Is FISMA why NSA influenced NIST?


Documents leaked by Edward Snowden revealed that the National Security Agency weakened computer security standards set by the National Institute of Standards and Technology, and it might have been changes to the Federal Information Security Management Act that allowed it to happen.

The Computer Security Act of 1987 originally was supposed to limit the NSA's ability to control certain government systems, but that changed 15 years later when FISMA was enacted, privacy activists charge.

"In 2002 FISMA rewrote the NSA-NIST consulting provisions. ... It was a very nuanced language-change," Amie Stepanovich, director of the Electronic Privacy Information Center's Domestic Surveillance Project, said Oct. 1. "If you read carefully in the definitions, it appears to make it easier to influence standards and to influence in a way that preserves the NSA's ability to collect information."

Criticism has mounted in recent months as documents continue to emerge outlining the NSA's covert activities, including spying on Americans through information that Internet security providers were forced to hand over. Sources say that news of the NSA's activities has been harmful to the IT security community, including to businesses.

"It's disappointing because there's a tremendous amount of expertise, particularly at the NSA, that people would like to be able to have inform [in a positive way] how we keep ourselves secure," Alan Davidson, visiting scholar at the Massachusetts Institute of Technology, said at an event at the Information Technology Innovation Foundation in Washington. "This has really undermined the trust in this community of people who build secure systems, and it's going to be really difficult for anybody to trust the NSA to be involved in any of these kinds of conversations for a long time."

It is not clear if, how or when public trust in the NSA or even NIST will be restored, but Stepanovich seemed to believe it is possible.

"I think NIST has done a good job establishing itself, despite its interactions with NSA, as somebody who can lead the setting of standards not only in the U.S. but throughout the world, but there are definitely some things that have to change," she said.

Among those things are significantly improved transparency in communication between NSA and NIST, and between NSA and other agencies. Much of that communication stays secret under a provision in the Freedom of Information Act, and both that law and FISMA also need to change, Stepanovich said.

"I think we need to reexamine that standard and see when interagency communications should be disclosed, because it's really put into place quite often to keep out of the public eye information that might be embarrassing to the government," she said, adding that there also should be limits on when the NSA and NIST are allowed to communicate. "We need to greatly limit and expressly provide when the NSA can communicate with NIST to begin with. Not only do we need transparency when they do consult, but we need to make sure they can't consult in order to preserve their own ability to collect information."

News of the NSA's involvement in NIST standards also has a negative impact on standards-setting itself, as well as security as a whole, according to Kevin Bankston, director of the Free Expression Project at the Center for Democracy and Technology.

"Subverting standards is cheating in the worst way – it not only subverts the standards themselves, but subverts the ability to have standards at all. It makes us not competitive and makes us less secure against the NSA and everything else," Bankston said.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
