Cryptography's Role In Securing The Information Society

                Appendix N   Continued

[N.1.5 commences p. 551.]
__________________________________________________________________



         N.1.5 Computer Security Act of 1987


Sec. 1. Short Title.

     The Act may be cited as the "Computer Security Act of 1987".


Sec. 2. Purpose.

     (a) IN GENERAL.--The Congress declares that improving the
security and privacy of sensitive information in Federal computer
systems is in the public interest, and hereby creates a means for
establishing minimum acceptable security practices for such
systems, without limiting the scope of security measures already
planned or in use.

     (b) SPECIFIC PURPOSES.--The purposes of this Act are--

(1) by amending the Act of March 3, 1901, to assign to the National
Bureau of Standards responsibility for developing standards and
guidelines for Federal computer systems, including responsibility
for developing standards and guidelines needed to assure the
cost-effective security and privacy of sensitive information in
Federal computer systems, drawing on the technical advice and
assistance (including work products) of the National Security
Agency, where appropriate;

(2) to provide for promulgation of such standards and guidelines
by amending section 111(d) of the Federal Property and
Administrative Services Act of 1949;

(3) to require establishment of security plans by all operators of
Federal computer systems that contain sensitive information; and

(4) to require mandatory periodic training for all persons
involved in management, use, or operation of Federal computer
systems that contain sensitive information.


Sec. 3. Establishment of computer standards program.

     The Act of March 3, 1901, (15 U.S.C. 271-278h), is amended--

     (1) in section 2(f), by striking out "and" at the end of
paragraph (18), by striking out the period at the end of paragraph
(19) and inserting in lieu thereof: "; and", and by inserting
after such paragraph the following:

"(20) the study of computer systems (as that term is defined in
section 20(d) of this Act) and their use to control machinery and
processes.";

     (2) by redesignating section 20 as section 22, and by
inserting after section 19 the following new sections:

"SEC. 20. (a) The National Bureau of Standards shall--

"(1) have the mission of developing standards, guidelines, and
associated methods and techniques for computer systems; [552]

"(2) except as described in paragraph (3) of this subsection
(relating to security standards), develop uniform standards and
guidelines for Federal computer systems, except those systems
excluded by section 2315 of title 10, United States Code, or
section 3502(2) of title 44, United States Code.

"(3) have responsibility within the Federal Government for
developing technical, management, physical, and administrative
standards and guidelines for the cost-effective security and
privacy of sensitive information in Federal computer systems
except--

"(A) those systems excluded by section 2315 of title 10, United
States Code, or section 3502(2) of title 44, United States Code;
and

"(B) those systems which are protected at all times by procedures
established for information which has been specifically authorized
under criteria established by an Executive Order or an Act of
Congress to be kept secret in the interest of national defense or
foreign policy, the primary purpose of which standards and
guidelines shall be to control loss and unauthorized modification
or disclosure of sensitive information in such systems and to
prevent computer-related fraud and misuse;

"(4) submit standards and guidelines developed pursuant to
paragraphs (2) and (3) of this subsection, along with
recommendations as to the extent to which these should be made
compulsory and binding, to the Secretary of Commerce for
promulgation under section 111(d) of the Federal Property and
Administrative Services Act of 1949;

"(5) develop guidelines for use by operators of Federal computer
systems that contain sensitive information in training their
employees in security awareness and accepted security practice, as
required by section 5 of the Computer Security Act of 1987; and

"(6) develop validation procedures for, and evaluate the
effectiveness of, standards and guidelines developed pursuant to
paragraphs (1), (2), and (3) of this subsection through research
and liaison with other government and private agencies.


