Members of the House of Representatives Science Committee modified a bill that would have made the National Institute of Standards and Technology (“NIST”) responsible for auditing federal agencies’ cybersecurity protections. Under the revised bill, NIST would instead support agency inspectors general in conducting security audits rather than performing the audits itself.
The bill was updated in response to comments from “a number of stakeholders and experts, both inside and outside government,” according to a committee spokesperson. In particular, critics feared that the new auditing responsibility would interfere with NIST’s role as a neutral advisor to federal agencies and would detract from NIST’s existing objectives, such as establishing best practice guides for industry.
Under the current version of the bill, NIST is also tasked with developing a guide on how federal agencies could implement its Cybersecurity Framework, which organizes an organization’s cybersecurity activities around five core functions: identifying assets and risks, protecting systems, and detecting, responding to, and recovering from cyber-attacks. While the Framework was published as voluntary guidance targeting organizations in the critical infrastructure community, President Trump ordered federal agencies to adopt and use the Framework via an executive order released in May. Finally, the bill would require NIST to assist both the Office of Management and Budget and the Office of Science and Technology Policy in writing an annual report about the adoption of the Framework.
The proposed legislation is sponsored by Committee Chairman Rep. Lamar Smith (R-Texas), Rep. Ralph Abraham (R-Louisiana), and others.