Page:United States Statutes at Large Volume 101 Part 3.djvu/427

 PUBLIC LAW 100-235—JAN. 8, 1988

101 STAT. 1725

"(1) have the mission of developing standards, guidelines, and associated methods and techniques for computer systems; "(2) except as described in paragraph (3) of this subsection (relating to security standards), develop uniform standards and guidelines for Federal computer systems, except those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code; "(3) have responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems except— "(A) those systems excluded by section 2315 of title 10, United States Code, or section 3502(2) of title 44, United States Code; and "(B) those systems which are protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy, the primary purpose of which standards and guidelines shall be to control loss and unauthorized modification or disclosure of sensitive information in such systems and to prevent computerrelated fraud and misuse; "(4) submit standards and guidelines developed pursuant to paragraphs (2) and (3) of this subsection, along with recommendations as to the extent to which these should be made compulsory and binding, to the Secretary of Commerce for promulgation under section 111(d) of the Federal Property and Administrative Services Act of 1949; "(5) develop guidelines for use by operators of Federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice, as required by section 5 of the Computer Security Act of 1987; and "(6) develop validation procedures for, and evaluate the effectiveness of, standards and guidelines developed pursuant to paragraphs (1), (2), and (3) of this subsection through research and liaison with other government and private agencies. "(b) In fulfilling subsection (a) of this section, the National Bureau of Standards is authorized— "(1) to assist the private sector, upon request, in using and applying the results of the programs and activities under this section; "(2) to make recommendations, as appropriate, to the Administrator of General Services on policies and regulations proposed pursuant to section 111(d) of the Federal Property and Administrative Services Act of 1949; "(3) as requested, to provide to operators of Federal computer systems technical assistance in implementing the standards and guidelines promulgated pursuant to section 111(d) of the Federal Property and Administrative Services Act of 1949; "(4) to assist, as appropriate, the Office of Personnel Mansige- Regulations. ment in developing regulations pertaining to training, as required by section 5 of the Computer Security Act of 1987; "(5) to perform research and to conduct studies, as needed, to determine the nature and extent of the vulnerabilities of, and to

