Computer Security Research and Training Act of 1985, H.R. 2889

GAO provided its views on H.R. 2889, the Computer Security Research and Training Act of 1985. Information stored in government computers and transmitted over connecting networks is vulnerable to unauthorized access and disclosure, fraudulent manipulation, and disruption. GAO endorsed the bill's purpose in requiring that: (1) the National Bureau of Standards (NBS) establish and conduct a computer security research and training program for the federal government; and (2) each federal agency provide mandatory periodic training in computer security. GAO found that only 2 of the 25 systems surveyed had a formal security training program and believes that the bill can be effectively used as a vehicle for addressing other related computer security management, research, and training issues. However, there is confusion concerning the levels of security required for the range of information involved and the lines of responsibility and authority. The Department of Defense (DOD) develops security standards for classified information, NBS handles the unclassified information standards, and the Office of Management and Budget (OMB) and the General Services Administration (GSA) are responsible for computer and telecommunications policy and standards. Recently, the White House issued a directive which establishes a Systems Security Steering Committee as the focal point for both military and civilian information systems security and fulfills the federal leadership role which GAO recommended. However, the directive: (1) does not cover information that is sensitive but is not considered critical to national security; (2) does not establish division of responsibilities for DOD and the civilian agencies; and (3) diffuses the recommendation for a central focus. GAO suggested that clear understanding of the roles of DOD, OMB, GSA, and NBS be established in conjunction with consideration of H.R. 2889.