The National Institute of Standards and Technology will first take stock of work it has already done, and may not ultimately develop new standards, to meet its obligations under an executive order issued in May in response to a string of major breaches of federal and critical infrastructure networks.
“Our preliminary look at fulfilling the requirements within the executive order will be to identify existing guidance or even specifics within existing guidance that we can call out and consolidate for use by the agencies,” said Matthew Scholl, chief of the Computer Security Division at NIST’s Information Technology Laboratory. “We want to identify and cite work that exists, rather than create new work.”
Scholl testified before House Science Committee panels Tuesday along with Vijay D’Souza, director of information technology and cybersecurity at the Government Accountability Office, on how the government can improve software supply chains. The issue is at the fore following the SolarWinds compromise, which had cascading impacts, including for federal agencies, as hackers were able to distribute malware disguised as a legitimate software update from the widely used IT management company.
Rep. Jay Obernolte, R-Calif., ranking member of Science’s Subcommittee on Investigations and Oversight, noted that the May 12 executive order instructs NIST to either identify or develop standards and best practices to inform guidance for agencies going forward. He asked Scholl which of the two NIST is leaning toward.
Scholl said after conducting an inventory of current publications, “we will work with both our industry and our interagency partners to see if there are any critical gap areas in that existing work, and then that will form the nucleus for any new created items that we'll have to make. The timelines are sho ..