NIST Suspends IT Lab Reorganization
Should Computer Security Division Become NIST's 11th Lab?
"We have received expressions of both support and concern from various stakeholders," IT Lab Director Cita Furlani said Thursday in testimony before the House Science and Technology Subcommittee on Technology and Innovation. "We are seriously considering this input and plan to re-evaluate how to ensure that our structure is as flexible and efficient as possible in meeting the many challenges and opportunities ahead."
Under the proposed reorganization, unveiled in August, the director of the lab's Computer Security Division would have been elevated to a position within the IT Lab director's office, serving as ITL's cybersecurity adviser. The proposal would have encouraged more multidisciplinary collaboration among NIST units in developing cybersecurity programs and guidance, a move some critics saw as weakening the CSD brand.
In her testimony, Sun Microsystems Distinguished Engineer Susan Landau said that synergy is best achieved by keeping members of the Computer Security Division together. "While spreading security across an IT support organization might be useful, the same is not true for an organization doing research," Landau said. "Dividing different groups supporting CSD's mission will be detrimental to the work CSD does. Ultimately the effect will be to weaken CSD's impact on federal civilian security."
Cornell University Computer Science Professor Fred Schneider cautioned NIST not to sully the Computer Security Division's brand, which he characterized as a valuable asset, in a reorganization. "This, in turn, has enabled CSD to recruit an outstanding staff, despite the scarcity of computer experts and despite competition for their services - with considerably better compensation - from the private sector," Schneider said. "A CSD reorganization that erodes the CSD brand by eliminating the name or by diffusing the organization's efforts into a larger pool of computer science activities should therefore not be undertaken lightly."
Landau and Schneider suggested CSD become NIST's 11th laboratory, placing it higher in the NIST organizational chart. NIST operates 10 laboratories that are responsible for conducting research and developing measurements and standards in a wide variety of disciplines, including IT, building and fire research, nanoscale science, physics and manufacturing engineering.
"A NIST laboratory-level computer security organization would provide the correct level of independence for such an organization," Landau said. "The director would be in a better position to provide the policy guidance needed in discussions related to computer security and privacy. ... In elevating CSD to a laboratory within NIST, CSD's branding is retained. This is important to the effective filling of the CSD mission."
Furlani expressed surprise that the critics didn't see the synergy between cybersecurity and IT. "The idea of separating cybersecurity (from) information technology is hard for me to understand because of the intertwined nature of the two," Furlani said.
Not all witnesses voiced opposition to the proposed reorganization. Wyatt Starnes, CEO of IT compliance solutions provider SignaCert, said he trusted NIST management to determine how best to deploy its resources. "NIST has realized that its cyber-assurance method and best practices are increasingly a horizontal, cross agency issue, and its core competencies should not remain in a silo within NIST," he said. "If this is the case, I applaud NIST for adjusting to changing needs, and my only advice perhaps would be a bit more advance marketing and communication of changes up, down and across the NIST constituencies."