
U.S. Office of Personnel Management - Ensuring the Federal Government has an effective civilian workforce


E-Gov - Human Resources Line of Business - HR LOB


Applicable Laws


The following laws, regulations, and policies apply to EHRI systems:

Public Laws:

  • Public Law 89-554, Freedom of Information Act of 1974 [5 U.S.C. § 552], 1966, amended 1974, 1976, 1978, 1984, 1986, 1996
  • Public Law 93-579, Privacy Act of 1974 [5 U.S.C. § 552a], December 31, 1974
  • Public Law 99-474, Computer Fraud & Abuse Act of 1986 [18 U.S.C. § 1030]
  • Public Law 104-13, Paperwork Reduction Act of 1995, May 1995
  • Public Law 104-106, Division E, Clinger-Cohen Act of 1996 (formerly Information Technology Management Reform Act), February 10, 1996
  • Public Law 104-191, Health Insurance Portability and Accountability Act of 1996, August 21, 1996
  • Public Law 107-347 [H.R. 2458], The E-Government Act of 2002 (Title III of this Act is the Federal Information Security Management Act of 2002), December 17, 2002

Directives:

  • Circular A-123, Management Accountability and Control, June 29, 1995
  • Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, November 28, 2000
  • Memorandum M-02-01, Guide for Reporting and Submitting Security Plans of Action and Milestones, October 17, 2001
  • Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 30, 2003
  • Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006
  • Memorandum M-06-16, Protection of Sensitive Agency Information, June 23, 2006
  • Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006
  • Additional OMB circulars, memoranda, and other OMB guidance can be found at http://www.whitehouse.gov/omb/

Guidance:

  • FIPS PUB 199, Standards for Security Categorization of Information and Information Systems, February 2004
  • FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006
  • FIPS PUB 140-2, Security Requirements for Cryptographic Modules, May 15, 2001
  • NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004
  • NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002
  • NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems, December 2006
  • NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volumes I and II, June 2004
  • NIST SP 800-61, Computer Security Incident Handling Guide, January 2004
  • NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers, May 2005
  • NIST SP 800-88, Guidelines for Media Sanitization, September 2006
  • NIST SP 800-92, Guide to Computer Security Log Management, September 2006
  • Additional FIPS, NIST Special Publications, and other NIST guidance can be found at http://csrc.nist.gov/publications/index.html.

C&A materials and annual ST&Es are available by appointment in OPM's secure reading room.