New Cyber Bill Strikes Better Balance in Keeping Agencies Accountable

Paul Rosenzweig / Ceara Casterline

In an era marked by high-profile cyberattacks and hacks, U.S. government agencies need to be held accountable for implementing adequate security standards to better mitigate those risks.

In May, President Donald Trump issued an executive order requiring federal agencies to assess their own cybersecurity, an assessment that is then reviewed by the Department of Homeland Security and the Office of Management and Budget.

In February, the House Science, Space, and Technology Committee proposed supplemental legislation, the Cybersecurity Framework, Assessment, and Auditing Act.

The initial draft of the bill tasked the National Institute of Standards and Technology with auditing the cybersecurity measures of government agencies. We criticized the proposal because that task is traditionally reserved for the Government Accountability Office or the inspector general of each agency.

In 2014, the institute created a cybersecurity framework compiling a list of best practices from existing industry standards. Today, the framework is the leading tool for assessing cybersecurity.

While there is little disagreement that the National Institute of Standards and Technology did a good job in compiling cybersecurity practices and tools to measure preparedness, the institute is not equipped to audit compliance with those practices, and requiring it to do so would erode the institute’s standing as a neutral arbiter.

For that reason, we were concerned that the proposal might make stakeholders less likely to share information with the institute, since that information might later be used against them in an audit conducted by the institute.

After taking into consideration feedback from the public and undergoing a review, the House committee made amendments to the bill that addressed these concerns.

Under the updated proposal, which will be brought to the House floor, the National Institute of Standards and Technology would be tasked with working with the inspectors general to perform yearly evaluations. The institute will be responsible for providing an initial assessment of preparedness, providing technical assistance, and making recommendations to improve security.

The Council of the Inspectors General, the organization that oversees inspectors general, in turn would be responsible for providing training and evaluating effectiveness.

This new division of labor is an improvement, as it makes better use of the unique strengths of the National Institute of Standards and Technology and the inspectors general.