On Wednesday the U.S. House Committee on Science, Space, and Technology passed the Cybersecurity Framework bill. Under the bill, the National Institute of Standards and Technology (NIST) would explain to federal agencies how to implement the Cybersecurity Framework. The framework was originally developed for companies that own and operate critical infrastructure industries.


About NIST:

The National Institute of Standards and Technology (NIST) reports directly to the U.S. Department of Commerce. It conducts basic and applied research in physics, biology and engineering, as well as research on measurement technology and test methods, and provides standards, standard reference data and related services. It enjoys a strong international reputation.

NIST's main tasks are: (1) establishing national metrology references and standards; (2) developing test technology for industry and national defense; (3) developing and selling standard services; (4) providing metrology verification and calibration services; (5) participating in standardization technical committees to develop standards; (6) carrying out technology transfer and helping small and medium-sized enterprises develop new products. It also conducts research in fire protection, earthquake-resistance technology and applied computing.


For agencies that adopt the framework, complying with this bill would mean they no longer have to meet the traditional compliance requirements of federal information security rules.

The legislation passed by the House Committee on Science, Space, and Technology is the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R. 1224). It passed by a vote of 19 to 14.

Vote record (image)

A committee aide said the bill is intended to advance the use of the NIST Cybersecurity Framework by federal agencies, with NIST providing agencies with guidance on implementing it. The framework was developed with input from critical industries and consists of a set of flexible, voluntary guidelines that companies can use to assess and manage cybersecurity risk.

The aide noted that the bill aims to improve the cybersecurity readiness and defensive capability of federal networks. However, the bill cannot compel federal agencies to use the framework, because the House Committee on Science, Space, and Technology has jurisdiction only over NIST. The House Committee on Oversight and Government Reform or the Committee on Homeland Security may need to pass a bill of their own.

He said, "We have been discussing cybersecurity oversight with our colleagues on other committees. It is still at an early stage of discussion, and we have basically brought them in on what we are currently doing."

An executive order would also do the job. For example, a draft cybersecurity executive order prepared by Trump administration officials would require federal agencies to adopt the NIST Cybersecurity Framework. However, the draft has been shelved for weeks with no sign of action, and its future is unclear.

The bill passed by the Science, Space, and Technology Committee would also require NIST first to assess, and then to audit, agencies' use of the framework using outcome-based metrics and testing.

The aide said, "Ultimately, the framework should replace the current cybersecurity requirements of the Federal Information Security Modernization Act (FISMA)." He called the framework "a more 21st-century approach."

"The framework is a good tool for risk management... for coordinating and aligning all of these cybersecurity requirements. To avoid overlapping new rules and security measures, we think the framework should eventually replace FISMA."

He concluded, "From our point of view, this would be a major improvement."

But NIST's auditing role is the sticking point for the committee's Democrats. Eddie Bernice Johnson, a Democrat from Texas, said, "I do not remember any expert ever recommending that NIST be given the responsibility to conduct annual cybersecurity audits of other agencies. NIST is not an auditing agency. They have no such history, expertise, or capacity." She opposed the bill.

The aide said the next step is up to the House. Everyone is very focused on what comes next for cybersecurity legislation, but the specific timing for this bill is uncertain.

Latest NIST update: https://www.nist.gov/cyberframework

Attachment 1: Cybersecurity Framework (PDF)

Attachment 2: Cybersecurity Framework (Excel)

Related news

Link: http://democrats.science.house.gov/press-release/ranking-member-johnson-opening-statement-cybersecurity-legislation-markup

(Washington, DC) – Today, the House Committee on Science, Space, and Technology is holding a markup of H.R. 1224, the “NIST Cybersecurity Framework Assessment, and Auditing Act of 2017.”

Ranking Member Eddie Bernice Johnson’s (D-TX) opening statement for the record is below.

I understand and sympathize with the Chairman’s desire to move cybersecurity legislation. Cybersecurity is a critically important topic, and one that invites significant press attention. We had a good hearing before the Research & Technology Subcommittee just two weeks ago, during which we heard many good recommendations from widely respected experts. Some of those recommendations fell within our Committee’s jurisdiction, others did not.

I do remember the panel unanimously praising NIST’s role in cybersecurity. I also remember discussion about developing metrics for the adoption of NIST’s Cybersecurity Framework. Witnesses also discussed requiring Federal agencies to incorporate the Framework into their information security programs.

I can see where Mr. Abraham has attempted to incorporate some aspects of those recommendations into his legislation. However, I specifically recall GAO’s recommendation that the Department of Homeland Security, and not NIST, carry out surveys and assessments of the adoption and effectiveness of the Cybersecurity Framework. NIST itself has steadfastly maintained that they are the wrong agency to do it, and not just because of limited resources.

I do not remember a single witness, or a single expert recommendation suggesting that OSTP should be given any role in evaluation or oversight of cybersecurity in the private sector or the Federal government. Perhaps if we substituted OMB or DHS for OSTP everywhere in this bill, it might make more sense. The Majority has inserted an entirely new agency into a policy matter in which they have no expertise and no business being a part of. In doing so, the bill also duplicates authorities and responsibilities clearly assigned to OMB and DHS in current law.

Finally, and speaking to what may be the strangest part of this bill, I do not remember any expert ever recommending that NIST be given the responsibility to conduct annual cybersecurity audits of other agencies. NIST is not an auditing agency.

They have no such history, expertise, or capacity. They are a standards and technology agency. In addition, a single FISMA audit costs between a few hundred thousand to a couple of million dollars, depending on the size and mission of the agency. Nowhere in this bill do we provide NIST with the tens of millions of dollars of additional funding to become the cybersecurity auditing agency of the Federal government. This is a massive unfunded mandate levied on an agency which is already over tasked. Moreover, current law already assigns this very responsibility to agency inspectors general. And no expert I know of has questioned the quality or integrity of the IGs’ work. In fact, IGs know and understand their own agencies’ business operations and information systems infrastructure better than NIST ever will. In short, I remain thoroughly baffled by this proposal in the legislation before us today.

Mr. Chairman, I’ve said this before, and I will say it again here. I stand ready to collaborate and cooperate with you on cybersecurity legislation and oversight. We’ve been able to do so in the past, including for the Cybersecurity Enhancement Act of 2014. However, the bill before us today has a number of controversial new elements which were clearly not vetted with the cybersecurity community or the Administration. I will not support passage today of legislation which will undermine the very agency we are tasking with keeping our cyber infrastructure secure.

I would hope that after this markup, the Majority will take the time to address the concerns that have already been raised in the short time this bill has been publicly available.

I yield back.

This article is based on the e安全 news report at https://www.easyaq.com/news/172073425.shtml, with some modifications.

易霖博信息安全攻防实验室: Part of the content on this site comes from the internet and the copyright belongs to the original authors. If it inadvertently infringes your rights, please leave a message and we will handle it as soon as possible. Thank you.