GAO QUERY ON COMPUTER SECURITY ACT OF 1987
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP90M00005R000600150012-2
Release Decision:
RIPPUB
Original Classification:
C
Document Page Count:
2
Document Creation Date:
December 22, 2016
Document Release Date:
September 20, 2012
Sequence Number:
12
Case Number:
Publication Date:
August 31, 1988
Content Type:
MEMO
Body:
Declassified in Part - Sanitized Copy Approved for Release 2012/09/20: CIA-RDP90M00005R000600150012-2
CONFIDENTIAL
OIT-0847/88
31 AUG 1988
MEMORANDUM FOR: Director of Congressional Affairs
FROM: Edward J. Maloney
Director of Information Technology
SUBJECT: GAO Query on Computer Security Act of 1987
REFERENCES: A. Letter fm GAO to DCI requesting completion
of attached questionnaire on Computer
Security Act of 1987, dtd 18 Jul 88
B. Letter fm GAO to DCI following up on
Reference A, dtd 3 Aug 88
C. Memo fm OMB, dtd 26 May 88, Subject:
Request for Comment on Draft Guidance...by
the Computer Security Act of 1987
D. OGC Memo OGC-81-05486, dtd 30 Jun 81
E. OS Memo OS-8-5628, dtd 15 Aug 88
1. PURPOSE: This memorandum presents OIT's rationale for claiming
exemption from reporting requirements of the Computer Security Act of 1987
and, consequently, exemption from completing the General Accounting Office
(GAO) questionnaire requested by references A and B. It also presents a
suggested response to GAO.
2. BACKGROUND: The Computer Security Act of 1987 is concerned with the
protection of "sensitive" information in federal computer systems. Sensitive
information is defined as "information that is not classified but the loss,
misuse, or unauthorized access to or modification of which could adversely
affect the national interest or the conduct of Federal programs, or the
privacy to which individuals are entitled." The Act, with certain exceptions,
requires the identification of all systems containing such sensitive
information and the establishment of security, privacy and security training
plans for such systems. The Act further requires that the National Bureau of
Standards and the National Security Agency receive copies of such plans. The
GAO questionnaire is a result of Congressional interest in determining the
extent to which federal agencies are complying with the requirements of the
Act.
DOWNGRADE TO AIUO WHEN
SEPARATED FROM ATTACHMENT
3. OIT POSITION: OIT's position is that the Agency is exempt from all
provisions of the Act, including the reporting provisions. The OMB guidance in
Reference C states in part that the Act does not apply to (a) "systems
containing classified information," (b) "systems involving intelligence
activities," or (c) "mixed classified/unclassified systems, providing that such
systems are always operated under rules for protecting classified information."
Most Agency systems meet parts (a) or (c) of this exemption. OIT believes that
those systems that are not covered by parts (a) or (c) are covered by part (b).
This assertion is supported by wording in the Act itself which exempts those
systems "excluded by section 3502(2) of Title 44, United States Code." This
section of the Code refers to exempting "intelligence activities" from
provisions of the Paperwork Reduction Act of 1980. In the opinion of the
General Counsel (reference D), all of the Agency's ADP (computer) equipment
would fit in this exemption. The reference in the Computer Security Act to
this section of the Code, combined with the General Counsel opinion including
all Agency ADP equipment within the scope of "intelligence activities," appears
to exempt all Agency systems from the Computer Security Act.
4. OS POSITION: The Office of Security has arrived at the same
conclusion, namely, that Agency systems are exempt. Reference E cites the
27 July 1988 OS response to the OMB guidance memorandum which refers not only
to Title 44, as above, but also to Section 2315 of Title 10, U.S.C.
5. I have attached for your consideration a draft response to the GAO
request.
Attachments:
A. References
B. Draft Response to GAO
Edward J. Maloney