NIST's Growing Influence
5 Government Cybersecurity Challenges in 2010: Part 5
Congress thinks that the National Institute of Standards and Technology does such a good job in creating guidance to secure government information systems that it wants NIST to do more. The Cybersecurity Enhancement Act that's before the House would increase the role of NIST in developing international cybersecurity technical standards. The measure also charges NIST with creating IT security awareness and education campaigns for the public, improving the interoperability of identity management systems to encourage more widespread use and developing an IT security checklist for agencies to use before acquiring IT wares. And the various FISMA and cybersecurity governance legislation being drafted would give NIST the lead in developing new ways to judge the real-time security of government systems.
"I feel compelled to welcome these responsibilities, only because the need is so critical, so urgent," said Patrick Gallagher, NIST's new director. "One of the reasons cybersecurity is at the top of everyone's priority list is that information technology is so foundational to everything else. Cybersecurity is a key component as well."
Gallagher pointed out that the 109-year-old NIST has its roots in measurement. "One thing I like about it for NIST, and why it fits so well, is that we tend to focus on the standard development piece for NIST because how FISMA was written," Gallagher said.
"But, of course, NIST is a measurement laboratory," he said. "The real goal here is to have security standards that are reduced to practice, that are put into meaningful use. And, therein lies the real measurement piece: How do you measure in a meaningful way security performance, how do you measure in a meaningful way risk, because the NIST standards are risk-based standards. That's really where our technical activities are focused. Congress has supported NIST and I expect that to continue. There's a lot of the legislative interest on the Hill that is really focused on making sure that the right agencies are involved and their roles are clear and they have the resources to carry out these mandates."
And, to tackle these new goals, NIST may consider some type of restructuring. Gallagher said he has asked his top managers to reassess NIST's organizational structure, a move that soon could lead to its first reorganization in nearly two decades.
In 2009, NIST Information Technology Laboratory Director Cita Furlani proposed a reorganization of the IT Lab to, in her view, provide better synergy among its various divisions to promote cybersecurity. She withdrew the plan after some NIST stakeholders objected that the IT Lab reorganization would weaken its Computer Security Division. Despite the setback, Gallagher praised Furlani's efforts and suggested the matter could be addressed again this year.
Some stakeholders want NIST to elevate the Computer Security Division to lab status, putting it on par with the IT Lab, an idea endorsed by Rep. David Wu, who chairs a House panel with NIST oversight. "It's a very important field that deserves a profile and the increase in access of both to senior management and to resources," Wu said. But with 10 labs, Gallagher said NIST already has too many; besides, creating a Computer Security Lab could harm the synergistic relations between the division and the IT Lab.