IT MANAGEMENT

Former officials object to NIST plan to redistribute security work

Originally published Aug. 19 and updated Aug. 21

A proposed reorganization of the National Institute of Standards and Technology’s IT Laboratory has drawn criticism from former NIST officials who are worried that changes in the lab’s Computer Security Division would be a step backward for computer security.

The Computer Security Division has produced standard encryption algorithms and guidance for complying with computer security requirements, and has established standards for government use of information technology. NIST said the purpose of the reorganization, which has a target completion date of Oct. 1, is to better match the lab’s structure to its mission.

“The proposed reorganization would not include any reduction in force, or major changes in the lab’s core competencies,” NIST said in a statement. “An additional key goal is to strengthen NIST’s cybersecurity efforts.”

But the former officials warn that the move would disrupt an organization that has worked well.

“In our opinion, this proposed reorganization breaks up an organizational component that has effectively provided computer security leadership to the government and the private sector for over 30 years,” they said Aug. 10 in a letter to acting NIST Director Patrick Gallagher. “We believe it is a major mistake to diminish NIST’s computer security program at a time when external support for the program is at an all-time high and when cybersecurity is of vital importance to the economic well-being and security of our nation.”

The letter was signed by Dr. Dennis Branstad, Dr. Stuart Katzke, F. Lynn McNulty and Miles E. Smid, who characterized themselves as founders and past leaders of the division.

NIST said the plan still is in its early stages and that details will be released after it has been approved. But IT Lab Director Cita Furlani said the concerns are baseless.

“NIST has no plans to ‘shutter’ or ‘eliminate’ its Computer Security Division, nor will it redistribute the resources of the group throughout the lab,” she said in a letter to GCN. “Quite to the contrary, my draft proposal would strengthen our cybersecurity efforts and would not ‘break up’ the highly effective team of NIST experts who currently work in the Computer Security Division. The great majority of these staff members would remain together in one unit.”

She said the concern is premature because the internal NIST discussion is in its very early stages.

The IT Lab does research on metrics and standards in a wide range of areas in information technology. Its roots date back 40 years, to the creation of the Center for Computer Science and Technology in what was then the National Bureau of Standards in 1969. The Computer Security Act of 1987 gave NBS responsibility for securing unclassified computer systems, and the IT Lab was created by NIST in 1996. Its budget for fiscal 2008 was $97.9 million.

“Many of our vital programs impact national security, such as improving the accuracy and interoperability of biometrics recognition systems and facilitating communications among first responders,” the IT Lab says of its mission. The lab has mandates to provide standards and guidance to agencies under the Federal Information Security Management Act, the Computer Security Research and Development Act, the USA Patriot Act, the Enhanced Border Security Act, and the Help America Vote Act. Much of this work is done in the Computer Security Division.

Among the division’s accomplishments are the Advanced Encryption Standard, standards for Homeland Security Presidential Directive 12 for federal Personal Identity Verification cards, risk management guidance for FISMA compliance and conformance testing for the Federal Information Processing Standards.

A key element in the proposed reorganization would be relocating the chief cybersecurity adviser -- Curt Barker, also currently head of the Computer Security Division -- from the division to the IT Lab central office to provide wider authority to coordinate cybersecurity projects throughout the lab.

“The proposed draft does not change the technical program of work currently performed by the Computer Security Division,” NIST said in a statement.

The former officials said there is no reason to fix what is not broken, and that the plans have been made without public notice and without input from stakeholders outside of NIST, most of whom do not know of the proposed changes. At the least, the changes should be held off until President Barack Obama fills the new position of cybersecurity coordinator, they said.

“We firmly believe that the diffusion of responsibility and leadership that is inherent in this proposal will have a predictably negative effect upon the ultimate effectiveness of the NIST program,” they wrote.

Furlani said the plans are not being rushed and will not be made without additional input.

“Advice will be sought,” she told GCN. “Stakeholders will be consulted. No imminent changes are expected. The Oct. 1 target completion date was discussed internally only and is not a deadline of any kind.”

She said the IT Lab is committed to continued advances in computer security. “Cybersecurity is a vital, central mission of our laboratory. Our programs must fully reflect the complex interdisciplinary nature of today’s threats. Any changes ultimately made to management of our cybersecurity programs will be carefully designed to significantly improve and reinforce protection of the nation’s information technology resources.”

Reader Comments

Sun, Sep 13, 2009

The reorganization of the NIST IT Lab is to abdicate its responsibility to be part of the government's team in cybersecurity. The change is to make the lab focus on mathematics and visualization research which is detached from today's National needs in computer security. Sec. Locke needs to instruct the new NIST Director that relevance is in the best interests of the country and the taxpayer.

Thu, Aug 20, 2009 Cita Furlani National Institute of Standards and Technology

The above article contains major inaccuracies and misinterpretations. NIST has no plans to “shutter” or “eliminate” its Computer Security Division nor will it redistribute the resources of the group throughout the lab. Quite to the contrary, my draft proposal would strengthen our cybersecurity efforts and would not “break up” the highly effective team of NIST experts who currently work in the Computer Security Division. The great majority of these staff members would remain together in one unit. More to the point, the entire discussion and concern is premature. The article reports on an internal NIST discussion in very early stages. Advice will be sought. Stakeholders will be consulted. No imminent changes are expected. The Oct. 1 target completion date was discussed internally only and is not a deadline of any kind. Cybersecurity is a vital, central mission of our laboratory. Our programs must fully reflect the complex interdisciplinary nature of today’s threats. Any changes ultimately made to management of our cybersecurity programs will be carefully designed to significantly improve and reinforce protection of the nation’s information technology resources. Sincerely, Cita Furlani Director, Information Technology Laboratory National Institute of Standards and Technology

Thu, Aug 20, 2009 Former Bureaucrat

What better way to have no one responsible that may know what they are talking about? Provides good cover for incompetence and politically driven decisions. BRAVO!!!
