The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, conducts basic and applied research in physics, biology and engineering, as well as research into measurement technology and testing methods, and provides standards, standard reference data and related services; it enjoys a high reputation internationally.
The legislation passed by the U.S. House Committee on Science, Space, and Technology is the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R. 1224); it was approved by a vote of 19 to 14.
The aide said, "Ultimately, the framework should replace the current cybersecurity requirements of the Federal Information Security Modernization Act (FISMA)." He called the framework "a more 21st-century approach."
But NIST's auditing role is the sticking point that puzzles the committee's Democrats. Eddie Bernice Johnson, a Democrat from Texas, said: "I do not remember any expert ever recommending that NIST be given the responsibility to conduct annual cybersecurity audits of other agencies. NIST is not an auditing agency. They have not done this in the past and lack the expertise or capacity." She opposes the bill.
(Washington, DC) – Today, the House Committee on Science, Space, and Technology is holding a markup of H.R. 1224, the “NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017.”
Ranking Member Eddie Bernice Johnson’s (D-TX) opening statement for the record is below.
I understand and sympathize with the Chairman’s desire to move cybersecurity legislation. Cybersecurity is a critically important topic, and one that invites significant press attention. We had a good hearing before the Research & Technology Subcommittee just two weeks ago, during which we heard many good recommendations from widely respected experts. Some of those recommendations fell within our Committee’s jurisdiction, others did not.
I do remember the panel unanimously praising NIST’s role in cybersecurity. I also remember discussion about developing metrics for the adoption of NIST’s Cybersecurity Framework. Witnesses also discussed requiring Federal agencies to incorporate the Framework into their information security programs.
I can see where Mr. Abraham has attempted to incorporate some aspects of those recommendations into his legislation. However, I specifically recall GAO’s recommendation that the Department of Homeland Security, and not NIST, carry out surveys and assessments of the adoption and effectiveness of the Cybersecurity Framework. NIST itself has steadfastly maintained that they are the wrong agency to do it, and not just because of limited resources.
I do not remember a single witness, or a single expert recommendation suggesting that OSTP should be given any role in evaluation or oversight of cybersecurity in the private sector or the Federal government. Perhaps if we substituted OMB or DHS for OSTP everywhere in this bill, it might make more sense. The Majority has inserted an entirely new agency into a policy matter in which they have no expertise and no business being a part of. In doing so, the bill also duplicates authorities and responsibilities clearly assigned to OMB and DHS in current law.
Finally, and speaking to what may be the strangest part of this bill, I do not remember any expert ever recommending that NIST be given the responsibility to conduct annual cybersecurity audits of other agencies. NIST is not an auditing agency.
They have no such history, expertise, or capacity. They are a standards and technology agency. In addition, a single FISMA audit costs between a few hundred thousand and a couple of million dollars, depending on the size and mission of the agency. Nowhere in this bill do we provide NIST with the tens of millions of dollars of additional funding to become the cybersecurity auditing agency of the Federal government. This is a massive unfunded mandate levied on an agency which is already overtasked. Moreover, current law already assigns this very responsibility to agency inspectors general. And no expert I know of has questioned the quality or integrity of the IGs’ work. In fact, IGs know and understand their own agencies’ business operations and information systems infrastructure better than NIST ever will. In short, I remain thoroughly baffled by this proposal in the legislation before us today.
Mr. Chairman, I’ve said this before, and I will say it again here. I stand ready to collaborate and cooperate with you on cybersecurity legislation and oversight. We’ve been able to do so in the past, including for the Cybersecurity Enhancement Act of 2014. However, the bill before us today has a number of controversial new elements which were clearly not vetted with the cybersecurity community or the Administration. I will not support passage today of legislation which will undermine the very agency we are tasking with keeping our cyber infrastructure secure.
I would hope that after this markup, the Majority will take the time to address the concerns that have already been raised in the short time this bill has been publicly available.
I yield back.