B-231257, Sep 8, 1988

B-231257, Sep 8, 1988

MISCELLANEOUS TOPICS - Federal Administrative/Legislative Matters - Information disclosure - Statutory regulations - Computer equipment/services - Security safeguards DIGEST: Office of General Counsel memorandum to IMTEC discussing key terms of the Computer Security Act of 1987, which requires federal agencies to protect against the unauthorized modification of disclosure of sensitive information in their computer systems. Public Law 100-235, January 8, 1988, 100 Stat. 1724. The key terms that are addressed are: (1) federal agency, (2) computer system, (3) Federal computer system, and (4) sensitive information. Computer Security Act of 1987 (B-231257; Code 510306)

Group Director, IMTEC - David G. Gill:

Computer Security Act of 1987 (B-231257; Code 510306):

This responds to your request for a legal analysis of the Computer Security Act of 1987, focusing on what agencies are required to do in order to comply with the Act's requirements, and on the intended meaning and application of certain terms contained in that Act. We understand that our analysis is necessary to provide IMTEC with audit criteria for its review of agencies' implementation and compliance with the Computer Security Act, as requested by the Chairmen of the Committee on Government Operations and the Committee on Science, Space and Technology, respectively, House of Representatives.

As we discussed and agreed to, perhaps the best way we can respond to your request is to address the meaning and application of the Act's key terms in this memorandum, and then address other questions dealing with the Act's requirements (e.g., the Commerce Department's responsibilities for implementing the Act) as they arise during the course of IMTEC's review. We also plan to work closely with IMTEC on the development of its questionnaires which are to be sent to agencies.

The key terms that this memorandum addresses are: (1) federal agency, (2) computer system, (3) Federal computer system, and (4) sensitive information. In this regard, the Computer Security Act briefly requires federal agencies to protect against the unauthorized modification or disclosure of sensitive information in their computer systems.

I. Background: The Computer Security Act of 1987 (the Act), Public Law 100-235, January 8, 1988, 101 STAT. 1724, was enacted in order to improve the security and privacy of sensitive information contained in Federal computer systems. To achieve this purpose the Act, among other things, provides for the establishment of a computer standards program, under which the National Bureau of Standards (NBS) has the responsibility within the federal government for developing technical, management, physical and administrative standards and guidelines for the security and privacy of sensitive information in federal computer systems. NBS is required to submit any such standards and guidelines to the Secretary of Commerce for issuance. The Act also:

-- provides for the establishment of a Computer System Security and Privacy Advisory Board within the Commerce Department,

-- provides for the establishment of a formal training program for operators of federal computer systems that contain sensitive information, and

-- requires agencies to identify computer systems that contains sensitive information and establish a plan for the security and privacy of such systems.

II. Key Definitions:

1. Federal agency: For purposes of determining what agencies are covered by the Act, the term "Federal agency" is defined by reference to section 3(b) of the Federal Property and Administrative Services Act (FPAS) of 1949 (see section 3 of the Computer Security Act, inserting a new section 20 to the National Bureau of Standards Acts, as well as section 7 of the Computer Security Act). Section 3(b) of the FPAS, 40 U.S.C. 472(b), as amended, defines "federal agency" to mean "any executive agency or any establishment in the legislative or judicial branch of the Government (except the Supreme Court, the Senate, the House of Representatives, and the Architect of the Capitol ...)." We should point out that this same definition applies for purposes of the Brooks Act, 40 U.S.C. 759, as amended, which governs the acquisition of automatic data processing equipment by Federal agencies.

