New opportunities for NIST

Both the Homeland Security Act of 2002 and the E-Government Act of 2002 include provisions that attempt to raise the profile of cybersecurity initiatives. Central to each bill is a potentially larger role for the National Institute for Standards and Technology.

NIST has developed security guidance for years, but agencies are not required to follow it because the secretary of the Commerce Department has rarely used the authority granted in the Computer Security Act of 1987 to make NIST's standards and guidance mandatory.

Underscoring the importance of security, the e-government bill reaffirms that authority and "a lot of us hope that the secretary will use that authority more extensively than in the past," said Franklin Reeder, chairman of the federal Computer Systems Security and Privacy Advisory Board.

The bill "stresses the importance of this set of responsibilities" and could be important as NIST follows through on new requirements in both the e-gov and homeland security acts to develop and revise performance measures for agencies' security policies and programs, said Ed Roback, director of NIST's Computer Security Division.

Federal security could improve if the secretary should decide to make additional NIST guidance and standards mandatory, but such a decision could also have drawbacks, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. "But you don't get people's cooperation for the right reasons," and involuntary compliance could lead to agencies just checking off another requirement box instead of using the guidelines to improve their security management, she said.

Featured

  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/Shutterstock.com)

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected