Which requirement does the Computer Security Act of 1987 mandate for federal computer systems that contain sensitive information?

The main concept is that federal agencies must create a formal framework for protecting sensitive information in their computer systems. The Computer Security Act of 1987 directs agencies to develop and implement security policies and procedures for information systems that handle sensitive data, designate a security official, and establish security plans for major systems. It also assigns the responsibility to NIST to develop standards and guidelines to support those policies and planning. This is about building a policy and planning foundation for information security, not mandating encryption of all data at rest, outsourcing security to contractors, or making logs openly accessible, which are not requirements of this act.