COMPUTER SECURITY ACT OF 1986

Document Number (FOIA) / ESDN (CREST): CIA-RDP87B00858R000400480025-3
Release Decision: RIFPUB
Original Classification: K
Document Page Count: 39
Document Creation Date: December 22, 2016
Document Release Date: March 15, 2011
Sequence Number: 25
Publication Date: August 6, 1986
Content Type: OPEN SOURCE
File: CIA-RDP87B00858R000400480025-3.pdf (2.55 MB)
Body: 
Approved For Release 2011/03/15: CIA-RDP87B00858R000400480025-3

99th Congress, 2d Session
House of Representatives
Report 99-753, Part 1

Mr. FUQUA, from the Committee on Science and Technology, submitted the following

REPORT

together with

ADDITIONAL AND DISSENTING VIEWS

[To accompany H.R. 2889 which on June 27, 1985, was referred jointly to the Committee on Science and Technology and the Committee on Government Operations]

[Including cost estimate of the Congressional Budget Office]

The Committee on Science and Technology, to whom was referred the bill (H.R. 2889) to amend the Act establishing the National Bureau of Standards to provide for a computer security research program within such Bureau, and to provide for the training of Federal employees who are involved in the management, operation, and use of automated information processing systems, having considered the same, report favorably thereon with amendments and recommend that the bill as amended do pass.

The amendments are as follows:

Strike out all after the enacting clause and insert in lieu thereof the following:

SECTION 1. SHORT TITLE.

This Act may be cited as the "Computer Security Act of 1986".

SEC. 2. PURPOSE.

(a) IN GENERAL.-The Congress declares that improving the security and privacy of sensitive information in Federal computer systems is in the public interest, and hereby creates a means for establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use.

(b) SPECIFIC PURPOSES.-The purposes of this Act are-
(1) to assign to the National Bureau of Standards responsibility for developing standards and guidelines for Federal computer systems, including standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems, by amending the Act of March 3, 1901;
(2) to provide for promulgation of such standards and guidelines by amending section 111(f) of the Federal Property and Administrative Services Act of 1949;
(3) to require establishment of security plans by all operators of Federal computer systems that contain sensitive information; and
(4) to require mandatory periodic training for all persons involved in management, use, or operation of Federal computer systems that contain sensitive information.

SEC. 3. ESTABLISHMENT OF COMPUTER STANDARDS PROGRAM.

The Act of March 3, 1901 (15 U.S.C. 271-278h), is amended-
(1) in section 2(f), by striking out "and" at the end of paragraph (18), by striking out the period at the end of paragraph (19) and inserting in lieu thereof a semicolon, and by inserting after such paragraph the following:
"(20) the study of equipment, procedures, and systems for automatic acquisition, storage, manipulation, display, and transmission of information, and its use to control machinery and processes.";
(2) by redesignating section 18 as section 20, and by inserting after section 17 the following new sections:
"SEC. 18.
"(a) The National Bureau of Standards shall-
"(1) have the mission of developing standards, guidelines, and associated methods and techniques for computer systems;
"(2) except as described in paragraph (3) of this subsection (relating to security standards), develop uniform standards and guidelines for Federal computer systems, except those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code;
"(3) have responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems except-
"(A) those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code; and
"(B) those systems which are protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy,
the primary purpose of which standards and guidelines shall be to control loss and unauthorized modification or disclosure of sensitive information in such systems and to prevent computer-related fraud and misuse;
"(4) submit standards and guidelines developed pursuant to paragraphs (2) and (3) of this subsection, along with recommendations as to the extent to which these should be made compulsory and binding, to the Secretary of Commerce, for promulgation under section 111 of the Federal Property and Administrative Services Act of 1949;
"(5) develop guidelines for use by operators of Federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice, as required by section 5 of the Computer Security Act of 1986; and
"(6) develop validation procedures for, and evaluate the effectiveness of, standards and guidelines developed pursuant to paragraphs (1), (2), and (3) of this subsection through research and liaison with other government and private agencies.
"(b) In fulfilling subsection (a) of this section, the National Bureau of Standards is authorized-
"(1) to assist the private sector in using and applying the results of the programs and activities under this section;
"(2) to make recommendations, as appropriate, to the Administrator of General Services on policies and regulations proposed pursuant to section 111(f) of the Federal Property and Administrative Services Act of 1949;
"(3) as requested, to provide to operators of Federal computer systems technical assistance in implementing the standards and guidelines promulgated pursuant to section 111(f) of the Federal Property and Administrative Services Act of 1949;
"(4) to assist, as appropriate, the Office of Personnel Management in developing regulations pertaining to training, as required by section 5 of the Computer Security Act of 1986;
"(5) to perform research and to conduct studies, as needed, to determine the nature and extent of the vulnerabilities of, and to devise techniques for the cost effective security and privacy of sensitive information in Federal computer systems; and
"(6) to coordinate closely with other agencies and offices (including, but not limited to, the Departments of Defense and Energy, the National Security Agency, the General Accounting Office, the Office of Technology Assessment, and the Office of Management and Budget)-
"(A) to assure maximum use of all existing and planned programs, materials, studies, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and
"(B) to assure, to the maximum extent feasible, that standards developed pursuant to subsection (a) (3) and (5) are consistent and compatible with standards and procedures developed for the protection of information in Federal computer systems which is authorized under criteria established by Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.
"(c) As used in this section and section 19, the terms 'computer system', 'Federal computer system', 'operator of a Federal computer system', and 'sensitive information' have the meanings given in section 7 of the Computer Security Act of 1986.
"SEC. 19. (a) There is hereby established a Computer System Security and Privacy Advisory Board within the Department of Commerce. The Secretary of Commerce shall appoint the chairman of the Board. The Board shall be composed of twelve additional members appointed by the Secretary of Commerce as follows:
"(1) four members from outside the Federal Government who are eminent in the computer or telecommunications industry, at least one of whom is representative of small or medium sized companies in such industry;
"(2) four members from outside the Federal Government who are eminent in the fields of computer or telecommunications technology, or related disciplines, but who are not employed by or representative of a producer of computer or telecommunications equipment; and
"(3) four members from the Federal Government who have computer systems management experience, including experience in computer systems security and privacy, at least one of whom shall be from the National Security Agency.
"(b) The duties of the Board shall be-
"(1) to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy;
"(2) to advise the Bureau of Standards and the Secretary of Commerce on security and privacy issues pertaining to Federal computer systems; and
"(3) to report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate committees of the Congress.
"(c) The term of office of each member of the Board shall be four years, except that-
"(1) of the initial members, three shall be appointed for terms of one year, three shall be appointed for terms of two years, three shall be appointed for terms of three years, and three shall be appointed for terms of four years; and
"(2) any member appointed to fill a vacancy in the Board shall serve for the remainder of the term for which his predecessor was appointed.
"(d) The Board shall not act in the absence of a quorum, which shall consist of seven members.
"(e) Members of the Board, other than full-time employees of the Federal Government, while attending meetings of such committees or while otherwise performing duties at the request of the Board Chairman while away from their homes or a regular place of business, may be allowed travel expenses in accordance with subchapter I of chapter 57 of title 5, United States Code.
"(f) To provide the staff services necessary to assist the Board in carrying out its functions, the Board may utilize personnel from the National Bureau of Standards or any other agency of the Federal Government with the consent of the head of the agency."; and
(3) by adding at the end thereof the following new section:
"SEC. 21. This Act may be cited as the National Bureau of Standards Act.".

SEC. 4. AMENDMENT TO BROOKS ACT.
(a) AMENDMENT.-Section 111(f) of the Federal Property and Administrative Services Act of 1949 (40 U.S.C. 759(f)) is amended to read as follows:
"(f)(1) The Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Bureau of Standards pursuant to section 18(a) (2) and (3) of the National Bureau of Standards Act, promulgate standards and guidelines pertaining to Federal computer systems, making such standards compulsory and binding to the extent to which the Secretary determines necessary to improve the efficiency of operation or security and privacy of Federal computer systems.
"(2) The head of a Federal agency may employ standards for the cost effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce.
"(3) The standards determined to be compulsory and binding may be waived by the Secretary of Commerce in writing upon a determination that compliance would adversely affect the accomplishment of the mission of an operator of a Federal computer system, or cause a major adverse financial impact on the operator which is not offset by government-wide savings. The Secretary may delegate to the head of one or more Federal agencies authority to waive such standards to the extent to which the Secretary determines such action to be necessary and desirable to allow for timely and effective implementation of Federal computer systems standards. The head of such agency may redelegate such authority only to a senior official designated pursuant to section 3506(b) of title 44, United States Code. Notice of each such waiver and delegation shall be promptly transmitted to the Committee on Government Operations of the House of Representatives and the Committee on Governmental Affairs of the Senate.
"(4) The Administrator shall ensure that such standards and guidelines are implemented within an integrated information resources management system (as required by chapter 35 of title 44, United States Code) by-
"(A) developing and implementing policies on Federal computer systems; and
"(B) revising the Federal information resources management regulations (41 CFR ch. 201) to implement such standards, guidelines, and policies.
"(5) As used in this section, the terms 'computer system', 'operator of a Federal computer system', and 'Federal computer system' have the meanings given in section 7 of the Computer Security Act of 1986.".
(b) TECHNICAL AND CONFORMING AMENDMENTS.-Section 111 of such Act is further amended-
(1) by striking out "automatic data processing equipment" and "automatic data processing systems" each place they appear and inserting in lieu thereof "computer systems"; and
(2) by striking out "Automatic data processing equipment" and inserting in lieu thereof "Computer systems".

SEC. 5. TRAINING BY OPERATORS OF FEDERAL COMPUTER SYSTEMS.

(a) IN GENERAL.-Each operator of a Federal computer system that contains sensitive information shall provide mandatory periodic training in computer security awareness and accepted computer security practice. Such training shall be provided under the guidelines developed pursuant to section 18(a)(5) of the National Bureau of Standards Act (as added by section 3 of this Act), and in accordance with the regulations issued under subsection (c) of this section, for all employees who are involved with the management, use, or operation of computer systems.
(b) TRAINING OBJECTIVES.-Training under this section shall be started within 60 days after the issuance of the regulations described in subsection (c).
Such training shall be designed-
(1) to enhance employees' awareness of the threats to and vulnerability of computer systems; and
(2) to encourage the use of improved computer security practices.
(c) REGULATIONS.-Within six months after the date of the enactment of this Act, the Director of the Office of Personnel Management shall issue regulations prescribing the procedures and scope of the training to be provided under subsection (a) and the manner in which such training is to be carried out.

