informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/law/csa87.law

462 lines
27 KiB
Plaintext
Raw Permalink Normal View History

Initial commit
2021-04-15 11:31:59 -07:00
101 STAT. 1724 PUBLIC LAW 100-235--JAN. 8, 1988
Public Law 100-235
100th Congress
AN ACT
To provide for a computer standards program within the National
Bureau of Standards, to provide for Government-wide computer
security, and to provide for the training in security mat-
ters of persons who are involved in the management, opera-
tion, and use of Federal computer systems, and for other
purposes.
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the "Computer Security Act of
1987".
SEC. 2. PURPOSE.
(a) In General.--The Congress declares that improving the
security and privacy of sensitive information in Federal computer
systems is in the public interest, and hereby creates a means for
establishing minimum acceptable security practices for such sys-
tems, without limiting the scope of security measures already
planned or in use.
(b) Specific Purposes.--The purposes of this Act are--
(1) by amending the Act of March 3, 1901, to
assign to the National Bureau of Standards responsibil-
ity for developing standards and guidelines for Federal
computer systems, including responsibility for develop-
ing standards and guidelines needed to assure the cost-
effective security and privacy of sensitive information
in Federal computer systems, drawing on the technical
advice and assistance (including work products) of the
National Security Agency, where appropriate;
(2) to provide for promulgation of such standards
and guidelines by amending section 111(d) of the Feder-
al Property and Administrative Services Act of 1949;
(3) to require establishment of security plans by
all operators of Federal computer systems that contain
sensitive information; and
(4) to require mandatory periodic training for all
persons involved in management, use, or operation of
Federal computer systems that contain sensitive infor-
mation.
SEC. 3. ESTABLISHMENT OF COMPUTER STANDARDS PROGRAM.
The Act of March 3, 1901 (15 U.S.C. 271-278h), is amended--
(1) in section 2(f), by striking out "and" at the
end of paragraph (18), by striking out the period at
the end of paragraph (19) and inserting in lieu thereof:
"; and", and by inserting after such paragraph the
following:
"(20) the study of computer systems (as that term
is defined in section 20(d) of this Act) and their use
to control machinery and processes.";
(2) by redesignating section 20 as section 22, and
by inserting after section 19 the following new sec-
tions:
"Sec. 20. (a) The National Bureau of Standards shall--
"(1) have the mission of developing standards,
guidelines, and associated methods and techniques for
computer systems;
"(2) except as described in paragraph (3) of this
subsection (relating to security standards), develop
uniform standards and guidelines for Federal computer
systems, except those systems excluded by section 2315
of title 10, United States Code, or section 3502(2) of
title 44, United States Code;
"(3) have responsibility within the Federal Gov-
ernment for developing technical, management, physical,
and administrative standards and guidelines for the
cost-effective security and privacy of sensitive infor-
mation in Federal computer systems except--
"(A) those systems excluded by section
2315 of title 10, United States Code, or section
3502(2) of title 44, United States Code; and
"(B) those systems which are protected
at all times by procedures established for infor-
mation which has been specifically authorized
under criteria established by an Executive order
or an Act of Congress to be kept secret in the
interest of national defense or foreign policy,
the primary purpose of which standards and guidelines
shall be to control loss and unauthorized modification
or disclosure of sensitive information in such systems
and to prevent computer-related fraud and misuse;
"(4) submit standards and guidelines developed
pursuant to paragraphs (2) and (3) of this subsection,
along with recommendations as to the extent to which
these should be made compulsory and binding, to the
Secretary of Commerce for promulgation under section
111(d) of the Federal Property and Administrative
Services Act of 1949;
"(5) develop guidelines for use by operators of
Federal computer systems that contain sensitive infor-
mation in training their employees in security aware-
ness and accepted security practice, as required by
section 5 of the Computer Security Act of 1987; and
"(6) develop validation procedures for, and evalu-
ate the effectiveness of, standards and guidelines
developed pursuant to paragraphs (1), (2), and (3) of
this subsection through research and liaison with other
government and private agencies.
