COMPUTER SECURITY ACT
PL 100-235
SECTION 1. SHORT TITLE.
This Act (enacting sections 278g-3 and 278g-4 of Title 15,
Commerce and Trade, amending section 759 of this title and section
272 of Title 15, and enacting provisions set out as a note under
section 271 of Title 15) may be cited as the 'Computer Security Act
of 1987'.
SEC. 2. PURPOSE.
(a) In General. - The Congress declares that improving the
security and privacy of sensitive information in Federal computer
systems is in the public interest, and hereby creates a means for
establishing minimum acceptable security practices for such
systems, without limiting the scope of security measures already
planned or in use.
(b) Specific Purposes. - The purposes of this Act are -
(1) by amending the Act of March 3, 1901 (15 U.S.C. 271 et
seq.), to assign to the National Bureau of Standards
responsibility for developing standards and guidelines for
Federal computer systems, including responsibility for developing
standards and guidelines needed to assure the cost-effective
security and privacy of sensitive information in Federal computer
systems, drawing on the technical advice and assistance
(including work products) of the National Security Agency, where
appropriate;
(2) to provide for promulgation of such standards and
guidelines by amending section 111(d) of the Federal Property and
Administrative Services Act of 1949 (40 U.S.C. 759(d));
(3) to require establishment of security plans by all
operators of Federal computer systems that contain sensitive
information; and
(4) to require mandatory periodic training for all persons
involved in management, use, or operation of Federal computer
systems that contain sensitive information.
SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.
(a) In General. - Each Federal agency shall provide for the
mandatory periodic training in computer security awareness and
accepted computer security practice of all employees who are
involved with the management, use, or operation of each Federal
computer system within or under the supervision of that agency.
Such training shall be -
(1) provided in accordance with the guidelines developed
pursuant to section 20(a)(5) of the National Bureau of Standards
Act (as added by section 3 of this Act) (15 U.S.C. 278g-3(a)(5)),
and in accordance with the regulations issued under subsection
(c) of this section for Federal civilian employees; or
(2) provided by an alternative training program approved by
the head of that agency on the basis of a determination that the
alternative training program is at least as effective in
accomplishing the objectives of such guidelines and regulations.
(b) Training Objectives. - Training under this section shall be
started within 60 days after the issuance of the regulations
described in subsection (c). Such training shall be designed -
(1) to enhance employees' awareness of the threats to and
vulnerability of computer systems; and
(2) to encourage the use of improved computer security
practices.
(c) Regulations. - Within six months after the date of the
enactment of this Act (Jan. 8, 1988), the Director of the Office of
Personnel Management shall issue regulations prescribing the
procedures and scope of the training to be provided Federal
civilian employees under subsection (a) and the manner in which
such training is to be carried out.
SEC. 6. ADDITIONAL RESPONSIBILITIES FOR COMPUTER SYSTEMS SECURITY
AND PRIVACY.
(a) Identification of Systems That Contain Sensitive
Information. - Within 6 months after the date of enactment of this
Act (Jan. 8, 1988), each Federal agency shall identify each Federal
computer system, and system under development, which is within or
under the supervision of that agency and which contains sensitive
information.
(b) Security Plan. - Within one year after the date of
enactment of this Act (Jan. 8, 1988), each such agency shall,
consistent with the standards, guidelines, policies, and
regulations prescribed pursuant to section 111(d) of the Federal
Property and Administrative Services Act of 1949 (40 U.S.C.
759(d)), establish a plan for the security and privacy of each
Federal computer system identified by that agency pursuant to
subsection (a) that is commensurate with the risk and magnitude of
the harm resulting from the loss, misuse, or unauthorized access to
or modification of the information contained in such system.
Copies of each such plan shall be transmitted to the National
Bureau of Standards and the National Security Agency for advice and
comment. A summary of such plan shall be included in the agency's
five-year plan required by section 3505 of title 44, United States
Code. Such plan shall be subject to disapproval by the Director of
the Office of Management and Budget. Such plan shall be revised
annually as necessary.
SEC. 7. DEFINITIONS.
As used in this Act, the terms 'computer system', 'Federal
computer system', 'operator of a Federal computer system',
'sensitive information', and 'Federal agency' have the meanings
given in section 20(d) of the National Bureau of Standards Act (as
added by section 3 of this Act) (15 U.S.C. 278g-3(d)).
SEC. 8. RULES OF CONSTRUCTION OF ACT.
Nothing in this Act, or in any amendment made by this Act,
shall be construed -
(1) to constitute authority to withhold information sought
pursuant to section 552 of title 5, United States Code; or
(2) to authorize any Federal agency to limit, restrict,
regulate, or control the collection, maintenance, disclosure,
use, transfer, or sale of any information (regardless of the
medium in which the information may be maintained) that is -
(A) privately-owned information;
(B) disclosable under section 552 of title 5, United States
Code, or other law requiring or authorizing the public
disclosure of information; or
(C) public domain information.