In 1987, Congress enacted the Computer Security Act of 1987, reaffirming that the National Institute of Standards and Technology (NIST), a division of the Department of Commerce, was responsible for the security of unclassified, non-military government computer systems. Under the law, the role of the National Security Agency (NSA) was limited to providing technical assistance in the civilian security realm. Congress felt that it was inappropriate for a military intelligence agency to have control over the dissemination of unclassified information.
After enactment of the Computer Security Act of 1987, the NSA sought to undercut NIST's authority. In 1989, NSA signed a Memorandum of Understanding (MOU) with NIST. According to the MOU, both agencies were to share project updates quarterly, as well as project reviews upon request.
The MOU created a NIST/NSA technical working group of three NIST and three NSA representatives to review and analyze technical issues of mutual interest. That working group developed the controversial Clipper Chip and Digital Signature Standard.
The MOU required that NIST request NSA’s assistance on all matters related to cryptographic algorithms, not solely NIST-selected cryptographic matters. If NIST and NSA disagree on an issue, the matter may be appealed to the Secretaries of Commerce and Defense. Unresolved matters may be referred through the National Security Council to the President.
The GAO noted that the MOU made NSA appear to be more influential in NIST’s standard-setting processes relative to cryptographic systems than was intended by the Congress in the Computer Security Act of 1987. It further testified, “The [memorandum] appears to increase the burden of leadership which the Secretary of Commerce must exercise in implementing the Computer Security Act of 1987. . . .”
- National Institute of Standards and Technology and the National Security Agency's Memorandum of Understanding on Implementing the Computer Security Act of 1987.
- Communications Privacy: Federal Policy and Actions, at 16.
- Electronic Privacy Information Center, Computer Security Act of 1987.