        101 STAT. 1724                   PUBLIC LAW 100-235--JAN. 8, 1988
                                                                                     
        Public Law 100-235
        100th Congress
        
                                     AN ACT                                     
        
        To provide  for a computer standards program within the  National 
             Bureau of Standards, to provide for Government-wide computer 
             security,  and to provide for the training in security  mat-
             ters  of persons who are involved in the management,  opera-
             tion,  and  use of Federal computer systems, and  for  other 
             purposes.
        
             Be it enacted by the Senate and House of Representatives  of 
        the United States of America in Congress assembled,
        
        SECTION 1. SHORT TITLE.
             This  Act  may  be cited as the "Computer  Security  Act  of 
        1987".
        
        SEC. 2. PURPOSE.
        
             (a)  In General.--The Congress declares that  improving  the 
        security and privacy of sensitive information in Federal computer 
        systems is in the public interest, and hereby creates a means for 
        establishing minimum acceptable security practices for such  sys-
        tems,  without  limiting the scope of security  measures  already 
        planned or in use.
             (b) Specific Purposes.--The purposes of this Act are--
                       (1)  by  amending  the Act of March  3,  1901,  to 
                  assign to the National Bureau of Standards responsibil-
                  ity for developing standards and guidelines for Federal 
                  computer systems, including responsibility for develop-
                  ing standards and guidelines needed to assure the cost-
                  effective security and privacy of sensitive information 
                  in  Federal computer systems, drawing on the  technical 
                  advice and assistance (including work products) of  the 
                  National  Security  Agency,  where  appropriate;
                       (2) to provide for promulgation of such  standards 
                  and guidelines by amending section 111(d) of the Feder-
                  al Property and Administrative Services Act of 1949;
                       (3) to require establishment of security plans  by 
                  all operators of Federal computer systems that  contain 
                  sensitive information; and
                       (4) to require mandatory periodic training for all 
                  persons  involved in management, use, or  operation  of 
                  Federal computer systems that contain sensitive  infor-
                  mation.
        
        SEC. 3. ESTABLISHMENT OF COMPUTER STANDARDS PROGRAM.
        
