Information Security and Privacy Advisory Board ISPAB

Documentation


ISPAB Charter for 2024-2026.

ISPAB Annual Report for Fiscal Year 2023

ISPAB Annual Report for Fiscal Year 2022

ISPAB Annual Report for Fiscal Year 2021

ISPAB Annual Report for Fiscal Year 2020

ISPAB Annual Report for Fiscal Year 2019

Annual reports for 1995 - 2018 are found on the GSA web page for the Federal Advisory Committee Act (FACA). When you reach the site, please select “The Annual Report of the President on Federal Advisory Committees – 1972-1998” (http://www.facadatabase.gov/rpt/printedannualreports.asp). To view reports and information, select “SEARCH” (the third tab from the left, second from the right) and enter “Information Security” and “current” to view the current report on the Information Security and Privacy Advisory Board. From this page, you can also view past committee history by selecting “Committee History” in the top right corner of the page.

To view ISPAB Annual Reports from 1989-1995.

A report on the ISPAB is also included in NIST Computer Security Division Annual Report every year.

Recommendations and Resolutions

March 2023

Support and Recommendation for Software Bill of Materials (SBOM)
The ISPAB supports and commends the Administration’s ongoing and increasing efforts to address the relentless and increasingly sophisticated cybersecurity threats our Nation faces, which include recent actions to improve the security and integrity of the software supply chain through initiatives such as SBOM.

Letter to Dr. Locascio, Undersecretary of Commerce for Standards Management and Technology and the Director of the National Institute of Standards and Technology (NIST), the Honorable Alejandro Mayorkas, Secretary, United States Department of Homeland Security, and Ms. Jen Easterly, Director, CISA, Department of Homeland Security.

Response received from Ms. Jen Easterly, Director, CISA, Department of Homeland Security.

December 2021

Recommendation on Executive Order (EO) 14028 "Improving the Nation's Cybersecurity" 
ISPAB submitted a letter to NIST, DHS, and OMB expressing concern about the magnitude of effort that the EO will require from government agencies and private sector along with an inquiry regarding implementation guidance.

Letter to Dr. James Olthoff, Performing the Non-Exclusive Functions and Duties of the Undersecretary of Commerce for Standards and Technology and Director, NIST, the Honorable Alejandro Mayorkas, Secretary, United States Department of Homeland Security, and Ms. Shalanda D. Young, Acting Director, Office of Management and Budget.

Recommendation to Increase Staffing to Meet NIST's Privacy Initiatives (Resubmitted from October 2020)
ISPAB submitted a letter to NIST encouraging additional staffing for its Privacy Program in order to meet the growing demand for privacy guidance and engagement.

Letter to Dr. James Olthoff, Performing the Non-Exclusive Functions and Duties of the Undersecretary of Commerce for Standards and Technology and Director, NIST.

Letter received in response to Recommendations to Increase Staffing to Meet NIST's Privacy Initiative from Dr. James Olthoff, Performing the Non-Exclusive Functions and Duties of the Undersecretary of Commerce for Standards and Technology and Director, NIST.

March 2021

Recommendation for Further Security Training and Education by the National Initiative for Cybersecurity Education (NICE) 
ISPAB submitted a letter to NIST encouraging NICE to work with education and training providers to ensure job-appropriate security education and training to align with the Workforce Framework for Cybersecurity (NICE Framework).

Letter to Dr. James Olthoff, Performing the Non-Exclusive Functions and Duties of the Undersecretary of Commerce for Standards and Technology and Director, NIST.

Recommendation Encouraging Government to participate in the Open Source Security Foundation (OSSF)
ISPAB submitted a letter to NIST encouraging the Director to encourage government agencies and contractors that depend on Open Source Software (OSS) to join and participate in the Open Source Security Foundation (OSSF).

Letter to Dr. James Olthoff, Performing the Non-Exclusive Functions and Duties of the Undersecretary of Commerce for Standards and Technology and Director, NIST.

Recommendation on Secure Software Configurations
ISPAB submitted a letter to DHS, NIST, and OMB recommending that NIST and DHS develop technical approaches for products that are configurable to ensure they are secure and usable, as well as incentivization strategies to ensure secure configurations are supported by product developers and implemented by users.

Letter to the Honorable Alejandro Mayorkas, Secretary, Department of Homeland Security, Dr. James Olthoff, Performing the Non-Exclusive Functions and Duties of the Undersecretary of Commerce for Standards and Technology and Director, NIST, and Ms. Shalanda D. Young, Acting Director, Office of Management and Budget.
 

October 2020

Recommendation to Increase Staffing to Meet NIST's Privacy Initiatives
ISPAB submitted a letter to NIST encouraging additional staffing for its Privacy Program in order to meet the growing demand for privacy guidance and engagement.

Letter to Dr. Walter Copan, Undersecretary of Commerce for Standards and Technology and Director, NIST.

June 2020

Concern for Insensitive Language in Technology and Security Standards
ISPAB submitted a letter to NIST expressing concern regarding many technology and security standards that may contain insensitive language.

Letter to Dr. Walter Copan, Undersecretary of Commerce for Standards and Technology and Director, NIST.

Response from Dr. Walter Copan, Undersecretary of Commerce for Standards and Technology and Director, NIST

 

October 2019

Concern Regarding Delay in Publishing NIST SP 800-53, Revision 5
ISPAB submitted a letter to NIST and OMB expressing concern regarding the delay in publishing NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations.

Letter to Dr. Walter Copan, Undersecretary of Commerce for Standards and Technology and Director, NIST, and the Honorable Mick Mulvaney, Director, U.S. Office of Management and Budget.                  

 

July 2017

Maintaining Current NIST Authorities; NIST's Privacy Engineering Program
ISPAB submitted a letter to NIST and OMB regarding greater attention to training Inspectors General on federal information security requirements and to support efforts to build a privacy engineering collaboration space.

Letter to Kent Rochford, Acting Undersecretary of Commerce and Acting Director, NIST, and the Honorable Mick Mulvaney, Director, U.S. Office of Management and Budget.

 

April 2017

Government Website Security, Federal Bug Bounty Programs, Voting as Critical Infrastructure, Distributed Denial of Service Attacks
Letter -- ISPAB submitted a letter to the Acting Undersecretary of Commerce and Director, NIST, and to the Director, OMB relating to views of the board in areas of concern, priority and emphasis that are worthy of further exploration to ensure the security of Federal IT systems and our voting infrastructure.

 

November 2016

President's Cybersecurity National Action Plan (CNAP)
ISPAB sends a letter to NIST and OMB regarding the President's Cybersecurity National Action Plan (CNAP) and plans for the transition to the incoming Administration. The letter offers the Board's view of several privacy and security issues that we believe should be priorities for the next Administration.

Letter to The Honorable Shaun Donovan, Director, U.S. Office of Management and Budget, Washington, DC and also addressed to The Honorable Dr. Willie E. May, Under Secretary of Commerce for Standards and Technology, Director, NIST, Gaithersburg, MD.

 

April 2016

FIPS 140 and use of ISO/IEC 19790
ISPAB submitted a recommendation letter to Director, NIST, relating to NIST’s plans to update FIPS 140 (Federal Information Processing Standard Publication 140-2, Security Requirements for Cryptographic Modules) and the specific use of International Standard ISO/IEC 19790, Information technology – Security techniques – Security requirements for cryptographic modules.

Letter to The Honorable Under Secretary of Commerce for Standards and Technology, Director, NIST, Gaithersburg, MD.

Letter: The Director of NIST responded to the Chair, ISPAB

 

January 2016

Quantum Computing
Letter: The Director of NIST responded to the Chair, ISPAB, on recommendation letter submitted in October 2015 relating to quantum computing.

October 2015

Quantum Computing
Letter: ISPAB submitted a recommendation letter to Director, NIST, and Director, Office of Management and Budget, relating to quantum computing. The letter was approved by the ISPAB at the meeting in October 2015.

 

July 2015

Realignment within NIST's ITL - adding another division devoted to cybersecurity
A letter addressed to Dr. Willie E. May to endorse the realignment within ITL to add another Division devoted to cybersecurity.

Letter to The Honorable Under Secretary of Commerce for Standards and Technology, Director, NIST, Gaithersburg, MD.

