Federal Internet Law & Policy
An Educational Project

CyberSecurity: Federal Agencies

Dont be a FOOL; The Law is Not DIY



Department of Justice

Derived From: GAO Cybercrime Public and Private Entities Face Challenges in Addressing CyberthreatsPDF (June 2007)

"Implements and supports both the department’s Computer Crime Initiative, designed to combat electronic penetrations, data thefts, and cyber attacks on critical information systems, and the department’s aggressive battle to protect children from individuals who use computers and the Internet to sexually abuse and exploit them.

US Attorney's Office


Federal Trade Commission

"Both the public and private sectors have noted the importance of user education and consumer awareness relating to emerging cybersecurity threats. The Federal Trade Commission (FTC) has been a leader in this area, issuing consumer alerts and releasing several reports on spam as well as guidance for businesses on how to reduce identity theft. In addition, FTC has sponsored various events, including a spam forum in the spring of 2003, a spyware workshop in April 2004, and an e-mail authentication summit in the fall of 2004. Also notable is its Identity Theft Clearinghouse, an online resource for taking complaints from consumers." [GAO 05 p 7]

"The FTC’s enforcement authority stems from Section 5 of the FTC Act, which declares unlawful all “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). In order for the FTC to assert that a commercial practice is “unfair,” the consumer injury that results from the practice must be substantial, without corresponding benefits, and one that consumers cannot reasonably avoid.[15 U.S.C. § 45(n) (stating the FTC requirements for the FTC to utilize its unfairness authority)] Similarly, the FTC will bring an action against a company for engaging in a deceptive trade practice if the company makes a representation; that representation is likely to mislead reasonable consumers; and the representation is material. FTC Policy Statement on Deception, appended to Cliffdale Associates, Inc., 103 F.T.C. 110, 174 (1984) (noting the elements the FTC must establish to find a business practice deceptive under §5 of the FTC Act).] Using its authority, the FTC has brought several enforcement actions against companies for failing to safeguard consumer data through reasonable security measures. See, e.g., Complaint at 1-3, In the Matter of BJ’s Wholesale Club, Inc., (No. C-4148), 2005 WL 2395788 (F.T.C.) (alleging that BJ’s engaged in an unfair practice by failing to take reasonable data security measures); Complaint at 2-5, In the Matter of Twitter, Inc., (No. C-4316), 2011 WL 914034 (F.T.C.), (attacking Twitter’s data security practices as deceptive).] Over the past two decades, the FTC has engaged in numerous enforcement actions that have involved security breaches and other cybersecurity issues with a particular focus around personal privacy and data security issues.20 The FTC’s role in challenging both deceptive and unfair acts or practices in the data security area is vital so that companies’ voluntary efforts to implement specific cybersecurity best practices are backed by a legal obligation to implement reasonable and appropriate security. Public companies must also comply with the Information Integrity provisions of Sarbanes-Oxley that require management to certify internal controls are in place to address a wide range of issues including data security. 15 U.S.C. § 7262" - Cybersecurity, Innovation and the Internet Economy, The Department of Commerce Internet Policy Task Force, p. 12 (June 2011)  


Department of Commerce

The Board's authority does not extend to private sector systems or federal systems which process classified information.  Their objectives and duties include:

The membership of the Board consists of twelve members and a Chairperson.  TheDirector of NIST approves membership appointments and appoints the Chairperson. The Board meets quarterly throughout the year and all meetings are open to the public.

National Science Foundation

Department of State, Bureau of Diplomatic Security, Office of Computer Security, Cyber Threat Division

See Protecting Information

Critical Infrastructure Protection Board

Executive Order : Critical Infrastructure Protection in the Information Age, WH 10/16/01 ("I hereby establish the "President's Critical Infrastructure Protection Board" (the "Board")").  The Board has membership from the leadership of federal agencies.  It is not at this time clear what the Board will be doing. Howard Schmidt, Chairman of the PCIP

Other Agencies

One of the oldest and most active internal federal efforts is the US Dept of Energy Computer Incident Advisory Capability (CIAC) "provides on-call technical assistance and information to U.S. Department of Energy  (DOE) sites faced with computer security incidents. This central incident handling  capability is one component of all encompassing service provided to the DOE community.  The other services CIAC provides are: awareness, training, and education; trend, threat,  vulnerability data collection and analysis; and technology watch. CIAC was established in 1989 to serve the DOE Community. CIAC is one of two oldest response teams and is recognized nationally and internationally for its contributions to the Internet community. CIAC is a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide." Who is CIAC One of the more interesting services that CIAC provides is Hoaxbusters, an information source debunking many of the popular myths and legends on the Internet.  See HoaxbustersHoaxbusters!


Information Assurance Directorate

"NSA/CSS provides the Solutions, Products and Services, and conducts Defensive Information Operations, to achieve Information Assurance for information infrastructures critical to U.S. National Security interests."  NSA/CSS Infosec Page

"In order to enable our customers to protect and defend cyber systems, the NSA develops, and supports a variety of products and services. We also conduct ongoing research to aid in the development of next generation solutions. Our IA solutions must encompass a wide range of voice, data and video applications, extending across networked, tactical and satellite systems. IA solutions include the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine and support activities needed to implement the protect, detect and report, and respond elements of cyber defense.

"The Information Assurance Framework Forum, developed in a collaborative effort by NSA solution architects, customers with requirements, component vendors, and commercial integrators, guides our solution development. It finds the right solution for environments ranging from outerspace to the office or foxhole. Our framework provides top level guidance in addition to the specification of essential security features and assurances for the security products. It brings producers and consumers together before products are built so that products which better meet our customers' needs will be built.

"The internationally recognized Common Criteria (CC) employs standardized terms to describe the security functionality and assurance of consumers' requirements and manufacturers' products. CC-based Protection Profiles specify what consumers need at both the system and the component level to fulfill their mission. CC-based Security Targets describe how specific products meet consumers' requirements.

"These IA solutions take maximum advantage of commercial components, using NSA developed products and services to fill gaps in areas not satisfied by commercial offerings. Commercial-off-the-shelf (COTS) products include security products (e.g. a firewall) or security enabled or enhanced Information Technology (IT) products (e.g. an e-mail application or secure cellular phone). Our solutions include technologies and tools necessary for a layered defense-in-depth strategy and tools for defensive information operations such as intrusion detection, automated data reduction and modeling/simulation tools.

The NSA constantly works with its government and industry partners to facilitate emerging technology, taking the lead in problems not addressed by industry." About the ISSO



CERT Cordination Center

Other Federal Links


  • Child Online Protection (COP)
  • Cybersecurity Gateway
  • Global Security Agenda
  • International Multilateral Partnership Against Cyber Threats
  • States

     National Association of State CIOs

    "NASCIO represents state chief information officers and information resource executives and managers from the 50 states, six U. S. territories, and the District of Columbia. State members are senior officials from any of the three branches of state government who have executive-level and statewide responsibility for information resource management. Representatives from federal, municipal, and international governments and state officials who are involved in information resource management but do not have chief responsibility for that function participate in the organization as associate members. Private-sector firms and non-profit organizations may join as corporate members."  About NASCIO

    Multi State ISAC

    © Cybertelecom ::