
House panel amends bill to audit agencies on adoption of cyber framework

The House Science, Space and Technology Committee has amended legislation that would institute audits to track how agencies are implementing a key cybersecurity framework mandated by the Trump administration. 

The legislation, introduced by Rep. Ralph Abraham (R-La.) with backing from committee Chairman Lamar Smith (R-Texas), is designed to promote the use of a lauded cybersecurity framework produced by the National Institute of Standards and Technology (NIST), a nonregulatory body within the Department of Commerce. 

The original bill would have made NIST responsible for conducting audits of agencies’ cybersecurity posture in order to assess how well they are meeting the standards, a detail that prompted some criticism. However, the modification proposed this week would instead place this responsibility with the inspectors general within agencies, who already have the statutory authority to conduct such audits. 

The changes to the legislation were first reported by Politico.

A committee aide told The Hill that the change was the result of discussions between Smith and Rep. Trey Gowdy (R-S.C.), who chairs the House Oversight and Government Reform Committee that has oversight of agency inspectors general. 

NIST produces cybersecurity guidelines that are optional for the private sector and, until earlier this year, the federal government. But the cybersecurity executive order signed by President Trump in May mandated that every agency use the NIST framework and report back to the Department of Homeland Security (DHS) and the White House on plans to implement the framework.

The legislation advanced out of the House Science, Space and Technology Committee in a party-line vote back in March, though Democrats and others have criticized the provision that put NIST in charge of conducting the audits. 

“The majority has inserted an entirely new federal agency into a policy matter in which they have no expertise and no business being part of,” ranking member Rep. Eddie Bernice Johnson (D-Texas) said in March. “This is a massive underfunded mandate levied on an agency which is already overtasked.”

The original bill would require NIST to encourage the use of its framework across the federal government and establish a working group of federal representatives from the Office of Management and Budget (OMB) and other agencies to produce metrics to help track implementation. It would also make NIST responsible for assessing agencies’ initial cybersecurity and subsequently conduct audits of agencies to assess how well they are meeting the standards. 

The proposed modification, however, would no longer require NIST itself to complete the audits. Instead, it says NIST “shall provide technical assistance and other expert input for each evaluation under this section and shall directly support the audit or other analytical examination” that will be in the hands of agency inspectors general. 

A committee aide said that while agency auditors would take the lead, NIST would still have “significant input” in the audit process. 

The original legislation was introduced in February and is viewed as a complement to the provision in the May 11 executive order.