SEC. 6. ADDITIONAL RESPONSIBILITIES FOR OPERATORS OF FEDERAL COMPUTER SYSTEM FOR COMPUTER SYSTEMS SECURITY AND PRIVACY.

(a) IDENTIFICATION OF SYSTEMS THAT CONTAIN SENSITIVE INFORMATION.-Within 6 months after the date of enactment of this Act, each operator of a Federal computer system shall identify each computer system, and system under development, of that operator which contains sensitive information. In the case of a Federal contractor or other organization (operating a Federal computer system), such identification shall be reviewed and approved by its supervising Federal agency.
(b) SECURITY PLAN.-Within one year after the date of enactment of this Act, each such operator shall, consistent with the standards, guidelines, policies, and regulations prescribed pursuant to section 111(f) of the Federal Property and Administrative Services Act of 1949, establish a plan for the security and privacy of the computer systems identified pursuant to subsection (a). Copies of such plan shall be transmitted to the National Bureau of Standards and the National Security Agency for advice and comment. In the case of a Federal contractor or other organization (operating a Federal computer system), such plan shall be transmitted through its supervising Federal agency. Such plan shall be subject to disapproval by the Director of the Office of Management and Budget.

SEC. 7. DEFINITIONS.

As used in this Act, sections 18 and 19 of the National Bureau of Standards Act, and section 111 of the Federal Property and Administrative Services Act of 1949-
(1) the term "computer system" means any equipment or interconnected collection of equipment, including-
(A) ancillary equipment;
(B) software and other procedures;
(C) services; and
(D) other resources,
that are used in the automatic acquisition, storage, manipulation, or display, or in any associated electromagnetic transmission and reception, of information;
(2) the term "Federal computer system" means a computer system operated by a Federal agency (as that term is defined in section 3(b) of the Federal Property and Administrative Services Act of 1949) or by a contractor of a Federal agency or other organization that processes information using a computer system on behalf of the Federal Government to accomplish a Federal Government function;
(3) the term "operator of a Federal computer system" means a Federal agency (as that term is defined in section 3(b) of the Federal Property and Administrative Services Act of 1949), contractor of a Federal agency, or other organization that processes information using a computer system on behalf of the Federal Government to accomplish a Federal Government function;
(4) the term "sensitive information" means any information, the loss, misuse, or unauthorized access or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552 of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

SEC. 8. AUTHORIZATION OF APPROPRIATIONS.

There are authorized to be appropriated to each Federal agency such sums as may be necessary for fiscal years 1987, 1988, and 1989 to carry out the computer systems security training program established by section 5 of this Act and the identification and planning requirements of section 6.

Amend the title so as to read:

A bill to amend the Act establishing the National Bureau of Standards to provide for a computer standards program within such Bureau, to provide for government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems.

I. Background
II. Issues raised during the hearings
III. Need for legislation
IV. Explanation of the bill
V. Sectional analysis
VI. Effect of legislation on inflation
VII. Oversight findings and recommendations, Committee on Science and Technology
VIII. Oversight findings and recommendations, Committee on Government Operations
IX. Budget analysis and projection
X. Congressional Budget Office cost estimate
XI. Changes in existing law
XII. Committee recommendation
XIII. Additional views
XIV. Dissenting views

I. BACKGROUND

Computers and information systems have so permeated today's society that there is virtually no sector which does not rely heavily on their use. This includes the Federal Government, which currently has over 17,000 medium- and large-scale computers and will have almost 500,000 microcomputers by 1990, according to a recent annual report by the General Services Administration, entitled "ADP Management of Information Systems," 1985.

The Federal Government is the largest single user of computers in the world. Its investment in automated systems technology is so large that about 1.6 percent of the 1986 budget will be spent on automated data processing (ADP) equipment and services, or more than 15 billion dollars. This budget includes ADP for defense and national security, education, national energy programs, social welfare, and tax programs (to name just a few). As the role of the Federal Government has become broader, the need to automate and the corresponding need to secure data also has grown.

In recent years, Congress and the executive agencies have directed their attention to Federal computer systems in a number of areas, including investigating and commenting on their integrity and security.
Both Section 111(f) of the Federal Property and Administrative Services Act of 1949 (the Brooks Act of 1965) and the Paperwork Reduction Act of 1980 represented attempts by Congress to address the issues of automating information in Federal agencies and creating an efficient method of storing and disseminating this information. In October 1984, Congress passed the first Federal computer crime legislation. This law, the Counterfeit Access Device and Computer Fraud Act of 1984 (P.L. 98-473), prohibits unauthorized access into a Federal computer system to modify, destroy, or disclose information; unauthorized access to information to obtain financial or credit information protected by Federal financial privacy laws; and unauthorized access to obtain classified military intelligence information.

Within the Federal Government several agencies have been charged with the responsibility for establishing computer security controls and standards. The Office of Management and Budget (OMB) has overall responsibility for computer security policy. The General Services Administration (GSA) also issues regulations for physical security of computer facilities, and ensures that security hardware and software meet certain technological and fiscal specifications. In defense and national security, the National Security Agency (NSA) has traditionally been responsible for the security of classified information, including that processed by and stored within computers. Recently, NSA has been given the responsibility to establish and maintain technical standards for secure, or "trusted," computers. NSA does this through its administration of the Department of Defense (DOD) National Computer Security Center. NSA also will work with industries at the DOD Computer Security Center to develop security standards for private sector use.

At the Department of Commerce, the National Bureau of Standards' (NBS') Institute of Computer Science and Technology (ICST) has developed computer and processing standards, such as the Data Encryption Standard (DES), which protects data transferred between automated information systems. The Federal Information Processing Standards (FIPS) developed by the ICST provide specific codes, language, procedures, and techniques for Federal and private sector information systems managers. Also at the Department of Commerce, the National Telecommunications and Information Administration (NTIA) has the responsibility for analyzing, developing, implementing and applying executive branch policy for telecommunications in the Federal Government.

This mixture of laws, regulations, and responsible agencies has raised concern that Federal computer security policy is lacking direction and forcefulness in some areas, yet has created overlapping and duplication of effort in other areas. Recently, Federal regulations and directives have been issued and congressional legislation has been introduced to address the lack of coordination of Federal ADP systems.

On March 15, 1985, OMB issued a draft circular intended "to provide a general framework of management of information resources." This circular combined and updated operative OMB circulars, including OMB Circular A-71 (originally issued in July 1978). A version of the draft circular was then included in a final OMB circular, A-130 (issued on December 12, 1985), in which Appendix III addressed Federal government computer security issues. Appendix III of A-130 is a very broad policy directive, outlining both intraagency and interagency guidelines for computer security. Those responsible for implementation of this circular include the Department of Commerce, Department of Defense, General Services Administration, and the Office of Personnel Management, in addition to OMB.
On September 17, 1984, the executive branch issued National Security Decision Directive 145 (NSDD-145), "National Policy on Telecommunications and Automated Information Systems Security." This directive is aimed at safeguarding automated information systems with a special focus on protecting those Federal systems accessed via (and dependent on) network communications. NSDD-145 creates a National Telecommunications and Information Systems Security Committee (NTISSC), a panel of 22 voting representatives from 12 defense/intelligence agencies and 10 civilian agencies. An Assistant Secretary of Defense chairs NTISSC, and the Director of the National Security Agency acts as the National Manager for implementing policy under NSDD-145. The NTISSC is empowered to issue operating policies to assure the security of telecommunications and automated information systems that process and communicate both classified national security information and other sensitive government information.

On June 27, 1985, Representative Dan Glickman, then chairman of the Subcommittee on Transportation, Aviation, and Materials, House Committee on Science and Technology, introduced H.R. 2889, the Computer Security Research and Training Act of 1985. This legislation would establish the NBS as the focal point for developing training guidelines for Federal employees who are involved in the management, operation, and use of automated information processing systems. This legislation was based in part on hearings which the subcommittee conducted in 1983 and a 1984 subcommittee report which had recommended increased ADP training and awareness in Federal agencies.

II. ISSUES RAISED DURING THE HEARINGS

The Subcommittee on Transportation, Aviation and Materials held a series of hearings which addressed computer and communications privacy and security in the Federal Government on September 24, 1984, June 27, 1985, and October 29 and jointly with the Subcommittee on Science, Research, and Technology on October 30, 1985. These hearings touched upon three major issues: (1) the current state of computer privacy and security in the Federal Government; (2) the major impact of NSDD-145 and the role of the NSA in setting Federal civilian computer security; (3) the role of the Federal Government in adequately training Federal employees and heightening awareness of computer security.

FEDERAL COMPUTER CRIME AND SECURITY

There has been a heightened awareness both inside and outside the Federal Government that current computer security measures are inadequate. This is an issue which has been discussed in congressional hearings since the mid-1970s, but it is only recently that several studies have attempted to quantify the extent of damage caused by computer fraud and abuse, as well as the demonstrated lack of computer preparedness and systems integrity in Federal ADP systems.

During the September 24, 1984 hearings, John Tompkins, chairman of the Task Force on Computer Crime of the American Bar Association (ABA), commented on a survey conducted by the ABA on the state of computer crime in government and the private sector. The ABA report was one of the first extensive studies done on the number of "known and verifiable losses" which have resulted from computer crimes, and the results of the survey included responses from 13 Federal agencies and 28 State and local agencies.
Although the results of the survey indicated a wide range of losses by respondents, several consistent factors emerged: that "insiders" having access to computer systems are the more likely perpetrators of fraud and abuse; that there is a proliferation of computers in government; that such security systems as currently exist do not facilitate detection of computer crimes; that security systems themselves often are vulnerable and inadequate; and that a lack of awareness and concern by the public, as well as computer systems managers, is contributing to these problems. Mr. Tompkins noted that, although the ABA did not state any formal recommendations, the conclusions reached by the respondents to the ABA survey indicated: the need for Federal computer crime legislation; the need to adequately train and supervise personnel in data processing; and the large overall cost and expense of computer fraud and abuse.