"(b) In fulfilling subsection (a) of this section, the Na-
tional Bureau of Standards is authorized--
"(1) to assist the private sector, upon request,
in using and applying the results of the programs and
activities under this section;
"(2) to make recommendations, as appropriate, to
the Administrator of General Services on policies and
regulations proposed pursuant to section 111(d) of the
Federal Property and Administrative Services Act of
1949;
"(3) as requested, to provide to operators of
Federal computer systems technical assistance in imple-
menting the standards and guidelines promulgated pursu-
ant to section 111(d) of the Federal Property and
Administrative Services Act of 1949;
"(4) to assist, as appropriate, the Office of
Personnel Management in developing regulations pertain-
ing to training, as required by section 5 of the Com-
puter Security Act of 1987;
"(5) to perform research and to conduct studies,
as needed, to determine the nature and extent of the
vulnerabilities of, and to devise techniques for the
cost effective security and privacy of sensitive infor-
mation in Federal computer systems; and
"(6) to coordinate closely with other agencies and
offices (including, but not limited to, the Departments
of Defense and Energy, the National Security Agency,
the General Accounting Office, the Office of Technology
Assessment, and the Office of Management and Budget)--
"(A) to assure maximum use of all existing
and planned programs, materials, studies, and
reports relating to computer systems security and
privacy, in order to avoid unnecessary and costly
duplication of effort; and
"(B) to assure, to the maximum extent feasi-
ble, that standards developed pursuant to subsec-
tion (a) (3) and (5) are consistent and compatible
with standards and procedures developed for the
protection of information in Federal computer
systems which is authorized under criteria estab-
lished by Executive order or an Act of Congress to
be kept secret in the interest of national defense
or foreign policy.
"(c) For the purposes of--
"(1) developing standards and guidelines for the
protection of sensitive information in Federal computer
systems under subsections (a)(1) and (a)(3), and
"(2) performing research and conducting studies
under subsection (b)(5),
the National Bureau of Standards shall draw upon computer system
technical security guidelines developed by the National Security
Agency to the extent that the National Bureau of Standards deter-
mines that such guidelines are consistent with the requirements
for protecting sensitive information in Federal computer systems.
"(d) As used in this section--
"(1) the term 'computer system'--
"(A) means any equipment or interconnected
system or subsystems of equipment that is used in
the automatic acquisition, storage, manipulation,
management, movement, control, display, switching,
interchange, transmission, or reception, of data
or information; and
"(B) includes--
"(i) computers;
"(ii) ancillary equipment;
"(iii) software, firmware, and similar
procedures;
"(iv) services, including support serv-
ices; and
"(v) related resources as defined by
regulations issued by the Administrator for
General Services pursuant to section 111 of
the Federal Property and Administrative
Services Act of 1949;
"(2) the term 'Federal computer system'--
"(A) means a computer system operated by a
Federal agency or by a contractor of a Federal
agency or other organization that processes infor-
mation (using a computer system) on behalf of the
Federal Government to accomplish a Federal func-
tion; and
"(B) includes automatic data processing
equipment as that term is defined in section
111(a)(2) of the Federal Property and Administra-
tive Services Act of 1949;
"(3) the term 'operator of a Federal computer
system' means a Federal agency, contractor of a Federal
agency, or other organization that processes informa-
tion using a computer system on behalf of the Federal
Government to accomplish a Federal function;
"(4) the term 'sensitive information' means any
information, the loss, misuse, or unauthorized access
to or modification of which could adversely affect the
national interest or the conduct of Federal programs,
or the privacy to which individuals are entitled under
section 552a of title 5, United States Code (the Priva-
cy Act), but which has not been specifically authorized
under criteria established by an Executive order or an
Act of Congress to be kept secret in the interest of
national defense or foreign policy; and
"(5) the term 'Federal agency' has the meaning
given such term by section 3(b) of the Federal Property
and Administrative Services Act of 1949.
