March 1, 2017 – A bill that would direct the National Institute of Standards and Technology to assess federal agencies’ compliance with NIST’s cybersecurity framework today cleared a House committee on a largely party-line vote. The House Science, Space, and Technology Committee approved the NIST Cybersecurity Framework, Assessment, and Auditing Act (HR 1224) by a vote of 19-14. Every Democrat on the committee opposed the bill except Rep. Dan Lipinski (D., Ill.).
Democrats objected to requiring NIST to conduct cybersecurity audits of federal agencies. NIST lacks the expertise and resources to conduct such audits, they said. “NIST is not an auditing agency,” said Rep. Eddie Bernice Johnson (D., Texas), the committee’s ranking Democrat. “They have no such history, expertise, or capacity. They are a standards and technology agency.”
“Nowhere in this bill do we provide NIST with the tens of millions of dollars of additional funding to become the cybersecurity auditing agency of the federal government. This is a massive unfunded mandate levied on an agency which is already over-tasked,” Rep. Johnson added. “NIST itself has steadfastly maintained that they are the wrong agency to do it, and not just because of limited resources.”
But Lamar Smith (R., Texas), the committee’s chairman, indicated he would seek to boost NIST’s funding to complete the tasks assigned to it by the bill. “We recognize NIST will need resources to accomplish this work,” he said. “We will address that in a NIST authorization bill this year.”
The author of the bill, Ralph Abraham (R., La.), said data breaches at federal agencies required NIST and other agencies to look for non-traditional solutions. “It is easy to sit back and state, with the benefit of NIST’s reputation as an exemplary agency, that we should not consider changing the way the institute operates because of what might happen or how the institute’s reputation or effectiveness might suffer,” he said.
“But the current state of affairs do not suggest that the best way forward is to keep taking the path of least resistance,” Rep. Abraham said. “Much as the nature of cyber-attacks continue to evolve to reflect the sophistication of the cyber criminals, we in the government must also be willing to evolve to protect Americans and our government. That evolution starts with thinking outside the box instead of maintaining a business-as-usual approach.”
– Tom Leithauser, email@example.com