Brief History of Electronic Law
The Federal Information Security Management Act (FISMA)[1], signed into law by the President as part of the E-Government Act of 2002, permanently reauthorized and amended several previous laws. Whether the goal was reducing or eliminating paper waste in the government, standardizing technologies and processes, or securing government resources, all of these laws were designed to give the federal government an edge in addressing the changing world of technology.
The first laws, the Paperwork Reduction Act of 1980 and 1995 (PRA)[2] and the Government Paperwork Elimination Act of 1998 (GPEA)[3], were meant to move the federal government from a paper-based bureaucracy, where inconsistencies across agencies wasted money and resources, to an "efficient, effective and economical"[4] government that shared information and resources by taking advantage of technology and all it had to offer. Soon to follow were laws (the Computer Security Act of 1987 (CSA)[5] and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)[6]) designed to secure the federal IT infrastructure as well as to emphasize "a risk-based policy for cost effective security."[7] To help federal agencies comply with these laws, the Office of Management and Budget (OMB) released Circular A-130, Appendix A, Security of Federal Automated Information Resources. Circular A-130 required federal agencies to:

"plan for security; ensure that appropriate officials are assigned security responsibility; periodically review the security controls in their information systems; and authorize system processing prior to operations and, periodically, thereafter."[8]

Specifically called out in Circular A-130, agencies must execute the accreditation process, thereby making the agency accountable for its own systems, which includes completing risk assessments and security plans. Additionally, Circular A-130 introduced into law the definitions of General Support System (GSS) and

1 FISMA – http://csrc.nist.gov/policies/FISMA-final.pdf
2 Paperwork Reduction Act of 1995 – http://www.cio.gov/Documents/paperwork_reduction_act_1995.htm
3 H.R. 4328, Title XVII: Government Paperwork Elimination Act of 1998 – http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=105_cong_public_laws&docid=f:publ277.105.pdf; and OMB Procedures and Guidance on Implementing the GPEA – http://www.whitehouse.gov/omb/memoranda/m00-10.html
4 OMB Circular A-130, Section 5: Background – http://whitehouse.gov/omb/circulars/a130/print/a130.html
5 Computer Security Act of 1987 – http://www.cio.gov/Documents/computer_security_act_Jan_1998.html
6 Clinger-Cohen Act – http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html
7 Security Certification and Accreditation Project: Background – http://csrc.nist.gov/sec-cert/ca-background.html
8 Ibid.

© SANS Institute 2004, Author retains full rights. As part of the Information Security Reading Room.