NIST Suspends IT Lab Reorganization

Should Computer Security Division Become NIST's 11th Lab?
As the National Institute of Standards and Technology placed a hold on a proposed reorganization of its Information Technology Laboratory (ITL), critics of the plan proposed making the lab's Computer Security Division (CSD) a lab itself.

"We have received expressions of both support and concern from various stakeholders," IT Lab Director Cita Furlani said Thursday in testimony before the House Science and Technology Subcommittee on Technology and Innovation. "We are seriously considering this input and plan to re-evaluate how to ensure that our structure is as flexible and efficient as possible in meeting the many challenges and opportunities ahead."

Under the proposed reorganization, unveiled in August, the director of the lab's Computer Security Division would have been elevated to a position within the IT Lab director's office, serving as ITL's cybersecurity adviser. The proposal would have encouraged more multidisciplinary collaboration among NIST units in developing cybersecurity programs and guidance, a move some critics saw as weakening the CSD brand.

In her testimony, Sun Microsystems Distinguished Engineer Susan Landau said that synergy is best achieved by keeping members of the Computer Security Division together. "While spreading security across an IT support organization might be useful, the same is not true for an organization doing research," Landau said. "Dividing different groups supporting CSD's mission will be detrimental to the work CSD does. Ultimately the effect will be to weaken CSD's impact on federal civilian security."

Cornell University Computer Science Professor Fred Schneider cautioned NIST not to sully the Computer Security Division's brand, which he characterized as a valuable asset, in a reorganization. "This, in turn, has enabled CSD to recruit an outstanding staff, despite the scarcity of computer experts and despite competition for their services - with considerably better compensation - from the private sector," Schneider said. "A CSD reorganization that erodes the CSD brand by eliminating the name or by diffusing the organization's efforts into a larger pool of computer science activities should therefore not be undertaken lightly."

Landau and Schneider suggested CSD become NIST's 11th laboratory, placing it higher in the NIST organizational chart. NIST operates 10 laboratories that are responsible for conducting research and developing measurements and standards in a wide variety of disciplines, including IT, building and fire research, nanoscale science, physics and manufacturing engineering.

"A NIST laboratory-level computer security organization would provide the correct level of independence for such an organization," Landau said. "The director would be in a better position to provide the policy guidance needed in discussions related to computer security and privacy. ... In elevating CSD to a laboratory within NIST, CSD's branding is retained. This is important to the effective filling of the CSD mission."

Furlani expressed surprise that the critics didn't see the synergy between cybersecurity and IT. "The idea of separating cybersecurity (from) information technology is hard for me to understand because of the intertwined nature of the two," Furlani said.

Not all witnesses voiced opposition to the proposed reorganization. Wyatt Starnes, CEO of IT compliance solutions provider SignaCert, said he trusted NIST management to determine how best to deploy its resources. "NIST has realized that its cyber-assurance method and best practices are increasingly a horizontal, cross agency issue, and its core competencies should not remain in a silo within NIST," he said. "If this is the case, I applaud NIST for adjusting to changing needs, and my only advice perhaps would be a bit more advance marketing and communication of changes up, down and across the NIST constituencies."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
