National Institute of Standards and Technology and the National Security Agency's Memorandum of Understanding on Implementing the Computer Security Act of 1987

GAO discussed the memorandum of understanding between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) regarding the implementation of the Computer Security Act of 1987. GAO noted that, under the memorandum: (1) NIST was responsible for appointing a computer security and privacy advisory board, applying NSA security guidelines to the extent they were consistent with requirements for protecting sensitive information, recognizing NSA-certified ratings of systems without requiring additional evaluation, and developing standards for protecting sensitive unclassified data; (2) NSA was responsible for providing NIST with technical guidelines regarding security and technology research, responding to NIST requests on all cryptography matters, establishing standards and endorsing products for application to secure military systems, and assessing hostile intelligence threats against federal information systems; and (3) NIST and NSA agreed to jointly review agencies' security plans, exchange technical standards and guidelines, avoid duplicative effort, exchange work plans, and establish a technical working group. GAO believes that the memorandum may provide NSA with more than the legislatively intended consultative role in securing federal agency handling of sensitive, unclassified information, since the memorandum does not adequately specify NIST authority over NSA responsibilities and involvement in NIST functions.