
From the U.S. Code Online via GPO Access
[wais.access.gpo.gov]
[Laws in effect as of January 2, 2001]
[Document not affected by Public Laws enacted between
  January 2, 2001 and January 28, 2002]
[CITE: 15USC278g-3]

 
                      TITLE 15--COMMERCE AND TRADE
 
        CHAPTER 7--NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
 
Sec. 278g-3. Computer standards program


(a) Development of standards, guidelines, methods, and techniques for 
        computer systems

    The Institute shall--
        (1) have the mission of developing standards, guidelines, and 
    associated methods and techniques for computer systems;
        (2) except as described in paragraph (3) of this subsection 
    (relating to security standards), develop uniform standards and 
    guidelines for Federal computer systems, except those systems 
    excluded by section 2315 of title 10 or section 3502(9) of title 44;
        (3) have responsibility within the Federal Government for 
    developing technical, management, physical, and administrative 
    standards and guidelines for the cost-effective security and privacy 
    of sensitive information in Federal computer systems except--
            (A) those systems excluded by section 2315 of title 10 or 
        section 3502(9) of title 44; and
            (B) those systems which are protected at all times by 
        procedures established for information which has been 
        specifically authorized under criteria established by an 
        Executive order or an Act of Congress to be kept secret in the 
        interest of national defense or foreign policy,

    the primary purpose of which standards and guidelines shall be to 
    control loss and unauthorized modification or disclosure of 
    sensitive information in such systems and to prevent computer-
    related fraud and misuse;
        (4) submit standards and guidelines developed pursuant to 
    paragraphs (2) and (3) of this subsection, along with 
    recommendations as to the extent to which these should be made 
    compulsory and binding, to the Secretary of Commerce for 
    promulgation under section 1441 of title 40;
        (5) develop guidelines for use by operators of Federal computer 
    systems that contain sensitive information in training their 
    employees in security awareness and accepted security practice, as 
    required by section 5 of the Computer Security Act of 1987; and
        (6) develop validation procedures for, and evaluate the 
    effectiveness of, standards and guidelines developed pursuant to 
    paragraphs (1), (2), and (3) of this subsection through research and 
    liaison with other government and private agencies.

(b) Technical assistance and implementation of standards developed

    In fulfilling subsection (a) of this section, the Institute is 
authorized--
        (1) to assist the private sector, upon request, in using and 
    applying the results of the programs and activities under this 
    section;
        (2) as requested, to provide to operators of Federal computer 
    systems technical assistance in implementing the standards and 
    guidelines promulgated pursuant to section 1441 of title 40;
        (3) to assist, as appropriate, the Office of Personnel 
    Management in developing regulations pertaining to training, as 
    required by section 5 of the Computer Security Act of 1987;
        (4) to perform research and to conduct studies, as needed, to 
    determine the nature and extent of the vulnerabilities of, and to 
    devise techniques for the cost-effective security and privacy of 
    sensitive information in Federal computer systems; and
        (5) to coordinate closely with other agencies and offices 
    (including, but not limited to, the Departments of Defense and 
    Energy, the National Security Agency, the General Accounting Office, 
    the Office of Technology Assessment, and the Office of Management 
    and Budget)--
            (A) to assure maximum use of all existing and planned 
        programs, materials, studies, and reports relating to computer 
        systems security and privacy, in order to avoid unnecessary and 
        costly duplication of effort; and
            (B) to assure, to the maximum extent feasible, that 
        standards developed pursuant to subsection (a)(3) and (5) of 
        this section are consistent and compatible with standards and 
        procedures developed for the protection of information in 
        Federal computer systems which is authorized under criteria 
        established by Executive order or an Act of Congress to be kept 
        secret in the interest of national defense or foreign policy.

(c) Protection of sensitive information

    For the purposes of--
        (1) developing standards and guidelines for the protection of 
    sensitive information in Federal computer systems under subsections 
    (a)(1) and (a)(3) of this section, and
        (2) performing research and conducting studies under subsection 
    (b)(5) \1\ of this section,

the Institute shall draw upon computer system technical security 
guidelines developed by the National Security Agency to the extent that 
the Institute determines that such guidelines are consistent with the 
requirements for protecting sensitive information in Federal computer 
systems.
---------------------------------------------------------------------------
    \1\ See References in Text note below.

(d) Definitions

    As used in this section--
        (1) the term ``computer system''--
            (A) means any equipment or interconnected system or 
        subsystems of equipment that is used in the automatic 
        acquisition, storage, manipulation, management, movement, 
        control, display, switching, interchange, transmission, or 
        reception, of data or information; and
            (B) includes--
                (i) computers;
                (ii) ancillary equipment;
                (iii) software, firmware, and similar procedures;
                (iv) services, including support services; and
                (v) related resources;

        (2) the term ``Federal computer system'' means a computer system 
    operated by a Federal agency or by a contractor of a Federal agency 
    or other organization that processes information (using a computer 
    system) on behalf of the Federal Government to accomplish a Federal 
    function;
        (3) the term ``operator of a Federal computer system'' means a 
    Federal agency, contractor of a Federal agency, or other 
    organization that processes information using a computer system on 
    behalf of the Federal Government to accomplish a Federal function;
        (4) the term ``sensitive information'' means any information, 
    the loss, misuse, or unauthorized access to or modification of which 
    could adversely affect the national interest or the conduct of 
    Federal programs, or the privacy to which individuals are entitled 
    under section 552a of title 5 (the Privacy Act), but which has not 
    been specifically authorized under criteria established by an 
    Executive order or an Act of Congress to be kept secret in the 
    interest of national defense or foreign policy; and
        (5) the term ``Federal agency'' has the meaning given such term 
    by section 472(b) of title 40.

