House considers bill to give more power in security policy to NIST

The Senate will consider a bill to give the National Institute of Standards and
Technology a bigger role in federal systems security.


The House passed the Computer Security Enhancement Act last year, but it was only
earlier this month that the Senate Commerce, Science and Transportation Committee sent HR
1903 to the floor for a vote.


The Senate committee approved the House bill without changes and will pass it if a
government shutdown doesn’t prevent its passage, Senate staff members said.


The bill strengthens the role of the Commerce Department’s NIST. Lawmakers first
gave NIST overarching authority for government systems security in the 1987 Computer
Security Act.


Under the 1987 bill, NIST took the lead in developing voluntary security standards and
technical guidelines for computer security in civilian agencies. It gets technical
assistance from the National Security Agency.


The new bill would strengthen NIST’s role and give it several new functions.


For one thing, the bill encourages the use of commercially available security products
and would give NIST the authority to test and evaluate products to determine if they meet
government needs. NIST would also, if requested, run vulnerability tests on agency systems
and coordinate federal responses to systems breaches.


The bill emphasizes security of publicly accessible computer systems, for example,
civilian agency Web sites, which are a prime target for hackers, said Ed Roback, a
computer scientist with NIST.


The bill would also direct the National Research Council of the National Academy of
Sciences to study public-key infrastructures for use by individuals, businesses and
government.


PKI technology relies on a dual system of public and private keys, where senders
control the authenticity of the message using private keys. Only those with designated
public keys can access the encrypted data. The IRS and Postal Service have started
developing PKIs.


The research council study would assess the technology needed to support far-reaching
PKIs and the interoperability, scalability and integrity of private and public entities at
the heart of PKIs.


NIST would also help set standards, guidelines and methods for PKI technology.  
