NIST Restructuring Mulled by New Director
Gallagher Looking at All Options to Make NIST More Effective
Patrick Gallagher, in an interview with GovInfoSecurity.com, cautioned that NIST could decide that the current structure should remain, but said all options would be considered, including the possibility of merging some of its 10 laboratories, the major units within NIST.
"The real objective is what's the organizational structure that makes NIST most effective in the face of some very real challenges and needs," said Gallagher, who was confirmed Nov. 5 by the Senate. "I think the country really needs NIST to be responsive, and to be capable and to work effectively with its stakeholder communities. There are a lot of ways doing that, and one of those tools is management structure."
Part of the Department of Commerce, NIST - created in 1901 as the National Bureau of Standards, a name that lasted till 1988 - is organized into 10 laboratories to fulfill its mission to promote American innovation and industrial competitiveness by advancing measurement science, standards and technology. Among its labs is the Information Technology Laboratory, known by the abbreviation ITL, which includes the Computer Security Division, the unit that publishes IT security guidance and standards for federal government agencies.
It was during a discussion of a proposed reorganization of ITL, to better coordinate NIST's cybersecurity responsibilities, that Gallagher raised the possibility of a NIST-wide restructuring.
In August, ITL Director Cita Furlani proposed a reorganization of the laboratory that would have had the head of the Computer Security Division become part of the lab director's office. Furlani said the reorganization plan would have encouraged more multidisciplinary collaboration with other NIST units in developing cybersecurity programs and guidance. But Furlani announced the withdrawal of the ITL reorganization at a Congressional hearing in October after it received mixed reviews from NIST stakeholders. At that hearing, critics of the reorganization plan contended that dividing different groups supporting the Computer Security Division's mission throughout the lab would be detrimental to its work and ultimately would weaken its impact on cybersecurity. And, some of the critics said they supported the idea of creating a separate Computer Security Laboratory because of the pressing need to safeguard government and critical private-sector IT systems and networks.
Gallagher lauded Furlani's efforts and pooh-poohed the idea of creating a separate Computer Security Laboratory.
"Every manager should be striving to make sure their organization is as effective as possible," Gallagher said in the interview. "What Cita was doing was looking at one of the major tools that a manager has, which is your organizational structure optimized for being as effective as possible. It was a very thoughtful proposal. The reality is that many of the cybersecurity activities already spread across various divisions within ITL, and this was the chance to try to create some synergies to make the organization more effective."
But Gallagher said the underwhelming backing of the reorganization plan gave NIST pause, and the proposal was pulled until the agency could evaluate the objections raised. "The goal remains to make ITL as effective as possible," he said. "In fact, that goal applies to all of NIST. Organizational structure, you don't do that lightly, it can be disruptive. You certainly want to have an organization that's structured to be as effective as possible."
Too Many Labs
Gallagher said he would be reluctant to make computer security a separate laboratory. "We have too many laboratories already," he said. "The reality is that anything you do rarely fits neatly within an organizational boundary. A lot of what NIST does goes across multiple laboratories as it is. When you're managing that way, you spend a lot of time managing at these interfaces. Creating more interfaces may not be the optimal solution."
Would merging one or more labs be considered to reduce the need to manage multiple interfaces? "All options should be on the table," Gallagher replied.
He said there's no timetable to address organizational changes, whether within individual laboratories or NIST as an enterprise. "I've asked our management team to look at it immediately, but I have not set a timeframe for when something would be done because we haven't made a decision that something should be done," Gallagher said. "I think until you assessed and put some options on the table and decide whether your solutions ... whether the cure is worse than the disease ... that it doesn't make sense to be putting out implementation plans which would include deadlines.
"It's just premature at this point to be talking about any specific timing. You also don't want assessments like this to last indefinitely. Just the fact that people (are) looking at things like this can be disruptive with an organization."
Asked if the environment has changed since the early 1990s, when NIST instituted the laboratory organization, to warrant a major restructuring, Gallagher responded:
"Maybe, maybe not. I think the issue isn't so much whether there's something specific externally has changed. The question is when you look at a set of programs and priorities you manage across an institution, as I said, one of the realities is that there is no perfect organizational structure. As a manager, what you are simply deciding is what types of things you want to manage within a given line and which things you're going to manage across the line.
"The fact we haven't looked at this for 20 years tells me it is the time to take an assessment as to whether this is the right structure. We may decide this is exactly right."
Besides ITL, the NIST labs include Building and Fire Research, Center for Nanoscale Science and Technology, Chemical Science and Technology, Electronics and Electrical Engineering, Manufacturing Engineering, Materials Science and Engineering, NIST Center for Neutron Research, Physics, and Technology Services.
NIST is headquartered in the Washington suburb of Gaithersburg, Md., and operates a major facility in Boulder, Colo.