U.S. Office of Personnel Management www.opm.gov - Recruiting, Retaining and Honoring a World-Class Workforce to Serve the American People

E-Gov - Human Resources Line of Business - HR LOB

Applicable Laws

The following laws, regulations, and policies apply to EHRI systems:

Public Laws:

  • Public Law 89-554, Freedom of Information Act of 1974 [5 U.S.C. § 552], 1966, amended 1974, 1976, 1978, 1984, 1986, 1996
  • Public Law 93-579, Privacy Act of 1974 [5 U.S.C. § 552a], December 31, 1974
  • Public Law 99-474, Computer Fraud & Abuse Act of 1986 [18 U.S.C. § 1030]
  • Public Law 104-13, Paperwork Reduction Act of 1995, May 1995
  • Public Law 104-106, Division E, Clinger-Cohen Act of 1996 (formerly Information Technology Management Reform Act), February 10, 1996
  • Public Law 104-191, Health Insurance Portability and Accountability Act of 1996, August 21, 1996
  • Public Law 107-347 [H.R. 2458], The E-Government Act of 2002 (Title III of this Act is the Federal Information Security Management Act of 2002), December 17, 2002

Directives:

  • Circular A-123, Management Accountability and Control, December 21, 2004
  • Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, November 28, 2000
  • Memorandum M-02-01, Guide for Reporting and Submitting Security Plans of Action and Milestones, October 17, 2001
  • Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 30, 2003
  • Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006
  • Memorandum M-06-16, Protection of Sensitive Agency Information, June 23, 2006
  • Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006
  • Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007
  • Additional OMB circulars, memoranda, and other OMB guidance found at http://www.whitehouse.gov/omb/e-gov/.

Guidance:

  • FIPS PUB 199, Standards for Security Categorization of Information and Information Systems, February 2004
  • FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006
  • FIPS PUB 140-2, Security Requirements for Cryptographic Modules, May 25, 2001
  • NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006
  • NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002
  • NIST SP 800-37 Revision 1, Guide for the Security Certification and Accreditation of Federal Information Systems, February 2010
  • NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002
  • NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, August 2009
  • NIST SP 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, Volumes I and II, August 2008
  • NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide, March 2008
  • NIST SP 800-70 Revision 1, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers, September 2009
  • NIST SP 800-88, Guidelines for Media Sanitization, September 2006
  • NIST SP 800-92, Guide to Computer Security Log Management, September 2006
  • Additional FIPS, NIST Special Publications, and other NIST guidance found at http://csrc.nist.gov/publications/index.html.

Certification and Accreditation materials and the annual system test and evaluations are available for review by appointment in OPM's secure reading room.

This page can be found on the web at the following URL: http://www.opm.gov/egov/e-gov/EHRI/applicable_laws.asp