Laws and rules governing how agencies manage security, including software:
* The Privacy, Paperwork Reduction and Computer Security acts. Require
agencies to protect sensitive information, including personal data stored
on government systems.
* The Office of Management and Budget Circular A-130, Appendix II.
Requires agencies to establish key security controls for information systems,
including conducting background checks of key staff and contractors working
* The National Institute of Standards and Technology Publications 800-12
and 800-18. Require agencies to document any changes to software and how
the changes affect the security of the system.
* The General Accounting Office's Federal Information Systems Control
Audit Manual. Suggests the criteria agencies need to assess software
and what they need to develop a policy that ensures the agency follows
applicable laws and OMB and NIST rules.