Trade Law Daily is a Warren News publication.
No Private Sector Metrics

House Science Advances Amended NIST Cybersecurity Framework Bill

The House Science Committee advanced an amended version of the National Institute of Standards and Technology Cybersecurity Framework, Assessment and Auditing Act (HR-1224) on a largely party-line 19-14 vote Wednesday. HR-1224 would require NIST to develop guidance for the Office of Management and Budget, Office of Science and Technology and other federal agencies to use to incorporate the framework into their information security risk management efforts (see 1702270055 and 1702280035).

Chairman Lamar Smith, R-Texas, praised HR-1224 for utilizing “NIST’s unique capabilities to both develop cybersecurity standards and guidelines, which NIST does now, and go further and evaluate and assess the extent of federal agencies’ compliance with them.” Creating “more working groups and guidelines without a determination of whether anyone is using them or using them correctly does not protect our cyber infrastructure,” Smith said. “NIST has the experts who develop the standards and guidelines under the Federal Information Security Modernization Act [FISMA], which apply to the federal government.”

Ranking member Eddie Bernice Johnson, D-Texas, indicated she and other committee Democrats would oppose HR-1224 primarily because the bill would require NIST to audit federal agencies' cybersecurity practices. NIST has “steadfastly maintained that they're the wrong agency” to do audits of agencies' cybersecurity, a job better suited to the OMB or the agencies' inspectors general, Johnson said. “NIST is not an auditing agency.” Rep. Dan Lipinski, D-Ill., was the only Democrat to join the committee's Republicans in voting to advance the bill.

The committee favored HR-1224 because it emphasizes NIST's role at the expense of the Department of Homeland Security and OMB, a committee aide told reporters during a conference call, saying congressional Republicans have been disappointed with how DHS and OMB have performed on implementing cybersecurity policy. Only NIST “has performed its responsibilities in a timely and effective way, as Congress intended,” the aide said. Moving more cybersecurity responsibility to NIST is necessary given the 2015 Office of Personnel Management data breaches and other recent cyber incidents involving federal agencies, which collectively show Republican lawmakers that “we’re at a point where the first priority should no longer be maintaining everyone’s comfort zone,” the aide said. HR-1224 would also complement President Donald Trump's anticipated cybersecurity executive order since that order would be able to require federal agencies to use the NIST framework, the aide told reporters.

House Science approved an amendment from Smith that adds OMB to a federal working group that would develop metrics on agencies' framework use. Johnson opposed that amendment because it doesn't “do anything to fix” the bill's underlying issues, which included calling for the White House Office of Science and Technology Policy to be involved in evaluating federal agencies' use of the NIST framework. No experts have recommended giving OSTP such a role, Johnson said. HR-1224 calls for OSTP to be part of the federal working group.

Johnson also criticized the bill for not addressing how much extra funding NIST will receive for doing what are likely to be expensive audits of the agencies. She noted the high cost of existing audits of agencies' FISMA compliance. Absent specific funding information, the bill would constitute a “massive unfunded mandate” for NIST when that agency is already underfunded, Johnson said. House Science approved an amendment from Lipinski that would direct NIST to develop a plan for carrying out the proposed agency audits that would include a cost estimate and guidance on whether aspects of the audits need to be contracted out.

The committee also cleared an amendment from the legislation's main sponsor Rep. Ralph Abraham, R-La., that struck language that would have directed NIST to form a public-private working group that would develop specific metrics and implementation models for the private sector's use of the NIST framework. Abraham said he originally included the provision in HR-1224 because it appeared to be a “natural extension” of the federal working group. He now believes it's better to propose the private sector working group in a separate bill because HR-1224 is otherwise focused on federal cyber issues.

Rep. Bill Foster, D-Ill., filed but quickly withdrew an amendment calling for full funding of Congress' Office of Technology Assessment, which Congress defunded in 1995. Congress' cybersecurity policy work would “greatly benefit from once again having an office dedicated to giving nonpartisan, technical advice,” the withdrawn amendment said. Rep. Mark Takano, D-Calif., co-sponsored it. Foster withdrew after Smith said it wasn't germane to the bill, but encouraged lawmakers to continue to look at funding an OTA.