 

July 2015

Department of Commerce Review Risk Management Process
A letter to Dr. Willie E. May recommending that the US Department of Commerce review the internal risk management process, especially for the export control program.

Letter to The Honorable Under Secretary of Commerce for Standards and Technology, Director, NIST, Gaithersburg, MD.

 

November 2014

Mobile Device and Derived Credentials
A letter was submitted to Director, OMB with copy to Acting Director, National Institute of Standards and Technology, recommending the review and re-issuance of OMB memorandum M-06-16, in order to enable new remote work scenarios that are efficient, usable, and secure. This is based on the understanding of the difficulty of authenticating from mobile devices to access government systems.

Letter to The Honorable Shaun Donovan, Director, U.S. Office of Management and Budget, Washington, DC with copy to Dr. Willie E. May, Acting Director, National Institute of Standards and Technology.

 

January 2014

NIST Cybersecurity Framework
A letter was submitted to Director, OMB and the Under Secretary of Commerce for Standards and Technology, Director, National Institute of Standards and Technology, recommending the inclusion of a privacy methodology consistent with the Fair Information Practice Principles (FIPPs). The letter also commended NIST’s work and collaboration in drafting the preliminary framework.

Letter to The Honorable Sylvia Mathews Burwell, Director, U.S. Office of Management and Budget, Washington, DC. and 
Dr. Patrick Gallagher, Under Secretary of Commerce for Standards and Technology; Director, National Institute of Standards and Technology

 

January 2014

NIST Cryptographic Standards
After reviewing NIST cryptographic standards at the Board’s December 2013 meeting, the Board submitted a letter to Director, OMB and the Under Secretary of Commerce for Standards and Technology, Director, National Institute of Standards and Technology, commending NIST’s encryption standards development process and NIST’s interest in exploring new institutional partnerships to build on the credibility of its program.

Letter to The Honorable Sylvia Mathews Burwell, Director, U.S. Office of Management and Budget, Washington, DC. and 
Dr. Patrick Gallagher, Under Secretary of Commerce for Standards and Technology; Director, National Institute of Standards and Technology

 

June 2013

Submission of comments to FDA draft guidance entitled ‘‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” 
In response to FDA’s draft guidance issued on June 14, 2013, ISPAB submitted the recommendation letter sent to OMB in April 2012 as comments.

Letter to Division of Dockets Management (HFA 305), Food and Drug Administration, Rockville, MD.

 

June 2013

NIST Cybersecurity Framework
A letter submitted to the Under Secretary of Commerce for Standards and Technology, Director, National Institute of Standards and Technology, recommending that NIST, DHS, and the sector agencies engage the leadership of NIPP SCCs and GCCs in the creation of the Framework.

Letter to The Honorable Patrick Gallagher, Under Secretary of Commerce for Standards and Technology, Director, NIST, Gaithersburg, MD.

 

March 2013

NIST Special Publication 800-53 Revision 4
A letter submitted to the Deputy Director, US Office of Management and Budget, describing the reasons for ISPAB support for the adoption of this publication.

Letter to The Honorable Jeffery Zients, Deputy Director, U.S. Office of Management and Budget, Washington, DC.

 

February 2013

Privacy and Civil Liberties Oversight Board (PCLOB)
A letter of recommendation was submitted to the Deputy Director, US Office of Management and Budget, and the Under Secretary of Commerce for Standards and Technology, Director, National Institute of Standards and Technology. The letter conveys the ISPAB’s support for establishing the PCLOB so that it can serve the role intended in the President’s Executive Order (EO) on Improving Critical Infrastructure Cybersecurity.

Letter to The Honorable Jeffery Zients, Deputy Director, U.S. Office of Management and Budget, Washington, DC.

 

July 2012

The letter of recommendations submitted to the Deputy Director, US Office of Management and Budget, relating to the discussion on sharing information on cyber threats and indicators.

Letter to The Honorable Jeffery Zients, Acting Director, U.S. Office of Management and Budget, Washington, DC.

 

April 2012

The letter provides recommendations to the Deputy Director, US Office of Management and Budget, on the risks of outdated computer operating systems used by Federal Agencies.

Letter to The Honorable Jeffery Zients, Acting Director, U.S. Office of Management and Budget, Washington, DC.

