On June 7, 2016, the House of Representatives’ Committee on Appropriations (the “Committee”) reported out a funding bill that would fund the National Institute of Standards and Technology (“NIST”) to work with the retail industry to promote cybersecurity measures specific to the retail industry, as well as to continue its work managing and standardizing security practices for the “Internet of Things.”
The Committee’s report, H. Rep. 114-605, calls on NIST to “to build on its existing industry-sector focused work to create a retail-specific cybersecurity initiative and partner, as appropriate, with academic entities and national leaders in retail cybersecurity and retail supply chain management and logistics.” Retailers’ cybersecurity profiles have been a subject of the Committee’s concern in reviewing past appropriations as well. For fiscal year 2016, the Committee addressed NIST’s National Cybersecurity Center of Excellence specifically, encouraging it to develop “use cases and tools [for the retail sector] in partnership with retailers and universities.” NIST ’s budget request for fiscal year 2017 did not specifically outline new programs targeted at retailers or their suppliers, but its initiatives will likely include continuing work on multifactor authentication for e-commerce and non-PCI sensitive data.
The June 7 Committee report also commended NIST’s work to secure the network of physical consumer products, vehicles and industrial equipment known as the Internet of Things. In May, NIST released the final draft of its first Framework for Cyber-Physical Systems. If the framework sees adoption, it could provide a consistent basis for discussing, comparing, and ultimately improving connected devices’ security. In this sense, the framework dovetails with another cybersecurity initiative included in the President Obama’s final budget, the Cybersecurity Assurance Program, which would test and certify the security of Internet of Things endpoints.
NIST has emerged as a leading source of coordination and guidance on the federal government’s cybersecurity priorities. To date, the agency’s most significant cybersecurity initiative has been its 2014 Cybersecurity Critical Infrastructure Framework, which has already been cited as a best practice in industry and influenced other regulators’ approaches. The Committee’s appropriations vote this month suggests that Congress trusts NIST to expand on its industry-specific and framework-based successes in the coming year.
Reporter, Daniel Ray, Silicon Valley, +1 650 422 6715, dray@kslaw.com.
