Summary

GAO discussed legislation which would provide for the security and privacy of sensitive information in federal computer systems through the: (1) development of computer security standards, research, and training; and (2) establishment of security plans by operators of federal computer systems that store and transmit sensitive information. GAO found that: (1) much of the underlying purpose of H.R. 145 is addressed in National Security Decision Directive (NSDD) 145, which assigns primary responsibility to the Department of Defense; (2) the definition of sensitive information covered by NSDD 145 includes unclassified information pertaining to a wide range of government interests not directly related to national security; and (3) although the Department of Commerce would be responsible for the protection of such information under H.R. 145, neither NSDD 145 nor H.R. 145 provides for any determination as to who might have legitimate access. GAO believes that H.R. 145: (1) does not go far enough to prevent the overzealous categorization of systems as sensitive; (2) needs to be strengthened to ensure that appropriate safeguards surround any tendency toward an unwarranted restriction of access to unclassified data; and (3) should explicitly state that its provisions are not to be construed as in any way modifying the availability of information under the terms of the Freedom of Information Act.