Can NIST be the Savior of Federal Cybersecurity?
With President Trump's executive order mandating federal agencies to adopt the Cybersecurity Framework and a new bill by House Republicans proposing to give NIST an oversight role, a look at where NIST started and where it might go.
The National Institute of Standards and Technology (NIST) is the organization of choice for the government’s efforts to meet an increasingly sophisticated cybersecurity challenge, with a piece of legislation now proposing to give NIST an auditor role. The NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R.1224), introduced by Rep. Ralph L. Abraham (R-La.) in March 2017, passed the House Science Committee and has been characterized as one of the most significant congressional moves this year. However, NIST doesn’t want the role, and not everyone is enthusiastic. For good reason, too: the contents of the bill are troublesome and, by forcing an auditing function on the standard-setting organization, risk diminishing the trust that NIST has painstakingly built over the course of its years of existence. There are other steps that Congress and NIST can take to improve federal cybersecurity, including a renewed focus on investing in people and making NIST’s Cybersecurity Framework more accessible.
NIST has long been tasked with developing safeguards and guidelines for a variety of industries and technologies including the use of information and communications technology across public and private sectors. Formed as a non-regulatory body, NIST acts as “industry’s national laboratory” and aims to support industrial innovation and competition. NIST issues standards, guidelines, and metrics to help federal agencies and U.S.-based organizations protect their information and information systems. Generally speaking, complying with the security standards set by NIST also helps agencies meet the requirements of other information security regulation. NIST security standards are crafted using various publications and industry best practices. As such, NIST maintains a close working relationship with federal agencies and industry leaders alike and issues information security guidelines that can be customized for specific sectors and uses.
One such guideline is the Framework for Improving Critical Infrastructure Cybersecurity—also known as the Cybersecurity Framework—prepared and published in 2014. The Cybersecurity Framework outlines how organizations can assess and manage their “cybersecurity risk… without placing additional regulatory requirements on businesses.” Approximately 30 percent of U.S. organizations now use the Cybersecurity Framework, and that number could reach 50 percent by 2020. Prepared with existing information security regulations and best practices in mind, the body of the document emphasizes that the framework is “not a one-size-fits-all approach to managing cybersecurity risk,” and NIST “encourages the private sector to determine its conformity needs.” Just like the global ecosystem of cyber risk and threats, the NIST Cybersecurity Framework is a constantly evolving body of work, with a draft update announced in 2017.
As the significant adoption rate shows, the Cybersecurity Framework is valued by the private sector. The proposed bill is an indication that Congress wants the federal government to value it the same. The question remaining is whether forcing an auditing function on NIST is an effective way to implement the controls in the federal government. The House Science Committee’s proposal suggests it is. But experts are not convinced.
In May 2017, NIST published the Cybersecurity Framework Implementation Guidance for Federal Agencies, which outlines how federal agencies could integrate the security practices laid out in the Cybersecurity Framework with existing federal regulations. Colloquially known as “framework meets FISMA,” the document aims to “unify NIST’s risk management documents into a singular approach for federal agencies.” An attempt at introducing a customized approach to implementation for the executive branch, the new federal guide was published a day after President Trump’s Cybersecurity Executive Order, which mandated that all executive agencies use the Cybersecurity Framework to manage their cybersecurity risk. Furthermore, the Executive Order requires agency heads to provide a risk management report which, among other things, will “describe the agency’s action plan to implement the Framework.” These reports are due on August 9.
With the tide already turning in favor of elevating the Cybersecurity Framework to a federal compliance standard, proponents of the proposed legislation argue that NIST is in the unique position of having the technical expertise and credibility to ensure compliance with government-wide standards. Bodies like the IRS and FBI have their own information security regulations, and while the general consensus favors consolidation of federal audits and intersecting regulations, it’s unclear that NIST is the best agency for this role. After all, FISMA “designates DHS as the operational lead for Federal cybersecurity” and requires each agency to conduct self-assessments of its information security programs and priorities, in addition to annual FISMA audits conducted by Inspectors General and reported to the Office of Management and Budget. However, among other challenges, DHS is plagued by a shortage of cyber talent among its ranks, with its chief information security officer Paul Beckman voicing concerns about the outdated hiring process.
But as Cliff Shannon, staff director for the House Science, Space and Technology Committee’s research and technology panel, recently told a NIST advisory board, “If DHS were doing credible audits, we would not be having this conversation.” There is some logic in Shannon’s statement, but forcing an auditing function on NIST is shortsighted and ignores the historical factors that have led to the agency’s effectiveness. At the core of this effectiveness: trust.
Throughout its long history, the standard-setting body has carved out a unique spot in the federal enterprise as a credible and transparent broker. An advisory agency for the cybersecurity community, NIST welcomes comments and feedback on its documents from industry leaders, federal agencies, and state and local officials alike. Some argue that giving NIST an oversight role would sour the relationships it has with the cybersecurity community and industry more broadly.
As the recent history of notable data breaches illustrates, the federal government has a lot of work to do on managing its cyber risk. Adoption of the Cybersecurity Framework is a step in the right direction, but the House Science bill forcing a regulatory function on NIST is unlikely to be the best way to resolve the challenges of implementing the Framework. That said, the establishment of a federal audit to assess agencies’ compliance with the Cybersecurity Framework is one of the good ideas to come out of the bill. In fact, such an audit would increase the adoption of the framework across the government—so long as the auditing agency isn’t NIST.
With some organizations asking NIST to provide clearer implementation instructions to agency IT officials, the path to expanding Framework adoption also lies in bolstering and improving the Framework to make it more accessible. Furthermore, Congress should look to bolster DHS and its cyber personnel in order to improve the agency’s cyber capabilities and technical credibility. What’s more, despite its shortcomings, the proposed bill seems to have started a conversation about ways to improve the federal cybersecurity infrastructure—which is exactly what the cybersecurity community needs.