The National Institute of Standards and Technology (NIST) would work with critical infrastructure ISACs and sector coordinating councils to develop voluntary cybersecurity standards and best practices under new legislation offered in the Senate last week.

As proposed by Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) and ranking Republican John Thune of South Dakota, the “Cybersecurity Act” (S. 1353) would direct NIST to develop “a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks” to critical infrastructure as defined under the USA Patriot Act. The bill specifies that the legislation should not be interpreted to confer any new regulatory authority on any state, federal or local government agency.

S. 1353 would require NIST to promote the standards through a public awareness campaign to “increase the understanding” of state and local governments of possible methods to address cyber vulnerabilities, but the agency would not have any power to require or encourage implementation of the standards. This scaled-back approach could allay the concerns stakeholder groups raised about earlier proposals that could provide a backdoor route to binding cybersecurity regulations.

Speaking at a Senate hearing last week, Sen. Thune suggested that S. 1353 could eventually be folded into a larger Senate cybersecurity bill that includes information sharing components and industry liability protections, if other Senate committees are able to approve their own proposals. The Commerce Committee is expected to vote on the bill this week.