
From the U.S. Code Online via GPO Access
[wais.access.gpo.gov]
[Laws in effect as of January 23, 2000]
[Document not affected by Public Laws enacted between
  January 23, 2000 and December 4, 2001]
[CITE: 40USC1441]

 
             TITLE 40--PUBLIC BUILDINGS, PROPERTY, AND WORKS
 
              CHAPTER 25--INFORMATION TECHNOLOGY MANAGEMENT
 
 SUBCHAPTER I--RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY
 
                     Part C--Other Responsibilities
 
Sec. 1441. Responsibilities regarding efficiency, security, and 
        privacy of Federal computer systems
(a) Standards and guidelines

                            (1) Authority

        The Secretary of Commerce shall, on the basis of standards and 
    guidelines developed by the National Institute of Standards and 
    Technology pursuant to paragraphs (2) and (3) of section 278g-3(a) 
    of title 15, promulgate standards and guidelines pertaining to 
    Federal computer systems. The Secretary shall make such standards 
    compulsory and binding to the extent to which the Secretary 
    determines necessary to improve the efficiency of operation or 
    security and privacy of Federal computer systems. The President may 
    disapprove or modify such standards and guidelines if the President 
    determines such action to be in the public interest. The President's 
    authority to disapprove or modify such standards and guidelines may 
    not be delegated. Notice of such disapproval or modification shall 
    be published promptly in the Federal Register. Upon receiving notice 
    of such disapproval or modification, the Secretary of Commerce shall 
    immediately rescind or modify such standards or guidelines as 
    directed by the President.

                      (2) Exercise of authority

        The authority conferred upon the Secretary of Commerce by this 
    section shall be exercised subject to direction by the President and 
    in coordination with the Director to ensure fiscal and policy 
    consistency.

(b) Application of more stringent standards

    The head of a Federal agency may employ standards for the cost-
effective security and privacy of sensitive information in a Federal 
computer system within or under the supervision of that agency that are 
more stringent than the standards promulgated by the Secretary of 
Commerce under this section, if such standards contain, at a minimum, 
the provisions of those applicable standards made compulsory and binding 
by the Secretary of Commerce.

(c) Waiver of standards

    The standards determined under subsection (a) of this section to be 
compulsory and binding may be waived by the Secretary of Commerce in 
writing upon a determination that compliance would adversely affect the 
accomplishment of the mission of an operator of a Federal computer 
system, or cause a major adverse financial impact on the operator which 
is not offset by Government-wide savings. The Secretary may delegate to 
the head of one or more Federal agencies authority to waive such 
standards to the extent to which the Secretary determines such action to 
be necessary and desirable to allow for timely and effective 
implementation of Federal computer system standards. The head of such 
agency may redelegate such authority only to a Chief Information Officer 
designated pursuant to section 3506 of title 44. Notice of each such 
waiver and delegation shall be transmitted promptly to Congress and 
shall be published promptly in the Federal Register.

(d) Definitions

    In this section, the terms ``Federal computer system'' and 
``operator of a Federal computer system'' have the meanings given such 
terms in section 278g-3(d) of title 15.

(Pub. L. 104-106, div. E, title LI, Sec. 5131, Feb. 10, 1996, 110 Stat. 
687.)

                          Codification

    Section is comprised of section 5131 of Pub. L. 104-106. Subsec. (e) 
of section 5131 of Pub. L. 104-106 amended sections 3504 and 3518 of 
Title 44, Public Printing and Documents.


