New opportunities for NIST

[InfoSec News <isn () c4i org>]

http://www.fcw.com/fcw/articles/2002/1202/news-home1-12-02-02.asp

By Diane Frank 
Dec. 2, 2002

Both the Homeland Security Act of 2002 and the E-Government Act of
2002 include provisions that attempt to raise the profile of
cybersecurity initiatives. Central to each bill is a potentially
larger role for the National Institute for Standards and Technology.

NIST has developed security guidance for years, but agencies are not
required to follow it because the secretary of the Commerce Department
has rarely used the authority granted in the Computer Security Act of
1987 to make NIST's standards and guidance mandatory.

Underscoring the importance of security, the e-government bill
reaffirms that authority and "a lot of us hope that the secretary will
use that authority more extensively than in the past," said Franklin
Reeder, chairman of the federal Computer Systems Security and Privacy
Advisory Board.

The bill "stresses the importance of this set of responsibilities" and
could be important as NIST follows through on new requirements in both
the e-gov and homeland security acts to develop and revise performance
measures for agencies' security policies and programs, said Ed Roback,
director of NIST's Computer Security Division.

Federal security could improve if the secretary should decide to make
additional NIST guidance and standards mandatory, but such a decision
could also have drawbacks, said Sallie McDonald, assistant
commissioner for information assurance and critical infrastructure
protection at the General Services Administration. "But you don't get
people's cooperation for the right reasons," and involuntary
compliance could lead to agencies just checking off another
requirement box instead of using the guidelines to improve their
security management, she said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.