             The Act of March 3, 1901 (15 U.S.C. 271-278h), is amended--
                       (1) in section 2(f), by striking out "and" at  the 
                  end  of paragraph (18), by striking out the  period  at 
                  the end of paragraph (19) and inserting in lieu thereof: 
                  ";  and",  and by inserting after  such  paragraph  the 
                  following:
                       "(20) the study of computer systems (as that  term 
                  is defined in section 20(d) of this Act) and their  use 
                  to control machinery and processes.";
                       (2) by redesignating section 20 as section 22, and 
                  by  inserting after section 19 the following  new  sec-
                  tions:
             "Sec. 20. (a) The National Bureau of Standards shall--
                       "(1)  have  the mission of  developing  standards, 
                  guidelines,  and associated methods and techniques  for 
                  computer systems;
                       "(2) except as described in paragraph (3) of  this 
                  subsection  (relating to security  standards),  develop 
                  uniform  standards and guidelines for Federal  computer 
                  systems, except those systems excluded by section  2315 
                  of title 10, United States Code, or section 3502(2)  of 
                  title 44, United States Code;
                       "(3)  have responsibility within the Federal  Gov-
                  ernment for developing technical, management, physical, 
                  and  administrative  standards and guidelines  for  the 
                  cost-effective security and privacy of sensitive infor-
                  mation in Federal computer systems except--
                                 "(A)  those systems excluded by  section 
                       2315  of title 10, United States Code, or  section 
                       3502(2) of title 44, United States Code; and
                                 "(B)  those systems which are  protected 
                       at all times by procedures established for  infor-
                       mation  which  has  been  specifically  authorized 
                       under  criteria established by an Executive  order 
                       or  an  Act of Congress to be kept secret  in  the 
                       interest of national defense or foreign policy,
                  the  primary purpose of which standards and  guidelines 
                  shall be to control loss and unauthorized  modification 
                  or disclosure of sensitive information in such  systems 
                  and to prevent computer-related fraud and misuse;
                       "(4)  submit  standards and  guidelines  developed 
                  pursuant to paragraphs (2) and (3) of this  subsection, 
                  along  with recommendations as to the extent  to  which 
                  these  should  be made compulsory and binding,  to  the 
                  Secretary  of Commerce for promulgation  under  section 
                  111(d)  of  the  Federal  Property  and  Administrative 
                  Services Act of 1949;
                       "(5)  develop guidelines for use by  operators  of 
                  Federal computer systems that contain sensitive  infor-
                  mation  in training their employees in security  aware-
                  ness  and  accepted security practice, as  required  by 
                  section 5 of the Computer Security Act of 1987; and
                       "(6) develop validation procedures for, and evalu-
                  ate  the  effectiveness of,  standards  and  guidelines 
                  developed  pursuant to paragraphs (1), (2), and (3)  of 
                  this subsection through research and liaison with other 
                  government and private agencies.
             "(b)  In fulfilling subsection (a) of this section, the  Na-
        tional Bureau of Standards is authorized--
                       "(1)  to assist the private sector, upon  request, 
                  in  using and applying the results of the programs  and 
                  activities under this section;
                       "(2)  to make recommendations, as appropriate,  to 
                  the  Administrator of General Services on policies  and 
                  regulations proposed pursuant to section 111(d) of  the 
                  Federal  Property  and Administrative Services  Act  of 
                  1949;
                       "(3)  as  requested, to provide  to  operators  of 
                  Federal computer systems technical assistance in imple-
                  menting the standards and guidelines promulgated pursu-
                  ant  to  section  111(d) of the  Federal  Property  and 
                  Administrative Services Act of 1949;
                       "(4)  to  assist, as appropriate,  the  Office  of 
                  Personnel Management in developing regulations pertain-
                  ing  to training, as required by section 5 of the  Com-
                  puter Security Act of 1987;
                       "(5)  to perform research and to conduct  studies, 
                  as  needed, to determine the nature and extent  of  the 
                  vulnerabilities  of, and to devise techniques  for  the 
                  cost effective security and privacy of sensitive infor-
                  mation in Federal computer systems; and
                       "(6) to coordinate closely with other agencies and 
                  offices (including, but not limited to, the Departments 
                  of  Defense and Energy, the National  Security  Agency, 
                  the General Accounting Office, the Office of Technology 
                  Assessment, and the Office of Management and Budget)--
                            "(A)  to assure maximum use of  all  existing 
                       and  planned  programs,  materials,  studies,  and 
                       reports relating to computer systems security  and 
                       privacy, in order to avoid unnecessary and  costly 
                       duplication of effort; and
                            "(B) to assure, to the maximum extent  feasi-
                       ble, that standards developed pursuant to  subsec-
                       tion (a) (3) and (5) are consistent and compatible 
                       with  standards and procedures developed  for  the 
                       protection  of  information  in  Federal  computer 
                       systems which is authorized under criteria  estab-
                       lished by Executive order or an Act of Congress to 
                       be kept secret in the interest of national defense 
                       or foreign policy.
             "(c) For the purposes of--
                       "(1)  developing standards and guidelines for  the 
                  protection of sensitive information in Federal computer 
                  systems under subsections (a)(1) and (a)(3), and
                       "(2)  performing research and  conducting  studies 
                  under subsection (b)(5),
        the National Bureau of Standards shall draw upon computer  system 
