Clinger-Cohen Act of 1996

Citation[]

Clinger-Cohen Act of 1996, Pub. L. No. 104-106 (Div. D and E), 110 Stat. 186, 642 (Feb. 10, 1996) (full-text), codified at 40 U.S.C. §11101 et seq. (full-text).

Overview[]

The Act was initially Division D and Division E of the National Defense Authorization Act of 1996 (NDAA). Division D of the Act was the Federal Acquisition Reform Act of 1996 (FARA) and Division E was the Information Technology Management Reform Act of 1996 (ITMRA). Both divisions of the Act made significant changes to defense acquisition policy.

The law, initially titled the Information Technology Management Reform Act of 1996, was subsequently renamed the Clinger-Cohen Act in Pub. L. No. 104-208 (Sept. 30, 1996). It substantially revised the way that IT resources are managed and procured by the U.S. government, including a requirement that each agency design and implement a process for maximizing the value and assessing and managing the risks of IT investments.

The Act makes every federal agency responsible for its own IT acquisition, and requires the purchase of the best and most cost-effective technology available.

The Act also made agency heads responsible for ensuring the adequacy of agency information security policies and procedures, established the chief information officer (CIO) position in agencies, and gave the Secretary of Commerce authority to make promulgated security standards mandatory.

The Act requires the Office of Management and Budget (OMB) to oversee major IT acquisitions and equires OMB to promulgate, in consultation with the Secretary of Homeland Security, compulsory federal computer standards based on those developed by the National Institute of Standards and Technology (NIST).^[1]

The Act exempts national security systems from most provisions.

Application to cybersecurity[]

With the increasing globalization of the IT hardware and software industries, concerns have been growing among cybersecurity experts about potential vulnerabilities at various points along the supply chain for IT products.

Congress and the executive branch have debated the limits of the authority and jurisdiction of CIOs since their establishment. In the private sector, CIOs may often serve as the senior IT decisionmaker. In federal agencies, in contrast, CIOs do not have budgetary control or authority over IT resources.^[2] The Obama Administration has indicated its intention to change the role of CIOs "away from just policymaking and infrastructure maintenance, to encompass true portfolio management for all IT," including information security.^[3] The White House Proposal does not include any provisions related to that proposed change, but additional legislative authority may be required for such a change to be fully implemented.

References[]

↑ The Act originally gave this promulgation authority to the Secretary of Commerce, while providing the President authority to disapprove or modify such standards, and gave the Secretary authority to waive the standards in specific cases to avoid adverse financial or mission-related impacts. The Federal Information Security Management Act of 2002 (FISMA), enacted as part of the Homeland Security Act of 2002, transferred that authority to OMB.
↑ They do have authority under FISMA to ensure compliance with that law's information security requirements (44 U.S.C. §3544). Some agency CIOs also have statutory authority in addition to that provided by Clinger-Cohen and FISMA. For example, the CIO of the intelligence community has procurement approval authority for IT (50 U.S.C. §403-3g), and CIOs within DOD have budgetary review authority (10 U.S.C. § 2223).
↑ OMB Memorandum M-11-29, at 1-2.

Source[]

Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, at 28-29.

[1] The Act originally gave this promulgation authority to the Secretary of Commerce, while providing the President authority to disapprove or modify such standards, and gave the Secretary authority to waive the standards in specific cases to avoid adverse financial or mission-related impacts. The Federal Information Security Management Act of 2002 (FISMA), enacted as part of the Homeland Security Act of 2002, transferred that authority to OMB.

[2] They do have authority under FISMA to ensure compliance with that law's information security requirements (44 U.S.C. §3544). Some agency CIOs also have statutory authority in addition to that provided by Clinger-Cohen and FISMA. For example, the CIO of the intelligence community has procurement approval authority for IT (50 U.S.C. §403-3g), and CIOs within DOD have budgetary review authority (10 U.S.C. § 2223).

[3] OMB Memorandum M-11-29, at 1-2.

[1]

[2]

[3]