[ISN] Infosec research bill amended

From: InfoSec News (isnat_private)
Date: Wed May 22 2002 - 01:44:15 PDT

    http://www.fcw.com/fcw/articles/2002/0520/web-cyber-05-21-02.asp
    
    By Diane Frank 
    May 21, 2002 
     
    The Senate Commerce, Science and Transportation Committee passed a 
    bill May 16 that would add millions to federal information security 
    research funding and - thanks to a last-minute amendment - establish 
    regularly updated baseline security standards for agencies.
    
    Researchers in industry and academia have praised the Cyber Security 
    Research and Development Act (S. 2182) since it was introduced in the 
    Senate this year and in the House at the end of last year. 
    
    Working through the National Science Foundation and the National 
    Institute of Standards and Technology, the bill would inject more than 
    $900 million into security research, grants, training and education 
    during five years. Such investment is something educators and 
    researchers have often called for in recent years.
    
    The amendment, offered by Sens. Ron Wyden (D-Ore.) and John Edwards 
    (D-N.C.), raised the level of the research funding almost $100 million 
    from the original level. It also created a new Office of Information 
    Security Programs within NIST to consolidate that agency's security 
    research management.
    
    The amendment also added a provision that caused some concern from 
    industry: a requirement for NIST to establish "benchmark security 
    standards" for federal agencies. Those standards would be developed in 
    conjunction with industry, academia, the Office of Management and 
    Budget and the federal CIO Council, and would be reviewed and updated 
    at least every six months.
    
    The standards would be "a baseline minimum security configuration for 
    specific computer hardware or software components, an operational 
    procedure or practice, or organizational structure that increases the 
    security of the information technology assets of a department or 
    agency," according to the amendment.
    
    The Business Software Alliance and the Information Technology 
    Association of America each issued a statement after the bill passed, 
    opposing the language calling for standards. According to both 
    organizations' statements, establishing such standards would hinder 
    efforts to quickly respond to changing security threats and could 
    possibly spill over to impose standards on the private sector.
    
    However, the committee had no intention to set technology-specific 
    standards that could stand in the way of innovation or new 
    technologies, according to one staff member who asked not to be named. 
    
    The bill now goes to the full Senate for consideration. The House 
    version of the bill passed the full House in February.
    
    
    