- An increase in National Institute of Standards and Technology (NIST) funding for fiscal year 2018 will help support critical public-private efforts to strengthen national cybersecurity, according to HIMSS and other industry stakeholders.
HIMSS and nearly 20 other groups wrote a letter to leaders of the House and Senate Appropriations Subcommittees on Commerce, Justice, Science, and Related Agencies (CJS), stating that the Trump Administration’s proposed budget cuts are troubling.
The proposed budget would cut around $237 million in funding from NIST, nearly a 25 percent decrease from FY2017. Instead, NIST funding should be boosted. The organization’s cybersecurity efforts, including its Cybersecurity Framework, play a key role in cybersecurity approaches for numerous sectors.
Lawmakers should understand that the resources NIST needs to undertake industry-government efforts on cybersecurity, including the voluntary Framework for Improving Critical Infrastructure Cybersecurity, come from the [Scientific and Technical Research and Services] account. Our groups recognize that policymakers need to spend taxpayers’ money wisely, but the framework has been a remarkable success. Cyber stakeholders may not agree with NIST on every information security standard, guideline, or practice that it develops, yet pound for pound and dollar for dollar, few government entities have done as much as NIST to help businesses strengthen their cybersecurity in collaborative ways.
Boosting NIST funding will help in numerous ways, including protecting the Internet of Things, the stakeholders stressed.
The proposed 2018 budget also proposed changes to AHRQ and ONC. AHRQ would be eliminated, while ONC’s budget would be reduced by $22 million, a 36-percent reduction over the previous year.
“When ONC was created, a small minority of physicians and hospitals used health information technology,” the proposal read. “Now that the vast majority of physicians and hospitals have adopted electronic health records through Federal incentive payments, it is time for a renewed, more focused role for ONC.”
Reductions were also proposed for NIH, CDC, FDA, SAMHSA, and CMS.
AHIMA CEO Lynne Thomas Gordon, MBA, RHIA, CAE, FACHE, FAHIMA said in a statement that the proposed ONC cuts were disappointing.
“The bipartisan passage of the Cures Act by Congress last year made clear that investment in our nation’s health IT infrastructure is critically important if we are to advance new drugs and devices and fully realize the benefits of a learning healthcare system,” Gordon said. “ONC is a critical partner in this endeavor.”
The NIST Cybersecurity Framework is often utilized to help organizations across different sectors to prepare for potential cyber threats. In January 2017, NIST released an updated draft of the document that incorporated comments from the December 2015 Request for Information and comments from Cybersecurity Framework Workshop 2016 attendees.
NIST Program Manager for the Cybersecurity Framework Matt Barrett said that the updated version was meant “to refine and enhance the original document and to make it easier to use.”
The idea of cybersecurity risk management was also introduced, which “will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion,” he added.
Even with potential cuts to NIST funding, the Trump Administration is stressing the importance of national cybersecurity measures and the need for better network security and infrastructure security.
In May 2017, an executive order was signed to improve the nation’s overall approach to cybersecurity.
“The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises,” the executive order stated. “In addition, because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.”
Risk management measures must also be implemented at different agencies to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.
The NIST Cybersecurity Framework, or “any successor document,” would also be utilized to manage cybersecurity risk, according to the executive order.