        technical security guidelines developed by the National  Security 
        Agency to the extent that the National Bureau of Standards deter-
        mines  that such guidelines are consistent with the  requirements 
        for protecting sensitive information in Federal computer systems.
             "(d) As used in this section--
                  "(1) the term 'computer system'--
                            "(A)  means any equipment  or  interconnected 
                       system or subsystems of equipment that is used  in 
                       the automatic acquisition, storage,  manipulation, 
                       management, movement, control, display, switching, 
                       interchange,  transmission, or reception, of  data 
                       or information; and
                            "(B) includes--
                                 "(i) computers;
                                 "(ii) ancillary equipment;
                                 "(iii)  software, firmware, and  similar 
                            procedures;
                                 "(iv) services, including support  serv-
                            ices; and
                                 "(v)  related  resources as  defined  by 
                            regulations  issued by the Administrator  for 
                            General  Services pursuant to section 111  of 
                            the   Federal  Property  and   Administrative 
                            Services Act of 1949;
                       "(2) the term 'Federal computer system'--
                            "(A)  means a computer system operated  by  a 
                       Federal  agency  or by a contractor of  a  Federal 
                       agency or other organization that processes infor-
                       mation (using a computer system) on behalf of  the 
                       Federal  Government to accomplish a Federal  func-
                       tion; and
                            "(B)   includes  automatic  data   processing 
                       equipment  as  that  term is  defined  in  section 
                       111(a)(2) of the Federal Property and  Administra-
                       tive Services Act of 1949;
                       "(3)  the  term 'operator of  a  Federal  computer 
                  system' means a Federal agency, contractor of a Federal 
                  agency,  or other organization that processes  informa-
                  tion  using a computer system on behalf of the  Federal 
                  Government to accomplish a Federal function;
                       "(4)  the term 'sensitive information'  means  any 
                  information,  the loss, misuse, or unauthorized  access 
                  to or modification of which could adversely affect  the 
                  national  interest or the conduct of Federal  programs, 
                  or the privacy to which individuals are entitled  under 
                  section 552a of title 5, United States Code (the Priva-
                  cy Act), but which has not been specifically authorized 
                  under criteria established by an Executive order or  an 
                  Act  of Congress to be kept secret in the  interest  of 
                  national defense or foreign policy; and
                       "(5)  the  term 'Federal agency' has  the  meaning 
                  given such term by section 3(b) of the Federal Property 
                  and Administrative Services Act of 1949.
             "Sec. 21. (a) There is hereby established a Computer  System 
        Security  and  Privacy Advisory Board within  the  Department  of 
        Commerce. The Secretary of Commerce shall appoint the chairman of 
        the  Board.  The  Board shall be composed  of  twelve  additional 
        members appointed by the Secretary of Commerce as follows:
                  "(1)  four members from outside the Federal  Government 
             who are eminent in the computer or telecommunications indus-
             try,  at  least one of whom is representative  of  small  or 
             medium sized companies in such industries;
                  "(2)  four members from outside the Federal  Government 
             who are eminent in the fields of computer or  telecommunica-
             tions  technology, or related disciplines, but who  are  not 
             employed  by or representative of a producer of computer  or 
             telecommunications equipment; and
                  "(3) four members from the Federal Government who  have 
             computer systems management experience, including experience 
             in  computer systems security and privacy, at least  one  of 
             whom shall be from the National Security Agency.
        "(b) The duties of the Board shall be--
                  "(1) to identify emerging managerial, technical, admin-
             istrative, and physical safeguard issues relative to comput-
             er systems security and privacy;
                  "(2)  to advise the Bureau of Standards and the  Secre-
             tary  of Commerce on security and privacy issues  pertaining 
             to Federal computer systems; and
                  "(3)  to report its findings to the Secretary  of  Com-
             merce, the Director of the Office of Management and  Budget, 
             the Director of the National Security Agency, and the appro-
             priate Committees of the Congress.
        "(c) The term of office of each member of the Board shall be four 
        years, except that--
                  "(1)  of the initial members, three shall be  appointed 
             for terms of one year, three shall be appointed for terms of 
             two  years,  three  shall be appointed for  terms  of  three 
             years, and three shall be appointed for terms of four years; 
             and
                  "(2)  any  member appointed to fill a  vacancy  in  the 
             Board  shall serve for the remainder of the term  for  which 
             his predecessor was appointed.
        "(d)  The Board shall not act in the absence of a  quorum,  which 
        shall consist of seven members.
        "(e) Members of the Board, other than full-time employees of  the 
        Federal  Government, while attending meetings of such  committees 
        or while otherwise performing duties at the request of the  Board 
        Chairman while away from their homes or a regular place of  busi-
        ness, may be allowed travel expenses in accordance with  subchap-
        ter I of chapter 57 of title 5, United States Code.
        "(f) To provide the staff services necessary to assist the  Board 
        in  carrying out its functions, the Board may  utilize  personnel 
        from the National Bureau of Standards or any other agency of  the 
        Federal Government with the consent of the head of the agency.
        "(g)  As  used in this section, the terms 'computer  system'  and 
        'Federal  computer  system' have the meanings  given  in  section 
        20(d) of this Act."; and
             (3) by adding at the end thereof the following new  section: 
             "Sec.  23. This Act may be cited as the National  Bureau  of 
             Standards Act.".
        
