Showing posts with label NIST Authorization.

Monday, August 16, 2021

Review - HR 4609 Introduced – NIST for the Future Act

Last month, Rep Stevens introduced HR 4609, the National Institute of Standards and Technology (NIST) for the Future Act of 2021. This reauthorization bill includes language providing NIST with specific cybersecurity responsibilities.

On July 27th, the House Science, Space, and Technology Committee held a markup hearing that included the consideration of HR 4609. Substitute language was offered that included minor wording changes to the cybersecurity responsibility language. Fourteen other amendments were adopted before the substitute language was adopted by voice vote. One of those amendments would require NIST to develop tools and guidance to “enable software developers and operators to identify, assess, and manage cyber risks over the full lifecycle of software products.”

With the bipartisan support seen for this bill in Committee, and considering that this is a perennial legislative requirement, this bill will move to the full House. I suspect that it will be considered under the suspension of the rules process: limited debate, no floor amendments, and a supermajority required to pass. It will almost certainly pass with significant bipartisan support.

For more details on the language of the bill and its amendments, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4609-introduced - subscription required.

Monday, July 9, 2018

HR 6229 Introduced – NIST Reauthorization
Last month Rep. Comstock (R,VA) introduced HR 6229, the National Institute of Standards and Technology (NIST) Reauthorization Act of 2018. The bill would provide authorization for NIST for both FY 2018 and FY 2019. The bill was adopted by a voice vote in a mark-up hearing by the Committee on Space, Science, and Technology on June 27th, 2018 with one amendment. The bill contains a number of cybersecurity provisions.

Cybersecurity
Section 4 of the bill addresses the NIST cybersecurity programs. Most of it deals with support for the cybersecurity operations of agencies of the Federal government, but paragraph (c) addresses the cybersecurity research activities of NIST. These include:

• The development of research and engineering capabilities to provide practical solutions, including measurement techniques and engineering toolkits, to solve cybersecurity challenges such as human factors, identity management, network security, privacy, and software;
• Investment in tools to help private and public-sector organizations measure their cybersecurity, manage their risks and ensure workforce preparedness for new cybersecurity challenges; and
• Investment in programs to prepare the United States with strong cybersecurity and encryption technologies to apply to emerging technologies such as artificial intelligence, the internet of things, and quantum computing.

Section 7 of the bill addresses NIST research activity associated with the internet of things (IoT). It specifically addresses cybersecurity in two subparagraphs:

• The development of new tools and methodologies for cybersecurity of the internet of things; and
• The development and publication of new cybersecurity tools, encryption methods, and best practices for internet of things security.

None of the research requirements mentioned above include specific authorization for funding, so NIST will have to fund this research out of existing programs.

Committee Amendment
Rep. Comstock (R,VA) introduced the only amendment to HR 6229 to be considered by the Committee. It increased the authorized FY 2019 spending for NIST from $1.115 to $1.125 trillion dollars. It allocated all of that funding increase to spending for industrial technology services, which increased from $145 million to $155 million. It also removed the sub-allocation amounts in that account for the Manufacturing Extension Partnership and Manufacturing Innovation programs.

Moving Forward
This bill will move forward to the floor of the House. It will probably be considered under the suspension of the rules provisions with limited debate and no floor amendments. It will receive wide bipartisan support.

Commentary
It was disappointing to me to see no specific mention of industrial control system cybersecurity in the NIST research agenda while IoT received equal billing with cybersecurity and quantum information science. This is not implying that ICS cybersecurity research will not be conducted by NIST, just that Congress still does not see ICS cybersecurity as a priority. I expected better from the Science, Technology, and Space Committee.

On a nit-picking side note, there had been one other amendment proposed to this bill, but it was withdrawn by its author, Rep. Tonko (D,NY), presumably in favor of the Comstock amendment. Tonko’s version would have reduced the overall R&D authorization by $10 million to $840 million while increasing the industrial technology services account to the same $150 million set in the Comstock amendment. Tonko, however, would have allocated all of that increase to the Manufacturing Innovation Program.

The administrative problem with both of these amendments is that neither says where the additional $10 million for industrial technology services would come from. Comstock did not increase the R&D authorization and Tonko actually would have reduced it. Thus, both amendments would require NIST to reduce funding for other existing (but not specifically authorized) programs to provide the additional funding required.

Thursday, July 7, 2016

Bills Introduced – 07-06-16

With both the House and Senate in session yesterday, there were 38 bills introduced. Of those, three may be of specific interest to readers of this blog:

HR 5634 Making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2017, and for other purposes. Rep. Carter, John R. [R-TX-31]

HR 5639 To update the National Institute of Standards and Technology Act, and for other purposes. Rep. Moolenaar, John R. [R-MI-4]

HR 5643 To amend the Homeland Security Act of 2002 to provide for active shooter and mass casualty incident response assistance, and for other purposes. Rep. Duckworth, Tammy [D-IL-8]

The DHS spending bill is being introduced awfully late in the session, particularly for an election year. It is unlikely to receive consideration as a stand-alone bill. Still, it will be interesting to see what is included in the Committee Report on this bill.

The NIST authorization bill will be covered only if it includes specific provisions related to cybersecurity, particularly control system security.
The active shooter bill will probably not be mentioned again, but I am hoping that it will have at least some sort of provision requiring the Department to address the unique aspects of active shooter situations at chemical storage/production facilities.

Saturday, July 12, 2014

HR 5035 Introduced – NIST Authorization

As I mentioned earlier, Rep. Bucshon (R,IN), the Chair of the Subcommittee on Research and Technology of the House Science, Space and Technology Committee, introduced HR 5035, the NIST Reauthorization Act of 2014. This is the two-year re-authorization of the National Institute of Standards and Technology.

Cybersecurity

There is only one place in this bill where cybersecurity activities are specifically addressed. Section 12 of the bill would amend 15 USC 278g-3, the Computer Standards Program. This section of the USC makes NIST responsible for setting standards for the security of government computer systems (not including ‘national security systems’) and the information within those systems.

The only change made to this section is the removal of the words “the National Security Agency” from §278g-3(c)(1). This section currently requires the Director to “consult with other agencies and offices (including, but not limited to, the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the Government Accountability Office, and the Secretary of Homeland Security) to assure” that appropriate information security policies, procedures, and techniques are used by government agencies.

Apparently this revision was put into place because of the Snowden revelations that NIST recommended less than adequate encryption standards at the recommendation of the NSA. If this is the reason, the crafters of this language are taking very limited action against the NSA, because the section only applies to the security of government systems and not to NIST standards that would be used by the private sector.

Even within government IT security, this amendment to §278g-3 only deals with the lower security standards associated with government IT systems that are not national security systems. Paragraph (b) of the section still requires NIST to coordinate with the NSA to establish guidelines “for identifying an information system as a national security system consistent with applicable requirements for national security systems” {§278g-3(b)(3)}.

There are almost certainly other mentions of working with the NSA in 15 USC Chapter 7 {for example §278g-4(a)(3)} that could also have been addressed if Congress were serious about severing ties between NIST and the NSA. So this amendment is a symbolic congressional wrist slap of the NSA with no real consequences.

Moving Forward
According to the Majority Leader’s web site, HR 5035 will be considered by the House on Monday under suspension of the rules. Barring some unforeseen circumstance, this should mean that the bill will pass with a minimum of fuss and bother, very little debate and no amendments. It is likely to get equally swift and cursory attention in the Senate.