Bill OK'd to Enhance NIST Cybersecurity RoleCodifying Process That Created the Cybersecurity Framework
Years before the federal government issued the cybersecurity framework last February, Sen. Jay Rockefeller offered legislation to establish a process for the government to develop IT security best practices with advice from industry that critical infrastructure operators could voluntarily adopt.
On Dec. 11, nearly six years after proposing the legislation, both houses of Congress passed on voice votes the Cybersecurity Enhancement Act of 2014. That bill, expected to be signed by President Obama, would formalize cybersecurity as one of the National Institute of Standards and Technology's priority areas of focus. Sponsored by Rockefeller, chairman of the Senate Commerce, Science and Transportation Committee, the bill would direct NIST to continue to facilitate industry-driven processes for developing voluntary cybersecurity standards for critical infrastructure as it did when it created the cybersecurity framework.
"For years, I have said that cyber-attacks pose one of the gravest threats to our national and economic security. Now, with the passage of the Commerce Committee's cybersecurity legislation, protecting our information networks is a top priority for the federal government," says Rockefeller, a West Virginia Democrat who's retiring after 30 years in the Senate. "NIST and our research agencies will have a leading role in this effort, and the authority to work closely with the private sector to identify and reduce cyber-risks."
Act's Other Provisions
The bill also authorizes the federal government to support cybersecurity research, raise public awareness of cyber-risks and improve the nation's cybersecurity workforce. However, the legislation provides no funding for these initiatives. Separate authorization bills would need to be enacted to pay for the programs authorized by the act.
"This bill will ensure a voluntary partnership between the government and private sector to protect the computer systems Americans rely on every day," says co-sponsor John Thune, R-S.D, the committee's ranking member who assumes the panel's chairmanship when Republicans become the majority in the Senate in January. "It will also focus efforts to find longer-term solutions to cyberthreats through research, education and workforce development. There is much work still to be done to safeguard cyberspace, so I look forward to the president signing this bill into law without delay."
Sending a Signal to Industry
With cybersecurity already a NIST priority, as evidenced by its publication of the cybersecurity framework, the Cybersecurity Enhancement Act would codify existing practices. Still, enacting the bill sends a signal to industry of the significance of adopting practices to safeguard critical IT, says Jacob Olcott, a former Senate Commerce Committee counsel.
"It's an important message from the U.S. government that suggests multiple branches of government have agreed that this framework is important national policy issue," says Olcott, a principal at risk-management adviser Good Harbor Consulting.
Other key provisions of the bill would:
- Direct the Office of Science and Technology Policy to develop, and update every three years, a federal cybersecurity research and development plan to meet IT security objectives, including how to guarantee individual privacy, verify third-party software and hardware, address insider threats, determine the origin of messages transmitted over the Internet and protect information stored using cloud computing or transmitted through wireless services;
- Amend existing law to permit National Science Foundation grants to be awarded for research into a wide range of information security subject areas, including software assurance, trusted computing, reducing vulnerabilities proactively, insider threats, privacy, systems and information recovery and cloud infrastructure;
- Direct NIST to continue coordinating a national cybersecurity awareness and preparedness campaign;
- Direct the departments of Commerce and Homeland Security and the National Science Foundation to support cyber competitions and challenges that can be used to identify prospective IT security talent that the government could recruit; and
- Authorize the Office of Personnel Management to support internships or other work experience in the federal government for the winners of cyber competitions and challenges.
Capping a 30-Year Senate Career
Passage of the act is a fitting finish to the Senate career of Rockefeller, who's retiring at the end of the year. "Sen. Rockefeller was one of the first members of Congress to fully appreciate the cyberthreats and spent a significant amount of his time and efforts working on legislation and oversight and other avenues to increase U.S. cybersecurity," Olcott says.
Olcott credits Rockefeller, whose committee has oversight over NIST and the Federal Communications Commission, with spurring the administration to develop the cybersecurity framework as well as the FCC to require broadcasters to adopt cybersecurity practices. "He's got a pretty good record," he says.