NIST takes center stage in cyber legislation

The latest iteration of legislation aimed at strengthening defenses against cyber attacks would formalize and reinforce a leading role for the National Institute of Standards and Technology in protecting critical infrastructure, writing into law what President Obama's executive order directed: NIST's charge to develop a comprehensive cybersecurity framework.

The measure, introduced July 24 by Senate Commerce, Science and Transportation Chairman Jay Rockefeller (D-W.Va.) and backed by ranking member John Thune (R-S.D.), also would have NIST develop standards, guidelines and best practices for U.S. businesses, including those that operate critical infrastructure.

NIST's work on the cybersecurity framework already is under way, with an initial version due in October. For the past several months, NIST officials have convened meetings with industry and the general public that will underpin the framework, which relies heavily on private sector participation.

The bill also targets investment in research and development, public awareness and cybersecurity workforce improvement.

"I've always thought this was a great way to emphasize the critical need for a public-private approach when it comes to solving our most pressing cybersecurity issues," Rockefeller said in a statement. "NIST is a jewel of the federal government and it's the right organization to guide this very important work."

At a Commerce Committee hearing July 25, NIST Director Patrick Gallagher outlined some of the agency's background in government standards, technology and collaboration, as well as work done so far on federal cybersecurity efforts.

"There are two roles of NIST. One is the technical depth...that's so important in working with the private sector and remaining neutral," Gallagher said. "But the other role of NIST is coordination of standards in the sense that we're sort of the corporate memory in the government about how to work with the private sector on various standards-setting activities. And [another] role we have is a very natural collaboration role with other federal agencies, and that's been a key part of this effort."

In an effort to speed passage, Rockefeller and Thune left out of their bill a number of provisions that sank previous versions of cybersecurity legislation, including mandatory requirements for industry and incentives for voluntary adoption. Rockefeller compared mandatory requirements to seatbelts: it is easy enough to develop them, much harder to gain support for requiring their use.

"The question of doing something about it [and] actually finding out the best standard and somehow adhering to that is not inconsequential," he said. "It's not part of what we're doing here, not a part of our bill, but it's something we have to keep in mind."

The bill also does not address formalized or systematic information-sharing between government and industry, but private-sector participation is crucial in both the legislation and NIST's forthcoming framework and ensuing operations.

"Industry leadership is so important because ... the know-how and the capacity are largely in industry, and embracing that is the best way to have an agile process that keeps up with this technology that's evolving very quickly," Gallagher said. "Having an industry-led process vastly increases the chances that the answer is compatible with business. Since the goal here is to put this into use, having a standard on the shelf is not going to help anyone. The more we can align these practices with good business practices, the types of risk management that companies do anyway, the better off this will work."

Gallagher outlined some of what to expect in the forthcoming framework, including a body of best practices emerging from extensive private-sector participation, and a second area with a set of agreed-upon gaps that remain to be addressed.

"The final framework will have a set of best practices and a roadmap for improvement. That's one of the reasons a framework process can't be a once-through," he said, because officials and participants need to be able to go back and see what remains to be improved on. "This can't work if there's not flexibility. The threat environment we're facing and the pace of technological change is [too] rapid and dynamic."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
