Draft bill would codify NIST cybersecurity framework into law
A draft cybersecurity bill being circulated by the Democratic and Republican heads of the Senate Commerce, Science & Transportation Committee would codify in law the cybersecurity framework called for by President Obama in a Feb. 12 executive order.

The draft (.pdf) would require the National Institute of Standards and Technology to develop a "voluntary, industry-led set of standards, guidelines, best practices" that reduces cyber risks for critical infrastructure--essentially what Obama charged NIST with undertaking under the executive order. The draft says the framework should be "flexible, repeatable, performance-based, and cost-effective."

Committee Chairman Jay Rockefeller (D-W.Va.) "believes that businesses will need the certainty of NIST's voluntary, non-regulatory process--as outlined in the draft legislation--once the EO expires," a committee source said.

A preliminary version of the NIST framework is due in October; a final version is meant to be ready by February 2014. The agency released a rough outline of the framework earlier this month.

Not included in the draft Commerce Committee bill is any mechanism for the private sector to share cybersecurity information with the federal government. Contention in the Senate in 2012 over which agencies could receive information under such a mechanism, and to what purposes the government could use the data, played a large role in that chamber's inability to reach a cybersecurity legislation consensus. Similar issues with the House-approved Cyber Intelligence Sharing and Protection Act (H.R. 624) passed by representatives in April may prevent that bill from gaining Senate passage this year, as well.

The committee draft also calls for a national cybersecurity research and development plan to be developed by the Office of Science and Technology Policy, authorizes an existing National Science Foundation-led cyber scholarship-for-service program, and calls on NIST to continue a cybersecurity public awareness campaign.

The committee source said Rockefeller plans to mark up the bill in July, with support from Ranking Member John Thune (R-S.D.).

Senate leadership has asked other committees with jurisdiction over cyber matters to develop bills, as well.