Richard Kusserow, Inspector General for the Department of Health and Human Services, also testified on the nature of fraud and abuse in Federal computer systems. As Inspector General for the largest Federal civil agency, Mr. Kusserow's office has been involved with auditing computer systems, reducing costs, and insuring the integrity of HHS ADP systems. As Mr. Kusserow stated at the September 24 hearings:

We must ensure that agency managers in overseeing programs that use computerized systems, do audit the systems, do look and make sure that the controls are functioning, and that we in the inspector general community, using our auditors and investigators, follow up to make sure it's being done. I think that in all of these areas it has not been done nearly enough.

Also, as chairman of the President's Council on Integrity and Efficiency investigating computer crime in the Federal Government, Mr. Kusserow testified on September 24, 1984, and again on October 29, 1985, on a study he directed which examined computer-related fraud and abuse in general, and a subsequent study in which the Inspector General's office interviewed those who had been convicted of Federal computer fraud and abuse. The results of these studies are consistent with the findings of the ABA study: that Federal computer fraud and abuse is often committed by insiders within the Federal agency; that training for computer security and awareness of vulnerabilities in computer systems were lacking; and that internal controls for computer security need to be increased. The profile of Federal computer criminals shows that they are young, considered good employees, and often use co-conspirators, and that many who commit these crimes never think about the consequences of being caught, or if they consider the consequences, assess the risk of being caught as minimal. As Mr. Kusserow stated in the October 29 hearing:

One of the most disturbing findings from this study is that the work environment provided the perpetrators with the opportunity to commit their crime. We asked the perpetrators about computer security where they had committed their crime . . . Virtually all of them had been aware of security efforts but most said they had been weak. So, they made the judgment that, although there may have been security efforts in their agencies, they were weak and could not be counted upon to act as a deterrence for them to committing the crime.

The General Accounting Office also testified during the hearings on June 27, 1985, and October 29 and 30, 1985. GAO has conducted several studies on computer crime and security in the Federal Government, including a 1985 survey of 25 computer systems in 17 Federal civil agencies, to evaluate the state of computer security and integrity of these systems.
This survey was conducted by GAO using two questionnaires and subsequent interviews, promising anonymity to the agencies so the systems could not be compromised after public disclosure. GAO indicated that:

Generally, the results of our survey showed that each of the systems is vulnerable to abuse, destruction, error, fraud, and waste. Specifically we found that: key management responsibilities were missing. For example, many agencies do not use a risk management approach as part of implementing a security program; and actual safeguards needed to protect systems from potential threats were not always in place. For example, computerized techniques, such as passwords, allowing access to systems were not periodically changed.

GAO categorized Federal computer security methods into management and three basic safeguard components: physical, technical, and administrative. No agency met all of the management responsibilities outlined in the questionnaire, and only five of the 25 systems evaluated contained an element of physical, technical and administrative control. Only two of the systems provide what GAO described as adequate training for computer employees. GAO further characterized the systems as very vulnerable, and given the minimal oversight and coordination between agencies, GAO found that there is a lack of a balanced approach to security of Federal computer systems. The testimony by the ABA, the Inspector General's office of HHS, and GAO clearly indicated that Federal systems are in danger because of improper use and negligence.
Other witnesses from both the public and private sector testified during the hearings that they also found that computer security in general, and Federal computer security specifically, remains vulnerable and open to fraud and abuse, despite stated efforts by representatives of the Federal agencies to remedy this problem.

With the introduction of NSDD-145, the prominent role of the NSA in establishing Federal computer security in civil agencies became a subject of debate among computer security experts. The Subcommittee on Transportation, Aviation, and Materials devoted an entire day of hearings to this subject on June 27, 1985, and the role of NSA under NSDD-145 was a topic mentioned during the hearings on October 29 and 30, 1985. Donald Latham, Chairman of the National Telecommunications and Information Systems Security Committee (NTISSC), Walter Deeley, Deputy Director for Communications Security, NSA, and Robert Brotzman, Director, DOD National Computer Security Center, testified on why NSDD-145 was necessary to coordinate Federal computer security. Citing a lack of overall coordination among Federal agencies, the high risk of compromising, losing or destroying Federal agency data, and the overall vulnerability of Federal computer security systems, they emphasized that the NSA had the experience and expertise to administer Federal computer security programs. As Mr. Latham stated:

We have provided cryptographic devices for protection of classified data, as Mr. Deeley will explain further. While we have done a reasonable job in some areas, there are still many areas that are left uncovered and there is more emphasis needed here. We have put in controls for tighter access to unclassified data through network access controls and things like this, so that the so-called hackers can't go in and just play havoc with our data.
We are fostering very much a security awareness program. We are instituting training programs at the national level as well as the local level, I'll say, within service schools and across the various agencies. And we are looking at more rigorous ways of clearing people who have access to computer systems and telecommunications network security devices.

Other witnesses appearing before the subcommittee expressed concerns that NSDD-145 would hamper efforts to adequately administer Federal computer security. One area of concern is that NSDD-145 will create conflict with other Federal security regulations, notably Transmittal Memorandum 1 to OMB Circular A-71 (which has since been embodied in OMB Circular A-130, published December 12, 1985). Although both NSDD-145 and the OMB circular are broadly constructed, the emphasis in the OMB circular for planning and implementing Federal computer security rests with civil agencies, primarily with OMB and the Department of Commerce. In NSDD-145, the Director of NSA and the Secretary of Defense have primary roles. NSDD-145 does incorporate many of the lead Federal agencies on its NTISSC panel; but not all agencies are included. When Warren Reed, Director, Information Management and Technology Division, General Accounting Office, testified on the GAO survey on Federal computer security, he stated that the issuance of NSDD-145 might create confusion among the Federal agencies over which agency has jurisdiction over security functions. Mr. Reed stated that this could be a large or small problem, and may interfere with other Federal statutes and regulations which have given this jurisdiction to NBS.
Raymond Wyrsch, Senior Attorney, Office of General Counsel at GAO, stated:

* * * we do have laws on the books, the Brooks Act and the Paperwork Reduction Act, and there are very distinct responsibilities that have been placed on these agencies, namely OMB has been given the general oversight authority, if you will to set government policy. * * * And I don't know if anyone is really in the position to say with any degree of conclusiveness now, on what are the other agencies supposed to do if you have inconsistent or conflicting guidance that may be issued. There have been various pronouncements that have been made by the Secretary of Commerce over the years dealing with ADP standards.

Another issue regarding NSDD-145 is that of the military setting ADP security priorities for civil agencies. NTISSC has established three levels of classifying information: classified, unclassified, and unclassified but sensitive. What information NTISSC will choose to label "unclassified but sensitive" in Federal civilian agencies is unknown. Representative Jack Brooks, Chairman of the Subcommittee on Legislation and National Security of the House Government Operations Committee, and author of the Brooks Act, highlighted these concerns during his testimony on NSDD-145: "NSA has a propensity and a tendency to classify everything." GAO witnesses also expressed concern that a lack of definition of "unclassified information considered sensitive" in civil agencies may be interpreted either broadly or narrowly, significantly affecting how agencies store and disseminate information contained in computer and telecommunications systems. However, Lt. Gen. Odom, Director of NSA, has stated in a letter to Chairman Fuqua on February 25, 1986: ". . . the Systems Steering Group, the senior governmental body created by NSDD-145 for information security matters, has concluded that each government department or agency must make its own determination as to what constitutes sensitive information to that department or agency mission or operation."

Other witnesses, including representatives from the American Civil Liberties Union and the Institute of Electrical and Electronics Engineers, expressed similar concerns over the "unclassified but sensitive" categorization of computerized data and how that will affect citizens' access to public information or freedom to exchange scientific information.

There has been some controversy over the review process for NSDD-145. Expressing concern that issuing National Security Decision Directive 145 effectively circumvents the review process that OMB Circular A-71 went through, Subcommittee Chairman Glickman noted during testimony given on June 27, that a document which ordinarily might be called a regulation, if labeled a national security directive, may avoid the Administrative Procedures Act, all public notification requirements, and Congressional oversight. Also, Mr. Richard P. Kusserow, Inspector General of HHS, stated at the October 29 hearing that "I haven't seen it, and I have not had any input in the process". Still the review process spanned nearly a year and Dr. Robert E. Conley, who was chairman of the Subgroup on Telecommunications Security created under NSDD-145 while he was with the Treasury Department, said at the same hearing that "we invited all of the government agencies to attend the meetings". Thus, although there is no question that Federal computer security is a vital national issue, use of NSDD-145 as an instrument for setting policy, without legislative or agency debate and review, has raised concerns in the Congress.
Although NSA has a fine track record as the lead technical agency for securing ADP systems containing national security data, it is not clear that it is the appropriate lead agency for directing civil agency computer security. Questions still remain about whether NSDD-145 will create confusion with existing Federal statutes and regulations; what the definition of "unclassified but sensitive" will mean; and whether there should be public debate and review of NSDD-145 before Congress and the Federal agencies.

TRAINING FOR FEDERAL COMPUTER SYSTEMS USERS

Testimony also described the need for greater computer security training of personnel in the Federal Government. GAO, ABA, the Inspector General of HHS, and others commented on the current state of Federal computer training and security awareness during the course of the subcommittee's hearings. Witnesses on the last day of testimony before the subcommittee on October 30, 1985, dealt directly with H.R. 2889.

H.R. 2889, as introduced by Representative Dan Glickman, would establish a focus within the Federal Government at the National Bureau of Standards for computer security research, and development of computer security training guidelines. This is to ensure that agencies would better train personnel in the vulnerabilities of computer and communication systems. The bill requires that each Federal agency provide such training on a periodic basis. The training would encompass all levels of personnel involved in the management, operation, and use of automated information processing systems. There is little argument that such training is needed or that, in some areas, much is needed to supplement existing training procedures.
Most of the witnesses testifying on the current state of Federal computer security commented that computer security training in the Federal Government is either inadequate or non-existent and that such training is necessary. William Franklin, Associate Director, Information Management and Technology Division, GAO, stated on October 30:

There can be little question that extensive and continuing security research and training are essential if we are to gain reasonable assurance that our computerized information is properly safeguarded in storage, processing and transmission.