                            Computer Security

    Pub. L. 100-235, Secs. 1, 2, 5-8, Jan. 8, 1988, 101 Stat. 1724, 
1729, as amended by Pub. L. 104-106, div. E, title LVI, Sec. 5607(b), 
Feb. 10, 1996, 110 Stat. 701; Pub. L. 105-85, div. A, title X, 
Sec. 1073(h)(4), Nov. 18, 1997, 111 Stat. 1907, provided that:
``SECTION 1. SHORT TITLE.
    ``This Act [enacting sections 278g-3 and 278g-4 of Title 15, 
Commerce and Trade, amending section 759 of this title and section 272 
of Title 15, and enacting provisions set out as a note under section 271 
of Title 15] may be cited as the `Computer Security Act of 1987'.
``SEC. 2. PURPOSE.
    ``(a) In General.--The Congress declares that improving the security 
and privacy of sensitive information in Federal computer systems is in 
the public interest, and hereby creates a means for establishing minimum 
acceptable security practices for such systems, without limiting the 
scope of security measures already planned or in use.
    ``(b) Specific Purposes.--The purposes of this Act are--
        ``(1) by amending the Act of March 3, 1901 [15 U.S.C. 271 et 
    seq.], to assign to the National Bureau of Standards responsibility 
    for developing standards and guidelines for Federal computer 
    systems, including responsibility for developing standards and 
    guidelines needed to assure the cost-effective security and privacy 
    of sensitive information in Federal computer systems, drawing on the 
    technical advice and assistance (including work products) of the 
    National Security Agency, where appropriate;
        ``(2) to provide for promulgation of such standards and 
    guidelines;
        ``(3) to require establishment of security plans by all 
    operators of Federal computer systems that contain sensitive 
    information; and
        ``(4) to require mandatory periodic training for all persons 
    involved in management, use, or operation of Federal computer 
    systems that contain sensitive information.
``SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.
    ``(a) In General.--Each Federal agency shall provide for the 
mandatory periodic training in computer security awareness and accepted 
computer security practice of all employees who are involved with the 
management, use, or operation of each Federal computer system within or 
under the supervision of that agency. Such training shall be--
        ``(1) provided in accordance with the guidelines developed 
    pursuant to section 20(a)(5) of the National Bureau of Standards Act 
    (as added by section 3 of this Act) [15 U.S.C. 278g-3(a)(5)], and in 
    accordance with the regulations issued under subsection (c) of this 
    section for Federal civilian employees; or
        ``(2) provided by an alternative training program approved by 
    the head of that agency on the basis of a determination that the 
    alternative training program is at least as effective in 
    accomplishing the objectives of such guidelines and regulations.
    ``(b) Training Objectives.--Training under this section shall be 
started within 60 days after the issuance of the regulations described 
in subsection (c). Such training shall be designed--
        ``(1) to enhance employees' awareness of the threats to and 
    vulnerability of computer systems; and
        ``(2) to encourage the use of improved computer security 
    practices.
    ``(c) Regulations.--Within six months after the date of the 
enactment of this Act [Jan. 8, 1988], the Director of the Office of 
Personnel Management shall issue regulations prescribing the procedures 
and scope of the training to be provided Federal civilian employees 
under subsection (a) and the manner in which such training is to be 
carried out.
``SEC. 6. ADDITIONAL RESPONSIBILITIES FOR COMPUTER SYSTEMS SECURITY AND 
        PRIVACY.
    ``(a) Identification of Systems That Contain Sensitive 
Information.--Within 6 months after the date of enactment of this Act 
[Jan. 8, 1988], each Federal agency shall identify each Federal computer 
system, and system under development, which is within or under the 
supervision of that agency and which contains sensitive information.
    ``(b) Security Plan.--Each such agency shall, consistent with the 
standards, guidelines, policies, and regulations prescribed pursuant to 
section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441), 
establish a plan for the security and privacy of each Federal computer 
system identified by that agency pursuant to subsection (a) that is 
commensurate with the risk and magnitude of the harm resulting from the 
loss, misuse, or unauthorized access to or modification of the 
information contained in such system. Such plan shall be subject to 
disapproval by the Director of the Office of Management and Budget. Such 
plan shall be revised annually as necessary.
``SEC. 7. DEFINITIONS.
    ``As used in this Act, the terms `computer system', `Federal 
computer system', `operator of a Federal computer system', `sensitive 
information', and `Federal agency' have the meanings given in section 
20(d) of the National Bureau of Standards Act (as added by section 3 of 
this Act) [15 U.S.C. 278g-3(d)].
``SEC. 8. RULES OF CONSTRUCTION OF ACT.
    ``Nothing in this Act, or in any amendment made by this Act, shall 
be construed--
        ``(1) to constitute authority to withhold information sought 
    pursuant to section 552 of title 5, United States Code; or
        ``(2) to authorize any Federal agency to limit, restrict, 
    regulate, or control the collection, maintenance, disclosure, use, 
    transfer, or sale of any information (regardless of the medium in 
    which the information may be maintained) that is--
            ``(A) privately-owned information;
            ``(B) disclosable under section 552 of title 5, United 
        States Code, or other law requiring or authorizing the public 
        disclosure of information; or
            ``(C) public domain information.''

                  Section Referred to in Other Sections

    This section is referred to in section 1412 of this title; title 15 
section 278g-3; title 44 sections 3504, 3518.
