A House bill that would have put the National Institute of Standards and Technology in charge of auditing agency cybersecurity practices was amended to place that responsibility in the hands of agency inspectors general, a move which a policy expert said will give the bill a better chance of passage.
“I would think this amendment would increase the likelihood of passage,” said Marcus Christian, partner in the law firm Mayer Brown’s Litigation and Dispute Resolution practice and White Collar Defense and Compliance group. “I think that it’s important to have a capable body conducting these audits.”
Originally the bill, H.R. 1224, the “NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017,” would have required NIST to conduct audits of agency implementation of the NIST cybersecurity framework.
According to Rep. Lamar Smith, R-Texas, though NIST has done a great job creating and updating standards within that framework, NIST lacks authority to enforce those standards. And the Office of Management and Budget, which is responsible for assuring federal agency compliance under the Federal Information Security Management Act, lacks the cybersecurity expertise to do so effectively.
NIST officials have in the past expressed discomfort with their agency moving into the auditing and compliance space, as it could damage the agency’s reputation as an independent standards-setting body.
Conversely, IGs already conduct audits under FISMA, which Christian said is “not such a great leap” to the responsibilities outlined in the bill.
“Inspectors general are a better resource for regularly assessing the compliance and sufficiency of federal agencies’ cybersecurity defenses. Under FISMA, the IGs already perform annual audits of all major aspects of agencies’ operations. The IGs also have statutory authority to compel agencies to produce needed information and to comply with indicated improvement and remedial actions,” wrote Smith in the bill’s committee report to Congress. “What the IGs lack is crucial internal expertise for assessing cybersecurity issues. H.R. 1224, however, takes advantage of NIST’s singular cybersecurity expertise. As originally reported by the committee, H.R. 1224 would have directed NIST to conduct separate annual cybersecurity audits of federal agencies. After subsequent discussions with the Committee on Oversight and Government Reform, however, agreement was reached on a better approach that is reflected in the legislation to be considered by the full House.”
The bill now requires NIST to provide guidance for federal agencies to incorporate their Framework for Improving Critical Infrastructure into their information security risk management efforts, as well as establish a working group to create metrics for agencies to assess their risk and write a report on agency adoption rates.
“NIST won’t be venturing into an area it hasn’t been in the past,” Christian said. “I think this helps NIST to remain in that role.”
The legislation has been voted favorably out of the House Science, Space and Technology committee and awaits votes on the House floor.
“This legislation stems from urgent need. The status quo of U.S. government cybersecurity is demonstrably inadequate and growing worse,” wrote Smith. “The national and economic security of the United States, and the security of Americans’ personally identifiable information ― held in trust by various federal departments and agencies ― have been threatened by persistent cyberattacks. As the sophistication and frequency of cyberattacks by nation-states and nefarious cyber actors increases, so too does the threat to our economy, critical and virtual infrastructure, and national security.”