Computer Security Act of 1987

Summary

The Computer Security Act of 1987 was the first act passed by Congress that specifically required federal agencies (other than those generally involved in military and intelligence activities; today known as “national security systems”) to adopt and implement computer security protections.

The Computer Security Act was largely the codification into law of the Office of Management and Budget (OMB) Circular A-130, Appendix III, which was issued in 1985.

Section-by-Section Analysis

The following sections summarize the contents of each section of the Act.

Section 1. Short Title

The title of the “Computer Security Act of 1987” is stated, with the full title being:

To provide for a computer standards program within the National Bureau of Standards, to provide for Government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems, and for other purposes.

Section 2. Purpose

Section 2 of the Computer Security Act defines its purpose as “improving the security and privacy of sensitive information in Federal computer systems” and as “establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use.”

Further, the following specific purposes of the Act were defined:

  1. To assign the National Bureau of Standards (NBS), now known as the National Institute of Standards and Technology (NIST), responsibility for developing computer security and privacy standards and guidelines for computer systems that process sensitive information;
  2. To promulgate such standards;
  3. To require that security plans be established by all operators of Federal computer systems that contain sensitive information; and
  4. To require mandatory periodic training for all persons involved with computer systems that process sensitive information.

Section 3. Establishment of Computer Standards Program

Establishment of Standards and Responsibilities

Section 2 assigns NIST the mission and responsibility of “the study of computer systems” and “the development of standards, guidelines, and associated methods and techniques for computer systems.” However, NIST’s authority does not extend to systems that are, generally speaking, military and intelligence systems.[1]

NIST was to “submit standards and guidelines” developed under the authority of the Computer Security Act to the Secretary of the Department of Commerce, who was provided the authority to make the NIST-developed standards binding on agencies.

NIST was to develop guidelines for the use of computer systems, to include security awareness training.

NIST was to develop “validation procedures” that could be used to “evaluate the effectiveness of” NIST’s standards and guidelines.

NIST was authorized to:

  1. Assist the private sector, upon request, in applying the results of NIST’s standards and guidance;
  2. Make recommendations to the Administrator of the General Services Administration (GSA) on policies and regulations pursuant to Section 111(d) of the Brooks Act;
  3. As requested, provide to operators of Federal computer systems technical assistance in implementing NIST’s standards and guidelines;
  4. Assist, as appropriate, the Office of Personnel Management (OPM) in developing regulations regarding security training, the regulations being those promulgated in accordance with Section 5 of the CSA;
  5. Perform research and studies to determine the nature and extent of vulnerabilities and how to address them; and
  6. Coordinate with other agencies (such as the Department of Defense and National Security Agency) to assure the maximum use of all existing and planned computer security information, to avoid duplication of effort; and to assure that the standards developed in accordance with the CSA are consistent and compatible with standards and procedures developed for national security systems.

Definitions

Computer system: Any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information; and includes (i) computers; (ii) ancillary equipment; (iii) software, firmware, and similar procedures; (iv) services, including support services; and (v) related resources as defined by regulations issued by the Administrator for General Services pursuant to section 111 of the Federal Property and Administrative Services Act of 1949.

Federal computer system: A computer system operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information (using a computer system) on behalf of the Federal Government to accomplish a Federal function, and includes automatic data processing equipment as that term is defined in section 111(a)(2) of the Federal Property and Administrative Services Act of 1949.

Operator of a Federal computer system: A Federal agency, contractor of a Federal agency, or other organization that processes information using a computer system on behalf of the Federal Government to accomplish a Federal function.

Sensitive information: Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

Federal agency: The meaning referred to in section 3(b) of the Federal Property and Administrative Services Act of 1949.

Establishment of Computer System Security and Privacy Advisory Board

The Computer System Security and Privacy Advisory Board was established within the Department of Commerce. The board comprised 12 members:

  1. Four from outside the federal government who were “eminent in the computer or telecommunications industry,” at least one of whom represented a small or medium-sized business;
  2. Four from outside the federal government who were “eminent in the fields of computer or telecommunications technology, or related disciplines, but who are not employed by or representative of a producer of computer or telecommunications equipment”; and
  3. Four members of the federal government with computer management experience, at least one of whom was from the NSA.

