Federal Cybersecurity Statutes

Public Law:

114-113

U.S. Code:

6 U.S.C. §§ 1501-1510

In plain terms. The Cybersecurity Act of 2015 was enacted as Division N of the Consolidated Appropriations Act, 2016. Its centerpiece, the Cybersecurity Information Sharing Act (CISA), authorizes private entities to share cyber threat in…

Public Law:

80-253

U.S. Code:

50 U.S.C. ch. 44 (§ 3001 et seq.)

In plain terms. The National Security Act of 1947 reorganized the U.S. military and intelligence establishment, creating the National Security Council, the Central Intelligence Agency, and a unified Department of Defense. It is the statu…

Public Law:

109-461

U.S. Code:

38 U.S.C. §§ 5721-5728

In plain terms. Enacted after the 2006 theft of a VA laptop exposed millions of veterans' records, this Act established a comprehensive information-security program within the Department of Veterans Affairs and created the Office of Info…

Public Law:

114-23

U.S. Code:

50 U.S.C. § 1861 et seq. (amending FISA)

In plain terms. The USA FREEDOM Act of 2015 ended the National Security Agency's bulk collection of telephone metadata under Section 215 of the USA PATRIOT Act, replacing it with a targeted system in which records remain with carriers an…

Public Law:

81-152

U.S. Code:

40 U.S.C. and 41 U.S.C.

In plain terms. The Federal Property and Administrative Services Act of 1949 created the General Services Administration and established the government-wide framework for acquiring, managing, and disposing of federal property and service…

Public Law:

113-283

U.S. Code:

44 U.S.C. § 3551 et seq.

In plain terms. FISMA 2014 is the law that sets how federal agencies must run their cybersecurity. It updated the 2002 version to keep pace with modern information and communications technology. Who it applies to. Federal agencies direct…

Public Law:

100-235

U.S. Code:

40 U.S.C. § 1441; 15 U.S.C. § 278g-3 (superseded)

In plain terms. This was Congress's first attempt to set minimum security practices for federal computers that handle sensitive information. It put one agency — today's NIST — in charge of writing the security standards. Who it applies t…

Public Law:

107-296

U.S. Code:

6 U.S.C. §§ 481-486

In plain terms. The Homeland Security Information Sharing Act, enacted as part of the Homeland Security Act of 2002, directs the President to establish procedures for sharing homeland security information—including classified and sensiti…

Public Law:

116-194

U.S. Code:

40 U.S.C. § 11301 note

In plain terms. The IT Modernization Centers of Excellence Program Act codified GSA's Centers of Excellence initiative, which provides agencies with centralized expertise to modernize legacy information technology. Its work includes clou…

Public Law:

104-106

U.S. Code:

40 U.S.C. ch. 113

In plain terms. The Information Technology Management Reform Act of 1996, enacted with the Federal Acquisition Reform Act as the Clinger-Cohen Act, required agencies to appoint Chief Information Officers and to use capital-planning and p…

Public Law:

113-274

U.S. Code:

15 U.S.C. §§ 272, 7421 et seq.

In plain terms. The Cybersecurity Enhancement Act of 2014 directed NIST to facilitate and support the development of a voluntary, industry-led set of standards and best practices to reduce cyber risk to critical infrastructure—the statut…

Public Law:

89-487

U.S. Code:

5 U.S.C. § 552

In plain terms. FOIA is the law that gives the public a right to request records from federal agencies, and requires agencies to publish certain information on their own. Who it applies to. Federal agencies (which must disclose) and anyo…

Public Law:

102-243

U.S. Code:

47 U.S.C. § 227

In plain terms. The Telephone Consumer Protection Act restricts telemarketing calls, automatic telephone dialing systems, prerecorded voice messages, and unsolicited faxes. Enforced by the FCC and through a private right of action, it is…

Public Law:

95-630

U.S. Code:

12 U.S.C. §§ 3401-3423

In plain terms. The Right to Financial Privacy Act of 1978 limits federal government access to the records of a customer held by banks and other financial institutions, generally requiring notice to the customer and a lawful process such…

Public Law:

103-322

U.S. Code:

18 U.S.C. §§ 2721-2725

In plain terms. The Driver's Privacy Protection Act of 1994 restricts the disclosure and use of personal information contained in state motor-vehicle records, permitting release only for enumerated purposes. It established federal privac…

Public Law:

104-13

U.S. Code:

44 U.S.C. ch. 35

In plain terms. The Paperwork Reduction Act of 1995 gives OMB's Office of Information and Regulatory Affairs oversight of federal information collection and information-resources management. It situates information security and privacy w…

