House considers bill to give more power in security policy to NIST
- By Merry Mayer
- Oct 19, 1998
The Senate will consider a bill to give the National Institute of Standards and
Technology a bigger role in federal systems security.
The House passed the Computer Security Enhancement Act last year, but it was only
earlier this month that the Senate Commerce, Science and Transportation Committee sent HR
1903 to the floor for a vote.
The Senate committee approved the House bill without changes and will pass it if a
government shutdown doesn't prevent its passage, Senate staff members said.
The bill strengthens the role of the Commerce Department's NIST. Lawmakers first
gave NIST overarching authority for government systems security in the 1987 Computer
Under the 1987 bill, NIST took the lead in developing voluntary security standards and
technical guidelines for computer security in civilian agencies. It gets technical
assistance from the National Security Agency.
The new bill would strengthen NIST's role and give it several new functions.
For one thing, the bill encourages the use of commercially available security products
and would give NIST the authority to test and evaluate products to determine if they meet
government needs. NIST would also, if requested, run vulnerability tests on agency systems
and coordinate federal responses to systems breaches.
The bill emphasizes security of publicly accessible computer systems, for example,
civilian agency Web sites, which are a prime target for hackers, said Ed Roback, a
computer scientist with NIST.
The bill would also direct the National Research Council of the National Academy of
Sciences to study public-key infrastructures for use by individuals, businesses and
PKI technology relies on a dual system of public and private keys, where senders
control the authenticity of the message using private keys. Only those with designated
public keys can access the encrypted data. The IRS and Postal Service have started
The research council study would assess the technology needed to support far-reaching
PKIs and the interoperability, scalability and integrity of private and public entities at
the heart of PKIs.
NIST would also help set standards, guidelines and methods for PKI technology.