Page:United States Statutes at Large Volume 101 Part 3.djvu/431

 PUBLIC LAW 100-235—JAN. 8, 1988

101 STAT. 1729

Affairs of the Senate and shall be published promptly in the Federal Register. "(4) The Administrator shall revise the Federal information re- Regulations, sources management regulations (41 CFR ch. 201) to be consistent with the standards and guidelines promulgated by the Secretary of Commerce under this subsection. "(5) As used in this subsection, the terms 'Federal computer - -^>,,, system' and 'operator of a Federal computer system' have the meanings given in section 20(d) of the National Bureau of Standards Act.". SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.

(a) IN GENERAL.—Each Federal agency shall provide for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency. Such training shall be— (1) provided in accordance with the guidelines developed pursuant to section 20(a)(5) of the National Bureau of Standards Act (as added by section 3 of this Act), and in accordance with the regulations issued under subsection (c) of this section for Federal civilian employees; or (2) provided by an alternative training program approved by the head of that agency on the basis of a determination that the alternative training program is at least as effective in accomplishing the objectives of such guidelines and regulations. (b) TRAINING OBJECTIVES.—Training under this section shall be started within 60 days after the issuance of the regulations described in subsection (c). Such training shall be designed— (1) to enhance employees' awareness of the threats to and vulnerability of computer systems; and (2) to encourage the use of improved computer security practices. (c) REGULATIONS.—Within six months after the date of the enactment of this Act, the Director of the Office of Personnel Management shall issue regulations prescribing the procedures and scope of the training to be provided Federal civilian employees under subsection (a) and the manner in which such training is to be carried out.

40 USC 759 note.

'

^*

...

SEC. 6. ADDITIONAL RESPONSIBILITIES FOR COMPUTER SYSTEMS 40 USC 759 note. SECURITY AND PRIVACY. (a) IDENTIFICATION OP SYSTEMS THAT CONTAIN SENSITIVE INFORMA-

TION.—Within 6 months after the date of enactment of this Act, each Federal agency shall identify each Federal computer system, and system under development, which is within or under the supervision of that agency and which contains sensitive information. (b) SECURITY PLAN.—Within one year after the date of enactment of this Act, each such agency shall, consistent with the standards, guidelines, policies, and regulations prescribed pursuant to section 111(d) of the Federal Property and Administrative Services Act of 1949, establish a plan for the security and privacy of each Federal computer system identified by that agency pursuant to subsection (a) that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information contained in such system. Copies of each such plan shall be transmitted to the National Bureau of Standards

