WASHINGTON – The U.S. House Committee on Science, Space, and Technology approved H.R. 1224, the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017.  The bill was introduced by Research and Technology Subcommittee Vice Chairman Ralph Abraham (R-La.) and cosponsored by full Committee Chairman Lamar Smith (R-Texas), full Committee Vice Chairman Frank Lucas (R-Okla.), Research and Technology Chairwoman Barbara Comstock (R-Va.), and Energy Subcommittee Vice Chairman Steve Knight (R-Calif.).

Chairman Smith: “Protecting millions of Americans’ confidential tax, health and other personal information is a top priority for our committee.  H.R. 1224, the NIST Cybersecurity Framework, Assessment, and Auditing Act, makes critical reforms to enable NIST to make secure the private information of our citizens and federal agencies.

“H.R. 1224 will help agencies better defend against the type of attacks that hit the Office of Personnel Management (OPM), the Internal Revenue Service (IRS) and the Federal Deposit Insurance Corporation (FDIC).  The OPM attack led to the theft of confidential information of 26 million current and former federal employees.  The FDIC hacks, which may be ongoing, threaten everything from large-scale manipulation of our entire financial system to looting individuals’ checking, savings, and retirement accounts. And at the IRS, 2016 tax-refund fraud is projected to set a new record at $21 billion.

“Unless we take new and more effective steps to prevent cyber-attacks by foreign criminals and unfriendly governments, our economy and national security are at risk.  H.R. 1224 takes those steps, and for that, I would like to thank Congressman Abraham for his tireless work on this important legislation.”

Background

NIST, the National Institute of Standards and Technology, is within the committee’s jurisdiction.

H.R. 1224 takes steps to promote federal use of the NIST Cybersecurity Framework by providing guidance that federal agencies may use to incorporate the Framework into information security risk management efforts.  NIST is also to establish and chair a federal working group to develop quantifiable metrics to help federal agencies analyze and assess the effectiveness of using the Framework.  H.R. 1224 further directs NIST to complete an initial assessment of the cybersecurity preparedness of priority federal agencies, followed by individual cybersecurity audits of these federal agencies with accompanying audit reports. H.R. 1224 promotes federal use of the risk-based approach developed in the NIST Cybersecurity Framework, which has been voluntarily embraced by leading private sector organizations to manage their cybersecurity risks.  Federal agencies continue to rely on technical standards developed under the Federal Information Security Management Act, which some experts describe as bureaucratic box-checking. 

Last month, the Research and Technology Subcommittee held a hearing titled “Strengthening U.S. Cybersecurity Capabilities.” During the 114th Congress, the Science Committee held a dozen hearings related to oversight and policy aspects of federal cybersecurity issues, including the examination of data breaches at the Office of Personnel Management, the Internal Revenue Service and the Federal Deposit Insurance Corporation.   

H.R. 1224 reflects recommendations discussed during the hearing two weeks ago, as well as what the Committee learned in its many cybersecurity hearings last Congress.

Text of the bill and letters of support can be viewed here.