In this Note, the author offers a broad-based critique of the statutory scheme that governs how the federal government must safeguard data on its information systems. Examining two illustrative case studies from major federal agencies, the author identifies serious structural flaws in the design and implementation of the relevant legislation. Through the lens of bureaucratic and organizational theory, he explains why the legislation is not well-suited to achieving comprehensive information security-and why the federal government’s track record in this area has been so poor. Finally, the author proposes five concrete reforms Congress should enact to address these shortcomings.
LawReview
