NIST's budget woes

National Institute of Standards and Technology report

After a year-long study, members of a federal advisory board have concluded that funding for computer security activities at the National Institute of Standards and Technology is inadequate and is delaying progress toward solving urgent cybersecurity problems.

A report on the study conducted by the Information Security and Privacy Advisory Board states that insufficient funds have forced officials in NIST's Computer Security Division to reduce their involvement in a security product certification program for federal agencies.

The report, "The Case for Adequate Funding," also suggests that research on wireless, radio frequency identification, voice-over-IP and other new technologies is lagging because of the funding shortfall.

In addition, it cites delays in developing guidelines for retrofitting the control systems of critical infrastructures, such as oil pipelines, with cryptographic security modules.

The board's report suggests that funding for the NIST division "has not kept pace with the growing demand for cybersecurity guidelines and standards as a result of the government's and the nation's growing reliance on information technology."

The board, which derives its statutory authority from the Federal Information Security Management Act (FISMA) of 2002, advises NIST officials, the Commerce Department secretary and the director of the Office of Management and Budget on information security and privacy issues pertaining to federal information systems.

The report states that federal civilian agencies spend about $2 billion annually on computer security. In fiscal 2004, NIST's Computer Security Division had a budget of $15.1 million and 53 full-time employees. Lawmakers have not yet passed an appropriations bill for NIST's fiscal 2005 budget.

Many government and private-sector security experts said they agree with the report's conclusion that new security requirements, especially those included in FISMA, have created a bigger demand for security guidelines and that funding for NIST's Computer Security Division is inadequate.

"The funding issue at NIST has been a continuing and chronic problem since the passage of the Computer Security Act [of 1987], which gave NIST a lot of authority and responsibility but never gave them the financial resources," said Lynn McNulty, director of government affairs for the International Information Systems Security Certification Consortium Inc. and associate director for computer security at NIST from 1988 to 1995.

Others familiar with the report agree that budget constraints are limiting the ability of NIST's computer security experts to provide practical guidelines in many new areas.

In some respects, however, NIST's cybersecurity experts may be their own worst enemy when it comes to getting a bigger piece of the budget pie. They have a reputation for efficiency and independence, two qualities that are lacking in other standards bodies, many of which are dominated by vendors with self-interested motives, said Paul Proctor, vice president for security and risk strategies at the Meta Group Inc.

"They're getting a lot done at NIST with relatively minimal funding," he said, in part because NIST's technical experts don't waste energy on political squabbles that hinder other standards groups. "They're able to be efficient because they don't have those types of concerns."