However, there was concern that the creation of a new structure within the Federal Government might add unnecessarily to its overall cost and bureaucracy. Several witnesses stated that existing Federal computer training facilities, such as those at NSA, should be used to train Federal employees. Robert Brotzman, Assistant Director for Computer Security at the National Computer Security Center at NSA, described the security program at the Computer Security Center. This program assists civilian and military agencies, as well as outside contractors with sensitive data, to develop secure information and communication systems. As Mr. Brotzman stated:

The knowledge base that we have now will support an effective training program, and it will support the substantial improvement in the security of computer systems operated by and for the United States Government.

Mr. Brotzman also stated that, as introduced, H.R. 2889 might cause duplication and overlapping of effort within Federal agencies and interfere with programs already supported by NTISSC under NSDD-145.

James Burrows, Director, Institute for Computer Sciences and Technology (ICST), of the NBS, spoke on the computer training and security programs at the ICST.
As part of its mandate to develop computer security standards and guidelines, the ICST assists Federal agencies in developing computer security programs. This includes both software and hardware development, system interfaces, personal identification and authentication of users. The Department of Commerce opposed the structure of H.R. 2889 because of its interpretation that the Brooks Act and other legislation makes a Federal computer training and awareness mandate for NBS unnecessary. However, Mr. Burrows did state that NSDD-145 could be "slightly confusing in who has control" of overall Federal security management among the agencies. Mr. Burrows also stated that, to date, NSDD-145 has had little adverse effect on NBS' activities in computer security and training.

Terry Culler, Associate Director, Office of Personnel Management (OPM), also spoke on H.R. 2889, stating that OPM already has the legislative authority to provide other Federal agencies with guidance on information and communication systems security training. Mr. Culler did not feel the need for the additional regulatory action, which H.R. 2889 would mandate by requiring that OPM coordinate Federal computer training. OPM currently contributes to Federal agency computer training, if the agency requests training for its employees.

Several of the witnesses did speak in favor of Federal computer training legislation, although they also suggested changes in the language and intent of H.R. 2889. Donn Parker, a computer crime and security expert at SRI International, also spoke on October 30 on computer security in general, while testifying on H.R. 2889. Mr. Parker made several observations: that it is the information, not the technology, which needs security; that information must be considered secure before it goes into the computer; that technology controls to date are adequate, and it is the management of "human controls" which needs improvement; that most information systems employees consider security a detriment to productivity; therefore, that measures must be taken to incorporate computer security into personnel performance evaluations; that each individual must be held accountable for taking security precautions, to ensure that these measures are taken; that advisory and counseling provisions within an organization can short-circuit the stresses and problems which may drive someone to commit a computer crime; that all information systems workers, not just computer programmers, should be trained in securing systems; and that training should be broadened to include a wider range of potential vulnerabilities, including the full civil, military, and private sector perspectives of computer training and awareness.

William Franklin of GAO also addressed H.R. 2889:

We endorse the bill's purpose in requiring the National Bureau of Standards to establish and conduct a computer security research program in the Federal Government and the requirement that each Federal agency provide mandatory periodic training in computer security.

GAO testimony also raised the basic question of the appropriateness of a Department of Defense agency taking the lead in training civilian employees and classifying non-military, non-national security computer data. GAO supported H.R. 2889 because of the evaluation by GAO staff that H.R. 2889 clarifies the authority of NBS and its relationship to other agencies in setting training standards and computer security awareness.
GAO staff expressed the opinion that such a clarification might encourage greater cooperation between NBS and NSA.

III. NEED FOR LEGISLATION

There are several key principles the Committee seeks to emphasize by this legislation:

1. Computer crime in the Federal Government appears to be much more pervasive and serious an issue than previously assumed. Descriptions of computer criminals as "insiders" by ABA, GAO, the Inspector General of HHS, and others may imply that many Federal computer users represent potential risks of fraud and abuse.

2. Security measures in a number of agencies are very vulnerable to abuse and fraud. Only five of 25 Federal computer systems surveyed by GAO contained minimum safeguards, and only two of 25 systems offered formal training sessions for computer users.

3. There is a need for coordinated guidance for security of sensitive information in computers. NSDD-145 further complicates a situation which already is unclear. NSDD-145 may create confusion among many Federal agencies which currently follow existing laws and regulations, such as the Brooks Act, the Paperwork Reduction Act, and the OMB circular, to set guidelines and standards for computer security.

4. NSDD-145 can be interpreted to give the national security community too great a role in setting computer security standards for civil agencies. A civilian authority is needed to develop standards relating to sensitive, but unclassified data.

5. Training of Federal personnel in ADP security is a critical issue to ensure security in Federal agencies. Yet many Federal agencies do not take advantage of available training to remedy this problem. A stronger, more active computer training and awareness program is needed to address this issue in the civil agencies of the Federal Government.

6. Greater emphasis should be given to cooperation between the military and civil agencies as well as the private sector in setting computer security and training goals.
This can be accomplished by fostering greater communication and cooperation between the NBS and NSA in setting overall Federal computer policy.

IV. EXPLANATION OF THE BILL

PURPOSE

The purpose of H.R. 2889, the Computer Security Act of 1986, as amended, is to improve the security and privacy of sensitive information in federal computer systems. It achieves this purpose through improved training, aimed at raising the awareness of federal workers about computer system security, by establishing a focal point within the government for developing computer system security standards and guidelines to protect sensitive information, and by requiring agencies to establish computer system security plans.

To explain what these mean, it is first necessary to examine several underlying concepts that define and scope the boundaries of the bill's coverage. First, the primary objective of the bill is controlling unauthorized use of the information in federal computer systems, rather than merely protecting the computer systems themselves. Although computer hardware and software have real value and certainly must be safeguarded, it is the data stored, manipulated, displayed and transmitted by computer systems that represent the greatest vulnerability. Nevertheless, computer systems are the instrumentality through which security measures are usually applied. Therefore, the bill makes distinctions both about which computer systems are included as well as about what kinds of information are subject to the bill's provisions.

Second, the term "computer system," as used throughout the bill, is defined broadly to include traditional computer hardware and software, and related services and other resources used in the automatic acquisition, storage, manipulation or display of information.
It also includes any of the above items used in the associated electromagnetic transmission and reception of information. The word "procedures" as used in the definition is intended to include procedures for humans using the computer system. The term "federal computer system" is used to delineate the reach of the bill to include federal agencies, contractors of federal agencies and other organizations that process information using a computer system on behalf of the Federal Government to accomplish a Federal Government function. The term "operator of a federal computer system" denotes an agency or institution that owns or otherwise possesses a federal computer system, rather than an individual who physically operates the machine. Included in this definition, for example, would be state agencies that disburse federal funds or act in some other way as an extension of the federal government. The term "sensitive information" is used to limit the kinds of information which are covered by the bill. Sensitive information is defined as unclassified information which, if lost, misused, accessed or modified in an unauthorized way, could adversely affect the national interest, the conduct of federal programs or the privacy of individuals. Examples include information which if modified, destroyed or disclosed in an unauthorized manner could cause:

Loss of life;
Loss of property or funds by unlawful means;
Violation of personal privacy or civil rights;
Gaining of an unfair commercial advantage;
Loss of advanced technology, useful to a competitor; or
Disclosure of proprietary information entrusted to the government.

The definition of sensitive information allows the possibility that some unclassified information may not be sensitive.
Each operator of a federal computer system must make a determination (as described later) as to which unclassified information in its possession is sensitive. Sensitive information does not include nor does the bill apply to classified information for which extensive standards-setting authority already exists. These mechanisms are unaffected by H.R. 2889.

ADDITIONS TO NBS ORGANIC ACT

H.R. 2889 amends the Act of March 3, 1901, creating the National Bureau of Standards, to add the study of computers to the list of authorized activities of the agency. The reason for this language is to provide specific authorization for activities that are widely acknowledged as necessary in the computer age, but which are conducted currently under general authorities contained in the Act. It is intended to authorize NBS to study the means of automatic computation (computer science) independent of the technology involved. The new language is occasioned by an opportunity for legislative update, rather than being related directly to the primary purpose of the bill, computer security.

The bill also adds three new sections. Section 18 provides a hierarchical enumeration of NBS' responsibilities. At the top of the hierarchy is the mission of developing standards, and associated methods and techniques for computer systems generally. An example would be the "Open Systems Interconnection" (OSI) standards for computer networking, which the Bureau develops technically (with extensive private sector input) and presents to the American National Standards Institute, and through it to the International Standards Organization, for adoption. This statement of responsibility is intended to conform Section 18 with the above addition to the list of authorized activities.
At the next hierarchical level, NBS is responsible for developing uniform standards and guidelines, in all areas other than security, for federal computer systems. As before, this delineation of responsibility is intended to conform Section 18 and to provide specific authority for activities that are currently carried out under general provisions of the Organic Act. The product of this effort is the Federal Information Processing Standards (FIPS) which are used government-wide.

In current practice, some computer standards developed by NBS become compulsory under authority of OMB pursuant to the Brooks Act and the Paperwork Reduction Act. The process outlined in H.R. 2889, which includes standards development by NBS and subsequent promulgation by the Secretary of Commerce under redrafted authority in the Brooks Act (to be described later), is essentially the same as current practice, but is spelled out more explicitly.

Systems involving intelligence activities, cryptologic activities related to national security, direct command and control of military forces, equipment that is integral to a weapons system or direct fulfillment of military or intelligence missions (except routine administrative and business functions) are exempted from this provision. Such systems are highly specialized in their functions and have been traditionally exempted from government-wide standards and regulations applying to general purpose computer systems. Therefore, the boundary of NBS' responsibility for non-security standards is drawn so as to exclude such defense-related, special-purpose systems.

