Panel OKs Plan for NIST to Audit Framework ImplementationHouse of Representatives to Consider Legislation Expanding NIST's Role
A divided House Science, Space and Technology Committee has approved legislation that would expand the National Institute of Standards and Technology into the domain of auditing. The bill calls for NIST to assess federal agency compliance with its cybersecurity framework.
See Also: Ransomware: The Look at Future Trends
At a March 1 committee markup session, members voted mostly along party lines, 19 to 14, to approve the NIST Cybersecurity Framework, Assessment and Auditing Act of 2017. The bill now goes to the full House of Representatives.
The only Democrat to vote with the majority Republicans was Rep. Dan Lipinski of Illinois. Republicans captured Lipinski's vote after the committee approved an amendment he offered that directs NIST to prepare a needs-based plan to carry out its new auditing tasks. Committee Chairman Lamar Smith, R-Texas, noted the auditing responsibilities will require additional resources. "We will address that in a NIST authorization bill this year," he said.
Creating Outcome-Based Metrics
At the heart of the bill are provisions directing NIST to develop outcome-based metrics to demonstrate the effectiveness of the NIST Cybersecurity Framework, a 3-year-old guide published by the institute aimed at protecting the information assets of critical infrastructure providers (see Bill Seeks Metrics for NIST Cybersecurity Framework. The framework has been adopted by many organizations not designated as critical infrastructure, within and outside of the federal government. The bill also would require federal agencies to implement the cybersecurity framework.
None of the committee members objected to the provisions directing NIST to develop outcome metrics. But at the committee's markup session, Democratic members - led by ranking member Rep. Eddie Bernice Johnson of Texas - said NIST is ill-equipped to conduct audits, saying the assessments should be performed by the Government Accountability Office or Department of Homeland Security. "Speaking to what may be the strangest part of this bill, I do not remember any expert ever recommending that NIST be given the responsibility to conduct annual cybersecurity audits of other agencies," Johnson said, citing testimony at a Feb. 14 hearing on cybersecurity readiness conducted by the panel's Subcommittee on Research and Technology. "NIST is not an auditing agency."
At that subcommittee hearing, Charles Romine, NIST's information technology laboratory director, testified that the institute does not assess, audit or test agency security implementations or have oversight authority under the Federal Information Security and Management Act, the law that governs federal government information security. "Congress recognized that placing such responsibilities on NIST would impede and ultimately defeat its ability to work with federal agency and private sector stakeholders to develop standards, guidelines and practices in the open, transparent and collaborative manner Congress intended," he said.
"Who Better ... Than NIST?
At the markup session, neither Chairman Smith nor the bill's sponsor, Rep. Ralph Abraham, R-La., directly addressed why NIST should conduct the audits. But Smith characterized NIST as "a global leader in cybersecurity knowledge, scientific standards-setting and research and analysis of federal agencies' cybersecurity readiness. ... Who better to determine if an agency is following these recognized standards than NIST?"
Smith, though, was adamant that NIST would not become an enforcement agency. "The bill does not give the agency authority to exact fines, issue injunctions, or pursue further proceedings beyond assessing, auditing and reporting," he said.
The committee approved another amendment that eliminated a provision that would have established of a public-private working group to develop specific framework implementation models and measurement tools that private entities can use to adopt the framework. Abraham explained that public participation was not necessary because the bill only applies to federal agencies.
Another amendment adds the Office of Management and Budget as a member of the federal work group that will work with NIST to develop outcome-based and quantifiable metrics.