Bill Seeks Metrics for NIST Cybersecurity Framework
Proposed Legislation Also Calls for Template on How to Implement the Framework
Legislation calling on the National Institute of Standards and Technology to develop outcome metrics to demonstrate the effectiveness of the NIST Cybersecurity Framework is scheduled to be considered - and likely amended - at a markup session of the House Science, Space and Technology Committee on March 1.
The measure, known as the NIST Cybersecurity Framework, Assessment and Auditing Act of 2017, would require NIST to develop outcome-based and quantifiable metrics in coordination with a public-private workgroup within six months of enactment of the legislation.
Since the framework's publication in 2014, Internet Security Alliance CEO Larry Clinton has been a champion of getting NIST to develop metrics. "We are three years in and don't have any objective data indicating that it has actually changed anybody's behavior, that behavior has resulted in the improvement of security and whether the expenditures to reach those levels of security are cost-justified," Clinton says.
Are Metrics Achievable?
Cybersecurity expert Herbert Lin questions whether it's possible to develop viable metrics for the framework. "Outcome metrics for cybersecurity have eluded cybersecurity people for 40 years," says Lin, senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation. "If they can do this, more power to them, but I'm not holding my breath."
Lin, who served on President Barack Obama's Commission on Enhancing National Cybersecurity, says it's difficult to create outcome metrics because security is hard to define in cyber. "In a building code, you have physics, and there is an experiment you can do. You can shake the building," he says. "No similar thing exists in computers because computers are general purpose devices. What you may regard as a security flaw, I may consider as a feature. Is it a security flaw to have access over the internet? That's an interesting question. I don't know how to answer that."
The bill is intended to help federal agencies, which would be required to use the metrics, analyze and assess how effectively the framework protects their information assets. Though federal agencies are required to follow NIST guidance, the framework has also been adopted voluntarily by many private-sector organizations.
Protecting Critical Infrastructure
Obama signed an executive order in 2013 directing NIST to develop the cybersecurity framework as a guide for protecting the nation's critical infrastructure, which is mostly privately owned, from cyberattacks. NIST published the first version of the framework a year later, in February 2014. It's been widely adopted by organizations within and outside of the U.S. federal government.
A draft version of the NIST Cybersecurity Framework, Assessment and Auditing Act also calls for NIST to develop a template on how organizations should use the framework and recommend procedures for streamlining and harmonizing existing and future cybersecurity-related requirements. In addition, the bill would require NIST to describe how the framework aligns with or augments existing agency cybersecurity practices.
Clinton says such guidance would prove useful, especially to smaller businesses that lack the resources to implement the framework, which offers nearly 100 ways to help secure critical IT. "Smaller companies need to know what they ought to do," Clinton says. "Having a supermarket of options is very cumbersome for them, and as a result, we are not seeing an uptick of the smaller companies [adopting the framework] that we hoped for, and frankly, we need."
Collaboration with Private Sector
The proposed legislation calls for establishing, within three months of its enactment, a working group to develop the metrics in coordination with the private sector. The working group's members would include representatives of the White House Office of Science and Technology Policy and other "appropriate" federal agencies.
Congressional panels amend and modify legislation in markup sessions. Once amended, the panel members usually vote on whether to advance the bill. The NIST Cybersecurity Framework, Assessment and Auditing Act, if approved by the committee, would be forwarded to the full House of Representatives, where Republican leaders will decide if and when the bill will come up for a vote.