March 10, 2017
The House Science Committee will mark up a bill that would give the National Institute of Standards and Technology (NIST) a more active role in assessing other agencies’ digital defenses. The NIST Cybersecurity Framework, Assessment and Auditing Act of 2017 (H.R. 1224) would direct the technical standards agency to prepare new metrics for evaluating agencies’ cyber protections and require regular NIST audits of high-risk agencies. It would also “prompt” agencies to adopt NIST’s cybersecurity risk-management framework, which large companies have adopted in recent years. Rep. Ralph Abraham (R-La.) introduced the bill Monday, along with House Science Committee Chairman Lamar Smith.
It’s unclear how the bill will be received at NIST, where employees pride themselves on friendly relations with other agencies and do not want to be seen as overseers. Requiring NIST to assess other agencies’ compliance with its framework could pose challenges. But the Science Committee, which has held hearings on data breaches at numerous agencies, believes the legislation could help stem the tide of embarrassing and damaging government hacks. “Given all of [those breaches] and the certainty that there will be more of the same attempted,” a Republican committee aide said in a briefing with reporters, “it seems to us that we’re at a point where the first priority should no longer be maintaining everyone’s comfort zone.”
If it became law, the bill would be a natural complement to President Trump’s cybersecurity executive order, the latest public draft of which requires agencies to use NIST’s framework. “We don’t have the jurisdiction to require agencies to use the framework,” said the Republican committee aide. “This is helping that process, should it occur.” As for why the bill gave new responsibilities to NIST and not the Department of Homeland Security or the Office of Management and Budget — the other two agencies statutorily responsible for the government’s digital defenses — the aide said Congress was disappointed with how OMB and DHS executed their missions. “It’s fair to say,” argued the aide, “that only one [agency] — NIST — has performed its responsibilities in a timely and effective way, as Congress intended.”
The regulation allows institutions to “modulate their approach based on their individual needs versus the one-size-fits-all approach that many older regulations take,” Grossman said. The mandatory risk assessment needs to be “comprehensive and structured” so it can be used to develop a compliance plan.
In the face of industry complaints over the first draft, regulators took a more tailored approach in the final regulation. However, the regulation “is going to take some significant compliance efforts because of its highly prescriptive nature,” Krotoski said.
The risk assessment requirement, among other timing aspects, is inconsistent, though. Some parts of the regulation that depend on the risk assessment require compliance within 180 days—nine months before the risk assessment needs to take place, Chabinsky said.
“As a result, covered entities should consider starting their risk assessments earlier than the regulation allows or risk getting caught in a catch-22,” he said.
C-Suite on Notice
The board, or an equivalent governing body, will need to sign off on a statement assuring that they have reviewed all documents demonstrating that the organization is in compliance with the regulation.
The regulation forces C-Suite executives back into the loop and gives them responsibility over cybersecurity preparedness, Grossman said. But in order to perform this duty, organizations are going to need to hire forensic and technical experts to guide them, Krotoski said.
“The biggest beneficiaries of this regulation may not be consumers, but rather the insurers, cybersecurity firms, newly established CISOs, and legal advisers that will be needed to drive compliance,” Chabinsky said.