Public Law:

106-102

U.S. Code:

15 U.S.C. §§ 6801-6809

In plain terms. Title V of the Gramm-Leach-Bliley Act requires financial institutions to protect the security and confidentiality of customers' nonpublic personal information. The implementing Safeguards Rule mandates a written informati…

Public Law:

73-416

U.S. Code:

47 U.S.C. ch. 5

In plain terms. The Communications Act of 1934 created the Federal Communications Commission and established the framework for regulating interstate wire and radio communications. Its customer proprietary network information (CPNI) provi…

Public Law:

117-263

U.S. Code:

44 U.S.C. § 3607 et seq.

In plain terms. This 2022 law wrote the government's cloud-security program, FedRAMP, into permanent federal law instead of leaving it as agency policy. FedRAMP is the standardized way agencies vet and approve cloud services that handle…

Public Law:

115-59

U.S. Code:

5 U.S.C. § 552a note

In plain terms. The Social Security Number Fraud Prevention Act of 2017 restricts federal agencies from including full Social Security numbers on documents sent by mail unless the agency determines inclusion is necessary. It is a targete…

Public Law:

107-56

U.S. Code:

50 U.S.C. and 18 U.S.C. (various)

In plain terms. The USA PATRIOT Act of 2001 substantially expanded federal surveillance and information-sharing authorities after the September 11 attacks, amending the Electronic Communications Privacy Act, the Foreign Intelligence Surv…

Public Law:

107-347

U.S. Code:

44 U.S.C. ch. 36

In plain terms. The E-Government Act of 2002 promoted electronic government services and information management, and—through its Title III—enacted the Federal Information Security Management Act (FISMA 2002). It also requires agencies to…

Public Law:

114-185

U.S. Code:

5 U.S.C. § 552 (amended)

In plain terms. The FOIA Improvement Act of 2016 strengthened the Freedom of Information Act by codifying the "foreseeable harm" standard for withholding, limiting the deliberative-process exemption to records less than 25 years old, and…

Public Law:

103-414

U.S. Code:

47 U.S.C. §§ 1001-1010

In plain terms. The Communications Assistance for Law Enforcement Act requires telecommunications carriers and equipment manufacturers to design their systems so that lawfully authorized electronic surveillance can be carried out. It ill…

Public Law:

107-296

U.S. Code:

6 U.S.C. ch. 1

In plain terms. The Homeland Security Act of 2002 created the Department of Homeland Security and consolidated numerous agencies and functions, including critical-infrastructure protection and cybersecurity coordination. It is the statut…

Public Law:

116-207

U.S. Code:

15 U.S.C. §§ 278g-3a to 278g-3e

In plain terms. The Internet of Things Cybersecurity Improvement Act of 2020 prohibits federal agencies from procuring IoT devices that do not meet NIST security standards and directs NIST and OMB to publish device-security and coordinat…

Public Law:

117-58

U.S. Code:

6 U.S.C. § 665g

In plain terms. The Cyber Response and Recovery Act authorizes the Secretary of Homeland Security, through CISA, to declare a "significant incident" and to draw on a Cyber Response and Recovery Fund to provide coordinated federal support…

Public Law:

106-554

U.S. Code:

44 U.S.C. § 3516 note

In plain terms. The Information Quality Act directs OMB to issue government-wide guidelines ensuring the quality, objectivity, utility, and integrity of information disseminated by federal agencies, and gives affected persons a means to…

Public Law:

105-304

U.S. Code:

17 U.S.C. §§ 512, 1201-1205

In plain terms. The Digital Millennium Copyright Act criminalizes circumvention of technological measures that control access to copyrighted works and provides safe harbors for online service providers. Its anti-circumvention provisions—…

Public Law:

113-291

U.S. Code:

40 U.S.C. § 11301 et seq.

In plain terms. The Federal Information Technology Acquisition Reform Act, enacted within the FY2015 NDAA, significantly strengthened agency CIO authority over IT budgeting, acquisition, and management. Stronger centralized IT governance…

Public Law:

115-182

U.S. Code:

38 U.S.C. § 1703 et seq.

In plain terms. The VA MISSION Act of 2018 consolidated and expanded the Department of Veterans Affairs' community-care programs, increasing the exchange of veterans' health information with non-VA providers. That expanded data sharing r…

Public Law:

117-103

U.S. Code:

