Saturday, July 12, 2014

HR 5035 Introduced – NIST Authorization

As I mentioned earlier, Rep. Bucshon (R,IN), the Chair of the Subcommittee on Research and Technology of the House Science, Space and Technology Committee, introduced HR 5035, the NIST Reauthorization Act of 2014. This is the two-year reauthorization of the National Institute of Standards and Technology.


There is only one place in this bill where cybersecurity activities are specifically addressed. Section 12 of the bill would amend 15 USC 278g-3, the Computer Standards Program. This section of the USC makes NIST responsible for setting standards for the security of government computer systems (not including ‘national security systems’) and the information within those systems.

The only change made to this section is the removal of the words “the National Security Agency” from §278g-3(c)(1). This section currently requires the Director to “consult with other agencies and offices (including, but not limited to, the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the Government Accountability Office, and the Secretary of Homeland Security) to assure” that appropriate information security policies, procedures, and techniques are used by government agencies.

Apparently this revision was put into place because of the Snowden revelations that NIST recommended less than adequate encryption standards on the recommendation of the NSA. If this is the reason, the crafters of this language are taking very limited action against the NSA, because the section only applies to the security of government systems and not to NIST standards that would be used by the private sector.

Even within government IT security, this amendment to §278g-3 only deals with the lower security standards associated with government IT systems that are not national security systems. Paragraph (b) of the section still requires NIST to coordinate with the NSA to establish guidelines “for identifying an information system as a national security system consistent with applicable requirements for national security systems” {§278g-3(b)(3)}.

There are almost certainly other mentions of working with the NSA in 15 USC Chapter 7 {for example §278g-4(a)(3)} that could also have been addressed if Congress were serious about severing ties between NIST and the NSA. So this amendment is a symbolic congressional wrist slap of the NSA with no real consequences.

Moving Forward

According to the Majority Leader’s web site, HR 5035 will be considered by the House on Monday under suspension of the rules. Barring some unforeseen circumstance, this should mean that the bill will pass with a minimum of fuss and bother, very little debate and no amendments. It is likely to get equally swift and cursory attention in the Senate.
