Information Security and Privacy Advisory Board

Information Security and Privacy Advisory Board (ISPAB)

The Information Security and Privacy Advisory Board (ISPAB) was originally created by the Computer Security Act of 1987 (P.L. 100-235) as the Computer System Security and Privacy Advisory Board. As a result of Public Law 107-347, the E-Government Act of 2002, Title III, the Federal Information Security Management Act of 2002, the Board’s name was changed and its mandate was amended.

Scope and Objectives of the Information Security and Privacy Advisory Board (ISPAB)

  • Identify emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy.
  • Advise the National Institute of Standards and Technology (NIST), the Secretary of Commerce and the Director of the Office of Management and Budget on information security and privacy issues pertaining to Federal Government information systems, including thorough review of proposed standards and guidelines developed by NIST.
  • Annually report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency and the appropriate committees of the Congress.
  • The Board’s authority does not extend to private sector systems or federal systems which process classified information.

The stated objectives of NIAP are to meet the needs of government and industry for cost-effective evaluation of Information Technology (IT) products and to improve the availability of evaluated IT products. NIAP has failed to accomplish these objectives. NIAP has been focusing on meeting the needs of the government intelligence community.

It needs to re-focus its efforts on the security needs of other government agencies and the needs of the private sector. Getting the National Institute of Standards and Technology re-engaged fully will be critical to the future success of the NIAP by representing the security interests of the private sector and the rest of the government (NCSP, p. E-2).

The membership of the Board consists of twelve members and a Chairperson. The Secretary of Commerce appoints the Chairperson, and the Director of NIST will appoint all Board members. The Board meets quarterly throughout the year and all meetings are open to the public. The Board invites public comments on its activities and the objectives the Board should undertake.

The cyber security program of the National Institute of Standards and Technology’s Computer Security Division (CSD) performs a vital function in helping protect the critical information systems not only of the civilian (non-defense) side of the Federal Government but also of the nation as a whole. Legislation enacted by Congress in recent years such as the Federal Information Security Management Act (FISMA) and the Cyber Security R&D Act suggests that the Congress recognizes this function, but the programs authorized in these laws require adequate funding.

Documentation

Annual Reports

All annual reports after 1995 are found on the GSA web page at: Federal Advisory Committee Act (FACA). When you reach the site, click on FACA Database (Version 1 – 1997 – 2013), which contains the data added from the fall of 1997 through May of 2013. To view reports and information beyond May 2013, select “SEARCH”, the third tab from left/second from right, and enter “Information Security” to reach the page for the Information Security and Privacy Advisory Board and view its reports.

An annual report is also included in the NIST Computer Security Division Annual Report; the ISPAB report for 2013 can be found on pages 30 – 32 of NIST Special Publication 800-170, Computer Security Division 2013 Annual Report.