6 U.S.C. § 681 et seq.

In plain terms. CIRCIA requires operators of critical infrastructure to tell the federal government when they suffer a serious cyber incident or pay a ransom, so threat information can be shared and acted on quickly. Who it applies to. "…

Public Law:

117-263

U.S. Code:

40 U.S.C. § 11301 note

In plain terms. This law pushes federal agencies to adopt American artificial-intelligence technology responsibly, with safeguards for privacy and civil liberties. Who it applies to. Federal agencies adopting AI — led by the Department o…

Public Law:

114-153

U.S. Code:

18 U.S.C. §§ 1836-1839

In plain terms. The Defend Trade Secrets Act of 2016 created a federal civil cause of action for trade-secret misappropriation, including provisions for ex parte seizure and whistleblower immunity. For contractors, it reinforces the lega…

Public Law:

107-347

U.S. Code:

44 U.S.C. § 3541 et seq. (superseded)

In plain terms. The original FISMA (2002) made information security a legal duty for federal agencies and put the Office of Management and Budget in charge of overseeing it. It is part of the Homeland Security Act of 2002. Who it applies…

Public Law:

83-703

U.S. Code:

42 U.S.C. ch. 23 (§ 2011 et seq.)

In plain terms. The Atomic Energy Act governs the control of nuclear materials and information, creating the unique category of "Restricted Data" that is classified at creation regardless of origin. It imposes stringent access, handling,…

Public Law:

116-179

U.S. Code:

52 U.S.C. § 20971; 18 U.S.C. § 1030 (amended)

In plain terms. The Defending the Integrity of Voting Systems Act amended the Computer Fraud and Abuse Act so that its prohibitions on unauthorized computer access expressly reach voting systems. It extended federal computer-crime protec…

Public Law:

117-58

U.S. Code:

Pub. L. 117-58 (various titles)

In plain terms. The Infrastructure Investment and Jobs Act of 2021 made substantial cybersecurity investments, including establishing the State and Local Cybersecurity Grant Program administered by CISA and FEMA and funding to protect cr…

Public Law:

96-480

U.S. Code:

15 U.S.C. § 3701 et seq.

In plain terms. This 1980 law set a national policy of moving technology developed with federal money out to industry, universities, and state and local governments so it gets used. Who it applies to. Federal research agencies, and the u…

Public Law:

96-511

U.S. Code:

44 U.S.C. ch. 35 (original)

In plain terms. The Paperwork Reduction Act of 1980 created the Office of Information and Regulatory Affairs and established central review of federal information-collection requests. It launched the federal information-resources managem…

Public Law:

104-106

U.S. Code:

40 U.S.C. § 11101 et seq.

In plain terms. The Clinger-Cohen Act overhauled how the government buys and manages information technology. It combines two laws: the Information Technology Management Reform Act and the Federal Acquisition Reform Act. Who it applies to…

Public Law:

108-447

U.S. Code:

Pub. L. 108-447 (omnibus)

In plain terms. The Consolidated Appropriations Act of 2005 was an omnibus appropriations measure that, among many provisions, funded and directed federal information-technology and privacy activities across agencies. Specific cybersecur…

Public Law:

99-474

U.S. Code:

18 U.S.C. § 1030

In plain terms. The CFAA is the core federal anti-hacking law. It makes it a crime to access computers without authorization or to go beyond the access you were given. Who it applies to. Anyone who accesses a protected computer — origina…

Public Law:

104-231

U.S. Code:

5 U.S.C. § 552 (amended)

In plain terms. The Electronic Freedom of Information Act Amendments of 1996 extended FOIA to electronic records, required agencies to maintain electronic reading rooms, and addressed the format and timeliness of electronic disclosures.…

Public Law:

96-157

U.S. Code:

42 U.S.C. § 3711 et seq.

In plain terms. The Justice System Improvement Act of 1979 reorganized federal criminal-justice assistance, establishing the Bureau of Justice Statistics, the National Institute of Justice, and related bodies. It shapes how justice data—…

Public Law:

117-58

U.S. Code:

6 U.S.C. § 665g

In plain terms. The State and Local Government Cybersecurity Improvement Act enhances coordination between DHS/CISA and state, local, tribal, and territorial governments, directing CISA's integration center to share threat information an…

Public Law:

104-104

U.S. Code:

47 U.S.C. (amending Communications Act)

In plain terms. The Telecommunications Act of 1996 overhauled U.S. communications law, deregulating much of the industry and amending the Communications Act of 1934. Its provisions on customer proprietary network information and carrier…

Public Law:

114-113

U.S. Code:

