From: New America
With President Trump’s executive order mandating federal agencies to adopt the Cybersecurity Framework and a new bill by House Republicans proposing to give NIST an oversight role, a look at where NIST started and where it might go.
By Hande Guven
The National Institute of Standards and Technology (NIST) is the organization of choice for the government’s efforts to meet an increasingly sophisticated cybersecurity challenge, with a piece of legislation now proposing to give NIST an auditor role. The NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R.1224), introduced by Rep. Ralph L. Abraham (R-La.) in March 2017, passed the House Science Committee and has been characterized as one of the most significant congressional moves this year. However, NIST doesn’t want the role, and not everyone is enthusiastic. For good reason too: the contents of the bill are troublesome and risk diminishing the trust that NIST has painstakingly built over the course of its years of existence by forcing an auditing function on a standard-setting organization. There are other steps that Congress and NIST can take to improve federal cybersecurity, including a renewed focus on investing in people and making NIST’s Cybersecurity Framework more accessible.
NIST has long been tasked with developing safeguards and guidelines for a variety of industries and technologies, including the use of information and communications technology across the public and private sectors. Formed as a non-regulatory body, NIST acts as “industry’s national laboratory” and aims to support industrial innovation and competition. NIST issues standards, guidelines, and metrics to help federal agencies and U.S.-based organizations protect their information and information systems. Generally speaking, complying with the security standards set by NIST also helps agencies meet the requirements of other information security regulations. NIST security standards are crafted from its various publications and from industry best practices. As such, NIST maintains a close working relationship with federal agencies and industry leaders alike and issues information security guidelines that can be customized for specific sectors and uses.