Information Security News mailing list archives

Infosec research bill amended


From: InfoSec News <isn () c4i org>
Date: Wed, 22 May 2002 03:44:15 -0500 (CDT)

http://www.fcw.com/fcw/articles/2002/0520/web-cyber-05-21-02.asp

By Diane Frank 
May 21, 2002 
 
The Senate Commerce, Science and Transportation Committee passed a 
bill May 16 that would add millions to federal information security 
research funding and - thanks to a last-minute amendment - establish 
regularly updated baseline security standards for agencies.

Researchers in industry and academia have praised the Cyber Security 
Research and Development Act (S. 2182) since it was introduced in the 
Senate this year and in the House at the end of last year. 

Working through the National Science Foundation and the National 
Institute of Standards and Technology, the bill would inject more than 
$900 million into security research, grants, training and education 
during five years. Such investment is something educators and 
researchers have often called for in recent years.

The amendment, offered by Sens. Ron Wyden (D-Ore.) and John Edwards 
(D-N.C.), raised the level of the research funding almost $100 million 
from the original level. It also created a new Office of Information 
Security Programs within NIST to consolidate that agency's security 
research management.

The amendment also added a provision that caused some concern from 
industry: a requirement for NIST to establish "benchmark security 
standards" for federal agencies. Those standards would be developed in 
conjunction with industry, academia, the Office of Management and 
Budget and the federal CIO Council, and would be reviewed and updated 
at least every six months.

The standards would be "a baseline minimum security configuration for 
specific computer hardware or software components, an operational 
procedure or practice, or organizational structure that increases the 
security of the information technology assets of a department or 
agency," according to the amendment.

The Business Software Alliance and the Information Technology 
Association of America each issued a statement after the bill passed, 
opposing the language calling for standards. According to both 
organizations' statements, establishing such standards would hinder 
efforts to quickly respond to changing security threats and could 
possibly spill over to impose standards on the private sector.

However, the committee had no intention to set technology-specific 
standards that could stand in the way of innovation or new 
technologies, according to one staff member who asked not to be named. 

The bill now goes to the full Senate for consideration. The House 
version of the bill passed the full House in February.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