The third hierarchical level spells out explicitly, and thereby gives special emphasis to, responsibility for standards and guidelines in the computer security arena.
It assigns to NBS responsibility within the federal government for developing technical, management, physical and administrative standards and guidelines designed to achieve, in a cost-effective way, the security and privacy of sensitive information in federal computer systems. The purpose of the standards and guidelines is to control loss and unauthorized modification or disclosure of sensitive information and to prevent computer-related fraud and abuse.

Certain computer systems are exempted from this provision, regardless of the kind of information they contain. There are two categories of such exempted systems. The first is the same list of defense and intelligence-related systems that were exempted in the previous subsection, dealing with non-security standards. The second category includes systems that are operated at all times under rules designed to protect classified information. The chief effect of this exemption is to exclude classified systems from coverage by this subsection of the bill. Also exempted are mixed systems (those systems containing classified information at certain times and unclassified information at other times), provided such systems are operated at all times under the rules for protecting classified information. The purpose of this exemption is to avoid imposition of a second, less stringent set of security standards (the NBS standards) for the unclassified operations of a mixed system. Further relief for mixed systems is provided in the amendment to the Brooks Act, allowing system operators to employ standards, other than the NBS standards, if such standards are more stringent. For example, an operator of a mixed system might use a subset of the classified rules for his unclassified operations, if the subset were more stringent than the NBS standards.
The main reason for the assignment of responsibility to NBS for developing federal computer system security standards and guidelines derives from the Committee's concern about the implementation of National Security Decision Directive 145. As indicated previously, this directive established an interagency committee, the National Telecommunications and Information Systems Security Committee (NTISSC). The function of the NTISSC is to devise operating policies needed to assure the security of telecommunications and automated information systems that process and communicate both classified national security information and other sensitive government national security information. Policies developed by NTISSC would apply government-wide.

While supporting the need for a focal point to deal with the government computer security problem, the Committee is concerned about the composition of NTISSC, which favors military and intelligence agencies. It is also concerned about how broadly NTISSC might interpret its authority over "other sensitive national security information". For this reason, H.R. 2889 creates a civilian counterpart, within NBS, for setting policy with regard to unclassified information. In so doing, the bill has the additional effect of specifically limiting the purview of the NTISSC to systems containing classified information and cancelling the authority contained in NSDD-145 for systems containing unclassified information. NBS is required to work closely with other agencies and institutions, such as NTISSC, both to avoid duplication and to assure that its standards and guidelines are consistent and compatible with standards and guidelines developed for classified systems; but the final authority for developing the standards and guidelines rests with NBS.
Note that the previous subsection dealt with developing non-security standards and guidelines, most of which affect hardware and software performance and interfaces. Accordingly, the bill's jurisdiction in that area is defined by the universe of federal computer systems, as limited by certain exceptions. In this subsection, the bill deals with security standards and guidelines, which apply more properly to protecting information. Therefore, the bill addresses unclassified (but sensitive) information in federal computer systems, but with certain systems exempted.

The method for promulgating federal computer system security standards and guidelines is the same as for non-security standards and guidelines. NBS submits them to the Secretary of Commerce along with recommendations regarding the extent to which they should be made compulsory and binding. The Secretary of Commerce, under redrafted authority in the Brooks Act (to be explained later), then promulgates standards and guidelines, making those standards compulsory and binding that he determines are necessary to improve the efficiency of operation or security and privacy of federal computer systems.

An additional responsibility of NBS is to devise guidelines for use by operators of federal computer systems containing sensitive information for their use in training their employees in security awareness and good security practice. Periodic training of this kind is required by Section 5 of H.R. 2889 to be conducted by all operators of federal computer systems that contain sensitive information.

Also, as part of its responsibility for developing computer standards and guidelines, NBS is required to devise validation procedures to evaluate the effectiveness of the standards and guidelines. This is not an enforcement or compliance determining function. Rather, it provides the ability for operators to determine if the standards and guidelines are achieving their desired purpose.
NBS is to maintain liaison (as it now does) with users of the standards, to assure their workability. Finally, in fulfilling these responsibilities, NBS is authorized to give technical assistance to the General Services Administration, the Office of Personnel Management, operators of federal computer systems and the private sector in implementing the standards and guidelines promulgated pursuant to the bill. Also, NBS is authorized to perform research and conduct studies to determine the nature and extent of the vulnerabilities of computer systems and to devise techniques to protect, in a cost effective way, the information contained in them, and to coordinate with other agencies (including NSA) which perform such research, to gain the benefits of their efforts.

A new Section 19 of the NBS Organic Act establishes a twelve-member Computer System Security and Privacy Advisory Board within the Department of Commerce. The chief purpose of the Board is to assure that NBS receives qualified input from those likely to be affected by its standards and guidelines, both in government and the private sector. Specifically, the duties of the Board are to identify emerging managerial, technical, administrative and physical safeguard issues relative to computer systems security and privacy and to advise the NBS and the Secretary of Commerce on security and privacy issues pertaining to federal computer systems.

Members of the Board are to be appointed by the Secretary of Commerce and are to come from both inside and outside the federal government and have qualifications as specified in the bill. Members will not be paid for their services, other than for reimbursement of travel expenses.
The Board may use personnel from NBS or other agencies of the federal government for the purpose of staff support, with the consent of the respective agency head. The Board may conduct business with as few as seven members present. Findings must be reported to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate Committees of Congress.

Section 21 is a housekeeping change. It adds a short title to the NBS Organic Act for ease of reference.

AMENDMENT TO THE BROOKS ACT

H.R. 2889 contains a redrafted version of section 111(f) of the Federal Property and Administrative Services Act of 1949. The chief purpose is to establish an orderly process for promulgating standards and guidelines pertaining to Federal computer systems. Specifically, the Secretary of Commerce is charged with issuing standards and guidelines based on the standards and guidelines developed by NBS, pursuant to two subsections in the amendment to the NBS Act. As explained, those subsections formalize NBS' responsibility for developing both non-security and security standards and guidelines. The Secretary is authorized to make certain standards compulsory and binding as needed to improve the efficiency of operation or security and privacy of federal computer systems.

As described earlier, the amendment contains relief from strict compliance with these standards, when agencies already employ standards that are more stringent. An example is the instance where the unclassified operations of a mixed system are conducted under a subset of the rules used during classified operations, provided the subset is tougher than the standards mandated by the Secretary.
Further relief is provided by language authorizing the Secretary of Commerce to waive the compulsory standards when compliance would adversely affect an operator's mission or cause major financial impact on the operator that is not offset by government-wide savings. The Secretary may delegate this authority to agency heads when necessary and desirable to achieve timely and effective implementation of measures to improve federal computer system security and privacy. Agency heads may redelegate this authority only to certain high-level officials, designated pursuant to the Paperwork Reduction Act for the purpose of carrying out the agencies' information management activities under that Act.

The need for delegation authority arises from Committee concerns about the administrative burden on NBS. Under normal procedures, the Secretary can be expected to rely on NBS for technical evaluation of any requests for waiver. The Committee expects NBS to devote the bulk of its energy to producing computer systems standards, rather than to such compliance determinations. Accordingly, the amendment to the Brooks Act allows the Secretary flexibility to delegate the waiver authority.

The amendment ties the process for developing and promulgating computer system standards to the requirement for an integrated information resources management system, as set forth in the Paperwork Reduction Act. To achieve this, the Administrator of General Services is charged with developing and implementing policies on federal computer systems and revising the federal information resources management regulations to reflect the standards and guidelines emanating from the Secretary of Commerce.
Finally, the amendment conforms those sections of the Brooks Act not changed by this bill by substituting the term "computer system", as defined in this bill, for the terms "automatic data processing equipment" and "automatic data processing systems" wherever they appear.

One of the fundamental purposes of H.R. 2889 is improved computer security awareness and use of accepted computer security practice by all persons involved in management, use, or operation of federal computer systems that contain sensitive information. As indicated, the Committee found in its hearings that training in these areas is a particular weakness at most agencies. A GAO study revealed, for example, that only two of twenty-five major federal computer systems surveyed had adequate training programs. For this reason, the bill contains a requirement that each operator of a Federal computer system that contains sensitive information provide periodic training for its employees. The objectives of the training are to enhance employees' awareness of the threats and vulnerabilities of computer systems and to encourage the use of improved security practices.

The process envisioned in the bill starts with NBS, which is responsible for developing training guidelines based on its research and study of vulnerabilities and countermeasures. Within six months of enactment and using these guidelines, the Office of Personnel Management must issue regulations covering such areas as training objectives for various categories of employee, general guidance concerning course content and frequency of training. Within sixty days after OPM issues regulations, each operator must begin training of its employees, tailored to emphasize its particular operating conditions and needs. Training can be accomplished in several ways, by using the services of providers such as OPM or private companies, or by using the agencies' internal training capabilities.
SECURITY PLANS

A key determination upon which many provisions of the bill depend is the identification of which Federal computer systems contain sensitive information. By definition, the search for such systems is restricted to systems containing unclassified information. Some, but possibly not all, of these systems will be determined to contain unclassified-sensitive information. The philosophy reflected in the bill is that each Federal agency is best equipped to make that determination relative to its own mission and circumstances. Therefore, the bill calls on each agency to make a determination for each computer system under its control, within six months of enactment. The determination should be based on the definition of "sensitive" contained in the bill and use the additional guidance in the section on purpose in this report. In the case of federal contractors and other organizations, determinations are to be reviewed and approved by their supervising federal agency.

Within one year of enactment, each operator must also establish a plan for the security and privacy of each computer system so identified by the operator. Plans are to be based on the standards and guidelines issued by the Secretary of Commerce pursuant to the Brooks Act, or any waivers received. This requirement applies only to those computer systems subject to provisions of that Act. The plans must be submitted to the National Bureau of Standards and the National Security Agency for advice and comment and to the Office of Management and Budget, which has the authority to disapprove the plan. In the case of plans established by federal contractors and other organizations, the plans are to be submitted through the supervising federal agency.
Implicit in the authority to disapprove security plans is responsibility for oversight of the identification process and compliance with the security plans as approved. Thus, OMB is the watchdog over the key implementation step in the bill.

