Is FISMA why NSA influenced NIST?

Documents leaked by Edward Snowden revealed that the National Security Agency weakened computer security standards set by the National Institute of Standards and Technology, and it might have been changes to the Federal Information Security Management Act that allowed it to happen.

The Computer Security Act of 1987 originally was supposed to limit the NSA's ability to control certain government systems, but that changed 15 years later when FISMA was enacted, privacy activists charge.

"In 2002 FISMA rewrote the NSA-NIST consulting provisions. ... It was a very nuanced language-change," Amie Stepanovich, director of the Electronic Privacy Information Center's Domestic Surveillance Project, said Oct. 1. "If you read carefully in the definitions, it appears to make it easier to influence standards and to influence in a way that preserves the NSA's ability to collect information."

Criticism has mounted in recent months as documents continue to emerge outlining the NSA's covert activities, including spying on Americans through information that Internet security providers were forced to hand over. Sources say that news of the NSA's activities has been harmful to the IT security community, including to businesses.

"It's disappointing because there's a tremendous amount of expertise, particularly at the NSA, that people would like to be able to have inform [in a positive way] how we keep ourselves secure," Alan Davidson, visiting scholar at the Massachusetts Institute of Technology, said at an event at the Information Technology Innovation Foundation in Washington. "This has really undermined the trust in this community of people who build secure systems, and it's going to be really difficult for anybody to trust the NSA to be involved in any of these kinds of conversations for a long time."

It is not clear if, how or when public trust in the NSA or even NIST will be restored, but Stepanovich seemed to believe it is possible.

"I think NIST has done a good job establishing itself, despite its interactions with NSA, as somebody who can lead the setting of standards not only in the U.S. but throughout the world, but there are definitely some things that have to change," she said.

Among those things are significantly improved transparency in communication between NSA and NIST, and between NSA and other agencies. Much of that communication stays secret under a provision in the Freedom of Information Act, and both that law and FISMA also need to change, Stepanovich said.

"I think we need to reexamine that standard and see when interagency communications should be disclosed, because it's really put into place quite often to keep out of the public eye information that might be embarrassing to the government," she said, adding that there also should be limitations of when the NSA and NIST are allowed to communicate. "We need to greatly limit and expressly provide when the NSA can communicate with NIST to begin with. Not only do we need transparency when they do consult, but we need to make sure they can't consult in order to preserve their own ability to collect information."

News of the NSA's involvement in NIST standards also has a negative impact on standards-setting itself, as well as security as a whole, according to Kevin Bankston, director of the Free Expression Project at the Center for Democracy and Technology.

"Subverting standards is cheating in the worst way – it not only subverts the standards themselves, but subverts the ability to have standards at all. It makes us not competitive and makes us less secure against the NSA and everything else," Bankston said.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
