The CSA is an Act to provide for a computer standards program within the National Bureau of Standards (renamed to the National Institute of Standards and Technology), to provide government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems, and for other purposes.
The CSA was originally enacted as United States Public Law 100-235 on January 8, 1988, compiled at 101 Stat. 1724, and codified at 15 U.S.C. 272 et seq.
Purpose of the Act
- to rename the National Bureau of Standards as the National Institute of Standards and Technology and to modernize and restructure that agency to augment its unique ability to enhance the competitiveness of American industry while maintaining its traditional function as lead national laboratory for providing the measurements, calibrations, and quality assurance techniques which underpin United States commerce, technological progress, improved product reliability and manufacturing processes, and public safety;
- to assist private sector initiatives to capitalize on advanced technology;
- to advance, through cooperative efforts among industries, universities, and government laboratories, promising research and development projects, which can be optimized by the private sector for commercial and industrial applications;
- to promote shared risks, accelerated development, and pooling of skills which will be necessary to strengthen America’s manufacturing industries.
15 U.S.C. §272 Establishment, functions, and activities
(a) Establishment of National Institute of Standards and Technology
There is established within the Department of Commerce a science, engineering, technology, and measurement laboratory to be known as the National Institute of Standards and Technology (hereafter in this chapter referred to as the “Institute”).
(b) Functions of Secretary and Institute
The Secretary of Commerce (hereafter in this chapter referred to as the “Secretary”) acting through the Director of the Institute (hereafter in this chapter referred to as the “Director”) is authorized to serve as the President’s principal adviser on standards policy pertaining to the Nation’s technological competitiveness and innovation ability and to take all actions necessary and appropriate to accomplish the purposes of this chapter, including the following functions of the Institute—
(1) to assist industry in the development of technology and procedures needed to improve quality, to modernize manufacturing processes, to ensure product reliability, manufacturability, functionality, and cost-effectiveness, and to facilitate the more rapid commercialization, especially by small- and medium-sized companies throughout the United States, of products based on new scientific discoveries in fields such as automation, electronics, advanced materials, biotechnology, and optical technologies;
(2) to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for making measurements consistent with those standards;
(3) to facilitate standards-related information sharing and cooperation between Federal agencies and to coordinate the use by Federal agencies of private sector standards, emphasizing where possible the use of standards developed by private, consensus organizations;
(4) to enter into contracts, including cooperative research and development arrangements, and grants and cooperative agreements, in furtherance of the purposes of this chapter;
(5) to provide United States industry, Government, and educational institutions with a national clearinghouse of current information, techniques, and advice for the achievement of higher quality and productivity based on current domestic and international scientific and technical development;
(6) to assist industry in the development of measurements, measurement methods, and basic measurement technology;
(7) to determine, compile, evaluate, and disseminate physical constants and the properties and performance of conventional and advanced materials when they are important to science, engineering, manufacturing, education, commerce, and industry and are not available with sufficient accuracy elsewhere;
(8) to develop a fundamental basis and methods for testing materials, mechanisms, structures, equipment, and systems, including those used by the Federal Government;
(9) to assure the compatibility of United States national measurement standards with those of other nations;
(10) to cooperate with other departments and agencies of the Federal Government, with industry, with State and local governments, with the governments of other nations and international organizations, and with private organizations in establishing standard practices, codes, specifications, and voluntary consensus standards;
(11) to advise government and industry on scientific and technical problems;
(12) to invent, develop, and (when appropriate) promote transfer to the private sector of measurement devices to serve special national needs; and
(13) to coordinate technical standards activities and conformity assessment activities of Federal, State, and local governments with private sector technical standards activities and conformity assessment activities, with the goal of eliminating unnecessary duplication and complexity in the development and promulgation of conformity assessment requirements and measures.
(c) Implementation activities
In carrying out the functions specified in subsection (b), the Secretary, acting through the Director may, among other things—
(1) construct physical standards;
(2) test, calibrate, and certify standards and standard measuring apparatus;
(3) study and improve instruments, measurement methods, and industrial process control and quality assurance techniques;
(4) cooperate with the States in securing uniformity in weights and measures laws and methods of inspection;
(5) cooperate with foreign scientific and technical institutions to understand technological developments in other countries better;
(6) prepare, certify, and sell standard reference materials for use in ensuring the accuracy of chemical analyses and measurements of physical and other properties of materials;
(7) in furtherance of the purposes of this chapter, accept research associates, cash donations, and donated equipment from industry, and also engage with industry in research to develop new basic and generic technologies for traditional and new products and for improved production and manufacturing;
(8) study and develop fundamental scientific understanding and improved measurement, analysis, synthesis, processing, and fabrication methods for chemical substances and compounds, ferrous and nonferrous metals, and all traditional and advanced materials, including processes of degradation;
(9) investigate ionizing and nonionizing radiation and radioactive substances, their uses, and ways to protect people, structures, and equipment from their harmful effects;
(10) determine the atomic and molecular structure of matter, through analysis of spectra and other methods, to provide a basis for predicting chemical and physical structures and reactions and for designing new materials and chemical substances, including biologically active macromolecules;
(11) perform research on electromagnetic waves, including optical waves, and on properties and performance of electrical, electronic, and electromagnetic devices and systems and their essential materials, develop and maintain related standards, and disseminate standard signals through broadcast and other means;
(12) develop and test standard interfaces, communication protocols, and data structures for computer and related telecommunications systems;
(13) study computer systems (as that term is defined in section 278g–3(d) of this title) and their use to control machinery and processes;
(14) perform research to develop standards and test methods to advance the effective use of computers and related systems and to protect the information stored, processed, and transmitted by such systems and to provide advice in support of policies affecting Federal computer and related telecommunications systems;
(15) on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure (as defined under subsection (e));
(16) perform research to support the development of voluntary, consensus-based, industry-led standards and recommendations on the security of computers, computer networks, and computer data storage used in election systems to ensure voters can vote securely and privately.
