by Unknown
related policies, procedures, standards, and guidelines, including—
(i) information security standards promulgated under section 11331 of title 40; and
(ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and
(C) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
(2) ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through
(A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
(B) determining the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under section 11331 of title 40, for information security classifications and related requirements;
(C) implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and
(D) periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented;
(3) delegate to the agency Chief Information Officer established under section 3506 (or comparable official in an agency not
Appendix C: Government Data Privacy Laws
369
covered by such section) the authority to ensure compliance with the requirements imposed on the agency under this subchapter, including
(A) designating a senior agency information security officer who shall—
(i) carry out the Chief Information Officer’s responsibilities under this section;
(ii) possess professional qualifications, including training and experience, required to administer the functions described under this section;
(iii) have information security duties as that official’s primary duty; and
(iv) head an office with the mission and resources to assist in ensuring agency compliance with this section;
(B) developing and maintaining an agency-wide information security program as required by subsection (b);
(C) developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 3543 of this title, and section 11331 of title 40;
(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and
(E) assisting senior agency officials concerning their responsibilities under paragraph (2);
(4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and
(5) ensure that the agency Chief Information Officer, in coordination with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.
(b) Agency Program—Each agency shall develop, document, and implement an agency-wide information security program, approved by the Director under section 3543 (a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes—
(1) periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
(2) policies and procedures that
(A) are based on the risk assessments required by paragraph (1);
(B) cost-effectively reduce information security risks to an acceptable level;
(C) ensure that information security is addressed throughout the life cycle of each agency information system; and
(D) ensure compliance with—
(i) the requirements of this subchapter;
(ii) policies and procedures as may be prescribed by the Director, and information security standards promulgated under section 11331 of title 40;
(iii) minimally acceptable system configuration requirements, as determined by the agency; and
(iv) any other applicable requirements, including standards and guidelines for national security systems issued in accordance with law and as directed by the President;
(3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate;
(4) security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of
(A) information security risks associated with their activities; and
(B) their responsibilities in complying with agency policies and procedures designed to reduce these risks;
(5) periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, of which such testing—
(A) shall include testing of management, operational, and technical controls of every information system identified in the inventory required under section 3505 (c); and
(B) may include testing relied on in an evaluation under section 3545;
(6) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
(7) procedures for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued pursuant to section 3546 (b), including—
(A) mitigating risks associated with such incidents before substantial damage is done;
(B) notifying and consulting with the Federal information security incident center referred to in section 3546; and
(C) notifying and consulting with, as appropriate—
(i) law enforcement agencies and relevant Offices of Inspector General;
(ii) an office designated by the President for any incident involving a national security system; and
(iii) any other agency or office, in accordance with law or as directed by the President; and
(8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
(c) Agency Reporting—Each agency shall—
(1) report annually to the Director, the Committees on Government Reform and Science of the House of Representatives, the Committees on Governmental Affairs and Commerce, Science, and Transportation of the Senate, the appropriate authorization and appropriations committees of Congress, and the Comptroller General on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this subchapter, including compliance with each requirement of subsection (b);
(2) address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to—
(A) annual agency budgets;
(B) information resources management under subchapter 1 of this chapter;
(C) information technology management under subtitle III of title 40;
(D) program performance under sections 1105 and 1115–1119 of title 31, and sections 2801 and 2805 of title 39;
(E) financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101–576) (and the amendments made by that Act);
(F) financial management systems under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note); and
(G) internal accounting and administrative controls under section 3512 of title 31, (known as the “Federal Managers Financial Integrity Act”); and
(3) report any significant deficiency in a policy, procedure, or practice identified under paragraph (1) or (2)
(A) as a material weakness in reporting under section 3512 of title 31; and
(B) if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note).
(d) Performance Plan—
(1) In addition to the requirements of subsection (c), each agency, in consultation with the Director, shall include as part of the performance plan required under section 1115 of title 31 a description of—
(A) the time periods, and
(B) the resources, including budget, staffing, and training, that are necessary to implement the program required under subsection (b).
(2) The description under paragraph (1) shall be based on the risk assessments required under subsection (b)(2)(1).
(e) Public Notice and Comment—Each agency shall provide the public with timely notice and opportunities for comment on proposed information security policies and procedures to the extent that such policies and procedures affect communication with the public.
§ 3545. Annual Independent Evaluation
(a) In General.
(1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices.
(2) Each evaluation under this section shall include—
(A) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems;
(B) an assessment (made on the basis of the results of the testing) of compliance with
(i) the requirements of this subchapter; and
(ii) related information security policies, procedures, standards, and guidelines; and
(C) separate presentations, as appropriate, regarding information security relating to national security systems.
(b) Independent Auditor—Subject to subsection (c)
(1) for each agency with an Inspector General appointed under the Inspector General Act of 1978 or any other law, the annual evaluation required by this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency; and
(2) for each agency to which paragraph (1) does not apply, the head of the agency shall engage an independent external auditor to perform the evaluation.
(c) National Security Systems—For each agency operating or exercising control of a national security system, that portion of the evaluation required by this section directly relating to a national security system shall be performed—
(1) only by an entity designated by the agency head; and
(2) in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws.
(d) Existing Evaluations—The evaluation required by this section may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the applicable agency.
(e) Agency Reporting.
(1) Each year, not later than such date established by the Director, the head of each agency shall submit to the Director the results of the evaluation required under this section.
(2) To the extent an evaluation required under this section directly relates to a national security system, the evaluation results submitted to the Director shall contain only a summary and assessment of that portion of the evaluation directly relating to a national security system.
(f) Protection of Information—Agencies and evaluators shall take appropriate steps to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and regulations.
(g) OMB Reports to Congress.
(1) The Director shall summarize the results of the evaluations conducted under this section in the report to Congress required under section 3543 (a)(8).
(2) The Director’s report to Congress under this subsection shall summarize information regarding information security relating to national security systems in such a manner as
to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws.
(3) Evaluations and any other descriptions of information systems under the authority and control of the Director of Central Intelligence or of National Foreign Intelligence Programs systems under the authority and control of the Secretary of Defense shall be made available to Congress only through the appropriate oversight committees of Congress, in accordance with applicable laws.
(h) Comptroller General—The Comptroller General shall periodically evaluate and report to Congress on
(1) the adequacy and effectiveness of agency information security policies and practices; and
(2) implementation of the requirements of this subchapter.
§ 3546. Federal Information Security Incident Center
(a) In General—The Director shall ensure the operation of a central Federal information security incident center to—
(1) provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents;
(2) compile and analyze information about incidents that threaten information security;
(3) inform operators of agency information systems about current and potential information security threats, and vulnerabilities; and
(4) consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems (including the National Security Agency), and such other agencies or offices in accordance with law and as directed by the President regarding information security incidents and related matters.
(b) National Security Systems—Each agency operating or exercising control of a national security system shall share information