"(b) In fulfilling subsection (a) of this section, the National
Bureau of Standards is authorized--

"(1) to assist the private sector, upon request, in using and
applying the results of the programs and activities under this
section;

"(2) to make recommendations, as appropriate, to the Administrator
of General Services on policies and regulations proposed pursuant
to section 111(d) of the Federal Property and Administrative
Services Act of 1949;

"(3) as requested, to provide to operators of Federal computer
systems technical assistance in implementing the standards and
guidelines promulgated pursuant to section 111(d) of the Federal
Property and Administrative Services Act of 1949;

"(4) to assist, as appropriate, the Office of Personnel Management
in developing regulations pertaining to training, as required by
section 5 of the Computer Security Act of 1987;

"(5) to perform research and to conduct studies, as needed, to
determine the nature and extent of the vulnerabilities of, and to
devise techniques for the cost [553] effective security and
privacy of sensitive information in Federal computer systems; and

"(6) to coordinate closely with other agencies and offices
(including, but not limited to, the Departments of Defense and
Energy, the National Security Agency, the General Accounting
Office, the Office of Technology Assessment, and the Office of
Management and Budget)--

"(A) to assure maximum use of all existing and planned programs,
materials, studies, and reports relating to computer systems
security and privacy, in order to avoid unnecessary and costly
duplication of effort; and

"(B) to assure, to the maximum extent feasible, that standards
developed pursuant to subsection (a) (3) and (5) are consistent
and compatible with standards and procedures developed for the
protection of information in Federal computer systems which is
authorized under criteria established by Executive order or an Act
of Congress to be kept secret in the interest of national defense
or foreign policy.


"(c) For the purposes of--

"(1) developing standards and guidelines for the protection of
sensitive information in Federal computer systems under
subsections (a)(1) and (a)(3), and

"(2) performing research and conducting studies under subsection
(b)(5), the National Bureau of Standards shall draw upon computer
system technical security guidelines developed by the National
Security Agency to the extent that the National Bureau of
Standards determines that such guidelines are consistent with the
requirements for protecting sensitive information in Federal
computer systems.


"(d) As used in this section-- 

"(1) the term 'computer system'--

"(A) means any equipment or interconnected system or subsystems of
equipment that is used in the automatic acquisition, storage,
manipulation, management, movement, control, display, switching,
interchange, transmission, or reception, of data or information;
and

"(B) includes-- 

"(i) computers; 

"(ii) ancillary equipment; 

"(iii) software, firmware, and similar procedures; 

"(iv) services, including support services; and

"(v) related resources as defined by regulations issued by the
Administrator for General Services pursuant to section 111 of the
Federal Property and Administrative Services Act of 1949;

"(2) the term 'Federal computer system'--

"(A) means a computer system operated by a Federal agency or by a
contractor of a Federal agency or other organization that
processes information (using a computer system) on behalf of the
Federal Government to accomplish a Federal function; and

"(B) includes automatic data processing equipment as that term is
defined in section 111(a)(2) of the Federal Property and
Administrative Services Act of 1949;

"(3) the term 'operator of a Federal computer system' means a
Federal agency, contractor of a Federal agency, or other
organization that processes information [554] using a computer
system on behalf of the Federal Government to accomplish a Federal
function;

"(4) the term 'sensitive information' means any information, the
loss, misuse, or unauthorized access to or modification of which
could adversely affect the national interest or the conduct of
Federal programs, or the privacy to which individuals are entitled
under section 552a of title 5, United States Code (the Privacy
Act), but which has not been specifically authorized under
criteria established by an Executive order or an Act of Congress
to be kept secret in the interest of national defense or foreign
policy; and

"(5) the term 'Federal agency' has the meaning given such term by
section 3(b) of the Federal Property and Administrative Services
Act of 1949.


"SEC. 21. (a) There is hereby established a Computer System
Security and Privacy Advisory Board within the Department of
Commerce. The Secretary of Commerce shall appoint the chairman of
the Board. The Board shall be composed of twelve additional
members appointed by the Secretary of Commerce as follows:

"(1) four members from outside the Federal Government who are
eminent in the computer or telecommunications industry, at least
one of whom is representative of small or medium sized companies
in such industries;

"(2) four members from outside the Federal Government who are
eminent in the fields of computer or telecommunications
technology, or related disciplines, but who are not employed by or
representative of a producer of computer or telecommunications
equipment; and

"(3) four members from the Federal Government who have computer
systems management experience, including experience in computer
systems security and privacy, at least one of whom shall be from
the National Security Agency.