2. Computer system: Section 3 of the Act defines the term "computer system" as meaning:

"(A) ... any equipment or interconnected system or subsystem of equipment that i used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception, of data or information; and

(B) includes-

(i) computers;

(ii) ancillary equipment;

(iii) software, firmware, and similar procedures;

(iv) services, including support services; and

(v) related resources as defined by regulations issued by the Administrator for General Services pursuant to section 111 of the Federal Property and Administrative Services Act of 1949;"

The report issued by the House Committee on Science, Space, and Technology pointed out that the definition of the term "computer system" for purposes of the Computer Security Act is essentially identical to the term "automatic data processing equipment" as used in the Brooks Act (section 111 of the Federal Property Administrative Services Act of 1949, 40 U.S.C. 759(a)(2)(A), as amended). H.R. Rep. No. 100-153, Part 1, at 23 (1987). The Committee also commented that a computer system is described structurally to include traditional hardware as well as functionally to include any equipment or interconnected system used for the designated functions.

Section 3 of the Computer Security Act specifically excludes from the application of any standards and guidelines that NBS may develop, the following computer systems:

"(A) those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code; and

(B) those systems which are protected at all times by procedures established for information which has been specifically authorized under criteria established by an executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy, ..."

The first category refers to the so-called Warner Amendment enacted in 1981, 10 U.S.C. 2315, which also appears in the Brooks Act, 40 U.S.C. 759(a)(3), and the Paperwork Reduction Act, 44 U.S.C. 3502(2). That legislation effectively excludes from the coverage of the latter two acts, and now the Computer Security Act, those Department of Defense computer systems that--

(1)involves intelligence activities;

(2) involves cryptologic activities related to national security;

(3) involves the command and control of military forces;

(4) involves equipment that is an integral part of a weapon or weapons system; or

(5) are critical to the direct fulfillment of military or intelligence missions.

The second category refers to information that is specifically authorized to be kept secret pursuant to a statute or executive order, in the interest of national defense or foreign policy.

3. Federal computer system: Section 3 of the Act defines a Federal computer system as including "automatic data processing equipment" as defined in section 111(a)(2) of the Federal Property and Administrative Services Act of 1949, which is the same term discussed above, and also-

"(A) means a computer system operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information (using a computer system) on behalf of the Federal Government to accomplish a Federal function; ..."

As indicated, the term Federal computer system means a system operated by three distinct groups: (1) federal agencies, (2) contractors of federal agencies, and (3) other organizations that process information using a computer system on behalf of the federal government to accomplish a federal government function. The House Committee on Science, Space, and Technology, in its report on this then proposed legislation, further explained the intended meaning of this latter group as follows:

"... The latter category is limited to cases where there is a direct federal interest. Examples would include state agencies that disburse federal funds, monitor compliance with federal regulations on behalf of the federal government, collect statistical information for the purpose of federal funding decisions, or act in some other way as a direct extension of the federal government ..." H.R. Rep. No. 100 153, Part 1 at 23 (1987).

4. Sensitive information: The Computer Security Act applies to the security and privacy of sensitive information, the latter term being defined in section 3 as follows:

"... the term 'sensitive information' means any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy; ..."

The House Committee on Science, Space, and Technology, in its report on this legislation, further explained the meaning of sensitive information:

"The term ... is used to limit the kinds of information which are covered by the bill ... Sensitive information is defined as unclassified information which, if lost, misused, accessed or modified in an unauthorized way, could adversely affect the national interest, the conduct of federal programs or the privacy of individuals. Examples include information which if modified, destroyed or disclosed in an unauthorized manner could cause:

Loss of life;

Loss of property or funds by unlawful means;

Violation of personal privacy or civil rights;

Gaining an unfair commercial advantage;

Loss of advanced technology, useful to a competitor;

Disclosure of proprietary information entrusted to the government."

H.R. Rep. No. 100-53, Part 1 at 24 (1987).

The Committee recognized that the definition of sensitive information allows the possibility that some unclassified information may not be sensitive, and noted that each operator must make a determination as to which unclassified information in its possession is sensitive. Finally, the Committee specifically pointed out that sensitive information does not include nor does the bill apply to classified information for which extensive standards-setting authority already exists. (See Executive Order 12065, National Security Information, dated June 28, 1978).