Computer Security Research and Training Act of 1985 - H.R. 2889
GAO ID: 127934 September 18, 1985

GAO presented its views on H.R. 2889, the Computer Security Research and Training Act of 1985, which would require the National Bureau of Standards to establish and conduct a computer security research and training program to address problems of computer security in the federal government. GAO endorsed the bill, but noted that there must be a clear understanding of the security levels required for the range of information involved, and clear lines of authority and responsibility must be established; presently, confusion exists on both these counts. GAO pointed out certain provisions of H.R. 2889 that overlap similar provisions of National Security Decision Directive 145, established as the focal point for both military and civilian information security, but without a clearly established division of responsibilities. GAO suggested that, since the Department of Defense (DOD) already conducts computer security research and training programs for all federal agencies for both classified and unclassified material, there is a possibility of commitment to inordinately expensive approaches to computer security because DOD treats cost as a secondary factor in determining the degree of protection involved. GAO also questioned the extent to which DOD should be involved in policy formulation and program administration within the government's civilian agencies. GAO noted that the assignment of responsibility for decisionmaking in this area is of long-range importance and should be thoroughly considered by Congress.