Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Ron Ross’s patience is wearing thin. The fellow at the National Institute of Standards and Technology, who by all intents and purposes is the godfather of federal cybersecurity standards, is waiting for the final approval of Special Publication 800-53, revision 5 by the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget.
The fifth iteration of that seminal publication, which since 2013 has been downloaded or accessed on NIST’s website more than 20 million times, is the release switch for a half a dozen other critical cybersecurity and privacy documents from NIST.
“When you get a chance to see revision five in final draft, the things we are adding are unbelievable and will help you immensely as you go forward in the 21st century,” Ross said at the recent 930Gov conference sponsored by the Digital Government Institute. “It’s just over there waiting for the final review to be completed. Once that happens, that information will go out for a final public review and that will open up about six other publications, which are waiting on that content. It’s kind of a bottleneck right now. Hopefully it will get resolved soon.”
The problem is OIRA has been reviewing the documents since January—an extraordinary long time by all accounts.
OIRA’s part of this process is larger than ever before because NIST expanded and integrated privacy controls throughout the entire document instead of just in an appendix.
At the same time, Ross said less than 2% of all information in revision 5 is privacy related so for it to take nine months is trying to say the least.
Ross and other experts don’t question OIRA’s involvement, especially since the office’s role in overseeing federal privacy requirements is well understood. Still, nine months is ridiculous.
A disagreement among agencies?
Susan Dudley, a former OIRA administrator under President George W. Bush and now director of the George Washington University Regulatory Studies Center, said based on her experience in running the office for almost two years if a document is taking this long there’s a disagreement among agencies.
“One of the hats OIRA wears is coordinating across the government. So if this is a cornerstone of several other documents, there could be if there is an issue with this one document that people want to make sure they get it right, especially if it influences other policies,” Dudley said in an interview. “I imagine there are a lot of cooks in the kitchen, which is not necessarily a bad thing. If different agencies are using this guidance, they have a legitimate reason to be involved in how it will affect them.”
At the same time, Dudley said it’s unusual for an agency to speak publicly about delays from OIRA.
This is why Ross’s decision to come out publicly about the bottleneck and it the impact it’s having on federal cybersecurity is important to highlight. Ross played the role of neutral career government executive saying he’s not sure what’s taking so long and has not tried to reach out to OIRA.
But his message was clear: It sure would be nice if they hurried up.
OIRA’s bottleneck is causing NIST to wait to get comments on six publications that all will provide more context and understanding for public and private sector cyber experts and companies.
For instance, SP-800-171, revision 2 is for protecting controlled, unclassified information must wait for the 20 new family of controls in 800-53, Rev 5 before going out for public comment.
Another one, SP 800-171 B is for addressing advanced persistent threats, which is brand new for agencies and vendors.
A third and fourth ones are SP-800-53 A and B—A is creating new security assessment procedures and B is developing new baseline controls for systems.
“The other thing we’ve done with Revision 5 is we’ve integrated a lot of our systems security engineering guidance. We have controls now for security design and system security engineering so you can actually use controls in procurements when you are going out for new systems to make sure the systems have the right requirements for protecting those systems, not after they are delivered to you, but you send them out in the RFPS so that industry can produce the technologies and systems we need to better protect our systems,” Ross said. “Revision 5 has a tremendous amount of content in it and it’s just waiting to pop.”
Cyber isn’t the only regs delayed
While Ross wouldn’t offer any opinion, some experts could easily say OIRA’s delay is hurting federal cyber efforts.
SP 800-171 revision 1 impacted more than 65,000 contractors and more than 1 million contracts within DoD alone. The Federal Acquisition Regulations Council is adding the requirements in Revision 2 for all federal contracts and grants.
SP 800-171 B will add more rigor to the requirements to protecting data particularly against nation state attacks.
“In record time, we produced those additional, enhanced requirements,” Ross said. “This has about 30-plus new requirements that deal with specifically stopping the advanced persistent threat. These are some of the best ones we’ve ever done.”
NIST received about 600 comments on that draft and it will go final later in 2019 once 800-53 Revision 5 is done.
OIRA’s slow pace isn’t impacting only NIST’s special publications. The FAR Council has seen few new final rules over the last two years.
In 2017, OIRA finalized no new procurement regulations. Today, there are 49 FAR Council rules, including 14 in the final stage, under consideration, which is up from 45 in December 2018.
Dudley said the Trump administration’s requirement to get rid of two rules for every new one proposed has slowed down the pace of regulations dramatically.
She said even though the NIST cyber publication wouldn’t fall under the 2-for-1 requirement, OIRA’s delay isn’t surprising.
GW found by every statistical measure of OIRA and federal regulations is down over the last two years since Trump took office. The number of “economically significant rules,” the number of “significant final rules” and the “final major rules” published are lower than at any other time over the last 10-plus years.