COMPUTER SECURITY ACT OF 1987

                   Public Law 100-235 (H.R. 145)

                          January 8, 1988

 

SECTION 1.  SHORT TITLE

 

  The Act may be cited as the "Computer Security Act of 1987".

 

SEC. 2  PURPOSE

 

  (a)  IN GENERAL.-The Congress declares that improving the security

and privacy of sensitive information in Federal computer systems is

in the public interest, and hereby creates a means for establishing

minimum acceptable security practices for such systems, without

limiting the scope of security measures already planned or in use.

 

  (b)  SPECIFIC PURPOSES.-The purposes of this Act are--

    

     (1) by amending the Act of March 3, 1901, to assign to the

National Bureau of Standards responsibility for developing standards

and guidelines for Federal computer systems, including responsibility

for developing standards and guidelines needed to assure the

cost-effective security and privacy of sensitive information in

Federal computer systems, drawing on the technical advice and

assistance (including work products) of the National Security Agency,

where appropriate;

 

     (2) to provide for promulgation of such standards and guidelines

by amending section 111(d) of the Federal Property and Administrative

Services Act of 1949;

 

     (3) to require establishment of security plans by all operators

of Federal computer systems that contain sensitive information; and

 

     (4) to require mandatory periodic training for all persons

involved in management, use, or operation of Federal computer systems

that contain sensitive information.

 

 

SEC. 3.  ESTABLISHMENT OF COMPUTER STANDARDS PROGRAM.

 

  The Act of March 3, 1901, (15 U.S.C. 271-278h), is amended--

 

     (1) in section 2(f), by striking out "and" at the end of

paragraph (18), by striking out the period at the end of paragraph

(19) and inserting in lieu thereof:  "; and", and by inserting after

such paragraph the following:

 

     "(20) the study of computer systems (as that term is defined in

section 20(d) of this Act) and their use to control machinery and

processes.";

 

     (2) by redesignating section 20 as section 22, and by inserting

after section 19 the following new sections: "SEC. 20.  (a)  The

National Bureau of Standards shall--

 

     "(1) have the mission of developing standards, guidelines, and

associated methods and techniques for computer systems;

 

     "(2) except as described in paragraph (3) of this subsection

(relating to security standards), develop uniform standards and

guidelines for Federal computer systems, except those systems

excluded by section 2315 of title 10, United States Code, or section

3502(2) of title 44, United States Code.

 

     "(3) have responsibility within the Federal Government for

developing technical, management, physical, and administrative

standards and guidelines for the cost-effective security and privacy

of sensitive information in Federal computer systems except--

 

          "(A)  those systems excluded by section 2315 of  title 10,

United States Code, or section 3502(2) of title 44, United States

Code; and

 

          "(B)  those systems which are protected at all times by

procedures established for information  which has been specifically

authorized under criteria established by an Executive Order or an Act

of Congress to be kept secret in the interest of national defense or

foreign policy,

 

	The primary purpose of which standards and guidelines shall

be to control loss and unauthorized modification or disclosure of

sensitive information in such systems and to prevent computer-related

fraud and misuse;

 

     "(4) submit standards and guidelines developed pursuant to

paragraphs (2) and (3) of this subsection, along with recommendations

as to the extent to which these should be made compulsory and

binding, to the Secretary of Commerce for promulgation under section

111(d) of the Federal Property and Administrative Services Act of

1949;

 

     "(5) develop guidelines for use by operators of Federal computer

systems that contain sensitive information in training their

employees in security awareness and accepted security practice, as

required by section 5 of the Computer Security Act of 1987; and

 

     "(6) develop validation procedures for, and evaluate the

effectiveness of, standards and guidelines developed pursuant to

paragraphs (1), (2), and (3) of this subsection through research and

liaison with other government and private agencies.

