[ISN] New opportunities for NIST

From: InfoSec News (isnat_private)
Date: Tue Dec 03 2002 - 01:36:56 PST

    By Diane Frank
    Dec. 2, 2002

    Both the Homeland Security Act of 2002 and the E-Government Act of
    2002 include provisions that attempt to raise the profile of
    cybersecurity initiatives. Central to each bill is a potentially
    larger role for the National Institute for Standards and Technology.

    NIST has developed security guidance for years, but agencies are not
    required to follow it because the secretary of the Commerce Department
    has rarely used the authority granted in the Computer Security Act of
    1987 to make NIST's standards and guidance mandatory.

    Underscoring the importance of security, the e-government bill
    reaffirms that authority and "a lot of us hope that the secretary will
    use that authority more extensively than in the past," said Franklin
    Reeder, chairman of the federal Computer Systems Security and Privacy
    Advisory Board.

    The bill "stresses the importance of this set of responsibilities" and
    could be important as NIST follows through on new requirements in both
    the e-gov and homeland security acts to develop and revise performance
    measures for agencies' security policies and programs, said Ed Roback,
    director of NIST's Computer Security Division.

    Federal security could improve if the secretary should decide to make
    additional NIST guidance and standards mandatory, but such a decision
    could also have drawbacks, said Sallie McDonald, assistant
    commissioner for information assurance and critical infrastructure
    protection at the General Services Administration. "But you don't get
    people's cooperation for the right reasons," and involuntary
    compliance could lead to agencies just checking off another
    requirement box instead of using the guidelines to improve their
    security management, she said.