Trade Law Daily is a Warren News publication.
Wednesday Markup

Draft Bill Targets NIST Cybersecurity Framework Metrics Development

Draft legislation on the National Institute of Standards and Technology’s Cybersecurity Framework set for a House Science Committee markup Wednesday may result in long-anticipated progress in creating cybersecurity metrics, industry stakeholders said in interviews. House Science said it plans to mark up the NIST Cybersecurity Framework, Assessment and Auditing Act Wednesday. The markup is set to begin at 10 a.m. in 2318 Rayburn. Rep. Ralph Abraham, R-La., planned to file the bill late Monday, an aide told us.

The draft bill would require NIST to develop guidance for the Office of Management and Budget, the Office of Science and Technology Policy and other federal agencies to use to incorporate the Cybersecurity Framework “into their information security risk management efforts, including practices related to compliance.” NIST’s guidance should indicate to agencies how the framework “aligns with or augments existing agency practices” and must “identify areas of conflict or overlap between the Framework and existing cybersecurity requirements, including gap areas where additional policies, standards, guidelines, or programs may be needed,” the draft said. NIST would be required to “complete an initial assessment of the cybersecurity preparedness” of federal agencies within six months of the bill’s enactment. Each agency’s audit would assess whether cybersecurity standards “are being met,” the draft said.

Abraham’s bill would direct NIST to form a public-private working group that would develop specific framework “implementation models and measurement tools that private entities can use to adopt” the framework. The NIST-formed group would be required to develop “outcome-based metrics that quantify the effectiveness and benefits of the Framework to enable private entities to voluntarily analyze and assess their individual corporate cybersecurity risks.” OSTP would be required to issue an annual report on the framework’s effectiveness and the rate of private sector adoption of the framework. NIST is collecting comments on its draft v1.1 of the original 2014 framework that includes a new section on developing effective cybersecurity metrics (see 1701100084).

The legislation could be the push needed to finally make progress in creating effective cybersecurity metrics, stakeholders said. “Governments all over the world have been grappling with figuring out if the implementation of cybersecurity measures are actually working and how well they are working,” said Venable cybersecurity and telecom lawyer Jamie Barnett. “This bill directs NIST towards measurement.” Abraham’s legislation appears to track with a portion of the Commission on Enhancing National Cybersecurity’s December recommendations, which included a call for NIST to create a framework metrics working group, said a cybersecurity lobbyist. The CENC recommendations emphasized the need for increased promotion of the NIST framework’s use in both the federal government and the private sector (see 1612020050). The agency didn’t comment.

The bill is a “step in the right direction” since “we still really have no independent or objective data” on the framework’s efficacy almost three years after its launch, said Internet Security Alliance President Larry Clinton. Effective framework metrics are “absolutely critical” since “anecdotal descriptions of various uses of the framework” are “not adequate at this stage to generate the sort of broad-based voluntary adoption that we would hope for,” Clinton said. He said the proposed working group is “very similar” to an ISA proposal that called for sector coordinating councils to similarly develop framework metrics.

ISA is pushing for the bill-proposed working group to also assess the cost-effectiveness of the NIST framework since “in order to have a sustainable voluntary cybersecurity program we need to find out and publicize not only what is effective but what is cost-effective,” Clinton said. “Industry will naturally adopt practices that are cost-effective. But if we find there are elements of the framework that are effective but cost-prohibitive, then we need to find market incentives to promote those practices.”