The Congress and the Executive Branch orchestrate the development of Federal computer security and IRM responsibilities through legislation and administrative requirements. Relevant law encompasses a wide range of issues, ranging from privacy and the implementation of standards to Government performance and concerns for national security.
Social, Political, and Legal Developments, 1932-1949
Many of the current legal developments in Federal Government computer security can be traced to a period ranging from President Roosevelt's New Deal to the onset of the Cold War, when information requests between government and other parties increased in reaction to the need for governmental services. These political and social changes continue to significantly influence the debate today over standards and guidelines for computer security of Federal Government information technology (IT).
Three significant legal developments are worth noting. First, the Congress created the Office of Management and Budget, which has significant IRM oversight responsibility, in response to the need to manage information exchanges between the Government and the people.
Second, the Congress established the General Services Administration in 1949 by passing the Federal Property and Administrative Services Act to centralize procurement responsibilities. The Congress and the Executive Branch traditionally use the Federal Government's ability to link procurement to security; the GSA's contributions to Federal Government computer security are therefore quite significant.
Third, the Truman Administration’s creation of the National Security Agency in 1952 laid the foundation for the emergence of a significant actor in the development of standards and guidelines. NSA is well known for its focus on, and expertise in, creating mechanisms to protect access to classified materials. Current law restricts NSA's jurisdiction over the creation of computer security guidelines and standards to classified and national security systems only.
Centralized to Decentralized Government Management, 1949-1999
Congressional legislation during the past 35 years has wavered between centralized IRM and decentralized models recommending interagency cooperation for more complex matters. Passage of the Brooks Automatic Data Processing Act in 1965 (Brooks Act) further conferred upon GSA Government-wide responsibility for the acquisition of IT. Congress repealed the Brooks Act with passage of the Information Technology Management Reform Act (renamed the Clinger-Cohen Act of 1996), requiring agencies to take responsibility for core business functions, including a wide range of computer security and information resource management requirements.
Critical Infrastructure Protection, 1996–1999
The Clinton Administration carefully studied the Federal Government's growing dependencies on critical infrastructures, both those internal to the Government and those shared externally with the private sector and with state and local governments. In July 1996, the President's Commission on Critical Infrastructure Protection (PCCIP) was formed to advise and assist the President of the United States by recommending a national strategy for protecting and assuring critical infrastructures from physical and cyber threats. The President signed Presidential Decision Directive 63 (PDD-63) in May 1998, incorporating many of the PCCIP's recommendations.
Principal Themes
Three themes characterized Congressional, Executive Branch, and regulatory activity and thinking in this era: (1) tensions between security and public access to information; (2) efficiency and Government-wide information resources management; and (3) critical infrastructure protection.
Tension: Security vs. Access to Data
The first core issue emerges from the development of standards and guidelines to improve the security of sensitive information in Federal computer systems and to open access to information held by the Government. This tension results from two competing necessities—the need to restrict access to certain, generally classified, information affecting national security; and the need to guarantee access to other types of data (e.g., consumer information) intended to be widely disseminated for public benefit. President Reagan issued National Security Decision Directive 145 (NSDD-145) in response to the growing threat of foreign exploitation of computer-based information systems in the Government. Data deemed vulnerable by NSDD-145 included classified and certain other sensitive-but-unclassified (SBU) information remitted by Federal computers or telecommunications systems, including agricultural, industrial, and commercial data. NSDD-145 assigned to the National Security Agency the responsibility for developing standards and guidelines to protect these types of data.
In response, Congress effectively rescinded NSDD-145 by expanding power in civilian government and restricting the NSA's authority to develop Federal standards and guidelines as a means of best resolving the tensions between security and access.
An Expanded Role for the National Institute of Standards and Technology (NIST): Sensitive but Unclassified Information.
Congress feared that the Administration was seeking not simply to protect classified information, national security, and other unclassified information held by the Government, but also to control access to information in private sector systems. Congress subsequently passed the Computer Security Act of 1987, which replaced NSDD-145 as U.S. Government policy.