"(b) The duties of the Board shall be--

"(1) to identify emerging managerial, technical, administrative,
and physical safeguard issues relative to computer systems
security and privacy;

"(2) to advise the Bureau of Standards and the Secretary of
Commerce on security and privacy issues pertaining to Federal
computer systems; and

"(3) to report its findings to the Secretary of Commerce, the
Director of the Office of Management and Budget, the Director of
the National Security Agency, and the appropriate Committees of
the Congress.


"(c) The term of office of each member of the Board shall be four
years, except that--

"(1) of the initial members, three shall be appointed for terms of
one year, three shall be appointed for terms of two years, three
shall be appointed for terms of three years, and three shall be
appointed for terms of four years; and

"(2) any member appointed to fill a vacancy in the Board shall
serve for the remainder of the term for which his predecessor was
appointed.


"(d) The Board shall not act in the absence of a quorum, which
shall consist of seven members.


"(e) Members of the Board, other than full-time employees of the
Federal Government while attending meetings of such committees or
while otherwise performing [555] duties at the request of the
Board Chairman while away from their homes or a regular place of
business, may be allowed travel expenses in accordance with
subchapter I of chapter 57 of title 5, United States Code.


"(f) To provide the staff services necessary to assist the Board
in carrying out its functions, the Board may utilize personnel
from the National Bureau of Standards or any other agency of the
Federal Government with the consent of the head of the agency.


"(g) As used in this section, the terms 'computer system' and
'Federal computer system' have the meanings given in section 20(d)
of this Act."; and

     (3) by adding at the end thereof the following new section:

"SEC. 23. This Act may be cited as the National Bureau of
Standards Act."


Sec. 4. Amendment to Brooks Act.

     Section 111(d) of the Federal Property and Administrative
Services Act of 1949 (40 U.S.C. 759(d)) is amended to read as
follows:

"(d)(1) The Secretary of Commerce shall, on the basis of standards
and guidelines developed by the National Bureau of Standards
pursuant to section 20(a) (2) and (3) of the National Bureau of
Standards Act, promulgate standards and guidelines pertaining to
Federal computer systems, making such standards compulsory and
binding to the extent to which the Secretary determines necessary
to improve the efficiency of operation or security and privacy of
Federal computer systems. The President may disapprove or modify
such standards and guidelines if he determines such action to be
in the public interest. The President's authority to disapprove or
modify such standards and guidelines may not be delegated. Notice
of such disapproval or modification shall be submitted promptly to
the Committee on Government Operations of the House of
Representatives and the Committee on Governmental Affairs of the
Senate and shall be published promptly in the Federal Register.
Upon receiving notice of such disapproval or modification, the
Secretary of Commerce shall immediately rescind or modify such
standards or guidelines as directed by the President.


"(2) The head of a Federal agency may employ standards for the
cost effective security and privacy of sensitive information in a
Federal computer system within or under the supervision of that
agency that are more stringent than the standards promulgated by
the Secretary of Commerce, if such standards contain, at a
minimum, the provisions of those applicable standards made
compulsory and binding by the Secretary of Commerce.


"(3) The standards determined to be compulsory and binding may be
waived by the Secretary of Commerce in writing upon a
determination that compliance would adversely affect the
accomplishment of the mission of an operator of a Federal computer
system, or cause a major adverse financial impact on the operator
which is not offset by government-wide savings. The Secretary may
delegate [556] to the head of one or more Federal agencies
authority to waive such standards to the extent to which the
Secretary determines such action to be necessary and desirable to
allow for timely and effective implementation of Federal computer
systems standards. The head of such agency may redelegate such
authority only to a senior official designated pursuant to section
3506(b) of title 44, United States Code. Notice of each such
waiver and delegation shall be transmitted promptly to the
Committee on Government Operations of the House of Representatives
and the Committee on Governmental Affairs of the Senate and shall
be published promptly in the Federal Register.


