Infosec research bill amended

Senate committee passes funding bill, with amendment to establish baseline security standards for agencies

The Senate Commerce, Science and Transportation Committee passed a bill May 16 that would add millions to federal information security research funding and — thanks to a last-minute amendment — establish regularly updated baseline security standards for agencies.

Researchers in industry and academia have praised the Cyber Security Research and Development Act (S. 2182) since it was introduced in the Senate this year and in the House at the end of last year.

Working through the National Science Foundation and the National Institute of Standards and Technology, the bill would inject more than $900 million into security research, grants, training and education during five years. Such investment is something educators and researchers have often called for in recent years.

The amendment, offered by Sens. Ron Wyden (D-Ore.) and John Edwards (D-N.C.), raised the research funding by almost $100 million over the original level. It also created a new Office of Information Security Programs within NIST to consolidate that agency's security research management.

The amendment also added a provision that raised some concern in industry: a requirement for NIST to establish "benchmark security standards" for federal agencies. Those standards would be developed in conjunction with industry, academia, the Office of Management and Budget and the federal CIO Council, and would be reviewed and updated at least every six months.

The standards would be "a baseline minimum security configuration for specific computer hardware or software components, an operational procedure or practice, or organizational structure that increases the security of the information technology assets of a department or agency," according to the amendment.

The Business Software Alliance and the Information Technology Association of America each issued a statement after the bill passed, opposing the language calling for standards. According to both organizations' statements, establishing such standards would hinder efforts to respond quickly to changing security threats and could spill over to impose standards on the private sector.

However, the committee had no intention to set technology-specific standards that could stand in the way of innovation or new technologies, according to one staff member who asked not to be named.

The bill now goes to the full Senate for consideration. The House version of the bill passed the full House in February.