This article first appeared on CyberScoop.
Under a bill approved Wednesday by a House committee, the National Institute of Standards and Technology would show federal agencies how to implement the Cybersecurity Framework that it developed for companies that own and operate critical infrastructure.
For agencies that adopt the framework, it would supplant traditional compliance with federal information security rules.
The House Science Committee approved the legislation, known as the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R. 1224), by a 19-14 vote, with a single Democrat crossing the aisle to vote with the majority.
The bill aims to “promote the use of the NIST framework by federal agencies,” a committee aide told CyberScoop. “It directs NIST to produce guidelines” for the agencies on how to implement the framework, which was designed, with significant industry input, to be a flexible and voluntary set of guidelines that companies could use to assess and manage their cybersecurity risks.
“The aim is to improve cybersecurity readiness and defenses of federal networks,” the aide said. But the bill cannot mandate agencies to use the framework, because the Science Committee only has jurisdiction over NIST. A bill from the House Oversight and Government Reform or Homeland Security Committees would be needed for that.
“We’ve been in touch with our colleagues on the other committees” with cybersecurity oversight, said the aide, adding that discussions were at an early stage — “We’re basically filling them in on what we’ve been doing,” he said.
An executive order would do the job, too. The draft cybersecurity EO that Trump administration officials have been circulating, for instance, would mandate agencies to adopt the NIST framework. But that draft has been circulating for weeks with no sign of any action, and its future is unclear.
The Science Committee bill would also mandate NIST to first assess and then audit agencies’ use of the framework using “outcome based metrics and testing.”
“Ultimately, the framework ought to supplant the current [cybersecurity] requirements under [the Federal Information Security Modernization Act, or] FISMA,” said the aide, calling the framework “a more 21st century approach.”
“The framework is a good tool for risk management [and] … for harmonizing and aligning all these [cybersecurity] requirements,” said the aide. “To avoid layering on new rules and security measures, we think this should eventually supplant FISMA.”
“From our perspective,” the aide concluded, “that would be a significant improvement.”
But NIST’s auditing role was a sticking point for committee Democrats. “I do not remember any expert ever recommending that NIST be given the responsibility to conduct annual cybersecurity audits of other agencies. NIST is not an auditing agency. They have no such history, expertise, or capacity,” said ranking Democrat Eddie Bernice Johnson of Texas.
She opposed the bill, along with 13 of the committee’s 14 other Democrats.
The aide said the next move was up to the House leadership. “Everyone is extremely keenly focused on what the next steps are in cybersecurity legislation,” he said, adding “We do not have a date certain” for the bill to get to the floor.