REGULATORY AND GUIDANCE DOCUMENTS

Federal Laws Website

Though many Federal laws mandate specific requirements for the protection of sensitive information and systems, the following serve as the basis of most departmental security guidance.
a. 5 U.S.C. 552a, 552a Note, The Privacy Act of 1974: Establishes standards and safeguards for the collection, maintenance, or disclosure of an individual's personal information by Federal agencies and grants an individual access to the records that require confidential treatment.

b. 5 U.S.C. 552, 552 Notes, Freedom of Information Act of 1974: Establishes procedures under which an individual can obtain records in the possession of the Federal government while enabling the government to protect records that require confidential treatment.

c. 15 U.S.C. 271 Note, 272, 278 g-3, 278 g-4, 278 h, 40 U.S.C. 759, 759 Notes, 40 U.S.C. 1441 Note, The Computer Security Act of 1987: Creates a means for establishing minimum acceptable security practices for federally owned/operated computer systems.

d. 18 U.S.C. 1030, 1001 Note, The Computer Fraud and Abuse Act of 1986: Establishes specific protection against fraud and related activities in connection with Federal computers. Such offenses include intentionally accessing a Federal Interest Computer without authorization and (1) obtaining anything of value (including data), (2) preventing authorized use, or (3) altering information.

e. 18 U.S.C. 1367, 2232, 2510, 2510 Notes, 2511 to 2521, 2701, 2701 Note, 2702 to 2711, 3117, 3121 Note, 3122 to 3127, Electronic Communications Privacy Act of 1986: Defines the circumstances and conditions under which the interception of wire and oral communications may be authorized, prohibits any unauthorized interception of such communications, and defines the use of the contents thereof in evidence in courts and administrative proceedings.

f. The Provider Exception, 18 U.S.C. § 2511(2)(a)(i): Defines the exceptions to the wiretap rule for providers and system administrators.

g. 31 U.S.C. 1105, 1113, 3512, Federal Managers Financial Integrity Act of 1982: Requires that agency internal control systems be periodically evaluated and that the heads of executive agencies report annually on their systems' status.

h. 40 U.S.C. 1401, The Clinger-Cohen Act of 1996: Establishes the Chief Information Officer and assigns responsibilities related to Information Technology (IT) system management, including development and monitoring of IT programs.
i. 44 U.S.C. 2101 et seq., 2501 et seq., 2701 et seq., 2901 et seq., 3101 et seq., 44 U.S.C. 2103, 2108, 2111, 2112, 2901, 2902, 2904, 2906, 2907, 3102, 3103, 3107, 3301, 3302, Federal Records Management Acts: Require establishment of standards and procedures to ensure effective records creation, use, maintenance, and disposal.
j. 44 U.S.C. Chapter 35, The Paperwork Reduction Act of 1995: Establishes the requirement to minimize the paperwork burden for individuals, small businesses, educational and nonprofit institutions, Federal contractors, State, local and tribal governments, and other persons resulting from the collection of information by or for the Federal Government.
The Electronic Communications Privacy Act

The Electronic Communications Privacy Act (ECPA) of 1986 was adopted to address the legal privacy issues that were evolving with the growing use of computers and other new innovations in electronic communications.

a. Summary of ECPA
The Patriot Act

The Patriot Act of 2001 updated many sections of the U.S. Code. The sections most relevant to computer crime are summarized in the Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence.

a. Summary of the Patriot Act
Executive Orders Website

a. Executive Order 10450, "Security Requirements for Government Employment", December 28, 1978: Directs the establishment and maintenance, within Government departments and agencies, of an effective program to insure that the employment and retention in employment of any civilian officer or employee within that department or agency is clearly consistent with the interests of the national security.

b. Executive Order 12958, "Classified National Security Information": Establishes a uniform system for classifying, safeguarding, and declassifying national security information.

c. Executive Order 12968, "Access to Classified Information": Establishes a uniform Federal personnel security program for employees who will be considered for initial or continued access to classified information.

d. Executive Order 13011, "Federal Information Technology": Establishes accountability for information resources management activities by creating agency Chief Information Officers (CIOs) with the visibility and management responsibilities necessary to advise the agency head on the design, development, and implementation of those information systems.

e. Presidential Decision Directive 63 (PDD 63), May 1998: Establishes policy relating to assignment of responsibilities for the protection of critical infrastructure, including planning and management of assets, especially IT resources.
Regulatory Requirements

The following agencies publish more specific guidelines for the implementation of the Federal laws. The applicable guidelines are listed after each promulgating agency below.
Office of Management and Budget (OMB) Website

OMB issues basic Federal policy for automated information systems security.

1) OMB Circular A-123, Management Accountability and Control: Establishes the policies and standards to be followed by executive agencies in establishing and maintaining internal controls in their programs and administrative activities.

2) OMB Circular A-127, Financial Management Systems: Establishes standards for executive agencies to follow in developing, operating, evaluating, and reporting on financial management systems.