        SEC. 4. AMENDMENT TO BROOKS ACT.
             Section  111(d) of the Federal Property  and  Administrative 
        Services  Act  of 1949 (40 U.S.C. 759(d)) is amended to  read  as 
        follows:
             "(d)(1)  The  Secretary of Commerce shall, on the  basis  of 
        standards  and  guidelines developed by the  National  Bureau  of 
        Standards  pursuant to section 20(a) (2) and (3) of the  National 
        Bureau  of  Standards Act, promulgate  standards  and  guidelines 
        pertaining  to  Federal computer systems, making  such  standards 
        compulsory  and  binding  to the extent to  which  the  Secretary 
        determines  necessary to improve the efficiency of  operation  or 
        security  and privacy of Federal computer systems. The  President 
        may  disapprove  or modify such standards and  guidelines  if  he 
        determines  such action to be in the public interest. The  Presi-
        dent's  authority  to  disapprove or modify  such  standards  and 
        guidelines  may not be delegated. Notice of such  disapproval  or 
        modification  shall  be submitted promptly to  the  Committee  on 
        Government  Operations  of the House of Representatives  and  the 
        Committee  on  Governmental Affairs of the Senate  and  shall  be 
        published promptly in the Federal Register. Upon receiving notice 
        of  such disapproval or modification, the Secretary  of  Commerce 
        shall immediately rescind or modify such standards or  guidelines 
        as directed by the President.
             "(2)  The head of a Federal agency may employ standards  for 
        the cost effective security and privacy of sensitive  information 
        in  a Federal computer system within or under the supervision  of 
        that agency that are more stringent than the standards promulgat-
        ed by the Secretary of Commerce, if such standards contain, at  a 
        minimum,  the provisions of those applicable standards made  com-
        pulsory and binding by the Secretary of Commerce.
             "(3)  The standards determined to be compulsory and  binding 
        may  be  waived by the Secretary of Commerce in  writing  upon  a 
        determination  that compliance would adversely affect the  accom-
        plishment  of  the mission of an operator of a  Federal  computer 
        system, or cause a major adverse financial impact on the operator 
        which is not offset by government-wide savings. The Secretary may 
        delegate to the head of one or more Federal agencies authority to 
        waive such standards to the extent to which the Secretary  deter-
        mines  such  action to be necessary and desirable  to  allow  for 
        timely  and effective implementation of Federal computer  systems 
        standards. The head of such agency may redelegate such  authority 
        only to a senior official designated pursuant to section  3506(b) 
        of  title 44, United States Code. Notice of each such waiver  and 
        delegation  shall  be transmitted promptly to  the  Committee  on 
        Government  Operations  of the House of Representatives  and  the 
        Committee  on  Governmental Affairs of the Senate  and  shall  be 
        published promptly in the Federal Register.
             "(4) The Administrator shall revise the Federal  information 
        resources management regulations (41 CFR ch. 201) to be  consist-
        ent  with the standards and guidelines promulgated by the  Secre-
        tary of Commerce under this subsection.
             "(5) As used in this subsection, the terms 'Federal computer 
        system'  and  'operator of a Federal computer  system'  have  the 
        meanings given in section 20(d) of the National Bureau of  Stand-
        ards Act.".
        
        SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.
        
             (a)  In General.--Each Federal agency shall provide for  the 
        mandatory  periodic training in computer security  awareness  and 
        accepted  computer  security practice of all  employees  who  are 
        involved  with the management, use, or operation of each  Federal 
        computer  system within or under the supervision of that  agency. 
        Such training shall be--
                  (1)  provided  in accordance with  the  guidelines  de-
             veloped pursuant to section 20(a)(5) of the National  Bureau 
             of Standards Act (as added by section 3 of this Act), and in 
             accordance with the regulations issued under subsection  (c) 
             of this section for Federal civilian employees; or
                  (2)  provided  by an alternative training  program  ap-
             proved by the head of that agency on the basis of a determi-
             nation that the alternative training program is at least  as 
             effective in accomplishing the objectives of such guidelines 
             and regulations.
             (b) Training Objectives.--Training under this section  shall 
        be  started within 60 days after the issuance of the  regulations 
        described in subsection (c). Such training shall be designed--
                  (1)  to enhance employees' awareness of the threats  to 
             and vulnerability of computer systems; and
                  (2) to encourage the use of improved computer  security 
             practices.
             (c)  Regulations.--Within six months after the date  of  the 
        enactment  of this Act, the Director of the Office  of  Personnel 
        Management shall issue regulations prescribing the procedures and 
        scope  of the training to be provided Federal civilian  employees 
        under subsection (a) and the manner in which such training is  to 
        be carried out.
        
        SEC. 6. ADDITIONAL RESPONSIBILITIES FOR COMPUTER SYSTEMS SECURITY 
        AND PRIVACY.
        
             (a) Identification of Systems That Contain Sensitive  Infor-
        mation.--Within 6 months after the date of enactment of this Act, 
        each Federal agency shall identify each Federal computer  system, 
        and system under development, which is within or under the super-
        vision of that agency and which contains sensitive information.
             (b) Security Plan.--Within one year after the date of enact-
        ment  of  this Act, each such agency shall, consistent  with  the 
        standards,  guidelines,  policies,  and  regulations   prescribed 
        pursuant  to section 111(d) of the Federal Property and  Adminis-
        trative  Services Act of 1949, establish a plan for the  security 
        and  privacy of each Federal computer system identified  by  that 
        agency  pursuant to subsection (a) that is commensurate with  the 
        risk  and magnitude of the harm resulting from the loss,  misuse, 
        or  unauthorized  access to or modification  of  the  information 
        contained  in  such  system. Copies of each such  plan  shall  be 
        transmitted to the National Bureau of Standards and the  National 
        Security  Agency for advice and comment. A summary of  such  plan 
        shall  be  included in the agency's five-year  plan  required  by 
        section 3505 of title 44, United States Code. Such plan shall  be 
        subject  to disapproval by the Director of the Office of  Manage-
        ment  and Budget. Such plan shall be revised annually  as  neces-
        sary.
        
        SEC. 7. DEFINITIONS.
        
             As  used in this Act, the terms "computer system",  "Federal 
        computer  system", "operator of a Federal computer  system",  and 
        "sensitive  information", and "Federal agency" have the  meanings 
        given  in section 20(d) of the National Bureau of  Standards  Act 
        (as added by section 3 of this Act).
        
        SEC. 8. RULES OF CONSTRUCTION OF ACT.
        
             Nothing  in this Act, or in any amendment made by this  Act, 
        shall be construed--
                  (1)  to  constitute authority to  withhold  information 
             sought  pursuant  to section 552 of title 5,  United  States 
             Code; or
                  (2) to authorize any Federal agency to limit, restrict, 
             regulate,  or control the collection,  maintenance,  disclo-
             sure, use, transfer, or sale of any information  (regardless 
             of  the medium in which the information may  be  maintained) 
             that is--
                       (A) privately-owned information;
                       (B)  disclosable  under section 552  of  title  5, 
                  United States Code, or other law requiring or authoriz-
                  ing the public disclosure of information; or
                       (C) public domain information.
        
        Approved January 8, 1988