New opportunities for NIST

Both the Homeland Security Act of 2002 and the E-Government Act of 2002 include provisions that attempt to raise the profile of cybersecurity initiatives. Central to each bill is a potentially larger role for the National Institute for Standards and Technology.

NIST has developed security guidance for years, but agencies are not required to follow it because the secretary of the Commerce Department has rarely used the authority granted in the Computer Security Act of 1987 to make NIST's standards and guidance mandatory.

Underscoring the importance of security, the e-government bill reaffirms that authority and "a lot of us hope that the secretary will use that authority more extensively than in the past," said Franklin Reeder, chairman of the federal Computer Systems Security and Privacy Advisory Board.

The bill "stresses the importance of this set of responsibilities" and could be important as NIST follows through on new requirements in both the e-gov and homeland security acts to develop and revise performance measures for agencies' security policies and programs, said Ed Roback, director of NIST's Computer Security Division.

Federal security could improve if the secretary should decide to make additional NIST guidance and standards mandatory, but such a decision could also have drawbacks, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. "But you don't get people's cooperation for the right reasons," and involuntary compliance could lead to agencies just checking off another requirement box instead of using the guidelines to improve their security management, she said.


  • Image: Shutterstock

    COVID, black swans and gray rhinos

    Steven Kelman suggests we should spend more time planning for the known risks on the horizon.

  • IT Modernization
    businessman dragging old computer monitor (Ollyy/

    Pro-bono technologists look to help cash-strapped states struggling with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help.

Stay Connected