(17) determine properties of building materials and structural elements, and encourage their standardization and most effective use, including investigation of fire-resisting properties of building materials and conditions under which they may be most efficiently used, and the standardization of types of appliances for fire prevention;
(18) undertake such research in engineering, pure and applied mathematics, statistics, computer science, materials science, and the physical sciences as may be necessary to carry out and support the functions specified in this section;
(19) host, participate in, and support scientific and technical workshops (as defined in section 202 of the American Innovation and Competitiveness Act);
(20) collect and retain any fees charged by the Secretary for hosting a scientific and technical workshop described in paragraph (19);
(21) notwithstanding title 31 of the United States Code, use the fees described in paragraph (20) to pay for any related expenses, including subsistence expenses for participants;
(22) compile, evaluate, publish, and otherwise disseminate general, specific and technical data resulting from the performance of the functions specified in this section or from other sources when such data are important to science, engineering, or industry, or to the general public, and are not available elsewhere;
(23) collect, create, analyze, and maintain specimens of scientific value;
(24) operate national user facilities;
(25) evaluate promising inventions and other novel technical concepts submitted by inventors and small companies and work with other Federal agencies, States, and localities to provide appropriate technical assistance and support for those inventions which are found in the evaluation process to have commercial promise;
(26) demonstrate the results of the Institute’s activities by exhibits or other methods of technology transfer, including the use of scientific or technical personnel of the Institute for part-time or intermittent teaching and training activities at educational institutions of higher learning as part of and incidental to their official duties; and
(27) undertake such other activities similar to those specified in this subsection as the Director determines appropriate.
(d) Management costs
In carrying out the extramural funding programs of the Institute, including the programs established under sections 278k and 278l of this title, the Secretary may retain reasonable amounts of any funds appropriated pursuant to authorizations for these programs in order to pay for the Institute’s management of these programs.
(e) Cyber risks
(1) In general
In carrying out the activities under subsection (c)(15), the Director—
(A) shall—
(i) coordinate closely and regularly with relevant private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations, including Sector Coordinating Councils and Information Sharing and Analysis Centers, and incorporate industry expertise;
(ii) consult with the heads of agencies with national security responsibilities, sector-specific agencies and other appropriate agencies, State and local governments, the governments of other nations, and international organizations;
(iii) identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks;
(iv) include methodologies—
(I) to identify and mitigate impacts of the cybersecurity measures or controls on business confidentiality; and
(II) to protect individual privacy and civil liberties;
(v) incorporate voluntary consensus standards and industry best practices;
(vi) align with voluntary international standards to the fullest extent possible;
(vii) prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes;
(viii) consider small business concerns (as defined in section 632 of this title); and
(ix) include such other similar and consistent elements as the Director considers necessary; and
(B) shall not prescribe or otherwise require—
(i) the use of specific solutions;
(ii) the use of specific information or communications technology products or services; or
(iii) that information or communications technology products or services be designed, developed, or manufactured in a particular manner.
(2) Limitation
Information shared with or provided to the Institute for the purpose of the activities described under subsection (c)(15) shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity. Nothing in this paragraph shall be construed to modify any regulatory requirement to report or submit information to a Federal, State, tribal, or local department or agency.
(3) Definitions
In this subsection:
(A) Critical infrastructure
The term “critical infrastructure” has the meaning given the term in section 5195c(e) of title 42.
(B) Sector-specific agency
The term “sector-specific agency” means the Federal department or agency responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.
(Mar. 3, 1901, ch. 872, §2, 31 Stat. 1449; July 22, 1950, ch. 486, §1, 64 Stat. 371; Pub. L. 92–317, §3(b), June 22, 1972, 86 Stat. 235; Pub. L. 100–235, §3(1), Jan. 8, 1988, 101 Stat. 1724; Pub. L. 100–418, title V, §5112(a), Aug. 23, 1988, 102 Stat. 1428; Pub. L. 102–245, title II, §201(e), Feb. 14, 1992, 106 Stat. 19; Pub. L. 104–113, §12(a), (b), Mar. 7, 1996, 110 Stat. 782; Pub. L. 110–69, title III, §§3002(c)(2)(A), 3013(b), Aug. 9, 2007, 121 Stat. 586, 598; Pub. L. 113–274, title I, §101(a), (b), Dec. 18, 2014, 128 Stat. 2972; Pub. L. 114–329, title I, §104(b)(4), title II, §§202(d), 205(a)(2)(B), title IV, §403, Jan. 6, 2017, 130 Stat. 2976, 2998, 3000, 3023; Pub. L. 115–236, §2(b), Aug. 14, 2018, 132 Stat. 2444.)
Action Cyber Times™ © 2018 All Rights Reserved.