NIST Auditing Bill Undergoes Changes
The House Committee on Science, Space, and Technology has made changes to the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R. 1224). As first introduced, the bill proposed to expand the National Institute of Standards and Technology’s (NIST’s) role to include auditing of federal agencies’ cyber and information security standards.
In response to the initial bill, the Information Security and Privacy Advisory Board[1] (ISPAB) sent a letter addressing the proposal for NIST to take on an auditing function. ISPAB wrote, “[e]ven if this authority were restricted to federal agencies, private sector stakeholders might be less inclined to collaborate with NIST if they suspect its guidance could later become a regulatory standard with compliance requirements.” ISPAB further noted that federal Inspectors General (IGs) have the authority to conduct information security audits and greater attention should be devoted to training IGs on federal information security requirements and methodologies.
In taking this and other critiques into account, the modified bill would no longer require NIST to act as an auditor directly. Instead, it mandates that NIST work with IGs to “provide technical assistance and other expert input for each evaluation…[to] directly support the audit…with determinations and recommendations for inclusion in each such evaluation.” NIST would also help provide training to IGs and other independent external auditors.
In addition to promoting mandatory implementation of NIST’s Cybersecurity Framework, the bill proposes to amend the National Institute of Standards and Technology Act’s statement of NIST’s mission[2] to include: “emphasizing the principle that expanding cybersecurity threats require engineering security from the beginning of an information system’s life cycle, building more trustworthy and secure components and systems from the start, and applying well-defined security design principles throughout.”
At a hearing on October 25, 2017, Chairman Lamar Smith (R-TX), one of the bill’s cosponsors, stated that the Committee on Science, Space, and Technology hopes to bring the bill to the House floor for a vote.
This bill, with its revised proposals, comes at a fluid time, where NIST is increasingly influential on government and private sector security approaches. For example, NIST is expected to release updates to Draft Version 1.1 of the Cybersecurity Framework in the near future; the agency announced plans to develop guidance on Internet of Things (IoT) cybersecurity and privacy risks for federal agencies, with draft guidance expected in early 2018; and engagement continues on reducing the threat posed by automated and distributed (e.g., botnets) attacks, which was called for by the President’s Executive Order on Cybersecurity.
[1] The Information Security and Privacy Advisory Board was created by the Computer Security Act of 1987 (P.L. 10-235) and is charged with advising certain agencies on information security and privacy issues related to Federal Government information systems.