"Sec. 21. (a) There is hereby established a Computer System
Security and Privacy Advisory Board within the Department of
Commerce. The Secretary of Commerce shall appoint the chairman of
the Board. The Board shall be composed of twelve additional
members appointed by the Secretary of Commerce as follows:
"(1) four members from outside the Federal Government
who are eminent in the computer or telecommunications indus-
try, at least one of whom is representative of small or
medium sized companies in such industries;
"(2) four members from outside the Federal Government
who are eminent in the fields of computer or telecommunica-
tions technology, or related disciplines, but who are not
employed by or representative of a producer of computer or
telecommunications equipment; and
"(3) four members from the Federal Government who have
computer systems management experience, including experience
in computer systems security and privacy, at least one of
whom shall be from the National Security Agency.
"(b) The duties of the Board shall be--
"(1) to identify emerging managerial, technical, admin-
istrative, and physical safeguard issues relative to comput-
er systems security and privacy;
"(2) to advise the Bureau of Standards and the Secre-
tary of Commerce on security and privacy issues pertaining
to Federal computer systems; and
"(3) to report its findings to the Secretary of Com-
merce, the Director of the Office of Management and Budget,
the Director of the National Security Agency, and the appro-
priate Committees of the Congress.
"(c) The term of office of each member of the Board shall be four
years, except that--
"(1) of the initial members, three shall be appointed
for terms of one year, three shall be appointed for terms of
two years, three shall be appointed for terms of three
years, and three shall be appointed for terms of four years;
and
"(2) any member appointed to fill a vacancy in the
Board shall serve for the remainder of the term for which
his predecessor was appointed.
"(d) The Board shall not act in the absence of a quorum, which
shall consist of seven members.
"(e) Members of the Board, other than full-time employees of the
Federal Government, while attending meetings of such committees
or while otherwise performing duties at the request of the Board
Chairman while away from their homes or a regular place of busi-
ness, may be allowed travel expenses in accordance with subchap-
ter I of chapter 57 of title 5, United States Code.
"(f) To provide the staff services necessary to assist the Board
in carrying out its functions, the Board may utilize personnel
from the National Bureau of Standards or any other agency of the
Federal Government with the consent of the head of the agency.
"(g) As used in this section, the terms 'computer system' and
'Federal computer system' have the meanings given in section
20(d) of this Act."; and
(3) by adding at the end thereof the following new section:
"Sec. 23. This Act may be cited as the National Bureau of
Standards Act.".
SEC. 4. AMENDMENT TO BROOKS ACT.
Section 111(d) of the Federal Property and Administrative
Services Act of 1949 (40 U.S.C. 759(d)) is amended to read as
follows:
"(d)(1) The Secretary of Commerce shall, on the basis of
standards and guidelines developed by the National Bureau of
Standards pursuant to section 20(a) (2) and (3) of the National
Bureau of Standards Act, promulgate standards and guidelines
pertaining to Federal computer systems, making such standards
compulsory and binding to the extent to which the Secretary
determines necessary to improve the efficiency of operation or
security and privacy of Federal computer systems. The President
may disapprove or modify such standards and guidelines if he
determines such action to be in the public interest. The Presi-
dent's authority to disapprove or modify such standards and
guidelines may not be delegated. Notice of such disapproval or
modification shall be submitted promptly to the Committee on
Government Operations of the House of Representatives and the
Committee on Governmental Affairs of the Senate and shall be
published promptly in the Federal Register. Upon receiving notice
of such disapproval or modification, the Secretary of Commerce
shall immediately rescind or modify such standards or guidelines
as directed by the President.
"(2) The head of a Federal agency may employ standards for
the cost effective security and privacy of sensitive information
in a Federal computer system within or under the supervision of
that agency that are more stringent than the standards promulgat-
ed by the Secretary of Commerce, if such standards contain, at a
minimum, the provisions of those applicable standards made com-
pulsory and binding by the Secretary of Commerce.
"(3) The standards determined to be compulsory and binding
may be waived by the Secretary of Commerce in writing upon a
determination that compliance would adversely affect the accom-
plishment of the mission of an operator of a Federal computer
system, or cause a major adverse financial impact on the operator
which is not offset by government-wide savings. The Secretary may
delegate to the head of one or more Federal agencies authority to
waive such standards to the extent to which the Secretary deter-
mines such action to be necessary and desirable to allow for
timely and effective implementation of Federal computer systems
standards. The head of such agency may redelegate such authority
only to a senior official designated pursuant to section 3506(b)
of title 44, United States Code. Notice of each such waiver and
delegation shall be transmitted promptly to the Committee on
Government Operations of the House of Representatives and the
Committee on Governmental Affairs of the Senate and shall be
published promptly in the Federal Register.