 

April 2012

The letter provides recommendations to the Deputy Director, US Office of Management and Budget, on the importance of maintaining security in medical devices.

Letter to The Honorable Jeffery Zients, Acting Director, U.S. Office of Management and Budget, Washington, DC.

 

February 2012

The letter provides recommendations to the Under Secretary of Commerce for Standards and Technology for raising national awareness in future Cybersecurity Awareness Months.

Letter to The Honorable Patrick Gallagher, Under Secretary of Commerce for Standards and Technology, Director, NIST, Gaithersburg, MD.

 

November 2011

The letter requests that the Under Secretary of Commerce for Standards and Technology review a paper presented by Dr. Fred Schneider. Dr. Schneider's work, done in collaboration with Deirdre Mulligan, discusses the need to build a shared understanding of cyber security doctrine as a key underpinning of cyber policy and practice.

Letter to The Honorable Patrick Gallagher, Under Secretary of Commerce for Standards and Technology, Director, NIST, Gaithersburg, MD.

 

March 2011

The letter offers recommendations to the Under Secretary re. goals for a research program to support NSTIC.

Letter to The Honorable Patrick Gallagher, Under Secretary of Commerce for Standards and Technology, Director, NIST, Gaithersburg, MD.

 

September 2010

The letter provides initial recommendations to OMB re. leadership for Initiative 8 of the Comprehensive National Cybersecurity Initiative, regarding Cyber Education. This is intended to help NIST, OMB, and the Administration in addressing certain gaps to enhance the chances for success at the outset of its leadership for this key national program.

Letter to The Honorable Jeffery Zients, Acting Director, U.S. Office of Management and Budget, Washington, DC.

 

January 2010

This letter offers recommendations of the Information Security and Privacy Advisory Board to OMB regarding some difficult technical problems concerning security and privacy for access to patient data. It discusses two technical areas that have particular importance in IT for healthcare delivery in building trustworthy computing systems.

Letter to The Honorable Peter Orszag, Director, Office of Management and Budget.

 

October 2009

This letter offers recommendations of the Information Security and Privacy Advisory Board to the NIST ITL Director on their proposed reorganization, and specifically those elements of the reorganization that would impact the Computer Security Division and NIST’s overall role regarding Federal agency information security.

Letter to Ms. Cita Furlani, Director, Information Technology Laboratory, National Institute of Standards and Technology.

 

May 2009

This letter offers recommendations of the Information Security and Privacy Advisory Board to OMB regarding updating privacy law and policy in light of technological change.

Letter to The Honorable Peter Orszag, Director, Office of Management and Budget.

 

December 2008

Einstein Program Letter:
This letter offers recommendations of the Information Security and Privacy Advisory Board to OMB regarding the Einstein Program.

Letter to The Honorable Jim Nussle, Director, Office of Management and Budget.

 

July 2008

FISMA Letter:
This letter offers recommendations of the Information Security and Privacy Advisory Board to OMB regarding the efficacy of security metrics in regard to FISMA.

Letter to The Honorable Jim Nussle, Director, Office of Management and Budget.

 

July 2008

EBK Letter:
This letter offers recommendations of the Information Security and Privacy Advisory Board to OMB regarding the Information Security Essential Body of Knowledge (EBK) project.

Letter to The Honorable Karen Evans, Administrator for Electronic Government and Information Technology, Office of Management and Budget.

 

September 2007

COOP Letter:
This letter offers the recommendation of the Information Security and Privacy Advisory Board that OMB and NIST work with DHS and other involved agencies to issue guidance on incorporating sound security and privacy practices into emergency response.

Letter to The Honorable Karen Evans, Administrator for Electronic Government and Information Technology, Office of Management and Budget.

 

September 2007

REAL ID Letter:
This letter offers the comments and advice of the Information Security and Privacy Advisory Board, its concept of the issues, and its views on the Real ID program’s use of encryption.

Letter to The Honorable Karen Evans, Administrator for Electronic Government and Information Technology, Office of Management and Budget.

 

June 2006

Subject: This letter offers the comments and advice of the Information Security and Privacy Advisory Board, on progress of the National Information Assurance Program (NIAP) review since its initiation in mid-2004. It provided recommendations on the key issues with NIAP.