(Mar. 3, 1901, ch. 872, Sec. 20, as added Pub. L. 100-235, Sec. 3(2), 
Jan. 8, 1988, 101 Stat. 1724; amended Pub. L. 100-418, title V, 
Sec. 5115(a)(1), Aug. 23, 1988, 102 Stat. 1433; Pub. L. 104-106, div. E, 
title LVI, Sec. 5607(a), Feb. 10, 1996, 110 Stat. 701; Pub. L. 105-85, 
div. A, title X, Sec. 1073(h)(1), Nov. 18, 1997, 111 Stat. 1906.)

                       References in Text

    Section 5 of the Computer Security Act of 1987, referred to in 
subsecs. (a)(5) and (b)(3), is section 5 of Pub. L. 100-235, Jan. 8, 
1988, 101 Stat. 1729, which is set out as a note under section 1441 of 
Title 40, Public Buildings, Property, and Works.
    Subsection (b)(5) of this section, referred to in subsec. (c)(2), 
was redesignated subsec. (b)(4) by Pub. L. 104-106, div. E, title LVI, 
Sec. 5607(a)(2)(C), Feb. 10, 1996, 110 Stat. 701.


                            Prior Provisions

    A prior section 20 of act Mar. 3, 1901, ch. 872, was renumbered 
section 22 and is classified to section 278h of this title.


                               Amendments

    1997--Subsecs. (a)(4), (b)(2). Pub. L. 105-85 made technical 
amendment to reference in original act which appears in text as 
reference to section 1441 of title 40.
    1996--Subsec. (a)(2), (3)(A). Pub. L. 104-106, Sec. 5607(a)(1)(A), 
substituted ``section 3502(9) of title 44'' for ``section 3502(2) of 
title 44''.
    Subsec. (a)(4). Pub. L. 104-106, Sec. 5607(a)(1)(B), substituted 
``section 1441 of title 40'' for ``section 759(d) of title 40''.
    Subsec. (b)(2). Pub. L. 104-106, Sec. 5607(a)(2)(A), (C), 
redesignated par. (3) as (2) and struck out former par. (2) which read 
as follows: ``to make recommendations, as appropriate, to the 
Administrator of General Services on policies and regulations proposed 
pursuant to section 1441 of title 40;''.
    Subsec. (b)(3). Pub. L. 104-106, Sec. 5607(a)(2)(C), redesignated 
par. (4) as (3). Former par. (3) redesignated (2).
    Pub. L. 104-106, Sec. 5607(a)(2)(B), substituted ``section 1441 of 
title 40'' for ``section 759(d) of title 40''.
    Subsec. (b)(4) to (6). Pub. L. 104-106, Sec. 5607(a)(2)(C), 
redesignated pars. (4) to (6) as (3) to (5), respectively.
    Subsec. (d)(1)(B)(v). Pub. L. 104-106, Sec. 5607(a)(3)(A), struck 
out ``as defined by regulations issued by the Administrator for General 
Services pursuant to section 759 of title 40'' after ``related 
resources''.
    Subsec. (d)(2). Pub. L. 104-106, Sec. 5607(a)(3)(B), substituted 
``system' '' for ``system'--'', struck out ``(A)'' before ``means'', 
substituted ``function;'' for ``function; and'', and struck out subpar. 
(B) which read as follows: ``includes automatic data processing 
equipment as that term is defined in section 759(a)(2) of title 40;''.
    1988--Pub. L. 100-418 substituted ``Institute'' for ``National 
Bureau of Standards'' in introductory provisions of subsecs. (a) and (b) 
and wherever appearing in closing provisions of subsec. (c).


                    Effective Date of 1996 Amendment

    Amendment by Pub. L. 104-106 effective 180 days after Feb. 10, 1996, 
see section 5701 of Pub. L. 104-106, set out as an Effective Date note 
under section 1401 of Title 40, Public Buildings, Property, and Works.


                            Computer Security

    Nothing in amendment by Pub. L. 100-235 which enacted this section 
to be construed to constitute authority to withhold information sought 
under section 552 of Title 5, Government Organization and Employees, or 
to authorize any Federal agency to limit, restrict, regulate, or control 
collection, maintenance, disclosure, use, transfer, or sale of any 
information that is privately owned information, disclosable under 
section 552 of Title 5 or other law requiring or authorizing public 
disclosure of information, or public domain information, see section 8 
of Pub. L. 100-235, set out as a note under section 1441 of Title 40, 
Public Buildings, Property, and Works.

                  Section Referred to in Other Sections

    This section is referred to in sections 272, 278g-4 of this title; 
title 40 sections 1412, 1441; title 44 section 3504.