The Computer Security Act established a system for creating uniform standards and guidelines to protect information in Federal computer systems. NIST was given the responsibility of protecting the privacy of SBU information. NSA retained control of standards development covering all classified systems, but its role was limited by the Computer Security Act to providing technical assistance to NIST.
In addition, Congress established the Computer Systems Security Privacy Advisory Board (CSSPAB) as a public advisory board in the Computer Security Act of 1987. The Board is composed of twelve members, in addition to the Chairperson, who are recognized experts in the fields of computer and telecommunications systems security and technology. The CSSPAB advises the Secretary of Commerce and the Director of NIST.
Warner Amendment: SBU National Security Systems.
One year later, in 1988, Congress passed the Warner Amendment to the Brooks Act. This Amendment, which Congress linked to policies covering procurement rules, defines certain specific types of SBU IT that must be treated as classified technology. The amendment thus carved out a limited area of jurisdiction for NSA over SBU IT.
The Warner Amendment generally covers the function, operation, or use of information technology in any of the following:
- Intelligence activities
- Cryptographic activities related to national security
- The direct command and control of military forces
- Equipment that is an integral part of a weapon or weapons system
- IT that is critical to military or intelligence missions
During Congressional debates covering the Paperwork Reduction Act, and later with passage of the Clinger-Cohen Act, Congress explicitly excluded from NIST and OMB the authority to create and manage standards development for Warner Amendment categories, defined as "national security systems." Certain other types of national security/emergency preparedness IT exclusions from OMB oversight responsibilities are more clearly defined below.
National Security Directive 42 (NSD-42) and the National Security Telecommunications Information Systems Security Committee (NSTISSC).
In July 1990, the Bush Administration, in direct compliance with the Computer Security Act, issued National Security Directive 42 (NSD-42), which created the National Security Telecommunications Information Systems Security Committee (NSTISSC). The NSTISSC includes 21 departments and agencies from the civilian, intelligence, law enforcement, and defense communities. The NSTISSC provides a forum for discussion of policy issues and sets national policy. Through its issuance system, the NSTISSC also promulgates direction, operational procedures, and guidance for the security of national security systems.
OMB Oversight and Circular A-130, Appendix III.
Law and policy covering standards development have not changed significantly since the Computer Security Act, with one exception. In the Paperwork Reduction Act, and subsequently in the Clinger-Cohen Act of 1996, Congress required OMB to take on greater responsibility for overseeing the development and management of Federal computer security issues. These responsibilities include the full range of IT concerns, such as privacy (public access to, and protection of, data held by the Government), vulnerability and risk assessments, and efficiency of Federal Government and private sector information exchanges.
Efficiency and Government-wide Information Management
The second core issue incorporates several IRM themes, including: (1) Government efforts to improve performance and results in use of IT; (2) reducing the burden of information collection on the public and maximizing the use of information collected from the public; and (3) constructing a Government-wide IRM model that allows for both decentralized decision making and responsibility and multiple-agency coordination of such IRM areas as large procurements, research and development, and budget efforts.
Many of these IRM challenges have been debated in Congress and the Administration throughout the 1990s and are incorporated into three legislative authorities: the Clinger-Cohen Act of 1996, the Paperwork Reduction Act of 1995, and the Government Performance and Results Act of 1993 (GPRA). President Clinton required implementation of these laws in Executive Order 13011, Federal Information Technology.
Improving Performance and Results.
To improve the efficiency and effectiveness of Federal programs, Congress passed the Government Performance and Results Act of 1993 (GPRA). GPRA established a system to set goals for program performance and to measure results. OMB was charged with implementing GPRA, which includes IRM programs and practices. Clinger-Cohen and Executive Order 13011 both mandate that agencies set goals, measure performance, and report on progress to improve efficiency and effectiveness of operations through the use of IT.
Reducing the Burden, Increasing Efficiency.
The Paperwork Reduction Act of 1995 is one of the most significant legislative initiatives affecting Government-wide IRM practices. The Act's roots can be traced to the exponential growth in paperwork caused by the proliferation of New Deal agencies and missions at the onset of World War II.
The Paperwork Reduction Act addresses concerns over appropriate dissemination and collection of information between the Government and the public. It also:
- Directs all Federal agencies to obtain OMB review and approval of plans to collect information from the public and industry.
