Recognizing the increasing use of computers by federal agencies and the vulnerability of computer-stored information, including personal information, to unauthorized access, Congress enacted the "Computer Security Act of 1987." The Act provides for improving the security and privacy of sensitive information in federal computer systems.
The Act was a legislative response to overlapping responsibilities for computer security among several federal agencies, heightened awareness of computer security issues, and concern over how best to control information in computerized or networked form. The Act requires each federal agency to identify their computer systems that contain sensitive information, establish training programs to increase security awareness and knowledge of security practices, and establish a plan for the security and privacy of each computer system with sensitive information.
The Act established a federal government computer security program that would protect all sensitive but unclassified information in federal government computer systems and would develop standards and guidelines to facilitate such protection. Specifically, the Act assigned responsibility for developing government-wide, computer system security standards and guidelines and security-training programs to the National Bureau of Standards now the National Institute of Standards and Technology, or NIST). In carrying out these responsibilities, NIST can draw on the substantial expertise of NSA and other relevant agencies.
The statute also mandates a Computer Systems Security and Privacy Advisory Board within the Department of Commerce to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer system security and privacy, and advise NIST and the Secretary of Commerce on security and privacy issues pertaining to federal computer systems, among other duties.
Additionally, the Act required federal agencies to identify computer systems containing sensitive information, to develop security plans for identified systems, and to provide all employees involved with the management, use, or operation of its computer systems with mandatory periodic training in computer security awareness and accepted computer security practice.
- ↑ The Act defines "sensitive information" to include any unclassified information that, if lost, misused, or accessed or modified without authorization, could adversely affect the national interest, conduct of federal programs, or the privacy to which individuals are entitled under the Privacy Act.
- ↑ Implementation of the Act has been especially controversial regarding the roles of NIST and NSA in standards development. A 1989 memorandum of understanding (MOU) between the Director of NIST and the Director of NSA established the mechanisms of the working relationship between the two agencies in implementing the Act. This memorandum of understanding has been controversial. Observers consider that it appears to cede to NSA much more authority than the Act itself had granted or envisioned, especially considering the House Report accompanying the legislation.