Industry opposes security standards

Original version of S. 2182

The private sector has signaled its opposition to language requiring the National Institute of Standards and Technology to develop benchmark security standards for federal agencies. The wording was added May 17 to a bill passed by the Senate Commerce, Science and Transportation Committee.

Industry representatives said last week, however, that they hope to work with the committee to resolve their opposition to the amendment to the Cyber Security Research and Development Act (S. 2182), which seeks to improve federal information security.

Working through NIST and the National Science Foundation, the act would inject more than $900 million into security research, grants, training and education during five years. A companion bill passed the full House in February.

Educators and researchers have often called for such rates of federal funding in recent years, and researchers in industry and academia have praised the act since it was introduced in the Senate this year and in the House at the end of last year.

The amendment, offered by Sens. Ron Wyden (D-Ore.) and John Edwards (D-N.C.), increased the funding level. But it also added a requirement for NIST to establish benchmark security standards for federal agencies developed in conjunction with industry, academia, the Office of Management and Budget and the CIO Council. Under the amendment, those standards would be reviewed and updated at least every six months.

The standards would be "a baseline minimum security configuration for specific computer hardware or software components, an operational procedure or practice, or organizational structure that increases the security of the information technology assets of a department or agency," according to the amendment.

Other requirements in the amendment include reports by the National Academy of Sciences and the CIO Council (see box).

The Business Software Alliance (BSA) and the Information Technology Association of America (ITAA) oppose the idea of standards. According to both organizations' statements, establishing such standards would hinder efforts to quickly respond to changing security threats and could possibly spill over to impose standards on the private sector.

Officials for both organizations said they are working closely with the committee staff, and BSA officials are "optimistic that we can get something resolved before the bill gets to the floor," said Jeri Clausing, director of public relations for policy at the alliance.

However, only the complete removal of the standards language would be acceptable to ITAA, said Shannon Kellogg, vice president for information security programs at ITAA.

"The bill as originally proposed is something that we've been supportive of," Kellogg said. "But anything that's in the bill that focuses on the standards area is unacceptable."

The committee's intention was not to set technology-specific standards that could block innovation or new technologies, according to a staff member who asked not to be named.

If agencies were not already paying attention to the problem of accountability and standards, and were not already working internally to address those issues, then congressional action might help raise awareness, said Harris Miller, president of ITAA.

But since agencies are in fact taking action on their own, any standards will only cause confusion or harm, he said. Any accountability measures should focus more on performance, and such measures are already included in the bills to reauthorize the Government Information Security Reform Act of 2000, Miller said.

***

Reporting on standards

An amendment to the Cyber Security Research and Development Act submitted by Sens. Ron Wyden (D-Ore.) and John Edwards (D-N.C.) would mandate several studies to determine whether requiring agencies to adopt benchmark security standards would benefit or harm the agencies

. For one report, the National Academy of Sciences would examine the impact of the security standards on agencies. That study, which would have to be completed within three months after the bill becomes law, would look at the following issues:

* The extent to which an agency's security would be improved by the adoption of benchmark standards.

* The operational benefits, costs and consequences of adopting such standards.

* The effect of agencies' different security needs on determining and adopting standards.

The CIO Council would be required to submit a report to Congress within three years providing details on three issues:

* The status of the adoption of benchmark standards at each department and agency.

* The costs associated with such adoption.

* Any barriers to adoption and recommendations for overcoming such barriers.