How Congress and NIST Can Help Organizations Better Manage Cyber Risk

On Aug. 25, the Biden administration announced a new public-private initiative to improve the nation’s cybersecurity. The White House directed the National Institute for Standards and Technology (NIST) to partner with industry and other stakeholders to develop a new framework to “improve the security and integrity of the technology supply chain.”

The White House’s announcement represents the federal government’s growing focus on how the standards-setting agency can help provide cybersecurity guidance for organizations to improve their cybersecurity risk management. In July, President Biden announced an executive action requiring NIST and the Department of Homeland Security to establish “cybersecurity performance goals” for critical infrastructure.

Also in July, members of the House Science, Space, and Technology Committee introduced bipartisan legislation, the NIST for the Future Act, to reauthorize the critical agency. Chairwoman Eddie Bernice Johnson described the legislative proposal as “a comprehensive reauthorization of the agency that will help ensure NIST has the authorities and resources it needs to carry out its mission.”

The reauthorization bill would update NIST’s authorities and responsibilities for developing standards and identifying best practices for cybersecurity and privacy. Specifically, the legislation would expand NIST’s current legal authorities to include new responsibilities involving supply chain management and software development, cloud computing, and privacy protection.

These are all appropriate updates to NIST’s mission and responsibilities. But as Congress reauthorizes NIST, lawmakers should answer security experts’ recommendation that NIST’s cybersecurity framework and best practices should be prioritized and evaluated in a meaningful way to help organizations better manage cybersecurity risks.

Background on the NIST Cybersecurity Framework

In 2013, President Barack Obama issued executive order 13636 (“Improving Critical Infrastructure Cybersecurity”) requiring NIST to create a voluntary cybersecurity framework for critical infrastructure owners and operators. The order outlined how “[t]he Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”

At the time, the Obama administration’s decision to establish and promote the use of a voluntary framework through NIST was welcomed by industry and many experts in the cybersecurity community. It marked a departure of a more “top down” and regulatory approach that was considered and ultimately voted down on Capitol Hill during the 112th Congress. Many Republican lawmakers warned that the federal government was ill equipped to regulate and enforce cybersecurity standards. Further, they reasoned that the regulatory process would be too slow and costly to address the dynamic nature of technological innovation and changing cyber threats.

NIST released the Cybersecurity Framework Version 1.0 a year later in February 2014. The guidance was focused on five core cybersecurity functions—“identify, protect, detect, respond, and recover”—and included a list of nearly 100 subcategories of actions that organizations should take or consider to manage cybersecurity risk. NIST described the core functions as “not a checklist” but, rather, “key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk.” But many observers have described the framework, which was updated in 2018, as the former—a long list of cybersecurity actions that organizations should take to improve their risk management.

Open Questions About the Framework’s Prioritization, Use and Cost-Effectiveness

For many organizations, fulfilling all of the framework’s recommended actions, expanded to more than 100 in 2018, is often unrealistic, particularly for smaller organizations with limited resources as well as those under active attack.

In 2017, former FBI senior executive Steven Chabinsky described the framework during Senate testimony as “a thoughtful, elegant, and simply stated document.” But Chabinsky compared its long list of high-level security recommendations to a theoretical list of requirements for a lunar landing—“Rocket ship required to reach the moon is established,” as Chabinksy argued, is much easier said than done. For many organizations, achieving each of the requirements of the NIST cybersecurity framework may also be impossible due to limited resources and other factors.

Some cybersecurity experts have called for the NIST framework to be prioritized and evaluated to identify which actions are most cost-effective to manage cyber risk. The Internet Security Alliance (ISA), which is a multisector trade association (where I once worked), has pointed out that many organizations won’t be able to use the framework unless it makes business sense to do so. ISA’s public comment to NIST in 2013 reiterated the point: “NIST’s potential audience for this document will not adopt/map/adhere to the Framework unless decision makers can be convinced that it will either make their lives easier or there is some value/advantage to doing so.” And, “accordingly, there should be some thought around making it easy.”

Further, both the Obama administration’s 2013 executive order and the bipartisan Cybersecurity Enhancement Act of 2014 stated that the framework should be “prioritized, flexible, repeatable, performance-based, and cost-effective.” But to date, NIST has not provided clear recommendations about which actions should be prioritized or provided metrics to evaluate how taking them was reducing cyber risks.

In 2020, the Government Accountability Office (GAO) published a review of the NIST framework as mandated by the Cybersecurity Enhancement Act of 2014. The review found that most of the sector-specific agencies, which oversee the nation’s critical infrastructure, have “not developed methods to determine the level and type of adoption” of the framework or “reported on sector-wide improvements” based on its use. In other words, it’s unclear to what extent it is being used and what level of protection its implementation has achieved. The GAO warned that “[u]ntil they do so, the extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructures from threats will be largely unknown.”

