Is FISMA why NSA influenced NIST?

Documents leaked by Edward Snowden revealed that the National Security Agency weakened computer security standards set by the National Institute of Standards and Technology, and it might have been changes to the Federal Information Security Management Act that allowed it to happen.

The Computer Security Act of 1987 originally was supposed to limit the NSA's ability to control certain government systems, but that changed 15 years later when FISMA was enacted, privacy activists charge.

"In 2002 FISMA rewrote the NSA-NIST consulting provisions. ... It was a very nuanced language-change," Amie Stepanovich, director of the Electronic Privacy Information Center's Domestic Surveillance Project, said Oct. 1. "If you read carefully in the definitions, it appears to make it easier to influence standards and to influence in a way that preserves the NSA's ability to collect information."

Criticism has mounted in recent months as documents continue to emerge outlining the NSA's covert activities, including spying on Americans through information that Internet security providers were forced to hand over. Sources say that news of the NSA's activities has been harmful to the IT security community, including to businesses.

"It's disappointing because there's a tremendous amount of expertise, particularly at the NSA, that people would like to be able to have inform [in a positive way] how we keep ourselves secure," Alan Davidson, visiting scholar at the Massachusetts Institute of Technology, said at an event at the Information Technology Innovation Foundation in Washington. "This has really undermined the trust in this community of people who build secure systems, and it's going to be really difficult for anybody to trust the NSA to be involved in any of these kinds of conversations for a long time."

It is not clear if, how or when public trust in the NSA or even NIST will be restored, but Stepanovich seemed to believe it is possible.

"I think NIST has done a good job establishing itself, despite its interactions with NSA, as somebody who can lead the setting of standards not only in the U.S. but throughout the world, but there are definitely some things that have to change," she said.

Among those things are significantly improved transparency in communication between NSA and NIST, and between NSA and other agencies. Much of that communication stays secret under a provision in the Freedom of Information Act, and both that law and FISMA also need to change, Stepanovich said.

"I think we need to reexamine that standard and see when interagency communications should be disclosed, because it's really put into place quite often to keep out of the public eye information that might be embarrassing to the government," she said, adding that there also should be limitations of when the NSA and NIST are allowed to communicate. "We need to greatly limit and expressly provide when the NSA can communicate with NIST to begin with. Not only do we need transparency when they do consult, but we need to make sure they can't consult in order to preserve their own ability to collect information."

News of the NSA's involvement in NIST standards also has a negative impact on standards-setting itself, as well as security as a whole, according to Kevin Bankston, director of the Free Expression Project at the Center for Democracy and Technology.

"Subverting standards is cheating in the worst way – it not only subverts the standards themselves, but subverts the ability to have standards at all. It makes us not competitive and makes us less secure against the NSA and everything else," Bankston said.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