 

  "(b) In fulfilling subsection (a) of this section, the National

Bureau of Standards is authorized--

 

     "(1) to assist the private sector, upon request, in using and

applying the results of the programs and activities under this

section;

 

     "(2) to make recommendations, as appropriate, to the

Administrator of General Services on policies and regulations

proposed pursuant to section 111(d) of the Federal Property and

Administrative Services Act of 1949;

 

     "(3) as requested, to provide to operators of Federal computer

systems technical assistance in implementing the standards and

guidelines promulgated pursuant to section 111(d) of the Federal

Property and Administrative Services Act of 1949;

 

     "(4) to assist, as appropriate, the Office of Personnel

Management in developing regulations pertaining to training, as

required by section 5 of the Computer Security Act of 1987;

 

     "(5) to perform research and to conduct studies, as needed, to

determine the nature and extent of the vulnerabilities of, and to

devise techniques for the cost effective security and privacy of

sensitive information in Federal computer systems; and

 

     "(6) to coordinate closely with other agencies and offices

(including, but not limited to, the Departments of Defense and

Energy, the National Security Agency, the General Accounting Office,

the Office of Technology Assessment, and the Office of Management and

Budget)--

 

          "(A) to assure maximum use of all existing and planned

programs, materials, studies, and reports relating to computer

systems security and privacy, in order to avoid unnecessary and

costly duplication of effort; and

 

        "(B) to assure, to the maximum extent feasible, that

standards developed pursuant to subsection (a) (3) and (5) are

consistent and compatible with standards and procedures developed for

the protection of information in Federal computer systems which is

authorized under criteria established by Executive order or an Act of

Congress to be kept secret in the interest of national defense or

foreign policy.

 

  "(c) For the purposes of--

 

     "(1) developing standards and guidelines for the protection of

sensitive information in Federal computer systems under subsections

(a)(1) and (a)(3), and

 

     "(2) performing research and conducting studies under subsection

(b)(5), the National Bureau of Standards shall draw upon computer

system technical security guidelines developed by the National

Security Agency to the extent that the National Bureau of Standards

determines that such guidelines are consistent with the requirements

for protecting sensitive information in Federal computer systems.

 

  "(d) As used in this section--

 

     "(1) the term computer system'--

 

          "A) means any equipment or interconnected system or

subsystems of equipment that is used in the  automatic acquisition,

storage, manipulation, management, movement, control, display,

switching, 	interchange, transmission, or reception, of data or

information; and

 

          "(B) includes--

 

               "(i) computers;

 

               "(ii) ancillary equipment;

 

               "(iii) software, firmware, and similar procedures;

 

               "(iv) services, including support services; and

 

               "(v) related resources as defined by regulations

issued by the Administrator for General Services pursuant to section

111 of the Federal Property and Administrative Services Act of 1949;

 

          "(2) the term 'Federal computer system'--

 

          "(A) means a computer system operated by a Federal agency

or by a contractor of a Federal agency or other organization that

processes information (using a computer system) on behalf  of the

Federal Government to accomplish a Federal function; and

 

          "(B) includes automatic data processing equipment as that

term is defined in section 111(a)(2) of the Federal Property and

Administrative Services Act of 1949;

 

          "(3) the term 'operator of a Federal computer system'

means a Federal agency, contractor of a Federal agency, or other

organization that processes information using a computer  system on

behalf of the Federal Government to accomplish a Federal function;

 

          "(4) the term 'sensitive information' means any

information, the loss, misuse, or unauthorized access  to or

modification of which could adversely affect the national interest or

the conduct of Federal  programs, or the privacy to which individuals

are entitled under section 552a of title 5, United 	States Code

(the Privacy Act), but which has not been specifically authorized

under criteria established by an Executive order or an Act of

Congress to be kept secret in the interest of national defense or

foreign policy; and

 

          "(5) the term 'Federal agency' has the meaning given such

term by section 3(b) of the Federal Property and Administrative

Services Act of 1949.

 

  "SEC. 21.  (a) There is hereby established a Computer System

Security and Privacy Advisory Board within the Department of

Commerce.  The Secretary of Commerce shall appoint the chairman of

the Board.  The Board shall be composed of twelve additional members

appointed by the Secretary of Commerce as follows:

 

          "(1) four members from outside the Federal Government who

are eminent in the computer or telecommunications industry, at lease

one of whom is representative of small or medium sized companies in

such industries;

 

          "(2) four members from outside the Federal Government who

are eminent in the fields of computer or  telecommunications

technology, or related disciplines, but who are not employed by or

representative of a producer of computer or telecommunications

equipment; and

 

          "(3) four members from the Federal Government who have

computer systems management experience, including experience in

computer systems security and privacy, at least one of whom shall be

from the National Security Agency.