- Requires Federal agencies to give the public and industry an opportunity to participate in the agency review process for each proposed information collection effort by providing an opportunity to comment before submission to OMB.
- Improves the quality and use of Federal information, through the use of IT and measures to minimize the human effort and financial costs (burden) necessary to provide the information to meet Federal agency requirements.
The Paperwork Reduction Act reaffirmed the system of managing IT established by the Computer Security Act of 1987; to wit, NIST is charged with development of computer security standards and guidelines covering SBU IT, and NSA retains authority for standards development covering classified IT. However, Congress also underscored the importance of the Warner Amendment limitations by restricting OMB’s jurisdiction to management of a limited class of SBU IT, or "national security systems." Thus, management of classified IT and of specifically identified SBU IT for national security systems remains outside the scope of OMB's jurisdiction.
Government-wide IRM Management: OMB.
Congress took further steps to consolidate OMB's significant role in managing Federal computer security and IRM responsibilities in passing the Information Technology Management Reform Act of 1996 (renamed the Clinger-Cohen Act). Congress, in passing the Clinger-Cohen Act, reversed three decades of enforcing minimum computer security requirements through centralized procurement authority. Specifically, the Clinger-Cohen Act repealed Section 111 of the Federal Property and Administrative Services Act of 1949 (40 U.S.C. 759) and the Brooks Act, eliminating the General Services Administration's exclusive authority to acquire computer resources for all of the Federal Government. The Clinger-Cohen Act assigns overall responsibility for the acquisition and management of IT, previously referred to as Federal Information Processing (FIP), in the Federal Government to the Director, Office of Management and Budget (OMB). Although the Brooks Act was repealed, Congress incorporated the Warner Amendment restrictions directly into the Clinger-Cohen Act.
On July 16, 1996, President Clinton issued Executive Order 13011, creating the CIO Council and directing Executive Branch agencies to implement each of the laws discussed in this section. The Executive Order requires agencies to:
- Significantly improve the management of their information systems.
- Refocus IT management to support directly their strategic missions.
- Establish clear accountability for information resources management activities.
- Cooperate in the use of IT to improve the productivity of Federal programs.
- Establish an interagency support structure, the CIO Council.
OMB Circular A-130, Management of Federal Resources, specifically Appendix III, Security of Federal Automated Information Resources, is the principal administrative vehicle for implementing these IRM laws and policies. A-130, which was initially written in 1985, sets out Federal agency requirements for adhering to information security standards developed by NIST in accordance with the Computer Security Act. In 1996, A-130 was specifically revised to place responsibility for information security with the individual agency Chief Information Officers (CIOs). Enforcement of A-130 requires the reporting of "material weaknesses" in information security through an OMB budgetary review process.
Critical Infrastructure Protection.
After the bombing of the Murrah Federal Building in Oklahoma City in 1995, the Attorney General formed a working group to address physical and, for the first time, cyber threats to the nation's critical infrastructure facilities. The Critical Infrastructure Working Group (CIWG) reviewed the history of IRM, as well as laws and policies covering terrorism, law enforcement, and national security. The CIWG concluded that there were both civilian and government infrastructures critical to the security of the nation and that further analysis was needed to lay out a long-term strategy for understanding threats, vulnerabilities, and interdependencies.
President's Commission on Critical Infrastructure Protection (PCCIP): Critical Foundations.
In January 1996, the CIWG recommended that an Executive Order be issued to create a President's Commission on Critical Infrastructure Protection to further analyze long-term solutions. The PCCIP, which included commissioners from both government and the private sector, studied shared dependencies on critical infrastructure systems within government, and those shared with the private sector. The PCCIP agenda highlighted the impact and development of computer technologies, which affect all aspects of American commerce and society, including national security.
The Commission's recommendations for further action included the following:
- Establishing new programs to develop national infrastructure protection
- Partnering with the private sector and engaging industry cooperation
- Developing new governmental structures to achieve these goals
Based on its findings, the PCCIP issued an extensive report, Critical Foundations: Protecting America's Infrastructures, in October 1997.
Presidential Decision Directive 63 (PDD-63) and the National Plan: Prioritizing IRM Programs.