AUTHORIZATION OF APPROPRIATIONS

The bill contains a "such sums as may be necessary" authorization for fiscal years 1987, 1988 and 1989 for each federal agency to carry out the training and planning requirements of the bill. Reauthorization will be required for subsequent years. Authorizations of appropriations needed to carry out the other provisions of the bill are implicit in the language establishing those provisions. The Congressional Budget Office has estimated this to be in the neighborhood of $20 million per year for the entire Federal government. In the case of NBS' responsibilities, explicit authorization was included in the Fiscal Year 1987 Authorization bill and must be reauthorized in future years. The CBO estimate is that $4-5 million may be required for NBS. The computer security program will, therefore, be extremely cost-effective, since testimony has indicated that losses to fraud and abuse are in excess of a billion dollars yearly.

V. SECTIONAL ANALYSIS-H.R. 2889

Section 1. Short Title.

Section 2. Purpose: Sets forth the Congressional declaration that improving the security and privacy of federal computer systems is in the public interest and states Congressional intent to institute a means for establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use.
The specific purposes of the Act are to assign the National Bureau of Standards responsibility for developing standards and guidelines for Federal computer systems, including standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems; to provide for promulgating such standards and guidelines through the Federal Property and Administrative Services Act of 1949; to require all operators of Federal computer systems that contain sensitive information to establish security plans; and to require mandatory periodic training for all persons involved in management, use or operation of Federal computer systems that contain sensitive information.

Section 3. Establishment of Computer Standards Program. Amends the Act of March 3, 1901 to add to the mission of the National Bureau of Standards the study of equipment, procedures and systems for automatic acquisition, storage, manipulation, display, and transmission of information, and its use to control machinery and processes.
Inserts a new Section 18(a) stating the National Bureau of Standards shall:
(1) have the mission of developing standards, guidelines, and associated methods and techniques for computer systems;
(2) develop uniform standards and guidelines for Federal computer systems, except those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code;
(3) have responsibility within the Federal Government for developing technical, management, physical and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems except:
  (A) those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code; and
  (B) those systems which are protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy;
(4) submit standards and guidelines developed pursuant to paragraphs (2) and (3) above, along with recommendations as to the extent to which these should be made compulsory and binding, to the Secretary of Commerce, for promulgation under section 111 of the Federal Property and Administrative Services Act of 1949;
(5) develop guidelines for use by operators of Federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice, as required by section 5 of the Computer Security Act of 1986; and
(6) develop validation procedures for, and evaluate the effectiveness of, standards and guidelines developed pursuant to paragraphs (1), (2), and (3) above through research and liaison with other government and private agencies.

Inserts a new Section 18(b) authorizing the National Bureau of Standards to:
(1) assist the private sector in using and applying the results of the programs and activities under this section;
(2) make recommendations to, assist and coordinate with other Federal agencies, as appropriate, in carrying out this Act;
(3) provide, as requested, technical assistance to operators of Federal computer systems in implementing the standards and guidelines promulgated pursuant to this Act; and
(4) perform research and to conduct studies, as needed, to determine the nature and extent of the vulnerabilities of, and to devise techniques for the cost effective security and privacy of sensitive information in Federal computer systems.

Inserts a new Section 19(a) establishing a Computer System Security and Privacy Advisory Board, with a chairman to be appointed by the Secretary of Commerce and twelve members as follows:
(1) four members from outside the Federal Government who are eminent in the computer or telecommunications industry, at least one of whom is representative of small or medium sized companies in such industry;
(2) four members from outside the Federal Government who are eminent in the fields of computer or telecommunications technology, or related disciplines, but who are not employed by or representative of a producer of computer or telecommunications equipment; and
(3) four members from the Federal Government who have computer systems management experience, including experience in computer systems security and privacy, at least one of whom shall be from the National Security Agency.
Inserts a new Section 19(b) stating that the duties of the Board shall be:
(1) to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy;
(2) to advise the Bureau of Standards and the Secretary of Commerce on security and privacy issues pertaining to Federal computer systems; and
(3) to report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate Committees of the Congress.

Inserts a new Section 19(c) stating that the term of office of each member of the Board shall be four years, except that:
(1) of the initial members, three shall be appointed for terms of one year, three shall be appointed for terms of two years, three shall be appointed for terms of three years, and three shall be appointed for terms of four years; and
(2) any member appointed to fill a vacancy in the Board shall serve for the remainder of the term for which his predecessor was appointed.

Inserts a new Section 19(d) prohibiting the Board from acting in the absence of a quorum, which shall consist of seven members.

Inserts a new Section 19(e) stating that Members of the Board, other than full-time employees of the Federal Government, while attending meetings of such committees or while otherwise performing duties at the request of the Board Chairman while away from their homes or a regular place of business, may be allowed travel expenses in accordance with subchapter I of chapter 57 of title 5, United States Code.

Inserts a new Section 19(f) that authorizes the Board, in carrying out its functions, to use staff personnel from the National Bureau of Standards or any other agency of the Federal Government with the consent of the head of the agency.
Adds a new Section 20 which establishes a short title for the Act of March 3, 1901, henceforth to be known as the "National Bureau of Standards Act".

Section 4. Amendment to the Brooks Act. Replaces Section 111(f) of the Federal Property and Administrative Services Act of 1949 with new language that:
(1) empowers the Secretary of Commerce, on the basis of standards and guidelines developed by the National Bureau of Standards pursuant to section 18(a) (2) and (3) of the National Bureau of Standards Act, to promulgate standards and guidelines pertaining to Federal computer systems, making such standards compulsory and binding to the extent to which the Secretary determines necessary to improve the efficiency of operation or security and privacy of Federal computer systems;
(2) authorizes the head of a Federal agency to employ standards for the cost effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce;
(3) provides that the standards determined to be compulsory and binding may be waived by the Secretary of Commerce in writing upon a determination that compliance would adversely affect the accomplishment of the mission of an operator of a Federal computer system, or cause a major adverse financial impact on the operator which is not offset by government-wide savings. The Secretary may delegate to the head of one or more Federal agencies authority to waive such standards to the extent to which the Secretary determines such action to be necessary and desirable to allow for timely and effective implementation of Federal computer systems standards.
The head of such agency may redelegate such authority only to a senior official designated pursuant to section 3506(b) of title 44, United States Code. Notice of each such waiver and delegation shall be promptly transmitted to the Committee on Government Operations of the House of Representatives and the Committee on Governmental Affairs of the Senate; and
(4) directs the Administrator of the General Services Administration to ensure that such standards and guidelines are implemented within an integrated information resources management system (as required by chapter 35 of title 44, United States Code) by
  (A) developing and implementing policies on Federal computer systems; and
  (B) revising the Federal information resources management regulations (41 CFR ch. 201) to implement such standards, guidelines, and policies.

Adds language that conforms section 111 by substituting the term "computer system" for the terms "automatic data processing equipment" and "automatic data processing systems" whenever they appear.

Section 5. Training by Operators of Federal Computer Systems. Provides that each operator of a Federal computer system that contains sensitive information shall provide mandatory periodic training in computer security awareness and accepted computer security practice. Such training shall be provided under the guidelines developed pursuant to this Act. Training under this section shall be started within 60 days after the issuance of the regulations. Such training shall be designed:
(1) to enhance employees' awareness of the threats to and vulnerability of computer systems; and
(2) to encourage the use of improved security practices.
Directs that within six months after the date of the enactment of this Act, the Director of the Office of Personnel Management shall issue regulations prescribing the procedures and scope of the training to be provided and the manner in which such training is to be carried out.

Section 6. Additional Responsibilities for Operators of Federal Computer Systems for Computer System Security and Privacy. Directs that within 6 months after the date of enactment of this Act, each operator of a Federal computer system shall identify each computer system, and system under development, of that operator which contains sensitive information. In the case of a Federal contractor or other organization, such identification shall be reviewed and approved by its supervising Federal agency.

Provides that within one year after the date of enactment of this Act, each such operator shall, consistent with the standards, guidelines, policies, and regulations prescribed pursuant to this Act, establish a plan for the security and privacy of the identified computer systems. Copies of such plan shall be transmitted to the National Bureau of Standards and the National Security Agency for advice and comment. In the case of a Federal contractor or other organization, such plan shall be transmitted through its supervising Federal agency. Such plan shall be subject to disapproval by the Director of the Office of Management and Budget.

Section 7. Definitions.
Defines:
(1) the term "computer system" as any equipment or interconnected collection of equipment, including (A) ancillary equipment, (B) software and other procedures, (C) services, and (D) other resources that are used in the automatic acquisition, storage, manipulation, or display, or in any associated electromagnetic transmission and reception of information;
(2) the term "Federal computer system" as a computer system operated by a Federal agency (as that term is defined in section 3(b) of the Federal Property and Administrative Services Act of 1949) or by a contractor of a Federal agency or other organization that processes information using a computer system on behalf of the Federal Government to accomplish a Federal Government function;
(3) the term "operator of a Federal computer system" as a Federal agency (as that term is defined in section 3(b) of the Federal Property and Administrative Services Act of 1949), contractor of a Federal agency, or other organization that processes information using a computer system on behalf of the Federal Government to accomplish a Federal Government function; and
(4) the term "sensitive information" as any information, the loss, misuse, or unauthorized access or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552 of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

Section 8. Authorization of Appropriations.
Authorizes to be appropriated to each Federal agency such sums as may be necessary for fiscal years 1987, 1988, and 1989 to carry out the computer systems security training program established by section 5 of this Act and the identification and planning requirements of section 6.

VI. EFFECT OF LEGISLATION ON INFLATION

In accordance with Rule XI, Clause 2(l)(4), of the Rules of the House of Representatives, this legislation is assessed to have no adverse inflationary effect on prices and costs in the operation of the national economy.

VII. COMMITTEE OVERSIGHT FINDINGS AND RECOMMENDATIONS

Pursuant to Rule XI, Clause 2(l)(3)(A), and under the authority of Rule X, Clause 2(b)(1) and Clause 3(f), of the Rules of the House of Representatives, the following statement on oversight activities is made: The Committee's oversight findings are incorporated in the recommendations contained in the present bill and report.

