COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

Resolution 97-2

June 6, 1997

In order to enhance security and privacy of Federal information systems and their data, and to strengthen the implementation of the Computer Security Act of 1987, information should be gathered about security events and vulnerabilities which exist in Federal computer systems. Such information provides a basis for security and privacy problems that may exist in multiple locations, be a repository for solutions to such problems, and a source of statistics by which progress for individual sites and for the Federal government as a whole can be tracked.

To avoid compromise of systems, it is imperative that certain aspects of this information be protected from disclosure. For example, details about the precise nature of the attack must be protected to prevent it from becoming a "cookbook" for hacker attackers.

Therefore, we resolve:

That NIST should --

1) define the data which must be collected by each civilian agency (e.g., virus attacks, network attacks, exploitation of software flaws, compromise of personal information, etc.);

2) develop a repository for the compilation of this data; and

3) develop a mechanism to report and track progress in these areas for each civilian Federal agency and for the composite of all.

FOR: Burns, Layton, Leo, Parker, Sanovic, Spix, Vetter, Weingarten
AGAINST: None
ABSTAIN: None
ABSENT: Fischer*

*Present at the meeting but not available for this vote