 

  "(b) The duties of the Board shall be--

 

          "(1) to identify emerging managerial, technical,

administrative, and physical safeguard issues relative to computer

systems security and privacy;

 

          "(2) to advise the Bureau of Standards and the Secretary of

Commerce on security and privacy issues pertaining to Federal

computer systems; and

 

          "(3) to report its findings to the Secretary of Commerce,

the Director of the Office of Management and Budget, the Director of

the National Security Agency, and the appropriate Committees of the

Congress.

 

  "(c) The term of office of each member of the Board shall be four

years, except that--

 

          "(1) of the initial members, three shall be appointed for

terms of one year, three shall be appointed for terms of two years,

three shall be appointed for terms of three years, and three shall be

appointed for terms of four years; and

 

          "(2) any member appointed to fill a vacancy in the Board

shall serve for the remainder of the term for which his predecessor

was appointed.

 

  "(d) The Board shall not act in the absence of a quorum, which

shall consist of seven members.

 

  "(e) Members of the Board, other than full-time employees of the

Federal Government while attending meetings of such committees or

while otherwise performing duties at the request of the Board

Chairman while away from their homes or a regular place of business,

may be allowed travel expenses in accordance with subchapter I of

chapter 57 of title 5, United States Code.

 

  "(f) To provide the staff services necessary to assist the Board in

carrying out its functions, the Board may utilize personnel from the

National Bureau of Standards or any other agency of the Federal

Government with the consent of the head of the agency.

 

  "(g) As used in this section, the terms 'computer system' and

'Federal computer system' have the meanings given in section 20(d) of

this Act."; and

 

     "(3) by adding at the end thereof the following new section:

 

  "SEC. 23.  This Act may be cited as the National Bureau of

Standards Act."

 

 

SEC. 4  AMENDMENT TO BROOKS ACT.

 

  Section 111(d) of the Federal Property and Administrative Services

Act of 1949 (40 U.S.C. 759(d)) is amended to read as follows:

 

  "(d)(1) The Secretary of Commerce shall, on the basis of standards

and guidelines developed by the National Bureau of Standards pursuant

to section 20(a) (2) and (3) of the National Bureau of Standards Act,

promulgate standards and guidelines pertaining to Federal computer

systems, making such standards compulsory and binding to the extent

to which the Secretary determines necessary to improve the efficiency

of operation or security and privacy of Federal computer systems.

The President may disapprove or modify such standards and guidelines

if he determines such action to be in the public interest.  The

President's authority to disapprove or modify such standards and

guidelines may not be delegated.  Notice of such disapproval or

modification shall be submitted promptly to the Committee on

Government Operations of the House of Representatives and the

Committee on Governmental Affairs of the Senate and shall be

published promptly in the Federal Register.  Upon receiving notice of

such disapproval or modification, the Secretary of Commerce shall

immediately rescind or modify such standards or guidelines as

directed by the President.

 

  "(2) The head of a Federal agency may employ standards for the cost

effective security and privacy of sensitive information in a Federal

computer system within or under the supervision of that agency that

ar more stringent than the standards promulgated by the Secretary of

Commerce, if such standards contain, at a minimum, the provisions of

those applicable standards made compulsory and binding by the

Secretary of Commerce.

 

  "(3) The standards determined to be compulsory and binding may be

waived by the Secretary of Commerce in writing upon a determination

that compliance would adversely affect the accomplishment of the

mission of an operator of a Federal computer system, or cause a major

adverse financial impact on the operator which is not offset by

government-wide savings.  The Secretary may delegate to the head of

one or more Federal agencies authority to waive such standards to the

extent to which the Secretary determines such action to be necessary

and desirable to allow for timely and effect implementation of

Federal computer systems standards.  The head of such agency may

redelegate such authority only to a senior official designated

pursuant to section 3506(b) of title 44, United States Code.  Notice

of each such waiver and delegation shall be transmitted promptly to

the Committee on Government Operations of the House of

Representatives and the Committee on Governmental Affairs of the

Senate and shall be published promptly in the Federal Register.