VIII. OVERSIGHT FINDINGS AND RECOMMENDATIONS BY THE COMMITTEE ON GOVERNMENT OPERATIONS

Pursuant to Rule XI, Clause 2(l)(3)(D), and under the authority of Rule X, Clause 2(c)(2), of the Rules of the House of Representatives, the following statement on oversight activities by the Committee on Government Operations is made: The Committee's oversight findings are reflected in the recommendations contained in the bill as reported by that Committee and the accompanying report.

IX. BUDGET ANALYSIS AND PROJECTION

The bill provides for new authorization rather than new budget authority and consequently the provisions of Section 308(a) of the Congressional Budget Act are not applicable.

X. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

U.S. CONGRESS, CONGRESSIONAL BUDGET OFFICE,
Washington, DC, June 23, 1986.
Hon. DON FUQUA,
Chairman, Committee on Science and Technology, U.S. House of Representatives, Rayburn House Office Building, Washington, DC.

DEAR MR. CHAIRMAN: The Congressional Budget Office has prepared the attached cost estimate for H.R. 2889, the Computer Security Act of 1986. If you wish further details on this estimate, we will be pleased to provide them.

With best wishes,
Sincerely,
RUDOLPH G. PENNER, Director.

CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

1. Bill number: H.R. 2889.
2. Bill title: Computer Security Act of 1986.
3. Bill status: As ordered reported by the House Committee on Science and Technology, June 4, 1986.
4. Bill purpose: H.R. 2889 would make a number of changes affecting the security of federal computer systems. It would authorize the appropriation of such sums as may be necessary for fiscal years 1987, 1988, and 1989 to carry out the planning and training programs required by the bill.

H.R. 2889 would direct the National Bureau of Standards (NBS) to establish a computer security standards program for those computer systems subject to the Brooks Act. NBS would be required to develop government-wide standards and guidelines; to conduct research; to provide technical assistance; to develop and coordinate training programs; and to develop validation standards to evaluate the effectiveness of computer security standards through research and liaison with government and private agencies. The bill would also establish a 13-member Computer System Security and Privacy Advisory Board composed of representatives of other federal agencies and the private sector.

Within six months after the date of enactment, H.R. 2889 would require all federal agencies to identify each computer that contains sensitive data. Within a year after the date of enactment, each agency would be required to establish a plan for the security for each computer and related system previously identified.
The bill would also require mandatory periodic training in computer security for all federal agency employees who manage, use or operate computer or other automated information systems. Similar training and security plans would also be required for certain employees of private contractors, and state or local governments.

5. Estimated cost to the Federal Government: CBO estimates that enactment of this bill would cost NBS about $4 million to $5 million annually beginning in 1987. Additional costs for planning and training in computer security by all agencies throughout the federal government would probably cost $20 million to $25 million in 1987 and $15 million to $20 million in each fiscal year thereafter. To the extent that this legislation would reduce fraud or other financial losses, some savings could also result from enactment of H.R. 2889. It is not possible to quantify these potential savings at this time.

Basis of estimate: Under the National Security Decision Directive (NSDD) 145, which became effective in September 1984, the President gave the National Security Agency (NSA) responsibility for ensuring the security of all classified and certain other sensitive information transmitted by federal computers or telecommunications systems. If enacted, H.R. 2889 would assign some of this authority to NBS, mainly in the area of unclassified data. Although under current guidelines it is expected that most federal agencies, with assistance from NSA, would have strengthened security efforts consistent with the directive, this bill would enhance the role of NBS and would also impose new requirements upon federal agencies and their contractors in the area of computer security.

National Bureau of Standards: Assuming enactment of H.R. 2889 by October 1, 1987, the expanded role of NBS in computer security management and training is estimated to cost about $2 million annually beginning in 1987. Based on information from NBS, an estimated $2 million to $3 million annually may also be needed for research, beginning in 1987. This assumes that NBS would expand its management and oversight role, but would also receive assistance and information from the National Computer Security Center (NCSC) within the Department of Defense (DoD).

Government-wide computer security plans: The level of computer security varies greatly among the approximately 80 federal entities, including about 1,300 different organizations that would be affected by this legislation. The cost of identifying all sensitive computer systems and developing an appropriate plan for facility, application and personnel security would thus vary greatly from agency to agency, depending upon the agency's current level of security, the size and number of sites, and the resources and expertise available to implement this provision.

CBO has not been able to contact each major federal entity to determine the cost of identifying and developing these plans for computer security. Based on the information available, it is expected that most agencies would probably assign existing personnel and resources to this task in order to meet the one-year deadline imposed by H.R. 2889. If approximately 10,000 plans were developed, each requiring about 1-2 work weeks of effort by agency personnel, and two and one-half work days of review by NBS, NSA, and the Office of Management and Budget (OMB), the cost spread among the various federal agencies would be $10 million to $20 million over the fiscal years 1987 and 1988.
Government-wide training: Currently, training resources in the area of computer security are scattered throughout the federal government. A few civilian agencies, such as the Department of Energy, have developed their own computer security training for both classified and unclassified systems. Most agencies, however, send employees to commercial courses or those offered by other federal agencies, such as the General Services Administration (GSA), the Office of Personnel Management (OPM), the Department of Agriculture Graduate School, or NSA.

H.R. 2889 would require mandatory training for all federal and contractor personnel who manage, use or operate computer systems. The cost of such training depends on the number of people involved and the kind of training provided. Based on information from a number of agencies, it is expected that roughly half of all government and contractor employees would initially receive some type of training as a result of the bill, or about 3 million employees. Subsequently, training would be provided to most new employees, and retraining would be required only periodically.

It is expected that most training in the area of computer security would become decentralized, with each agency responsible for developing its own programs, although some centralized training for smaller agencies and in specialized program areas would remain. The NCSC is developing a data base of educational opportunities offered by government, universities and private sources, and plans to make this available to agencies. Training courses are relatively expensive, however. They currently cost about $50 to $200 per day per person (not including development costs) and typically are offered to technical personnel who attend a three-to-five day session. In an effort to reduce training costs, NCSC is developing training packages that will be available on tape or film, sharply reducing the training cost per person.
Based on information from NCSC, GSA, OPM, and OMB, CBO made a number of assumptions about the numbers and types of training that would be required as a result of enactment of H.R. 2889. The resulting estimates provide a rough estimate of the possible additional cost of training, but should not be considered precise.

Within three years after the date of enactment, it is assumed that about 90 percent of the estimated 3 million employees affected by the bill would receive some type of computer security awareness training. Assuming the availability of training modules and other low-cost products, it is expected that the cost for this type of training would have no significant budget impact over and above the cost of maintaining good information systems, which is now the responsibility of each agency. It is estimated that about 10 percent of the 3 million employees, or 300,000, would require more formalized training. Assuming that about three-quarters of these individuals (about one-half from DoD) would have received training under current law, then about 75,000 employees would likely require training as a result of this bill. Three days of specialized training, at an average cost of $100 per day, for 75,000 persons would cost $20 million to $25 million over several years. After the initial training, costs for retraining and training of new personnel are expected to cost about $5 million annually.

Finally, it is assumed that about 250 civilian employees would gradually be recruited and/or trained to evaluate the technical protection capabilities of industry and government-developed systems, and to train other agency personnel. This type of training, according to NCSC, takes two to three years.
At an average cost of $60,000 per year, including overhead, it is estimated that this type of support staff would cost the federal government about $15 million annually, once fully implemented.

6. Estimated cost to State and local governments: H.R. 2889 would require nonfederal entities that process federal data to identify and develop security plans for each applicable computer system, and to provide security training. Based on information from Committee staff, this requirement would also apply to nonfederal entities that maintain data for ultimate federal use, or that are involved in disbursing federal funds. No complete inventory of the relevant systems currently exists, and it is not possible at this time to estimate with precision the costs to state and local governments. Based on the limited information available, we expect that total costs incurred by state and local governments are likely to be less than $25 million annually.

7. Estimate comparison: None.

8. Previous CBO estimate: On November 14, 1985, CBO prepared a cost estimate for H.R. 2889, as ordered reported by the House Committee on Government Operations. The estimated costs of this version of H.R. 2889 reflect a later assumed date of enactment.

9. Estimate prepared by: Mary Maginniss.

10. Estimate approved by: C.G. Nuckols (for James L. Blum, Assistant Director for Budget Analysis).

XI. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

In compliance with clause 3 of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new matter is printed in italic, existing law in which no change is proposed is shown in roman):

ACT OF MARCH 3, 1901

AN ACT To establish the National Bureau of Standards

* * * * * * *

SEC. 2.
The Secretary of Commerce (hereinafter referred to as the "Secretary") is authorized to undertake the following functions:

(a) * * *

(f) Invention and development of devices to serve special needs of the Government.

In carrying out the functions enumerated in this section, the Secretary is authorized to undertake the following activities and similar ones for which need may arise in the operations of Government agencies, scientific institutions, and industrial enterprises:

(18) the prosecution of such research in engineering, mathematics, and the physical sciences as may be necessary to obtain basic data pertinent to the functions specified herein; [and]

(19) the compilation and publication of general scientific and technical data resulting from the performance of the functions specified herein or from other sources when such data are of importance to scientific or manufacturing interests or to the general public, and are not available elsewhere, including demonstration of the results of the Bureau's work by exhibits or otherwise as may be deemed most effective, and including the use of National Bureau of Standards scientific or technical personnel for part-time or intermittent teaching and training activities at educational institutions of higher learning as part of and incidental to their official duties and without additional compensation other than that provided by law[.];

(20) the study of equipment, procedures, and systems for automatic acquisition, storage, manipulation, display, and transmission of information, and its use to control machinery and processes.

SEC. 18.
(a) The National Bureau of Standards shall-

(1) have the mission of developing standards, guidelines, and associated methods and techniques for computer systems;

(2) except as described in paragraph (3) of this subsection (relating to security standards), develop uniform standards and guidelines for Federal computer systems, except those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code;

(3) have responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems except-

(A) those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code; and

(B) those systems which are protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy,

the primary purpose of which standards and guidelines shall be to control loss and unauthorized modification or disclosure of sensitive information in such systems and to prevent computer-related fraud and misuse;

(4) submit standards and guidelines developed pursuant to paragraphs (2) and (3) of this subsection, along with recommendations as to the extent to which these should be made compulsory and binding, to the Secretary of Commerce, for promulgation under section 111 of the Federal Property and Administrative Services Act of 1949;

(5) develop guidelines for use by operators of Federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice, as required by section 5 of the Computer Security Act of 1986; and

(6) develop validation procedures for, and evaluate the effectiveness of standards and guidelines developed pursuant to paragraphs (1), (2), and (3) of this subsection through research and liaison with other government and private agencies.

