In the American Innovation and Competitiveness Act, which President Barack Obama signed into law on Jan. 4, among the requirements Congress gave the National Institute of Standards and Technology is one that on the surface seems simple, but could be the missing piece to a long-standing cybersecurity challenge.
Lawmakers instructed NIST “to evaluate the effectiveness and sufficiency of, and challenges to, federal agencies’ implementation of standards and guidelines developed under this section and policies and standards promulgated under section 11331 of title 40, United States Code.”
Basically, Congress is telling NIST to take a deep dive into how agencies understand and use the special publications and Federal Information Processing Standards for cybersecurity that it produces.
Charles Romine, the director of NIST’s IT lab, said at the recent Information Security and Privacy Advisory Board (ISPAB) meeting in Washington that NIST will look for gaps in its techniques for providing security and identify deficiencies that NIST or other agencies find in its standards.
“Our approach is to work in collaboration with agencies to identify areas where implementation may be subject to improvements,” Romine said. “We are not looking at this as an entrée into the traditional role of inspectors generals or the Government Accountability Office. It’s something we are not equipped to do and it’s not our area of expertise. Really the question of whether our guidelines are effective is a dialogue with other agencies about the sufficiency of our guidance and how well it’s suiting out needs. We will use it as a feedback loop.”
Romine said after he spoke at the ISPAB meeting, NIST hasn’t begun putting together its strategy for meeting the congressional mandate, but would in the coming months.
Romine told the board that NIST needs to get more clarity from Congress on their expectations.
“What we are looking for is feedback from agencies on the utility of the guidance we provide and areas where we can work with agencies to improve that guidance so it’s more actionable and so they improve their risk management overall,” he said.
More importantly, what this review will help do is help NIST, and hopefully lawmakers, further understand the challenges agencies and auditors have with the institute’s broad-based guidance.
For what seems like the last 15 years, there has been this uneasy balancing act agency chief information officers and chief information security officers have faced with making risk-based decisions while also facing what some may say is unfair scrutiny from auditors.
Alan Paller, the director of research for the SANS Institute, has been a vocal critic of how the Federal Information Security Management Act (FISMA) has been interpreted by agencies and auditors and then translated into NIST guidance.
“In the hands of a person super-interested in cyber, the NIST guidance are great tools, and as long as you have a good relationship with your IG you can do anything,” he said. “But if the relationship between the IT security folks and the IG is antagonistic, the guidelines become the battleground. NIST is allowing substantial interpretations and that can exacerbate that problem between an IG and agency. This is why the most important thing is for these guys to be on the same page.”
There are plenty of examples of this around government, including a recent disagreement over the continuous diagnostics and mitigation (CDM) program at the Interior Department.
Paller said until CISOs and other cyber workers are seen as mission enablers instead of something to get around or through, any guidance, whether from NIST or from the White House, will be more difficult to implement.
Even after all of the major breaches in the public and private sectors, there are some federal executives who don’t recognize the role of cybersecurity.
“There are still a lot of pockets who see cyber folks as cost centers that are not necessarily adding immediate value to mission,” said Greg Touhill, the former federal CISO. “They are diminishing in number and a lot of folks are looking for the sweet spot for articulating the return on investment around cybersecurity.”
Touhill said the federal IGs are starting to come around in terms of understanding the need for operational and business owners and agency cyber workers to make risk-based tradeoffs.
“In the five months I was federal CISO, I had two meetings with the Council of Inspectors General on Integrity and Efficiency (CIGIE) folks. I met with Kathleen [Tighe, IG at Education] of the IT committee and then met with CIGIE as a whole body where we talked about the risk framework to make sure we were leveraging resources and best practices,” he said. “I know that when I was at DHS, Andy Ozment [former assistant secretary of the office of cybersecurity and communications at DHS] would have a formal engagement once a year with CIGIE too to talk about cyber metrics. We certainly provided a lot of support through National Cybersecurity and Communications Integration Center (NCCIC) by sharing best practices and individual examiners would come to us asking for the current state of best practice, and vulnerabilities and weaknesses they should keep an eye out for.”
Touhill said as that relationship developed over the last few years, the federal CISO Committee under the CIO Council decided to perform agency-wide cyber risk assessments by June 1.
“We will assess our agencies based on how we were doing with the cyber framework and the five functional areas, identify, protect, detect, respond and recover,” he said. “Following a risk assessment, agencies then can find gaps and brief up the new agency leaders about where their vulnerabilities exist and that could better inform the budget process and make sure the leadership has a better assessment of overall risk.”
Agencies would be smart to include the IGs in conducting the assessments and share the final analyses with NIST as part of their congressionally-mandated research.
“NIST needs to ask agency IT developers, operations and the IG if they interpret and prioritize the guidance in the same way,” Paller said. “Since no two agencies are the same, that’s why NIST wrote the guidance so broadly. The goal is whether when you just look at one agency, does everyone at that one agency all have the same priority list? The reason agencies struggle with implementing NIST guidance is this reason.”
The discussion at the ISPAB comes just as Congress is considering giving NIST auditing responsibilities.
The House Space, Science and Technology Committee approved Rep. Ralph Abraham’s (R-La.) NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 on March 1.
The bill, H.R. 1224, would require NIST in the first six months after the legislation becomes law to “complete an initial assessment of the cybersecurity preparedness of the agencies” based on information security standards in the cybersecurity framework as well as other work done or reports published by other federal agencies or officials.
Romine was clear during the ISPAB meeting that he didn’t see NIST in the role of auditor or oversight body. While the future of bill remains uncertain, NIST’s review of its cyber standards has the potential to change the way the government looks at cybersecurity and would make this legislation moot.