Generated by DeepSeek V3.2

| Computer Security Act of 1987 | |
|---|---|
| Short title | Computer Security Act of 1987 |
| Long title | An Act to provide for a computer standards program within the National Bureau of Standards, to provide for Government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems. |
| Enacted by | the 100th United States Congress |
| Effective | January 8, 1988 |
| Citations | Public Law 100-235 |
| Introduced in | House |
| Introduced by | Dan Glickman |
| Signed by | President Ronald Reagan |
| Signed date | January 8, 1988 |

The Computer Security Act of 1987 was a landmark piece of United States federal law that established a federal mandate for improving the security and privacy of sensitive information in government computer systems. Enacted in response to growing concerns about vulnerabilities in federal information technology and the expanding role of the National Security Agency, the law aimed to create a clear framework for protecting non-national security systems. It represented a significant assertion of civilian authority over technical standards for most federal computing, designating the National Bureau of Standards as the lead agency.
The impetus for the legislation stemmed from a pivotal 1986 report by the Office of Technology Assessment titled "Defending Secrets, Sharing Data," which highlighted systemic security weaknesses across the federal government. Concurrently, there was significant congressional and public apprehension regarding the expanding influence of the National Security Agency in setting standards for all government computers, including those handling unclassified but sensitive data, following initiatives like National Security Decision Directive 145. Key legislators, including Representative Dan Glickman and Senator John Glenn, championed the bill to ensure civilian control over standards for non-defense systems. After hearings that featured testimony from experts like Willis H. Ware of the RAND Corporation and officials from the General Accounting Office, the act passed with broad support and was signed by President Ronald Reagan in early 1988.
The act formally assigned the National Bureau of Standards (later renamed the National Institute of Standards and Technology) the responsibility for developing technical, management, and physical standards and guidelines for the security of non-national security federal computer systems. It mandated the creation of a binding computer standards program and required each federal agency to identify its systems containing sensitive information and to develop security plans for them. Furthermore, the law made security training mandatory for all employees and contractors involved with managing or using federal systems. It also created the Computer System Security and Privacy Advisory Board to provide independent advice to the Secretary of Commerce and the Director of the Office of Management and Budget on security issues.
Implementation was overseen by the National Institute of Standards and Technology, which began issuing the Federal Information Processing Standards (FIPS) publications on security. Agencies like the Department of Energy, the Social Security Administration, and the Internal Revenue Service were required to conduct inventories of sensitive systems and initiate training programs. The act directly led to the development of foundational standards such as FIPS 140 for cryptographic modules and increased the profile of information security as a formal discipline within the civil service. The establishment of the Computer System Security and Privacy Advisory Board provided a lasting forum for debate among experts from industry, academia, and government.
The primary controversy surrounded the ongoing "turf war" between the National Institute of Standards and Technology and the National Security Agency over control of federal security standards. Critics, including some in the Department of Defense and intelligence community, argued the law created a problematic bifurcation between national security and civilian systems. Some technologists contended that the standards, like many Federal Information Processing Standards, took too long to develop and often lagged behind evolving commercial technology and emerging threats like computer viruses and network intrusions. Privacy advocates, while supportive of the act's intentions, later criticized it for focusing more on system security than on robust data privacy protections for citizens.
The act laid the essential groundwork for all subsequent federal cybersecurity policy, clearly establishing the principle of civilian agency leadership in standards development. Its framework was expanded and modernized by later laws, most notably the Clinger–Cohen Act, which addressed IT management, and the pivotal Federal Information Security Management Act of 2002 (FISMA), which codified and strengthened its security program requirements. The institutional structures it created, including the enduring role of the National Institute of Standards and Technology as exemplified in its NIST Cybersecurity Framework, and the continued operation of the Computer System Security and Privacy Advisory Board, demonstrate its lasting influence on the United States approach to securing its digital infrastructure.