Information Technology: Federal Laws, Regulations, and Mandatory Standards for Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors

The federal government uses both voluntary partnerships with private industry and requirements in federal laws, regulations, and mandatory standards to help secure privately owned information technology (IT) systems and data within critical infrastructure sectors. As agreed, our objectives were to (1) identify, for each critical infrastructure sector, the federal laws, regulations, and mandatory standards that pertain to securing that sector's privately owned IT systems and data and (2) identify the enforcement mechanisms for each of those laws, regulations, and mandatory standards. To accomplish these objectives, we solicited information from the federal agencies responsible for overseeing each critical infrastructure sector to identify the applicable requirements, as well as the mechanisms and authorities available to the government to enforce compliance with them. On July 24, 2008, we presented a briefing to the staffs of two House Homeland Security Subcommittees: the Subcommittee on Transportation Security and Infrastructure Protection and the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. This report briefly summarizes our findings and transmits the presentation slides we used to brief the staffs. The full briefing, including our scope and methodology, is reprinted in enclosure I.

