House panel approves cybersecurity framework bill

A House panel on Wednesday approved a bill designed to encourage federal agencies to adopt cybersecurity framework developed by the National Institute of Standards and Technology (NIST). 

The House Committee on Science, Space and Technology approved the bill largely along party lines, despite opposition from Democrats to provisions in the bill requiring NIST to evaluate and audit federal agencies’ adoption of the cybersecurity and technology guidelines.  

Rep. Ralph Abraham (R-La.) introduced the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 earlier this week, couching it as a response to recent high-profile cyber breaches like those at the Office of Personnel Management and IRS.

{mosads}The legislation would direct NIST to develop metrics for evaluating federal agencies’ cybersecurity and submit an initial assessment and regular audits to Congress on cybersecurity measures put in place by federal agencies.

It would also set up guidance for federal agencies to incorporate the NIST cyber framework and establish working groups in the federal and private sectors to help public and private entities use the framework.

“Much as the nature of cyberattacks continue to evolve to reflect the sophistication of the cyber criminals, we in the government must also be willing to evolve to protect Americans and our government,” Abraham, who is vice chair of the subcommittee on research and technology, said in opening remarks Wednesday.

“That evolution starts with thinking outside the box instead of maintaining a business-as-usual approach,” he said. 

Rep. Eddie Bernice Johnson (D-Texas), the committee’s ranking member, argued that NIST should not be responsible for assessing or auditing the adoption of the framework by federal agencies, citing recent testimony from the Government Accountability Office and outside experts.

Johnson also said that the bill “duplicates” priorities already assigned to the Office of Management and Budget and Department of Homeland Security. 

“The majority has inserted an entirely new federal agency into a policy matter in which they have no expertise and no business being part of,” Johnson said Wednesday. “This is massive underfunded mandate levied on an agency which is already overtasked.”

The committee approved the bill in a 19-14 vote, after the adoption of three amendments by voice votes.

The bill could work as a complement to President Trump’s forthcoming executive order on cybersecurity, which is rumored to contain a provision requiring federal agencies to follow NIST’s framework. Trump’s signing of the order was abruptly postponed at the end of January, and it remains unclear when it will be revisited.