P.L. 100–235, Approved January 8, 1988 (101 Stat. 1724)

Computer Security Act of 1987

*    *    *    *    *    *    *

SEC. 5. [40 U.S.C. 759 note]  FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

(a)  In General.—Each Federal agency shall provide for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency. Such training shall be—

(1)  provided in accordance with the guidelines developed pursuant to section 20(a)(5) of the National Bureau of Standards Act[377] (as added by section 3 of this Act), and in accordance with the regulations issued under subsection (c) of this section for Federal civilian employees; or

(2)  provided by an alternative training program approved by the head of that agency on the basis of a determination that the alternative training program is at least as effective in accomplishing the objectives of such guidelines and regulations.

(b)  Training Objectives.—Training under this section shall be started within 60 days after the issuance of the regulations described in subsection (c). Such training shall be designed—

(1)  to enhance employees’ awareness of the threats to and vulnerability of computer systems; and

(2)  to encourage the use of improved computer security practices.

*    *    *    *    *    *    *

SEC. 6. [40 U.S.C. 759 note]  ADDITIONAL RESPONSIBILITIES FOR COMPUTER SYSTEMS SECURITY AND PRIVACY.

(a)  Identification of Systems That Contain Sensitive Information.—Within 6 months after the date of enactment of this Act, each Federal agency shall identify each Federal computer system, and system under development, which is within or under the supervision of that agency and which contains sensitive information.

(b)  Security Plan.—Within one year after the date of enactment of this Act, each such agency shall, consistent with the standards, guidelines, policies, and regulations prescribed pursuant to section 111(d) of the Federal Property and Administrative Services Act of 1949, establish a plan for the security and privacy of each Federal computer system identified by that agency pursuant to subsection (a) that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information contained in such system. Copies of each such plan shall be transmitted to the National Bureau of Standards[378] and the National Security Agency for advice and comment. A summary of such plan shall be included in the agency’s five-year plan required by section 3505 of title 44, United States Code. Such plan shall be subject to disapproval by the Director of the Office of Management and Budget. Such plan shall be revised annually as necessary.

SEC. 7. [40 U.S.C. 759 note]  DEFINITIONS.

As used in this Act, the terms “computer system”, “Federal computer system”, “operator of a Federal computer system”, “sensitive information”, and “Federal agency” have the meanings given in section 20(d) of the National Bureau of Standards Act (as added by section 3 of this Act).

SEC. 8. [40 U.S.C. 759 note]  RULES OF CONSTRUCTION OF ACT.

Nothing in this Act, or in any amendment made by this Act, shall be construed—

(1)  to constitute authority to withhold information sought pursuant to section 552 of title 5, United States Code; or

(2)  to authorize any Federal agency to limit, restrict, regulate, or control the collection, maintenance, disclosure, use, transfer, or sale of any information (regardless of the medium in which the information may be maintained) that is—

(A)  privately-owned information;

(B)  disclosable under section 552 of title 5, United States Code, or other law requiring or authorizing the public disclosure of information; or

(C)  public domain information.

*    *    *    *    *    *    *

[Internal References.—SSAct Titles II, IV, XI, XVI (SSI), XVIII, and XIX headings have footnotes referring to P.L. 100-235.]



[377]  P.L. 100-418, §5115(a)(2), renamed this Act the “National Institute of Standards and Technology Act”.

[378]  P.L. 100-418, §5115(c), deems this a reference to the National Institute of Standards and Technology.