(b) In fulfilling subsection (a) of this section, the National Bureau of Standards is authorized-

(1) to assist the private sector in using and applying the results of the programs and activities under this section;

(2) to make recommendations, as appropriate, to the Administrator of General Services on policies and regulations proposed pursuant to section 111(f) of the Federal Property and Administrative Services Act of 1949;

(3) as required, to provide to operators of Federal computer systems technical assistance in implementing the standards and guidelines promulgated pursuant to section 111(f) of the Federal Property and Administrative Services Act of 1949;

(4) to assist, as appropriate, the Office of Personnel Management in developing regulations pertaining to training, as required by section 5 of the Computer Security Act of 1986;

(5) to perform research and to conduct studies, as needed, to determine the nature and extent of the vulnerabilities of and to devise techniques for the cost effective security and privacy of sensitive information in Federal computer systems; and

(6) to coordinate closely with other agencies and offices (including, but not limited to, the Departments of Defense and Energy, the National Security Agency, the General Accounting Office, the Office of Technology Assessment, and the Office of Management and Budget)-

(A) to assure maximum use of all existing and planned programs, materials, studies, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and

(B) to assure, to the maximum extent feasible, that standards developed pursuant to subsection (a) (3) and (5) are consistent and compatible with standards and procedures developed for the protection of information in Federal computer systems which is authorized under criteria established by Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

(c) As used in this section and section 19, the terms "computer system", "Federal computer system", "operator of a Federal computer system", and "sensitive information" have the meanings given in section 7 of the Computer Security Act of 1986.

SEC. 19. (a) There is hereby established a Computer System Security and Privacy Advisory Board within the Department of Commerce. The Secretary of Commerce shall appoint the chairman of the Board. The Board shall be composed of twelve additional members appointed by the Secretary of Commerce as follows:

(1) four members from outside the Federal Government who are eminent in the computer or telecommunications industry, at least one of whom is representative of small or medium sized companies in such industry;

(2) four members from outside the Federal Government who are eminent in the fields of computer or telecommunications technology, or related disciplines, but who are not employed by or representative of a producer of computer or telecommunications equipment; and

(3) four members from the Federal Government who have computer systems management experience, including experience in computer systems security and privacy, at least one of whom shall be from the National Security Agency.
(b) The duties of the Board shall be-

(1) to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy;

(2) to advise the Bureau of Standards and the Secretary of Commerce on security and privacy issues pertaining to Federal computer systems; and

(3) to report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate Committees of the Congress.

(c) The term of office of each member of the Board shall be four years, except that-

(1) of the initial members, three shall be appointed for terms of one year, three shall be appointed for terms of two years, three shall be appointed for terms of three years, and three shall be appointed for terms of four years; and

(2) any member appointed to fill a vacancy in the Board shall serve for the remainder of the term for which his predecessor was appointed.

(d) The Board shall not act in the absence of a quorum, which shall consist of seven members.

(e) Members of the Board, other than full-time employees of the Federal Government, while attending meetings of such committees or while otherwise performing duties at the request of the Board Chairman while away from their homes or a regular place of business, may be allowed travel expenses in accordance with subchapter I of chapter 57 of title 5, United States Code.

(f) To provide the staff services necessary to assist the Board in carrying out its functions, the Board may utilize personnel from the National Bureau of Standards or any other agency of the Federal Government with the consent of the head of the agency.

SEC. [18.] 20. Appropriations to carry out the provisions of this Act may remain available for obligation and expenditure for such period or periods as may be specified in the Acts making such appropriations.

SEC. 21. This Act may be cited as the National Bureau of Standards Act.
SECTION 111 OF THE FEDERAL PROPERTY AND ADMINISTRATIVE SERVICES ACT OF 1949

AUTOMATIC DATA PROCESSING EQUIPMENT

SEC. 111. (a) The Administrator is authorized and directed to coordinate and provide for the economic and efficient purchase, lease, and maintenance of [automatic data processing equipment] computer systems by Federal agencies.

(b)(1) [Automatic data processing equipment] computer systems suitable for efficient and effective use by Federal agencies shall be provided by the Administrator through purchase, lease, transfer of equipment from other Federal agencies, or otherwise, and the Administrator is authorized and directed to provide by contract or otherwise for the maintenance and repair of such equipment. In carrying out his responsibilities under this section the Administrator is authorized to transfer [automatic data processing equipment] computer systems between Federal agencies, to provide for joint utilization of such equipment by two or more Federal agencies, and to establish and operate equipment pools and data processing centers for the use of two or more such agencies when necessary for its most efficient and effective utilization.

(2) The Administrator may delegate to one or more Federal agencies authority to operate [automatic data processing equipment] computer systems pools and automatic data processing centers, and to lease, purchase, or maintain individual [automatic data processing systems] computer systems or specific units of equipment, including such equipment used in automatic data processing pools and automatic data processing centers, when such action is determined by the Administrator to be necessary for the economy and efficiency of operations, or when such action is essential to national defense or national security.
The Administrator may delegate to one or more Federal agencies authority to lease, purchase, or maintain [automatic data processing equipment] computer systems to the extent to which he determines such action to be necessary and desirable to allow for the orderly implementation of a program for the utilization of such equipment.

[(f) The Secretary of Commerce is authorized (1) to provide agencies, and the Administrator of General Services in the exercise of the authority delegated in this section, with scientific and technological advisory services relating to automatic data processing and related systems, and (2) to make appropriate recommendations to the President relating to the establishment of uniform Federal automatic data processing standards. The Secretary of Commerce is authorized to undertake the necessary research in the sciences and technologies of automatic data processing computer and related systems, as may be required under provisions of this subsection.]

(f)(1) The Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Bureau of Standards pursuant to section 18(a) (2) and (3) of the National Bureau of Standards Act, promulgate standards and guidelines pertaining to Federal computer systems, making such standards compulsory and binding to the extent to which the Secretary determines necessary to improve the efficiency of operation or security and privacy of Federal computer systems.
(2) The head of a Federal agency may employ standards for the cost effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce.

(3) The standards determined to be compulsory and binding may be waived by the Secretary of Commerce in writing upon a determination that compliance would adversely affect the accomplishment of the mission of an operator of a Federal computer system, or cause a major adverse financial impact on the operator which is not offset by government-wide savings. The Secretary may delegate to the head of one or more Federal agencies authority to waive such standards to the extent to which the Secretary determines such action to be necessary and desirable to allow for timely and effective implementation of Federal computer systems standards. The head of such agency may redelegate such authority only to a senior official designated pursuant to section 3506(b) of title 44, United States Code. Notice of each such waiver and delegation shall be promptly transmitted to the Committee on Government Operations of the House of Representatives and the Committee on Government Affairs of the Senate.

(4) The Administrator shall ensure that such standards and guidelines are implemented within an integrated information resources management system (as required by chapter 35 of title 44, United States Code) by-

(A) developing and implementing policies on Federal computer systems; and

(B) revising the Federal information resources management regulations (41 CFR ch. 201) to implement such standards, guidelines, and policies.
(5) As used in this section, the terms "computer system", "operator of a Federal computer system", and "Federal computer system" have the meanings given in section 7 of the Computer Security Act of 1986.

(g) The authority conferred upon the Administrator and the Secretary of Commerce by this section shall be exercised subject to direction by the President and to fiscal and policy control exercised by the Office of Management & Budget. Authority so conferred upon the Administrator shall not be so construed as to impair or interfere with the determination by agencies of their individual [automatic data processing equipment] computer systems requirements, including the development of specifications for and the selection of the types and configurations of equipment needed. The Administrator shall not interfere with, or attempt to control in any way, the use made of [automatic data processing equipment] computer systems or components thereof by any agency. The Administrator shall provide adequate notice to all agencies and other users concerned with respect to each proposed determination specifically affecting them or the [automatic data processing equipment] computer systems or components used by them. In the absence of mutual agreement between the Administrator and the agency or user concerned, such proposed determinations shall be subject to review and decision by the Office of Management & Budget unless the President otherwise directs.

XII. COMMITTEE RECOMMENDATION

A quorum being present, the bill was ordered favorably reported on June 4, 1986 by unanimous voice vote.

XIII. ADDITIONAL VIEWS FOR H.R. 2889, COMPUTER SECURITY REPORT

We are sensitive to the Administration's concerns about this bill.
We believe we have reached a compromise that, while far from perfect, gives directors of agencies the discretion they need to implement reasonable, effective security procedures. For example, agency directors are given the option of choosing a single standard for their agency rather than being required to handle different data in different ways.

Our goal has been to give agency directors maximum flexibility to enable them to decide the type of security system needed to protect sensitive government information.

SHERWOOD L. BOEHLERT.
MANUEL LUJAN, Jr.
TOM LEWIS.
RON PACKARD.

XIV. DISSENTING VIEWS FOR H.R. 2889, COMPUTER SECURITY REPORT

We are opposed to H.R. 2889 as reported by the Committee. This unnecessary, ill-timed effort to pre-empt Administration policy is likely to lead only to confusion and duplication of efforts.

This bill's supporters claim the measure is needed because National Security Decision Directive (NSDD)-145 will give the National Security Agency control over how civilian agencies operate their computer systems. Yet there is no evidence of any interference by NSA in civilian agencies. Indeed, civilian agencies are represented on the National Telecommunications and Information Systems Security Committee (NTISSC), which is in the process of formulating security guidelines. There is no reason to pre-empt the panel's work.

H.R. 2889 also provides for security training by the National Bureau of Standards. However, NSA already is putting out training material. A new effort by the Bureau could easily lead to pointless duplication.

We ought to give NSDD-145 a chance to work before we begin tinkering.

F. JAMES SENSENBRENNER, Jr.
DON RITTER.
JOE BARTON.
DAVID S. MONSON.