Board calls for more funding for security unit

NIST's Computer Security Division needs more money than the 2004 budget will likely provide, says the Information Security and Privacy Advisory Board.

GAITHERSBURG, Md. -- If the United States is to keep up with the ever-growing number of security problems and pitfalls, the government's computer security experts must get more support than the fiscal 2004 budget provides, according to a federal advisory board.

Seven of 13 appropriations bills have stalled as Congress argues over a federal budget that is tight across the board, so the National Institute of Standards and Technology's Computer Security Division is not the only agency still awaiting final word on its fiscal 2004 money. But given the ramp-up in security concerns and awareness, it was a surprise to the Information Security and Privacy Advisory Board to learn that initial estimates of the division's base funding project a decrease from the current year.

The almost $10 million currently slated to go to the division in fiscal 2004 is down from almost $15 million in fiscal 2003. The hit appears even more significant once federal pay raises are taken into account, said Ed Roback, chief of the security division.

A reduction, Roback said, would force the division to slow down or delay projects, such as a certification program for vendors that perform security certification and accreditation so that agencies know they can trust the companies that are telling them to trust their networks.

Roback and others were speaking today at a meeting of the advisory board.

NIST supports not just federal security needs, but also companies, academia and the rest of the world, said Howard Schmidt, a member of the board and chief information security officer at eBay. The division's standards -- such as the system classification and minimum-security requirement standards currently under development -- are often the basis for international standards efforts, he said.

"It's important for Congress to understand that they're cutting off the knees of the organizations that support everything," said Charisse Castagnoli, a member of the board and vice president for business and development at Layer N Networks. Wireless security, something that NIST and the world are just beginning to tackle, will definitely be affected by reduced capabilities at the division, she said.

The Computer Security Division's base funding doesn't even cover all the salaries for its staff, Roback said. The rest of the money for operating expenses comes from payments from agencies and other NIST divisions for security services, in addition to guidance and standards, he said. These services include the Computer Security Expert Assist Team (CSEAT), which evaluates agencies' networks and security controls.

Other board members expressed their concern that working with appropriators to increase the funding will be an even harder battle now than before. With the Office of Management and Budget saying that agencies are improving their security practices and Rep. Adam Putnam (R-Fla.) recently releasing a security report card that brings the governmentwide security score up from an F to a D, appropriators may incorrectly think that the division is doing fine with the money it has, said Rebecca Leng, deputy assistant inspector general for information technology and computer security at the Transportation Department.