How Organizations Could Use a Prioritized Cybersecurity Framework

There is growing recognition in the private sector that organizations must address cybersecurity as an enterprise risk management issue, rather than as a simple technology problem to be solved by the chief information security officer or information technology managers. In short, directors and business leaders must consider cybersecurity as a factor across many lines of an organization’s activities and must thoughtfully apply resources to appropriately manage risk.

Organizations have access to a growing number of tools that can help them manage their cyber risk—from technologies intended to mitigate vulnerabilities to analytical services that measure cyber risk to insurance offerings that some organizations may choose to purchase to transfer risk. There’s also an emerging market of companies that provide independent or third-party assessments of organizations’ cybersecurity posture and risk management.

A prioritized NIST cybersecurity framework, or even external evaluation of the framework’s cost-effectiveness, could help inform private-sector efforts to both improve cyber risk management as well as support the growing market of services working to analyze, assess, and mitigate cyber risks. For organizations with limited resources, simply providing some order to the framework’s checklist of 100 security recommendations could help an organization begin to improve its security posture in a cost-effective manner by focusing on the actions that would do the most to reduce risk.

President Biden’s Executive Actions

In late July, the White House announced a new executive action aimed to improve critical infrastructure cybersecurity. Biden directed the Department of Homeland Security and NIST to establish “cybersecurity performance goals” for critical infrastructure owners and operators.

In statements to the press, the Biden administration explained that the move could be a precursor to a push for new authority to regulate cybersecurity on Capitol Hill. A senior administration official commented at the briefing that “the administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory.”

Requiring NIST to establish “performance goals” could address these long-standing concerns and help organizations better manage cyber risk by understanding which actions are most important. For example, the White House issued clear guidance to the private sector to answer the growing ransomware threat in June. In an open letter to corporate executives and business leaders, Deputy Assistant to the President Anne Neuberger urged organizations to take five specific actions to protect against the actions of ransomware. “We’ve selected a small number of highly impactful steps to help you focus and make rapid progress on driving down risk,” Neuberger wrote.

But the prospect of future mandates and tying forthcoming “performance goals” to new cybersecurity regulations would likely draw opposition from industry and many lawmakers on Capitol Hill. Counterarguments to an increased regulatory approach will likely include that the compliance burden of new regulations will be costly and counterproductive. Moreover, the federal regulatory process, with its lengthy rulemaking and comment periods, is ill suited for a complex and dynamic technological challenge like cybersecurity.

Federal agencies already have the authority to regulate many of the critical infrastructure sectors, but these authorities haven’t always been used effectively or even exercised. The Department of Homeland Security, through the Transportation Security Administration, has had the authority to regulate pipeline security for more than a decade. But Homeland Security only recently used this power following the Colonial Pipeline ransomware incident.

The Biden administration’s new initiative requires NIST to develop a new framework to improve the security and integrity of technology supply chains. The White House announcement explained that “the approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software.” The statement further announced that “Microsoft, Google, IBM, Travelers, and Coalition [have] committed to participating in this NIST-led initiative.” As this new public-private partnership moves forward, providing prioritized and specific guidance for organizations could significantly improve the value of the forthcoming guidance.

How Congress and NIST Can Help Organizations Better Manage Cyber Risk

The Biden administration and Congress could use the ongoing reauthorization of NIST to better inform critical infrastructure owners and operators and other organizations about how to improve their cybersecurity posture, including by improving supply chain risk management. Congress could include the following provisions in the NIST For the Future Act.

First, Congress should require NIST to prioritize the actions described in the cybersecurity framework, consistent with current law. The committee could amend the legislation to add a reporting requirement, including any new frameworks or goals that are developed. Alternatively, the bill could be modified to clarify what Congress means by “prioritized” to create a specific requirement for NIST to answer.

Second, Congress could include a provision in the legislation to require an external review of the NIST framework and its implementation to help organizations better understand its cost-effectiveness. Demonstrating how specific security measures will reduce cyber risk would likely increase its adoption by critical infrastructure owners and operators as well as other organizations. Rather than tasking GAO with this responsibility, Congress should consider giving the responsibility for this audit to a national lab or to the National Academies of Sciences to provide an independent and authoritative assessment from beyond the legislative branch.

The nation’s growing cyber threats require a proactive approach. The Biden administration deserves credit for working to provide clearer guidance to the government’s partners on the front lines of the ongoing global cyber conflict. But the White House and lawmakers on Capitol Hill should be cautious about pursuing a new regulatory framework, which will likely face significant resistance and, if successful, would probably take years to implement.

Requiring NIST to clarify how organizations should use existing and future cybersecurity guidance would be a timely and overdue action to improve the nation’s cyber defenses that should attract broad support.