3) OMB Circular A-130 (including all Appendices), Management of Federal Information Resources, revised: Addresses the management of Federal information resources, as well as procedures for information system security.
National Institute of Standards and Technology (NIST) Website

The Computer Security Act of 1987 assigned the responsibility for developing computer security standards and guidelines for Federal unclassified systems to the National Institute of Standards and Technology (NIST), while the National Security Agency (NSA) retains the responsibility for Federal classified systems.
1) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-2, Public Key Cryptography, April 1991: Provides a state-of-the-art survey of public-key cryptography.

2) NIST SP 800-3, Establishing a Computer Security Incident Response Capability, November 1991: Defines a centralized and cost-effective approach to handling computer security incidents.

3) NIST SP 800-4, Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials, March 1992: Provides guidance for federal procurement initiators, contracting officers, and computer security officials on including computer security in acquisitions.

4) NIST SP 800-5, Guide to Selection of Anti-Virus Tools and Techniques, December 1992: Provides criteria for judging the functionality, practicality, and convenience of anti-virus tools.

5) NIST SP 800-6, Automated Tools for Testing Computer System Vulnerability, December 1992: Provides guidance on the implementation, selection, utilization, and distribution of vulnerability testing tools.

6) NIST SP 800-7, Security in Open Systems, July 1994: Provides information for the practicing programmer involved in the development of telecommunications application software, regarding methodologies for building security into software based on open system platforms.

7) NIST SP 800-8, Security Issues in the Database Language SQL, August 1993: Examines the security functionality that might be required of relational DBMSs, and compares it with the requirements and options of the SQL specifications.

8) NIST SP 800-9, Good Security Practices for E-Commerce, December 1993: Examines the security functionality that might be required of e-commerce systems.

9) NIST SP 800-10, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, December 1994: Provides a basis for understanding how firewalls work and the steps necessary for implementing firewalls. Users can then use this document to assist in planning or purchasing a firewall.

10) NIST SP 800-11, The Impact of the FCC's Open Network Architecture on NS/EP Telecommunications Security, February 1995: Provides an overview of Open Network Architecture (ONA), describes National Security and Emergency Preparedness (NS/EP) telecommunications security concerns, and describes the NS/EP telecommunications security concerns that the FCC's ONA requirement introduces into the Public Switched Network (PSN).

11) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995: Provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.
12) NIST SP 800-13, Telecommunications Security Guidelines for Telecommunications Management Network, October 1995: Provides baseline protection measures that government agencies or commercial organizations can use to safeguard Telecommunications Management Network (TMN) resources and counter security threats.

13) NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, June 1996: Provides a baseline that organizations can use to establish and review their IT security programs, and to gain an understanding of the basic security requirements most IT systems should contain.

14) NIST SP 800-15, Minimum Interoperability Specification for PKI Components (MISPC), Version 1, January 1998: Provides a basis for interoperation between public key infrastructure (PKI) components from different vendors.

15) NIST SP 800-16, Information Technology Training Requirements, March 1998: Establishes current training requirements for information technology systems.

16) NIST SP 800-17, Modes of Operation Validation System (MOVS): Requirements and Procedures, February 1998: Provides a brief overview of the Data Encryption Standard (DES) and Skipjack algorithms, and introduces the basic design and configuration of the MOVS.

17) NIST SP 800-18, Guide to Developing Security Plans for Information Technology Systems, December 1998: Provides guidance for the development of IT system security plans in compliance with Federal regulations.

18) NIST SP 800-31, Guide to Intrusion Detection Systems, November 2001: Provides guidance for the deployment of intrusion detection systems (IDS).

19) NIST SP 800-26, Guide to Conducting Security Self-Assessments for Information Technology Systems, November 2001: Provides guidance for conducting self-assessments on IT systems.

20) NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, January 2002: Provides guidance on firewalls and firewall policy.
Office of Personnel Management (OPM) Website

The Computer Security Act of 1987 assigned the responsibility for issuing security training requirements to the Office of Personnel Management (OPM). OPM also specifies the procedures for designating sensitive positions and screening the incumbents.

1) OPM, 5 CFR, Part 930.302, OPM Training Requirements: Specifies the content of computer security awareness training for Executives, Program & Functional Managers, IRM, Security & Audit personnel, ADP Management & Operations personnel, and End Users.
NON-REGULATORY DOCUMENTS

Department of Justice (DOJ) Website

DOJ enforces the law and defends the interests of the United States, provides Federal leadership in preventing and controlling crime, seeks just punishment for those guilty of unlawful behavior, administers and enforces the Nation's immigration laws fairly and effectively, and ensures fair and impartial administration of justice for all Americans.
1) DOJ, Federal Guidelines for Searching and Seizing Computers, July 1994: Guidelines and legal awareness for seizing and searching computer systems used in the act of a crime.

2) DOJ, Federal Guidelines for Searching and Seizing Computers - Supplement I, October 1997.

3) DOJ, Federal Guidelines for Searching and Seizing Computers - Supplement II, January 1999.

4) DOJ, CCIPS, Searching and Seizing Computers, January 2001: Computer Crime & Intellectual Property Section (CCIPS) guide for searching and seizing computers and obtaining electronic evidence in criminal investigations.

5) DOJ, Banner, Sample Network Logon Banner, August 2001: A checklist of issues that may be considered when drafting a banner, as well as sample banners.