The Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 278g–3(a) of title 15, promulgate standards and guidelines pertaining to Federal computer systems. The Secretary shall make such standards compulsory and binding to the extent to which the Secretary determines necessary to improve the efficiency of operation or security and privacy of Federal computer systems. The President may disapprove or modify such standards and guidelines if the President determines such action to be in the public interest. The President's authority to disapprove or modify such standards and guidelines may not be delegated. Notice of such disapproval or modification shall be published promptly in the Federal Register. Upon receiving notice of such disapproval or modification, the Secretary of Commerce shall immediately rescind or modify such standards or guidelines as directed by the President.
The authority conferred upon the Secretary of Commerce by this section shall be exercised subject to direction by the President and in coordination with the Director to ensure fiscal and policy consistency.
The head of a Federal agency may employ standards for the cost-effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce under this section, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce.
The standards determined under subsection (a) of this section to be compulsory and binding may be waived by the Secretary of Commerce in writing upon a determination that compliance would adversely affect the accomplishment of the mission of an operator of a Federal computer system, or cause a major adverse financial impact on the operator which is not offset by Government-wide savings. The Secretary may delegate to the head of one or more Federal agencies authority to waive such standards to the extent to which the Secretary determines such action to be necessary and desirable to allow for timely and effective implementation of Federal computer system standards. The head of such agency may redelegate such authority only to a Chief Information Officer designated pursuant to section 3506 of title 44. Notice of each such waiver and delegation shall be transmitted promptly to Congress and shall be published promptly in the Federal Register.
In this section, the terms “Federal computer system” and “operator of a Federal computer system” have the meanings given such terms in section 278g–3(d) of title 15.
(Pub. L. 104–106, div. E, title LI, §5131, Feb. 10, 1996, 110 Stat. 687.)
Section is comprised of section 5131 of Pub. L. 104–106. Subsec. (e) of section 5131 of Pub. L. 104–106 amended sections 3504 and 3518 of Title 44, Public Printing and Documents.
Pub. L. 100–235, §§1, 2, 5–8, Jan. 8, 1988, 101 Stat. 1724, 1729, as amended by Pub. L. 100–418, title V, §5115(c), Aug. 23, 1988, 102 Stat. 1433; Pub. L. 104–106, div. E, title LVI, §5607(b), Feb. 10, 1996, 110 Stat. 701; Pub. L. 105–85, div. A, title X, §1073(h)(4), Nov. 18, 1997, 111 Stat. 1907, provided that:
“This Act [enacting sections 278g–3 and 278g–4 of Title 15, Commerce and Trade, amending section 759 of this title and section 272 of Title 15, and enacting provisions set out as a note under section 271 of Title 15] may be cited as the ‘Computer Security Act of 1987’.
“(1) by amending the Act of March 3, 1901 [15 U.S.C. 271 et seq.], to assign to the National Institute of Standards and Technology responsibility for developing standards and guidelines for Federal computer systems, including responsibility for developing standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems, drawing on the technical advice and assistance (including work products) of the National Security Agency, where appropriate;
“(2) to provide for promulgation of such standards and guidelines;
“(3) to require establishment of security plans by all operators of Federal computer systems that contain sensitive information; and
“(4) to require mandatory periodic training for all persons involved in management, use, or operation of Federal computer systems that contain sensitive information.
“(1) provided in accordance with the guidelines developed pursuant to section 20(a)(5) of the National Bureau of Standards Act [now National Institute of Standards and Technology Act] (as added by section 3 of this Act) [15 U.S.C. 278g–3(a)(5)], and in accordance with the regulations issued under subsection (c) of this section for Federal civilian employees; or
“(2) provided by an alternative training program approved by the head of that agency on the basis of a determination that the alternative training program is at least as effective in accomplishing the objectives of such guidelines and regulations.
“(1) to enhance employees’ awareness of the threats to and vulnerability of computer systems; and
“(2) to encourage the use of improved computer security practices.
“As used in this Act, the terms ‘computer system’, ‘Federal computer system’, ‘operator of a Federal computer system’, ‘sensitive information’, and ‘Federal agency’ have the meanings given in section 20(d) of the National Bureau of Standards Act [now National Institute of Standards and Technology Act] (as added by section 3 of this Act) [15 U.S.C. 278g–3(d)].
“Nothing in this Act, or in any amendment made by this Act, shall be construed—
“(1) to constitute authority to withhold information sought pursuant to section 552 of title 5, United States Code; or
“(2) to authorize any Federal agency to limit, restrict, regulate, or control the collection, maintenance, disclosure, use, transfer, or sale of any information (regardless of the medium in which the information may be maintained) that is—
“(A) privately-owned information;
“(B) disclosable under section 552 of title 5, United States Code, or other law requiring or authorizing the public disclosure of information; or
“(C) public domain information.”
This section is referred to in section 1412 of this title; title 15 section 278g–3; title 44 sections 3504, 3518, 3533.