"(4) The Administrator shall revise the Federal information
resources management regulations (41 CFR ch. 201) to be consistent
with the standards and guidelines promulgated by the Secretary of
Commerce under this subsection.


"(5) As used in this subsection, the terms 'Federal computer
system' and 'operator of a Federal computer system' have the
meanings given in section 20(d) of the National Bureau of
Standards Act.".


Sec. 5. Federal computer system security training.

     (a) In General.--Each Federal agency shall provide for the
mandatory periodic training in computer security awareness and
accepted computer security practice of all employees who are
involved with the management, use, or operation of each Federal
computer system within or under the supervision of that agency.
Such training shall be--

(1) provided in accordance with the guidelines developed pursuant
to section 20(a)(5) of the National Bureau of Standards Act (as
added by section 3 of this Act), and in accordance with the
regulations issued under subsection (c) of this section for
Federal civilian employees; or

(2) provided by an alternative training program approved by the
head of that agency on the basis of a determination that the
alternative training program is at least as effective in
accomplishing the objectives of such guidelines and regulations.

     (b) Training Objectives.--Training under this section shall
be started within 60 days after the issuance of the regulations
described in subsection (c). Such training shall be designed--

(1) to enhance employees' awareness of the threats to and
vulnerability of computer systems; and

(2) to encourage the use of improved computer security practices.

     (c) Regulations.--Within six months after the date of the
enactment of this Act, the Director of the Office of Personnel
Management shall issue regulations prescribing the procedures and
scope of the training to be provided Federal civilian employees
under subsection (a) and the manner in which such training is to
be carried out. [557]


Sec. 6. Additional responsibilities for computer systems security
and privacy.

     (a) Identification of systems that contain sensitive
information--Within 6 months after the date of enactment of this
Act, each Federal agency shall identify each Federal computer
system, and system under development, which is within or under the
supervision of that agency and which contains sensitive
information.

     (b) Security Plan.--Within one year after the date of
enactment of this Act, each such agency shall, consistent with the
standards, guidelines, policies, and regulations prescribed
pursuant to section 111(d) of the Federal Property and
Administrative Services Act of 1949, establish a plan for the
security and privacy of each Federal computer system identified by
that agency pursuant to subsection (a) that is commensurate with
the risk and magnitude of the harm resulting from the loss,
misuse, or unauthorized access to or modification of the
information contained in such system. Copies of each such plan
shall be transmitted to the National Bureau of Standards and the
National Security Agency for advice and comment. A summary of such
plan shall be included in the agency's five-year plan required by
section 3505 of title 44, United States Code. Such plan shall be
subject to disapproval by the Director of the Office of Management
and Budget. Such plan shall be revised annually as necessary.


Sec. 7. Definitions.

     As used in this Act, the terms "computer system", "Federal
computer system", "operator of a Federal computer system",
"sensitive information", and "Federal agency" have the meanings
given in section 20(d) of the National Bureau of Standards Act (as
added by section 3 of this Act).


Sec. 8. Rules of construction of act.

     Nothing in this Act, or in any amendment made by this Act,
shall be construed--

     (1) to constitute authority to withhold information sought
pursuant to section 552 of title 5, United States Code; or

     (2) to authorize any Federal agency to limit, restrict,
regulate, or control the collection, maintenance, disclosure, use,
transfer, or sale of any information (regardless of the medium in
which the information may be maintained) that is--

(A) privately-owned information;

(B) disclosable under section 552 of title 5, United States Code,
or other law requiring or authorizing the public disclosure of
information; or

(C) public domain information.


[End N.1.5]

