Congress Confirms NIST’s Role in Cybersecurity – and the Continuation of the Cybersecurity Framework

The Cybersecurity Enhancement Act of 2014 (CEA) was passed by the House and the Senate on December 11^th, and signed by the President on the 18^th. The bill formalizes the role of the National Institute for Standards and Technology (NIST) in continuing to develop the voluntary Cybersecurity Framework. Through five “titles,” the bill includes provisions to promote cybersecurity research, private/public sector collaboration on cybersecurity, education and awareness and technical standards, which includes a federal cloud computing strategy. Title I of the CEA, entitled “Public-Private Collaboration on Cybersecurity,” amends the NIST Act to permit the Secretary of Commerce, through the Director of NIST, to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure – this would be the Cybersecurity Framework. It requires the Director of NIST to coordinate continuously with, and incorporate the industry expertise of, relevant private sector personnel and entities, critical infrastructure owners and operators, sector coordinating councils, Information Sharing and Analysis Centers, and other relevant industry organizations.  It also requires the Director of NIST to consult with the heads of agencies with national security responsibilities, sector-specific agencies, state and local governments, governments of other nations, and international organizations. The bill directs the Director of NIST to identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help identify, assess, and manage cyber risks. The approach must also include methodologies to mitigate impacts on business confidentiality, protect individual privacy and civil liberties, incorporate voluntary consensus standards and industry best practices, align with international standards, and prevent duplication of regulatory processes. Title II of the CEA, entitled “Cybersecurity Research and Development,” directs the National Science and Technology Council (NSTC) and the Networking and Information Technology Research and Development Program (NITRDP) to, among other things, develop and update quadrennially, a federal cybersecurity research and development strategic plan to guide the overall direction of federal cybersecurity and information assurance research and development for information technology and networking systems.  It requires the heads of certain federal agencies and departments to assist in developing the strategic plan and to meet cybersecurity objectives.  The objectives include, among other things, determining how to design and build complex software-intensive systems that are secure when first deployed; determining how to test and verify that software and hardware is free of significant known security flaws; determining how to test and verify that software and hardware obtained from a third party correctly implements the represented functionality; determining how to guarantee the privacy of an individual when personally identifiable information is stored in distributed systems or transmitted over networks; determining how to build new protocols to enable robust security on the Internet; determining how to identify the origin of a message transmitted over the Internet; determining how to address insider threats; and determining how to protect information stored using cloud computing or transmitted through wireless services. Title II not only requires the strategic plan to include certain contents, but it also directs the NSTC and the NITRDP to solicit recommendations and advice from certain stakeholders, including private industry and academia. In fostering cybersecurity research, Title II requires the Director of NIST to support research that develops, evaluates, disseminates and integrates new cybersecurity practices and concepts into the core curriculum of computer science programs and other programs which may include future software developers. Similarly, the Director of NIST is required to develop new models for professional development of faculty involved in cybersecurity education.  The Director is also required to develop and revise security automation standards, reference materials and checklists that minimize security risks associated with technology used within the federal government. Title III of the CEA, entitled “Education and Workforce Development,” directs the Department of Commerce, the National Science Foundation (NSF), and the Secretary of Department of Homeland Security (DHS), in consultation with the Director of the Office of Management and Budget (OMB), to support competitions and challenges to recruit individuals to perform information infrastructure security duties or to stimulate cybersecurity innovations. Title IV of the CEA, entitled “Cybersecurity Awareness and Preparedness,” directs the Director of NIST to continue coordinating a national cybersecurity awareness and preparedness campaign to increase public awareness and understanding of cybersecurity risks, including the dissemination of cybersecurity technical standards and best practices, supporting education programs, and promoting initiatives to evaluate workforce needs.  It also requires NIST to develop a strategic plan to guide federal activities in support of the efforts, and it directs NIST to transmit the strategic plan to Congress every five years. Title V of the CEA, entitled “Advancement of Cybersecurity Technical Standards,” requires the Director of NIST to ensure the coordination of federal agencies in the development of international technical standards related to information security and, within one year of the enactment of the CEA, to develop and submit to Congress a plan for ensuring federal agency coordination. It also requires the Director of NIST, in coordination with OMB and other stakeholders, to develop and encourage the implementation of a comprehensive strategy for the use of cloud computing services by the federal government. Finally, it requires the Director of NIST to continue a program to support the development of voluntary and cost-effective technical standards, metrology, testbeds, and conformance criteria, to improve interoperability among identity management technologies, to strengthen authentication methods of identity management systems, to improve privacy protection in identity management systems, and to improve the usability of identity management systems.   Please contact Christin McMeley with any inquiries at 202.973.4264.