New opportunities for NIST

Both the Homeland Security Act of 2002 and the E-Government Act of 2002 include provisions that attempt to raise the profile of cybersecurity initiatives. Central to each bill is a potentially larger role for the National Institute for Standards and Technology.

NIST has developed security guidance for years, but agencies are not required to follow it because the secretary of the Commerce Department has rarely used the authority granted in the Computer Security Act of 1987 to make NIST's standards and guidance mandatory.

Underscoring the importance of security, the e-government bill reaffirms that authority and "a lot of us hope that the secretary will use that authority more extensively than in the past," said Franklin Reeder, chairman of the federal Computer Systems Security and Privacy Advisory Board.

The bill "stresses the importance of this set of responsibilities" and could be important as NIST follows through on new requirements in both the e-gov and homeland security acts to develop and revise performance measures for agencies' security policies and programs, said Ed Roback, director of NIST's Computer Security Division.

Federal security could improve if the secretary should decide to make additional NIST guidance and standards mandatory, but such a decision could also have drawbacks, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. "But you don't get people's cooperation for the right reasons," and involuntary compliance could lead to agencies just checking off another requirement box instead of using the guidelines to improve their security management, she said.