Findings from the PCCIP report were subsequently incorporated into PDD-63, Protecting America’s Critical Infrastructures, issued May 22, 1998. These programmatic and policy objectives receive further elaboration in Defending America's Cyberspace: National Plan for the Information Systems Protection.
Notes
- See H.R. Rep. No. 927, 101st Cong., 2nd Sess. 1990, 1990 WL 201562 (Leg. Hist.); Paperwork Reduction and Federal Information Resources Management Act of 1990, House Report No. 101-927, October 23, 1990 [To accompany H.R. 3695].
- Congress passed the Federal Reports Act of 1942 to authorize the Bureau of the Budget (OMB's predecessor) "to coordinate Federal reporting services, to eliminate duplication and reduce the cost of such services, and to minimize the burdens of furnishing information to Federal agencies." The core of the current law's concern for reducing information collection burdens and improving the management of Federal information resources is found in this 52-year-old statutory mandate. In 1970, the former Bureau of the Budget was reconstituted as the Office of Management and Budget (OMB) in order to strengthen central management leadership and capacity in the Executive Branch.
- The Hoover Commission, headed by former President Herbert Hoover, was formed in 1947 to recommend to the President and Congress ways to improve administrative activities of the Federal Government. The Hoover Commission recommended establishing an independent "Office of General Services" that would assume the existing responsibilities of several entities, including the Treasury Department, the National Archives establishment, and the Federal Works Agency.
- The NSA was created by a still-classified Executive Order in 1952. Refer to Executive Order 12333 (U.S. Intelligence Activities) for the basic structure of the U.S. Intelligence Community. This Executive Order delineates the jurisdictional boundaries between the intelligence agencies and provides a legal basis of authority for their activities.
- Computer Security Act of 1987, Legislative History, House Report No. 100-153 (II) (June 11, 1987); Cong. Record Vol. 133 (1987). NSDD-145 was issued in 1984.
- Memorandum of Understanding between the Director of the National Institute of Standards and Technology and the Director of the National Security Agency Concerning Implementation of Public Law 100-235 [Computer Security Act] (March 1989).
- See, for example, OMB Circular A-130, App. III, Security of Federal Automated Information Systems (February 1986) at Section 4(b) (excluding national security emergency preparedness activities conducted in accordance with Executive Order 12472).
- National Policy for the Security of National Security Telecommunications and Information Systems (supersedes NSDD-145).
- See, e.g., NSTISSD No. 503, Incident Response and Vulnerability Reporting for National Security Systems (August 30, 1993), which establishes the National Security Information Systems Incident Reporting Program (NSISIP); see also NSTISSI No. 4009, National Information Systems Security (INFOSEC) Glossary (June 5, 1992).
- Executive Guide: Effectively Implementing the Government Performance and Results Act, United States General Accounting Office, Comptroller of the United States (June 1996), GAO/GGD-96-118.
- Paperwork Reduction Act of 1995 (P.L. 104-13). For an excellent background history on the Paperwork Reduction Act of 1995, review the legislative history.
- Paperwork Reduction and Federal Information Resources Management Act of 1990, House Report No. 101-927 (October 23, 1990) (Discussion and Background Section). Congress initially addressed reducing the burden of Government demands on the public through the Federal Records Act, which created the Management and Budget Office in 1929. Congress further centralized management of paperwork collection and dissemination in the Paperwork Collection Act of 1980, which granted OMB authority to judge whether agency activities were necessary.
- Paperwork Reduction Act of 1995 Legislative History (Coordination of Federal Information Policy, Section 2).
- See 10 U.S.C. Section 2315(a) (Warner Amendment).
- The CIWG also studied threats to the nation’s critical infrastructures from the perspectives of two additional parties: private sector owners and operators of critical infrastructures, and state and local partners, who include "first responders" in emergencies.
- Executive Order 13010, Critical Infrastructure Protection (July 1996); see also Critical Infrastructure Working Group report (January 1996) (FOUO).
Source: Practices for Securing Critical Information Assets, Appendix B. Overview of Federal Computer Security and Information Resources Management (IRM) Policy, at B-1.