NIST's budget woes

National Institute of Standards and Technology report

After a year-long study, members of a federal advisory board have concluded that funding for computer security activities at the National Institute of Standards and Technology is inadequate and is delaying progress toward solving urgent cybersecurity problems.

A report on the study conducted by the Information Security and Privacy Advisory Board states that insufficient funds have forced officials in NIST's Computer Security Division to reduce their involvement in a security product certification program for federal agencies.

The report, "The Case for Adequate Funding," also suggests that research on wireless, radio frequency identification, voice-over-IP and other new technologies is lagging because of the funding shortfall.

In addition, it cites delays in developing guidelines for retrofitting the control systems of critical infrastructures, such as oil pipelines, with cryptographic security modules.

The board's report suggests that funding for the NIST division "has not kept pace with the growing demand for cybersecurity guidelines and standards as a result of the government's and the nation's growing reliance on information technology."

The board, which derives its statutory authority from the Federal Information Security Management Act (FISMA) of 2002, advises NIST officials, the Commerce Department secretary and the director of the Office of Management and Budget on information security and privacy issues pertaining to federal information systems.

The report states that federal civilian agencies spend about $2 billion annually on computer security. In fiscal 2004, NIST's Computer Security Division had a budget of $15.1 million and 53 full-time employees. Lawmakers have not yet passed an appropriations bill for NIST's fiscal 2005 budget.

Many government and private-sector security experts said they agree with the report's conclusion that new security requirements, especially those included in FISMA, have created a bigger demand for security guidelines and that funding for NIST's Computer Security Division is inadequate.

"The funding issue at NIST has been a continuing and chronic problem since the passage of the Computer Security Act [of 1987], which gave NIST a lot of authority and responsibility but never gave them the financial resources," said Lynn McNulty, director of government affairs for the International Information Systems Security Certification Consortium Inc. and associate director for computer security at NIST from 1988 to 1995.

Others familiar with the report agree that budget constraints are limiting the ability of NIST's computer security experts to provide practical guidelines in many new areas.

In some respects, however, NIST's cybersecurity experts may be their own worst enemy when it comes to getting a bigger piece of the budget pie. They have a reputation for efficiency and independence, two qualities that are lacking in other standards bodies, many of which are dominated by vendors with self-interested motives, said Paul Proctor, vice president for security and risk strategies at the Meta Group Inc.

"They're getting a lot done at NIST with relatively minimal funding," he said, in part because NIST's technical experts don't waste energy on political squabbles that hinder other standards groups. "They're able to be efficient because they don't have those types of concerns."