"(4) The Administrator shall revise the Federal information
resources management regulations (41 CFR ch. 201) to be consist-
ent with the standards and guidelines promulgated by the Secre-
tary of Commerce under this subsection.
"(5) As used in this subsection, the terms 'Federal computer
system' and 'operator of a Federal computer system' have the
meanings given in section 20(d) of the National Bureau of Stand-
ards Act.".
SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.
(a) In General.--Each Federal agency shall provide for the
mandatory periodic training in computer security awareness and
accepted computer security practice of all employees who are
involved with the management, use, or operation of each Federal
computer system within or under the supervision of that agency.
Such training shall be--
(1) provided in accordance with the guidelines de-
veloped pursuant to section 20(a)(5) of the National Bureau
of Standards Act (as added by section 3 of this Act), and in
accordance with the regulations issued under subsection (c)
of this section for Federal civilian employees; or
(2) provided by an alternative training program ap-
proved by the head of that agency on the basis of a determi-
nation that the alternative training program is at least as
effective in accomplishing the objectives of such guidelines
and regulations.
(b) Training Objectives.--Training under this section shall
be started within 60 days after the issuance of the regulations
described in subsection (c). Such training shall be designed--
(1) to enhance employees' awareness of the threats to
and vulnerability of computer systems; and
(2) to encourage the use of improved computer security
practices.
(c) Regulations.--Within six months after the date of the
enactment of this Act, the Director of the Office of Personnel
Management shall issue regulations prescribing the procedures and
scope of the training to be provided Federal civilian employees
under subsection (a) and the manner in which such training is to
be carried out.
SEC. 6. ADDITIONAL RESPONSIBILITIES FOR COMPUTER SYSTEMS SECURITY
AND PRIVACY.
(a) Identification of Systems That Contain Sensitive Infor-
mation.--Within 6 months after the date of enactment of this Act,
each Federal agency shall identify each Federal computer system,
and system under development, which is within or under the super-
vision of that agency and which contains sensitive information.
(b) Security Plan.--Within one year after the date of enact-
ment of this Act, each such agency shall, consistent with the
standards, guidelines, policies, and regulations prescribed
pursuant to section 111(d) of the Federal Property and Adminis-
trative Services Act of 1949, establish a plan for the security
and privacy of each Federal computer system identified by that
agency pursuant to subsection (a) that is commensurate with the
risk and magnitude of the harm resulting from the loss, misuse,
or unauthorized access to or modification of the information
contained in such system. Copies of each such plan shall be
transmitted to the National Bureau of Standards and the National
Security Agency for advice and comment. A summary of such plan
shall be included in the agency's five-year plan required by
section 3505 of title 44, United States Code. Such plan shall be
subject to disapproval by the Director of the Office of Manage-
ment and Budget. Such plan shall be revised annually as neces-
sary.
SEC. 7. DEFINITIONS.
As used in this Act, the terms "computer system", "Federal
computer system", "operator of a Federal computer system", and
"sensitive information", and "Federal agency" have the meanings
given in section 20(d) of the National Bureau of Standards Act
(as added by section 3 of this Act).
SEC. 8. RULES OF CONSTRUCTION OF ACT.
Nothing in this Act, or in any amendment made by this Act,
shall be construed--
(1) to constitute authority to withhold information
sought pursuant to section 552 of title 5, United States
Code; or
(2) to authorize any Federal agency to limit, restrict,
regulate, or control the collection, maintenance, disclo-
sure, use, transfer, or sale of any information (regardless
of the medium in which the information may be maintained)
that is--
(A) privately-owned information;
(B) disclosable under section 552 of title 5,
United States Code, or other law requiring or authoriz-
ing the public disclosure of information; or
(C) public domain information.
Approved January 8, 1988

Downloaded From P-80 International Information Systems 304-744-2253