 

  "(4) The Administrator shall revise the Federal information

resources management regulations (41 CFR ch. 201) to be consistent

with the standards and guidelines promulgated by the Secretary of

Commerce under this subsection.

 

  "(5) As used in this subsection, the terms 'Federal computer

system' and 'operator of a Federal computer system' have the meanings

given in section 20(d) of the National Bureau of Standards Act.".

 

 

SEC. 5.  FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

 

  (a) In General.--Each Federal agency shall provide for the

mandatory periodic training in computer security awareness and

accepted computer security practice of all employees who are involved

with the management, use, or operation of each Federal computer

system within or under the supervision of that agency. Such training

shall be--

 

       (1) provided in accordance with the guidelines developed

pursuant to section 20(a)(5) of the National Bureau of  Standards Act

(as added by section 3 of this Act), and in accordance with the

regulations issued under subsection (c) of this section for Federal

civilian employees; or

 

       (2) provided by an alternative training program approved by

the head of that agency on the basis of a determination that the

alternative training program is at least as effective in

accomplishing the objectives of such guidelines and regulations.

 

  (b)  TRAINING OBJECTIVES.--Training under this section shall be

started within 60 days after the issuance of the regulations

described in subsection (c).  Such training shall be designed--

 

     (1) to enhance employees' awareness of the threats to and

vulnerability of computer systems; and

    

     (2) to encourage the use of improved computer security

practices.

 

  (c) REGULATIONS.--Within six months after the date of the enactment

of this Act, the Director of the Office of Personnel Management shall

issue regulations prescribing the procedures and scope of the

training to be provided Federal civilian employees under subsection

(a) and the manner in which such training is to be carried out.

 

 

SEC. 6.  ADDITIONAL RESPONSIBILITIES FOR COMPUTER SYSTEMS SECURITY

AND PRIVACY.

 

  (a) IDENTIFICATION OF SYSTEMS THAT CONTAIN SENSITIVE INFORMATION-

Within 6 months after the date of enactment of this Act, each Federal

agency shall identify each Federal computer system, and system under

development, which is within or under the supervision of that agency

and which contains sensitive information.

 

  (b) SECURITY PLAN.--Within one year after the date of enactment of

this Act, each such agency shall, consistent with the standards,

guidelines, policies, and regulations prescribed pursuant to section

111(d) of the Federal Property and Administrative Services Act of

1949, establish a plan for the security and privacy of each Federal

computer system identified by that agency pursuant to subsection (a)

that is commensurate with the risk and magnitude or the harm

resulting from the loss, misuse, or unauthorized access to or

modification of the information contained in such system. Copies of

each such plan shall be transmitted to the National Bureau of

Standards and the National Security Agency for advice and comment.  A

summary of such plan shall be included in the agency's five-year plan

required by section 3505 of title 44, United States Code.  Such plan

shall be subject to disapproval by the Director of the Office of

Management and Budget.  Such plan shall be revised annually as

necessary.

 

 

SEC. 7.  DEFINITIONS.

 

  As used in this Act, the terms "computer system", "Federal computer

system", "operator of a Federal computer system", "sensitive

information", and "Federal agency" have the meanings given in section

20(d) of the National Bureau of Standards Act (as added by section 3

of this Act).

 

 

SEC. 8.  RULES OF CONSTRUCTION OF ACT.

 

  Nothing in this Act, or in any amendment made by this Act, shall be

construed--

 

     (1) to constitute authority to withhold information sought

pursuant to section 552 of title 5, United States Code; or

 

     (2) to authorize any Federal agency to limit, restrict,

regulate, or control the collection, maintenance, disclosure, use,

transfer, or sale of any information (regardless of the medium in

which the information may be maintained) that is--

 

          (A)  privately-owned information;

 

          (B)  disclosable under section 552 of title 5, United

States Code, or other law requiring or 	authorizing the public

disclosure of information; or

 

          (C)  public domain information.