Under a tentative agreement between members of the high-tech industry and key senators, federal agencies would be required to use a checklist for cybersecurity risk developed by the National Institute of Standards and Technology (NIST).
The agreement represents a compromise on language in a bill, S. 2182, offered by Sen. Ron Wyden, D-Ore., to increase cybersecurity research, coordinate research efforts of government, academia and industry, and educate more cybersecurity researchers in the future. S. 2182 would provide $978 million in grant funds to create research programs at NIST and the National Science Foundation.
The Wyden bill is the Senate version of the House-passed H.R. 3394, introduced by House Science Committee Chairman Sherwood Boehlert, R-N.Y. The Senate version would have to be reconciled with Boehlert's version. Senators are hopeful they can get agreement without having to go to formal conference with the House on the bill, one staffer said.
The language in question is based on a bill, S. 1900, offered by Sen. John Edwards, D-N.C., that would have required agencies to adopt benchmark security standards developed by NIST.
But several members of the tech industry, particularly the Business Software Alliance and the Information Technology Association of America, expressed concern that the standards would be overly restrictive. Both trade associations have signed off on the new version, sources said.
The modified language specifically states that NIST would develop a checklist instead of establishing benchmark standards. But this approach still will help ensure federal agencies improve cybersecurity practices, an aide to Edwards said Monday.
"It gets everyone up to speed by forcing them to look at this checklist," the Edwards aide said. "A lot of agencies lack the resources to do security checks themselves. This means NIST will do it for them."
But while agencies would have to use the checklist, the adoption of best practices included in the bill would not be mandatory, the aide noted. However, if agencies choose not to follow the NIST best practices, they would have to explain their alternative. Reporting on cybersecurity efforts is a requirement under the Government Information Security Reform Act (GISRA), which is up for renewal this year.
The Wyden-Edwards substitute amendment contains another provision different from the House version, drawing from another Edwards bill, S. 1901. The provision sets up a scholarship program to increase the number of faculty teaching cybersecurity courses at the university level, and provides funding to universities to establish online courses.