be sent to a designated email address by April 10th, 2017.