The duties of the Board were:

  1. Identifying emerging control issues relative to computer system security and privacy;
  2. Advising NIST and DOC on security and privacy issues for federal computer systems; and
  3. Reporting its findings to DOC, the Office of Management and Budget (OMB), the National Security Agency (NSA), and “the appropriate committees of the Congress.”

Board members would serve for four-year terms, except that, of the initial board members:

  1. Three would only serve one-year terms;
  2. Three would only serve two-year terms;
  3. Three would only serve three-year terms; and
  4. Three would only serve four-year terms.

Those who would fill board vacancies would only serve out the remainder of the replaced person’s term.

A quorum of the board was defined as seven members. Without a quorum, the board was not allowed to act.

Board members were allowed to claim travel expenses and to utilize personnel from NIST to provide staff services necessary to the board.

Section 4. Amendment to Brooks Act

The Brooks Act (formally referred to as the Federal Property and Administrative Services Act of 1949) was amended to authorize the Secretary of the Department of Commerce to make NIST-developed standards and guidelines mandatory for agencies. However, the President “may disapprove or modify such standards and guidelines if he determines such action is to be in the public interest.”

The heads of agencies are told they “may employ standards” for computer security and privacy “that are more stringent” than the standards promulgated by NIST and the Department of Commerce.

For standards and guidelines that are determined by DOC to be mandatory, the Secretary of DOC may either directly waive the requirement for an agency or delegate such authority to the head of another agency. If such a waiver occurs, a notice must be (1) sent to the Committee on Government Operations of the House of Representatives; (2) sent to the Committee on Governmental Affairs in the Senate; and (3) published in the Federal Register.

The Secretary of DOC was to revise the regulations regarding federal information resource management in 41 CFR 201.[2]

Section 5. Federal Computer System Security Training

Agencies are required to provide “periodic training in computer security awareness and accepted computer security practice” to all employees involved in managing, using, or operating federal computer systems. Specifically, the training must be:

  1. Provided in accordance with NIST’s standards and guidelines and the OPM regulations on security training issued under Section 5 of the Act; or
  2. Provided “by an alternate training program approved by the head of that agency on the basis of a determination that the alternative training program is at least as effective in accomplishing the objectives of such guidelines and regulations.”

The objectives of the computer security training were twofold: (1) “to enhance employees’ awareness of the threats to and vulnerability of computer systems,” and (2) “to encourage the use of improved computer security practices.”

Such training was to occur within 60 days of the issuance of the regulations issued in 41 CFR 201.

Section 6. Additional Responsibilities for Computer Systems Security and Privacy

Agencies were required to identify each computer system they own that “contains sensitive information” within six months of the law’s enactment.

Agencies were required to “establish a plan for the security and privacy” for each system identified as containing sensitive information. The plan was to be “commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information contained” in the systems.

Copies of each security plan were to be transmitted to NIST and the National Security Agency (NSA) for advice and comment. A summary of each plan was required to be included in each agency’s five-year plan required by the Paperwork Reduction Act of 1980.[3]

The security plans were subject to disapproval by the Director of the Office of Management and Budget (OMB).

Security plans were to be “revised annually as necessary.”

Section 7. Definitions

The Computer Security Act explicitly uses the definitions for the terms “computer system,” “Federal computer system,” “operator of a Federal computer system,” “sensitive information,” and “Federal agency” as defined in section 3 above.

Section 8. Rules of Construction of Act

The Computer Security Act was:

  1. Not to be interpreted as providing an authority to withhold information under the Freedom of Information Act; and
  2. Not to be interpreted as authorizing any agency to “limit, restrict, regulate, or control the collection, maintenance, disclosure, use, transfer, or sale of any information (regardless of the medium in which the information may be maintained)” where that information is privately owned, is disclosable under FOIA or any other law requiring disclosure, or is in the public domain.

Notes

[1] Today, such systems are referred to as national security systems and are referred to as such for the remainder of this page.
[2] The regulations in 41 CFR 201 no longer exist.
[3] The term “five-year plan” refers to the requirement from the Paperwork Reduction Act of 1985 that agencies maintain five-year strategic plans for meeting their Information Technology (IT) needs. See 44 U.S.C. § 3506.