What is the Computer Security Act of 1987?

The Computer Security Act of 1987 was enacted by the United States Congress in 1987 in an early attempt to establish standards for the security of the new generation of computers owned by the national government. Another objective of the act was to give legislative recognition to the idea that there exists a kind of information that didn’t qualify as “secret,” yet deserved safeguarding on the nation’s computer systems. Giving effect to that recognition by establishing security protocols and training to work with and safeguard it was the bulk of the Computer Security Act of 1987, as well as naming a single federal entity, the National Bureau of Standards, to oversee and coordinate these efforts throughout the federal government

In the early 1980s, what were then called personal computers were acknowledged as powerful tools, and the world wide web was still in its formative stages, but the full potential and vulnerabilities of computers had only been guessed at. The federal government was already a major user of desktop computers, both standalone and networked, but there was no central authority responsible for overseeing security and training issues; instead, responsibility for federally-owned computers, and the information they stored, was divided haphazardly among three agencies. Setting computer security policy for the federal government was the responsibility of the Office of Management and Budget, and the Commerce Department had responsibility for setting processing and computing standards of computers purchased by the government. The National Security Agency (NSA), in turn, was charged with securing classified information on federal computers. Coordination of efforts among these three agencies was nonexistent, and turf wars were common.

In 1984, President Ronald Reagan signed a directive that created a structure within which the NSA, Department of Defense (DoD) and the National Security Council had significant responsibilities in developing computer security standards, but their activities appeared to commingle civilian and defense matters, as well as jeopardize civilian access to government records. Reagan’s order was rescinded during hearings on the Computer Security Act of 1987, which were held because of failure to pass legislation in 1985 that was intended to assign to the National Bureau of Standards the job of developing and enforcing security standards for federal computers.

The Computer Security Act of 1987 addressed four specific areas. First, it established a new level of security classification: "sensitive," which was given to information that should be safeguarded but didn’t rise to the level of “secret.” Second, it required the development of uniform security policies and practices for federal computer systems that held sensitive material, as well as the identification of those systems. Third, the act called for the uniform standards of training for personnel assigned to operate those systems. The Act finally assigned to the National Bureau of Standards the task of developing minimum acceptable standards for the security of all federal computers and computer systems, with the assistance of the NSA. The object of numerous hearings and revisions, the Computer Security Act of 1987 was finally superseded by the Federal Information Security Management Act of 2002.