NIST Cyber Advisers Anxious Over Auditing Agencies

deepadesigns/Shutterstock.com

The proposed expansion of NIST's mission comes as the agency is quickly working to meet mandates in the cybersecurity executive order.

Members of an advisory board for the government’s cyber standards agency are skeptical about a House bill that would expand that agency’s mission to auditing cybersecurity across the federal government.

That bill, the NIST Cybersecurity Framework Assessment and Auditing Act, would task the National Institute of Standards and Technology with verifying agencies have proper cyber protections in place and reporting on laggards.

The bill passed out of the House Science Committee in March with only Republican support. It has not reached the House floor and does not have a Senate counterpart.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

NIST has historically advised agencies on cybersecurity but not conducted audits, which are typically done by the Government Accountability Office and agency inspectors general.

Members of NIST’s Information Security and Privacy Advisory Board expressed concern about expanding the agency’s mission during a meeting Wednesday—especially during a period of flux as agencies rush to implement new requirements included in a cybersecurity executive order President Donald Trump issued in May.

ISPAB members discussed penning a letter to executive branch officials urging caution about expanding NIST’s traditional mission but did reach a final decision.

A Science Committee staffer told board members in March that NIST should be auditing federal cybersecurity because other agencies are not.

NIST remains on track with a series of reports required by the cybersecurity executive order, officials told board members. Among other requirements, that order directed federal agencies to use the cybersecurity framework NIST developed for the private sector as part of their cybersecurity checklist.

NIST posted draft guidance soon after the president’s order was released that outlines ways agencies could align the cybersecurity framework with their current mandates under the Federal Information Security Management Act. That document is open for public comments through the end of the week.

Public Identity Management Among Likely Cuts in Trump Budget

Trump’s 2018 fiscal year budget request cut funding across NIST’s research components by 13 percent, but cyber research is only down 9 percent, Charles Romine, director of NIST’s Information Technology Laboratory, told board members.

Cybersecurity makes up just over half of the IT lab’s $114 million research budget in the 2018 budget at $60 million. 

NIST’s plan is to organize those cuts to retain funding for major government priorities and to allow dips for programs that are near the end of their life cycle or that are less central to NIST’s main mission, Romine said.

Among programs slated for a likely cut in funding is the Trusted Identities Group, a successor to NIST’s National Strategy for Trusted Identities in Cyberspace, Romine told Nextgov. The Trusted Identities Group funds pilot programs related to online identity verification among other projects.

Parsing the Moderates

This summer, NIST hopes to release the fifth revision of its publication that recommends security controls for federal information systems—the technical title is NIST Special Publication 800-53—Ron Ross, a NIST fellow focused on cybersecurity, told board members.

One update in the new revision, Ross said, is that NIST will recommend that instead of simply categorizing information systems as having low, moderate and high importance for security, the agency will suggest breaking up the moderate level into low-moderate, moderate-moderate and high-moderate levels.

About 70 percent of information systems are categorized as moderate impact, Ross said, so the new division will help agencies make more nuanced decisions about how to balance security, cost and efficiency in those systems, including choosing which ones can be safely migrated to computer clouds.