As I mentioned earlier, Rep. Bucshon (R,IN), the Chair of the Subcommittee on
Research and Technology of the House Science, Space and Technology Committee,
introduced HR 5035, the NIST Reauthorization Act of 2014. This is the two-year
re-authorization of the National Institute of Standards and Technology.
Cybersecurity
There is only one place in this bill where cybersecurity
activities are specifically addressed. Section 12 of the bill would amend 15
USC 278g-3, the Computer Standards Program. This section of the USC
makes NIST responsible for setting standards for the security of
government computer systems (not including ‘national security systems’) and the
information within those systems.
The only change made to this section is the removal of the
words “the National Security Agency” from §278g-3(c)(1). This section currently
requires the Director to “consult with other agencies and offices (including,
but not limited to, the Director of the Office of Management and Budget, the
Departments of Defense and Energy, the National Security Agency, the Government
Accountability Office, and the Secretary of Homeland Security) to assure” that
appropriate information security policies, procedures, and techniques
are used by government agencies.
Apparently this revision was put into place because of the
Snowden revelations that NIST recommended less-than-adequate encryption
standards at the recommendation of the NSA. If this is the reason, the crafters of
this language are taking very limited action against the NSA, because this section
only applies to the security of government systems and not to NIST standards that
would be used by the private sector.
Even with government IT security, this amendment to §278g-3
only deals with the lower security standards for government IT systems
that are not national security systems. Paragraph (b) of the section
still requires NIST to coordinate with NSA to establish guidelines “for
identifying an information system as a national security system consistent with
applicable requirements for national security systems” {§278g-3(b)(3)}.
There are almost certainly other mentions of working with
NSA in 15 USC Chapter 7 {for example §278g-4(a)(3)}
that could have also been addressed if Congress were serious about severing ties
between NIST and NSA. So this amendment is a symbolic congressional wrist slap
of the NSA with no real consequences.
Moving Forward
According to the Majority Leader’s web site, HR 5035 will be
considered by the House on Monday under suspension of the rules. Barring some unforeseen
circumstance, this should mean that the bill will pass with a minimum of fuss
and bother, very little debate and no amendments. It is likely to get equally
swift and cursory attention in the Senate.