
On August 10, President Biden signed into law highly publicized legislation that will provide over $50 billion worth of support to help boost American semiconductor production in an effort to address the crisis-level computer chip shortage the U.S. has been experiencing. That issue is very important, but there is more to the new law than computer chips.
What is usually referred to in the media as the “CHIPS Act” — much easier to remember than the “Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Fund Act” — is more accurately the “CHIPS and Science Act of 2022.” That’s because, after all the twists and turns (and multiple name changes) for this legislation since early 2021, at the last minute Congress included numerous provisions related to science, including a five-year reauthorization of the National Institute of Standards and Technology (NIST). The non-technical media has focused on the CHIPS issue and not very much on the science aspects of the legislation. And it has paid even less attention to Title II, dealing with NIST, ignoring a subtle but important change Congress made.
That NIST section of the new law definitely has some provisions worth looking at for those in the cybersecurity/technology space. Still, maybe one of the most impactful provisions overall is absolutely buried in the measure as “Section 10246 – Standard Technical Update.” Even the Senate Commerce Committee summary simply says this section “provides several technical and administrative updates to the NIST Act.”
Unpacking the 1,200-plus words of Section 10246, we see that, among other things, it essentially allows NIST to submit its standards and guidelines only to the Secretary of its parent department, the Department of Commerce, for issuance. NIST will no longer have to go through the Director of the Office of Management and Budget (OMB), as prior law required, to have its standards approved.
That simple change of authority to promulgate standards could have major implications. Until now, requiring NIST standards and guidelines to be sent to OMB for final approval before they could be issued has meant they had to pass muster with the regulatory hawks in the “government management wing” of that agency (i.e., the “M” in OMB). Those officials may not always possess the technical expertise needed to evaluate the content of NIST’s work – but they often can have an inherent skepticism of regulations.
To be clear, OMB has long had responsibility for clearing proposed regulations. However, the fact is NIST does not issue regulations. They issue science-based, technical standards and guidelines — and these are often very technical.
One expert told me that this looks like a de facto recognition by Congress of what NIST brings to the table and an acknowledgement that NIST initiatives should not be held back by OMB’s regulatory review process. The analogy he made was that this is similar to the private sector’s gradual decoupling of cyber (and physical) security from corporate IT or finance & accounting, realizing that security needs to stand on its own. He said it seems Congress, or more accurately whoever in Congress drafted this provision, has had a similar epiphany with respect to what NIST actually does.
So with this change in the law, the NIST technical experts dealing with cybersecurity and other technological standards will not have to fear running the OMB gauntlet to get something approved and out the door. They can make their case with people they know and work with inside their own Commerce Department.
This will also give those in the private sector, who look to NIST for important technical guidance, some degree of reassurance that well-thought-out technical standards, on which they may have provided input to NIST, stand a better chance of not hitting a roadblock at OMB because someone is judging these standards with the same evil-eye scrutiny as regulations. Depending on who is running OMB in future years and their philosophy, that can be a serious evil eye, so this change of authority could have long-lasting implications for NIST initiatives.