Senate panel OKs security standards

A bill approved by the Senate Commerce Committee would require federal departments and agencies to adhere to security standards, a proposal opposed by tech industry groups.

Margaret Kane Former Staff writer, CNET News
Margaret is a former news editor for CNET News, based in the Boston bureau.
The Senate Commerce Committee has approved a bill that would create a set of "best practices" for computer security for federal departments and agencies, among other things.

The standards provision, added to the proposed Cyber Security Research and Development Act late last week by Sen. John Edwards, D-N.C., is a sticking point for industry groups, which say it could pose a threat to national security by encouraging the use of old technology.

The Business Software Alliance (BSA) and the Information Technology Association of America on Friday both issued letters arguing against the addition, which calls for the National Institute of Science and Technology (NIST) to establish security guidelines for federal agencies.

"The way (the provision) is written implies that NIST has to set forth a technical specification. If I were a NIST person looking at that, I would believe I was tasked with saying to agencies, 'You should have this software and this hardware,'" said Mario Correa, director of Internet and network security policy at the BSA.

The problem with specific technical standards, Correa said, is that they could quickly become outdated, posing security threats that could trickle down to private industry.

"Software developers aren't going to develop two or three variations on a product," he said. "If you have a purchaser as large as the federal government (buying one version), you're going to influence the market."

A representative for Sen. Ron Wyden, D-Ore., the bill's sponsor, said the senator has pledged to work with industry representatives to resolve their concerns.

The bill also authorizes more than $900 million for grants, training and education in computer security. The BSA and the Information Technology Association of America both said they support the rest of the legislation.

The Cyber Security Research and Development Act now heads to the full Senate for approval.

The bill is one of several proposed laws that deal with cybersecurity and homeland defense, including:

  • The Federal Information Security Management Act, currently before the House Science Subcommittee on Environment, Technology and Standards. That bill would replace an existing IT security bill, and, like the Cyber Security Research and Development Act, would require agencies to use best practices for security and give the NIST a larger role in developing those standards. It would also require federal agencies to conduct yearly reviews and audits of information-security practices and to submit the results to the Office of Management and Budget.

  • The Science and Technology Emergency Mobilization Act would create a "National Emergency Technology Guard," or NET Guard, composed of volunteers with technology and science expertise available to be mobilized on short notice. It was approved by the Senate Commerce Committee last week.

  • The National Homeland Security and Combating Terrorism Act, scheduled for a hearing before the Senate Committee on Governmental Affairs this week, calls for $200 million to be spent on researching and developing homeland security technologies as part of a new government agency.