Letter to The Honorable Rob Portman, Director, Office of Management and Budget.

 

January 2005

This letter offers the comments and advice of the Information Security and Privacy Advisory Board, on Section 522 of the Consolidated Appropriations Act of 2005, Division H Transportation/Treasury, which provides for the establishment of statutory Chief Privacy Officers in Federal departments and agencies and prescribes certain actions to meet Federal government privacy management responsibilities.

Letter to The Honorable Joshua Bolten, Director, Office of Management and Budget.

 

August 2004

The Board produced the report "The National Institute of Standards and Technology Computer Security Division: The Case for Adequate Funding" in June 2004. A letter transmitting the final report and Board recommendations for consideration was submitted to the Honorable Joshua B. Bolten, Director of the OMB.

Letter to The Honorable Joshua Bolten, Director, Office of Management and Budget.

 

August 2002

The Final Report, "Computer System Security and Privacy Advisory Board Findings and Recommendations on Government Privacy Policy Setting and Management," was approved by the Board at their September 17-19, 2002, meeting.

White Papers

April 2011

Enabling Distributed Security in Cyberspace Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action

 

January 2003

Questions to Establish Potential Chilling Effects

 

Board Correspondence

September 15, 2004

Subject: Report on funding for the cyber security program at the National Institute of Standards and Technology (NIST) prepared by ISPAB.

Letter to The Honorable Joshua B. Bolten, Director Office of Management and Budget.

 

June 2004

Subject: Request for Board's advice on a list of activities that would be useful for both the Board and NIST to meet our respective statutory responsibilities for FY 2005.

Letter to Mr. Franklin S. Reeder, Chairman, Information Security and Privacy Advisory Board (ISPAB). From Mr. Ed Roback, Division Chief, Computer Security Division, NIST.

 

October 30, 2003

Subject: The issue of agencies using Web-based transactions to provide "e-government" services to members of the public. A key issue was whether (and how) an application might place program code (often referred to as "plug-ins" or "mobile code") into the user's browser.

Letter to The Honorable Joshua B. Bolten, Director Office of Management and Budget.

 

August 20, 2003

Subject: The e-Authentication initiative and the importance of establishing privacy policies and practices as mandatory components of technical models and systems being considered to support e-authentication services.

Letter to The Honorable Joshua B. Bolten, Director Office of Management and Budget.

 

April 8, 2003

Subject: Discussion of considerations the Board feels are important to the ongoing development of the National Strategy to Secure Cyberspace, issued February, 2003.

Letter to The Honorable Mitchell E. Daniels, Jr., Director, Office of Management and Budget.

 

December 20, 2002

Subject: The Board's observations and recommendations on the September draft of the Strategy to Secure Cyberspace.

Letter to Mr. David Howe, Chief of Staff, Office of Cyberspace Security.

 

May 20, 2002

Subject: Final draft of a report of the Computer System Security and Privacy Advisory Board adopted at its March 2002 meeting.

Letter to The Honorable Donald L. Evans, Secretary of Commerce.

 

December 14, 2001

Subject: Support of initiative of the National Security Council and the Partnership for Critical Infrastructure Security to educate home users and small business owners on computer security measures.

Letter to The Honorable Donald L. Evans, Secretary of Commerce.

 

April 9, 2001

Subject: Board's views on the Subcommittee's publication "First Report Card on Computer Security at Federal Departments and Agencies."

Letter to The Honorable Stephen Horn, Chairman, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, House Committee on Government Reform.

ANNUAL REPORTS From 1989-1995

1995

1995 ANNUAL REPORT

 

1994

1994 ANNUAL REPORT

 

1993

1993 ANNUAL REPORT

 

1992

1992 ANNUAL REPORT

 

1991

1991 ANNUAL REPORT

 

1990

1990 ANNUAL REPORT

 

1989

1989 ANNUAL REPORT

 

If you have any questions or need information please e-mail Matthew Scholl.

Contacts

Mr. Matthew Scholl - NIST

Jeff Brewer
Jeffrey.Brewer@nist.gov

Topics

Security and Privacy: general security & privacy

Laws and Regulations: E-Government Act

Activities and Products: groups

Created May 24, 2016, Updated March 18, 2024