6 U.S.C. §§ 1501-1510

In plain terms. The Cybersecurity Information Sharing Act of 2015 (the core of the Cybersecurity Act of 2015) authorizes the voluntary exchange of cyber threat indicators and defensive measures between the private sector and the federal…

Public Law:

111-5

U.S. Code:

42 U.S.C. §§ 17921-17954

In plain terms. The HITECH Act, part of the 2009 Recovery Act, strengthened HIPAA by introducing mandatory breach notification, extending HIPAA obligations and direct liability to business associates, and increasing civil penalties. It m…

Public Law:

104-294

U.S. Code:

18 U.S.C. §§ 1831-1839

In plain terms. The Economic Espionage Act of 1996 criminalizes the theft of trade secrets, with enhanced penalties when the theft benefits a foreign government or instrumentality. It is a principal federal tool against state-sponsored a…

Public Law:

104-113

U.S. Code:

15 U.S.C. § 272 note

In plain terms. The National Technology Transfer and Advancement Act of 1995 directs federal agencies to use voluntary consensus standards in preference to government-unique standards. It is the legal basis for the federal government's r…

Public Law:

116-283

U.S. Code:

15 U.S.C. § 9401 et seq.

In plain terms. The National Artificial Intelligence Initiative Act of 2020, enacted within the FY2021 NDAA, coordinates federal AI research, standards, and workforce efforts and directs NIST to advance trustworthy-AI standards and risk-…

Public Law:

107-296

U.S. Code:

18 U.S.C. § 1030 (amended)

In plain terms. The Cyber Security Enhancement Act of 2002, enacted as part of the Homeland Security Act, increased criminal penalties under the Computer Fraud and Abuse Act and clarified emergency-disclosure provisions allowing provider…

Public Law:

83-740

U.S. Code:

13 U.S.C. (esp. §§ 9, 214)

In plain terms. Title 13 of the U.S. Code governs the Census and imposes some of the strongest confidentiality protections in federal law: census responses may be used only for statistical purposes and may not be disclosed in identifiabl…

Public Law:

105-318

U.S. Code:

18 U.S.C. § 1028

In plain terms. The Identity Theft and Assumption Deterrence Act of 1998 made identity theft a distinct federal crime and directed the FTC to serve as a central clearinghouse for victim complaints. It established identity-theft as a stan…

Public Law:

99-508

U.S. Code:

18 U.S.C. §§ 2510-2523, 2701-2713, 3121-3127

In plain terms. The Electronic Communications Privacy Act of 1986 governs the interception of communications in transit (Wiretap Act), access to stored communications (Stored Communications Act), and the use of pen registers and trap-and…

Public Law:

107-204

U.S. Code:

15 U.S.C. § 7201 et seq.

In plain terms. The Sarbanes-Oxley Act of 2002 imposed internal-control and financial-reporting requirements on public companies in the wake of major accounting scandals. Its Section 404 internal-controls mandate drives extensive IT gene…

Public Law:

116-50

U.S. Code:

44 U.S.C. § 3501 note

In plain terms. The Creating Advanced Streamlined Electronic Services for Constituents (CASES) Act requires federal agencies to accept electronic identity-verification and privacy-release consent forms. It modernized how agencies obtain…

Public Law:

115-435

U.S. Code:

44 U.S.C. § 3506 et seq.

In plain terms. The OPEN Government Data Act, enacted as Title II of the Foundations for Evidence-Based Policymaking Act of 2018, requires federal agencies to publish their data as open, machine-readable assets by default and to maintain…

Public Law:

104-191

U.S. Code:

42 U.S.C. § 1320d et seq.

In plain terms. The Health Insurance Portability and Accountability Act of 1996 authorized the HIPAA Privacy, Security, and Breach Notification Rules. The Security Rule requires covered entities and business associates to implement admin…

Public Law:

113-101

U.S. Code:

31 U.S.C. § 6101 note

In plain terms. The Digital Accountability and Transparency Act of 2014 standardized federal spending data and expanded public reporting through USAspending.gov. Reliable, standardized spending data supports oversight, but also requires…

Public Law:

110-325

U.S. Code:

42 U.S.C. § 12101 et seq.

In plain terms. The ADA Amendments Act of 2008 broadened the definition of disability under the Americans with Disabilities Act. In the IT context it reinforces the importance of accessible technology, which intersects with federal Secti…

Public Law:

115-390

U.S. Code:

40 U.S.C. § 1326 (FASC); 41 U.S.C. (SCRM)

In plain terms. The SECURE Technology Act of 2018 established the Federal Acquisition Security Council and authorized exclusion and removal orders against information-technology products and services that pose supply-chain risks. It is a…

Public Law:

109-476

U.S. Code:

18 U.S.C. § 1039

In plain terms. The Telephone Records and Privacy Protection Act of 2006 criminalizes obtaining confidential phone records through fraud or "pretexting" and the sale of such records. It targets a specific social-engineering technique use…

Public Law:

110-53

U.S. Code:

6 U.S.C. (various)

In plain terms. The Implementing Recommendations of the 9/11 Commission Act of 2007 advanced the national Information Sharing Environment and strengthened critical-infrastructure protection, transportation security, and intelligence coor…

Public Law:

115-435

U.S. Code:

44 U.S.C. § 3561 et seq.

In plain terms. The Confidential Information Protection and Statistical Efficiency Act of 2018, enacted within the Foundations for Evidence-Based Policymaking Act, protects the confidentiality of information collected by federal agencies…

Public Law:

94-409

U.S. Code:

5 U.S.C. § 552b

In plain terms. The Government in the Sunshine Act requires that meetings of multi-member federal agencies be open to public observation, subject to specific exemptions. It is part of the federal transparency framework alongside FOIA, wi…

Public Law:

105-277

U.S. Code:

15 U.S.C. §§ 6501-6506

In plain terms. The Children's Online Privacy Protection Act of 1998 restricts the online collection of personal information from children under 13 and requires verifiable parental consent. Its implementing FTC Rule imposes notice, conse…

Public Law:

105-147

U.S. Code:

17 U.S.C. § 506; 18 U.S.C. § 2319

In plain terms. The No Electronic Theft Act of 1997 closed a loophole by criminalizing willful copyright infringement even where the infringer derives no commercial gain. It expanded criminal liability for digital distribution of copyrig…

Public Law:

108-458

U.S. Code:

50 U.S.C. § 3001 et seq. (intelligence reform)

In plain terms. The Intelligence Reform and Terrorism Prevention Act of 2004 created the Office of the Director of National Intelligence and established the Information Sharing Environment to improve the exchange of terrorism information…

Public Law:

93-380

U.S. Code:

20 U.S.C. § 1232g

In plain terms. The Family Educational Rights and Privacy Act of 1974 protects the privacy of student education records, restricting disclosure without consent and granting access and amendment rights. It is the principal federal student…

Public Law:

116-260

U.S. Code:

40 U.S.C. § 11301 note

In plain terms. This law helps federal agencies adopt artificial intelligence by creating a center of expertise and assigning agencies to guide AI use across government. Who it applies to. Federal agencies adopting AI, supported by the G…

Public Law:

103-322

U.S. Code:

18 U.S.C. § 1030 (amended)

In plain terms. The Computer Abuse Amendments Act of 1994 amended the Computer Fraud and Abuse Act to add a private civil cause of action and to reach reckless and intentional damage to protected computers. It broadened both the scope an…

Public Law:

Originally 1863; major amendments 1986, 2009, 2010

U.S. Code:

31 U.S.C. §§ 3729–3733

In plain terms. The False Claims Act (FCA) is the government's main tool for punishing fraud against it. Its original caption read, "An Act to prevent and punish Frauds upon the Government of the United States." Who it applies to. Anyone…

Public Law:

91-508

U.S. Code:

31 U.S.C. §§ 5311-5336

In plain terms. The Currency and Foreign Transactions Reporting Act of 1970—the Bank Secrecy Act—requires financial institutions to keep records and file reports (such as Currency Transaction and Suspicious Activity Reports) to combat mo…

Public Law:

115-10

U.S. Code:

51 U.S.C. (NASA authorization)

In plain terms. The NASA Transition Authorization Act of 2017 set NASA's policy and program direction across an administration transition. For contractors it bears on the protection of sensitive space, scientific, and export-controlled t…

Public Law:

91-508

U.S. Code:

15 U.S.C. § 1681 et seq.

In plain terms. The Fair Credit Reporting Act (FCRA) limits when consumer credit reports can be pulled and used, and holds credit-reporting agencies accountable for handling that data carefully. Who it applies to. Consumer reporting agen…

Public Law:

63-311

U.S. Code:

15 U.S.C. §§ 41-58

In plain terms. The Federal Trade Commission Act created the FTC and, through Section 5's prohibition of "unfair or deceptive acts or practices," supplies the FTC's principal authority to bring data-security and privacy enforcement actio…