House subcommittee enhances computer security bill, NIST's role

Following advice from federal and industry experts, a House subcommittee on Wednesday expanded the role of the National Institute of Standards and Technology in helping to secure federal information systems, requiring more testing and evaluation of systems and annual progress reports on agency security efforts.

The House Science Committee's Technology Subcommittee made the move as part of a modification to the Computer Security Enhancement Act of 1999, which is intended to update NIST's resources to reflect changes in technology and security practices. The original act, passed in 1987, authorized NIST as the lead agency for securing civil agencies' systems but did not take into account the Internet environment, the growing range of threats, and the advances in encryption and other security technologies.

The amended bill, approved on Wednesday by the Technology Subcommittee, would place more emphasis on systems connected across agencies and on NIST's role as an evaluator of commercial products and agency systems and plans. Under the amendment, NIST also would perform evaluations and tests of agency security programs and annually report the results to Congress. NIST also would test, evaluate and provide a list of commercially available security products.

This year, after creating a new version of the bill, the subcommittee called on experts from NIST, the National Security Agency—NIST's partner under the Computer Security Act—the General Accounting Office and several industry groups for advice on how to improve the bill's enhancement provisions.

All of the witnesses who appeared before the subcommittee suggested putting in place a way for Congress to track agencies' progress in implementing security programs and practices and possibly requiring agencies to use products tested and certified by NIST and NSA through the National Information Assurance Partnership program.

The bill would also provide funding to the Computer System Security and Privacy Advisory Board, a group of federal, industry and academic security and privacy experts hosted by NIST. Under the bill, the board would receive more than $2 million over the next two years. The amendment eliminates, however, a requirement included in the earlier version of the bill that NIST not make technology recommendations to the Commerce Department secretary without written recommendation from the board, a requirement that NIST and the board opposed.