Leaders on both sides of the aisle appear to agree that cybersecurity is, and must continue to be, a key focus of national security planning and risk assessment.
But there’s a split already apparent under the new Trump administration, involving the National Institute of Standards and Technology. NIST isn’t usually mired in partisan politics, but neither is NIST a regulatory agency, and that is becoming the gist of the issue.
On March 1, a Congressional committee approved a measure that would have NIST “evaluate and audit federal agencies’ adoption of the cybersecurity and technology guidelines,” according to The Hill publication.
NIST first published its cybersecurity guidelines in 2014, a project begun at the behest of the president at the time, and has continually updated them ever since. The goal is “to develop a voluntary framework to help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid.”
But the mission was never regulatory. Republicans cited the proposed bill as a way to shake up how cybersecurity issues are currently handled. And the bill appears to align with draft guidelines circulating out of the White House that call for NIST guidelines to form a framework for evaluating the cybersecurity plans of federal agencies.
But Democrats, along with cyber experts, note that NIST isn’t a regulatory agency. It’s one thing to publish suggestions and guidelines, but a completely different level of engagement and budget to take on the development of security metrics, plus active oversight of a host of federal agencies. Should that not fall under the Office of Management and Budget or the Department of Homeland Security?
The bill’s requirements “jibe with some elements of a draft cybersecurity executive order that would mandate that agencies adopt the NIST framework,” notes a story in Nextgov. “It would conflict, however, with NIST’s general policy that the framework should be an advisory document… rather than a strict set of rules.”
Additionally, some feel that OMB and Homeland Security already do some of the monitoring laid out in the bill, making it an unnecessary duplication.
The draft federal guidelines would use NIST frameworks specifically for risk assessment, requiring federal agency heads to use that framework and report back to the OMB within 90 days of the passing of the new requirements. Risk assessment remains the first step toward closing any loopholes or strengthening weak spots. But many agencies have already engaged in some of this work. And just as the NIST framework isn’t meant to be a series of benchmarks, it’s also not meant to be a strict set of metrics against which to measure all government risk. That’s not what it was created for.
We applaud the executive office for making this a leadership issue that agency heads will be required to oversee. Doing so recognizes cybersecurity and risk in the global supply chain as core agency issues, and not just something that can be left to subordinates. NIST has created a great universal standard.
But we agree that having NIST conduct audits turns an advisory agency into a compliance one, shifting its focus away from risk management, where its input is sorely needed. We need to focus on potential risks and how to function in this new interconnected world, not offer checklists for agency heads that hackers aren’t about to abide by.
Cybersecurity and supply chain threats demand new ways of thinking about enforcement and risk assessments. Forcing this work into old-school models of assessments, on an agency not equipped or funded for the work, could backfire.
Establishing a framework, and holding agency leadership accountable for management of the risks of their organizations, is a move in the right direction.