Computer Security: A Summary of Selected Federal Laws, Executive Order, and Presidential Directives
Publication Date: April 2004
Publisher(s): Library of Congress. Congressional Research Service
This report provides a short summary of selected federal laws, executive orders, and presidential directives, currently in force, that govern computer security. The report focuses on the major roles and responsibilities assigned various federal agencies in the area of computer security. This report will not be updated.
One major area of federal activity in computer security deals with securing federal computer systems. The roles and responsibilities for securing federal computer systems are split between national security systems and all other federal systems. The Federal Information Security Management Act of 2002 authorizes the Director of the Office and Management and Budget to oversee the development of, and compliance with, security standards and guidelines, developed by the National Institute of Standards and Technology and promulgated by the Secretary of Commerce. These authorities, however, do not apply to computer systems considered to be national security systems. The roles and responsibilities for securing national security systems are established by National Security Directive 42 (NSD-42). NSD-42 establishes what is now called the Committee on National Security Systems, which it authorizes to develop, and require compliance with, standards and guidelines for national security systems.
In general, the federal government does not regulate the security of nongovernment computer systems. However, the federal government does require certain information held on non-government systems to be protected against unauthorized access and disclosure, primarily out of privacy considerations. To date, this has been limited to financial information (Gramm-Leach-Bliley Act) and medical information (Health Insurance Portability and Accountability Act of 1996). A number of regulatory agencies have authority for developing and enforcing standards for financial information. The Secretary of Health and Human Services has authority to develop and enforce standards for medical information. The Sarbanes-Oxley Act of 2002 requires certain companies to certify the accuracy of their internal financial controls. The Security Exchange Commission has authority to develop standards and enforce these regulations.
Although it currently has a limited role in securing the nation’s overall information infrastructure, the federal government does, through the Department of Homeland Security, work with and encourage the private sector, state and local government, academia, and the general public to protect the nation’s information infrastructure. This role is authorized in a generic sense for all critical infrastructure by the Homeland Security Act of 2002. It is also reinforced more specifically in Homeland Security Presidential Directive No. 7 and the National Strategy for Securing Cyberspace. To date, these activities are voluntary for non-federal entities.
Other roles established for the federal government include: investigation and prosecution of federal computer crimes; assisting state and local law enforcement entities in their investigation and prosecutions; and, developing the nation’s expertise in information security.