
Computer Security Act of 1987
One of the first attempts to protect federal computer
systems by establishing minimal acceptable security
practices. The National Institute of Standards and
Technology (NIST), known as the National Bureau of
Standards prior to 1988, is responsible for
developing these security standards and guidelines
in cooperation with the National Security Agency.
Computer Security Act of 1987

In 1987, the U.S. Congress, led by Rep. Jack Brooks,
enacted a law reaffirming that the National Institute of
Standards and Technology (NIST), a division of the
Department of Commerce, was responsible for the
security of unclassified, non-military government
computer systems. Under the law, the role of the
National Security Agency (NSA) was limited to
providing technical assistance in the civilian security
realm. Congress rightly felt that it was inappropriate for
a military intelligence agency to have control over the
dissemination of unclassified information.
The law was enacted after President Reagan issued the controversial
National Security Decision Directive (NSDD) 145 in 1984. The Reagan
directive gave NSA control over all government computer systems
containing "sensitive but unclassified" information. This was followed by a
second directive issued by National Security Advisor John Poindexter that
extended NSA authority over non-government computer systems.
Since the enactment of the Computer Security Act, the NSA has sought to
undercut NIST's authority. In 1989, NSA signed a Memorandum of
Understanding (MOU) which purported to transfer back to NSA the
authority given to NIST. The MOU created a NIST/NSA technical working
group that developed the controversial Clipper Chip and 
Digital Signature Standard. The NSA has also worked in other ways to
weaken the mandate of the CSA. In 1994, President Clinton issued
Presidential Decision Directive (PDD) 29. This directive created the Security
Policy Board, which has recommended that all computer security functions
for the government be merged under NSA control. In 2009, President Obama
released the Administration's Cyberspace Policy Review. The report placed
civil liberties and privacy protections at the center of the Administration's
new approach to guarding the nation's digital infrastructure. Recognizing
that privacy and security are complementary values, President Obama 
stressed privacy protections in every aspect of the new initiative. The
Administration created a new National Security Council cybersecurity team
that includes a privacy and civil liberties officer.
• Public Law 100-235, The Computer Security Act of 1987.
• U.S. House of Representatives, Science, Space, and Technology
Committee Report on the Computer Security Act.
• Memorandum from Clinton Brooks, Special Assistant to the
Director, NSA, on NSDD-145 and the CSA (scanned image of
document obtained by EPIC under FOIA) -- "In 1984 NSA
engineered a National Security Decision Directive, NSDD-145,
through the Reagan Administration that gave responsibility for the
security of all U.S. information systems to the Director of NSA,
removing [the National Bureau of Standards, now NIST] from this."
• Controversial 1989 Memorandum of Understanding between
NSA and NIST that attempted to give NSA power over civilian
computer security.
• Congressional testimony of EPIC Director Marc Rotenberg on
implications of NSA/NIST Memorandum of Understanding.
• Computer System Security and Privacy Board (CSSPB) Web site.
Congress established the CSSPAB as a public advisory board in
the Computer Security Act.
• Text of Presidential Decision Directive 29, creating the Security
Policy Board (SPB). Scanned image of the first page of the
directive obtained by EPIC.
• Internal memorandum detailing activities of the SPB, obtained by the
Federation of American Scientists.
• Press release on EPIC's lawsuit seeking information on the activities
of the SPB.
The Computer Security Act of 1987, Public Law No. 100-235 (H.R. 145),
(Jan. 8, 1988), was a United States federal law enacted in 1987. It was
intended to improve the security and privacy of sensitive information in
federal computer systems and to establish minimally acceptable security
practices for such systems. It required the creation of computer security
plans, and appropriate training of system users or owners where the
systems would display, process or store sensitive information.
Computer Security Act
Requires all federal computer systems that contain classified
information to have security plans in place, and requires periodic
security training for all individuals who operate, design, or manage
such systems
The Computer Security Act of 1987

• One of the first attempts to protect federal computer systems
• Established minimum acceptable security practices
• Established a Computer System Security and Privacy Advisory Board
within the Department of Commerce
• Requires mandatory periodic training in computer security awareness
and accepted computer security practice for all users of Federal
computer systems
The Computer Security Act of 1987 (cont’d.)

Charged the National Bureau of Standards (now NIST) and the NSA with the
development of (cont’d.):
• Guidelines for operators of federal computer systems containing
sensitive information in training their employees in security awareness
• Validation procedures for, and evaluation of the effectiveness of,
standards and guidelines through research and liaison with other
government and private agencies
