40 U.S.C.
United States Code, 2001 Edition
Title 40 - PUBLIC BUILDINGS, PROPERTY, AND WORKS
CHAPTER 25 - INFORMATION TECHNOLOGY MANAGEMENT
SUBCHAPTER I - RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY
Part C - Other Responsibilities
Sec. 1441 - Responsibilities regarding efficiency, security, and privacy of Federal computer systems
From the U.S. Government Publishing Office, www.gpo.gov

§1441. Responsibilities regarding efficiency, security, and privacy of Federal computer systems

(a) Standards and guidelines

(1) Authority

The Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 278g–3(a) of title 15, promulgate standards and guidelines pertaining to Federal computer systems. The Secretary shall make such standards compulsory and binding to the extent to which the Secretary determines necessary to improve the efficiency of operation or security and privacy of Federal computer systems. The President may disapprove or modify such standards and guidelines if the President determines such action to be in the public interest. The President's authority to disapprove or modify such standards and guidelines may not be delegated. Notice of such disapproval or modification shall be published promptly in the Federal Register. Upon receiving notice of such disapproval or modification, the Secretary of Commerce shall immediately rescind or modify such standards or guidelines as directed by the President.

(2) Exercise of authority

The authority conferred upon the Secretary of Commerce by this section shall be exercised subject to direction by the President and in coordination with the Director to ensure fiscal and policy consistency.

(b) Application of more stringent standards

The head of a Federal agency may employ standards for the cost-effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce under this section, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce.

(c) Waiver of standards

The standards determined under subsection (a) of this section to be compulsory and binding may be waived by the Secretary of Commerce in writing upon a determination that compliance would adversely affect the accomplishment of the mission of an operator of a Federal computer system, or cause a major adverse financial impact on the operator which is not offset by Government-wide savings. The Secretary may delegate to the head of one or more Federal agencies authority to waive such standards to the extent to which the Secretary determines such action to be necessary and desirable to allow for timely and effective implementation of Federal computer system standards. The head of such agency may redelegate such authority only to a Chief Information Officer designated pursuant to section 3506 of title 44. Notice of each such waiver and delegation shall be transmitted promptly to Congress and shall be published promptly in the Federal Register.

(d) Definitions

In this section, the terms “Federal computer system” and “operator of a Federal computer system” have the meanings given such terms in section 278g–3(d) of title 15.

(Pub. L. 104–106, div. E, title LI, §5131, Feb. 10, 1996, 110 Stat. 687.)

Codification

Section is comprised of section 5131 of Pub. L. 104–106. Subsec. (e) of section 5131 of Pub. L. 104–106 amended sections 3504 and 3518 of Title 44, Public Printing and Documents.

Computer Security

Pub. L. 100–235, §§1, 2, 5–8, Jan. 8, 1988, 101 Stat. 1724, 1729, as amended by Pub. L. 100–418, title V, §5115(c), Aug. 23, 1988, 102 Stat. 1433; Pub. L. 104–106, div. E, title LVI, §5607(b), Feb. 10, 1996, 110 Stat. 701; Pub. L. 105–85, div. A, title X, §1073(h)(4), Nov. 18, 1997, 111 Stat. 1907, provided that:

“SECTION 1. SHORT TITLE.

“This Act [enacting sections 278g–3 and 278g–4 of Title 15, Commerce and Trade, amending section 759 of this title and section 272 of Title 15, and enacting provisions set out as a note under section 271 of Title 15] may be cited as the ‘Computer Security Act of 1987’.

“SEC. 2. PURPOSE.

“(a) In General.—The Congress declares that improving the security and privacy of sensitive information in Federal computer systems is in the public interest, and hereby creates a means for establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use.

“(b) Specific Purposes.—The purposes of this Act are—

“(1) by amending the Act of March 3, 1901 [15 U.S.C. 271 et seq.], to assign to the National Institute of Standards and Technology responsibility for developing standards and guidelines for Federal computer systems, including responsibility for developing standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems, drawing on the technical advice and assistance (including work products) of the National Security Agency, where appropriate;

“(2) to provide for promulgation of such standards and guidelines;

“(3) to require establishment of security plans by all operators of Federal computer systems that contain sensitive information; and

“(4) to require mandatory periodic training for all persons involved in management, use, or operation of Federal computer systems that contain sensitive information.

“SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

“(a) In General.—Each Federal agency shall provide for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency. Such training shall be—

“(1) provided in accordance with the guidelines developed pursuant to section 20(a)(5) of the National Bureau of Standards Act [now National Institute of Standards and Technology Act] (as added by section 3 of this Act) [15 U.S.C. 278g–3(a)(5)], and in accordance with the regulations issued under subsection (c) of this section for Federal civilian employees; or

“(2) provided by an alternative training program approved by the head of that agency on the basis of a determination that the alternative training program is at least as effective in accomplishing the objectives of such guidelines and regulations.

“(b) Training Objectives.—Training under this section shall be started within 60 days after the issuance of the regulations described in subsection (c). Such training shall be designed—

“(1) to enhance employees’ awareness of the threats to and vulnerability of computer systems; and

“(2) to encourage the use of improved computer security practices.

“(c) Regulations.—Within six months after the date of the enactment of this Act [Jan. 8, 1988], the Director of the Office of Personnel Management shall issue regulations prescribing the procedures and scope of the training to be provided Federal civilian employees under subsection (a) and the manner in which such training is to be carried out.

“SEC. 6. ADDITIONAL RESPONSIBILITIES FOR COMPUTER SYSTEMS SECURITY AND PRIVACY.

“(a) Identification of Systems That Contain Sensitive Information.—Within 6 months after the date of enactment of this Act [Jan. 8, 1988], each Federal agency shall identify each Federal computer system, and system under development, which is within or under the supervision of that agency and which contains sensitive information.

“(b) Security Plan.—Each such agency shall, consistent with the standards, guidelines, policies, and regulations prescribed pursuant to section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441), establish a plan for the security and privacy of each Federal computer system identified by that agency pursuant to subsection (a) that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information contained in such system. Such plan shall be subject to disapproval by the Director of the Office of Management and Budget. Such plan shall be revised annually as necessary.

“SEC. 7. DEFINITIONS.

“As used in this Act, the terms ‘computer system’, ‘Federal computer system’, ‘operator of a Federal computer system’, ‘sensitive information’, and ‘Federal agency’ have the meanings given in section 20(d) of the National Bureau of Standards Act [now National Institute of Standards and Technology Act] (as added by section 3 of this Act) [15 U.S.C. 278g–3(d)].

“SEC. 8. RULES OF CONSTRUCTION OF ACT.

“Nothing in this Act, or in any amendment made by this Act, shall be construed—

“(1) to constitute authority to withhold information sought pursuant to section 552 of title 5, United States Code; or

“(2) to authorize any Federal agency to limit, restrict, regulate, or control the collection, maintenance, disclosure, use, transfer, or sale of any information (regardless of the medium in which the information may be maintained) that is—

“(A) privately-owned information;

“(B) disclosable under section 552 of title 5, United States Code, or other law requiring or authorizing the public disclosure of information; or

“(C) public domain information.”

Section Referred to in Other Sections

This section is referred to in section 1412 of this title; title 15 section 278g–3; title 44 sections 3504, 3518, 3533.