Federal Information Security Management Act of 2002

From Privacy Wiki
Revision as of 05:59, 21 February 2020 by Eg (talk | contribs)

Text of Law

`SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3531. Purposes

   ``The purposes of this subchapter are to--
           ``(1) provide a comprehensive framework for ensuring the 
       effectiveness of information security controls over information 
       resources that support Federal operations and assets;
           ``(2) recognize the highly networked nature of the current 
       Federal computing environment and provide effective 
       governmentwide management and oversight of the related 
       information security risks, including coordination of 
       information security efforts throughout the civilian, national 
       security, and law enforcement communities;
           ``(3) provide for development and maintenance of minimum 
       controls required to protect Federal information and 
       information systems; and
           ``(4) provide a mechanism for improved oversight of Federal 
       agency information security programs.

``Sec. 3533. Authority and functions of the Director

   ``(a) The Director shall oversee agency information security policies and practices, including--

           ``(1) developing and overseeing the implementation of 
       policies, principles, standards, and guidelines on information 
       security, including through the promulgation of standards and 
       guidelines under section 5131 of the Clinger-Cohen Act of 1996 
       (40 U.S.C. 1441);
           ``(2) requiring agencies, consistent with the standards and 
       guidelines promulgated under such section 5131 and the 
       requirements of this subchapter, to identify and provide 
       information security protections commensurate with the risk and 
       magnitude of the harm resulting from the unauthorized use, 
       disclosure, disruption, modification, or destruction of--
                   ``(A) information collected or maintained by or on 
               behalf of an agency; or
                   ``(B) information systems used or operated by an 
               agency or by a contractor of an agency or other 
               organization on behalf of an agency;
           ``(3) coordinating the development of standards and 
       guidelines under section 20 of the National Institute of 
       Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
       and offices operating or exercising control of national 
       security systems (including the National Security Agency) to 
       assure, to the maximum extent feasible, that such standards and 
       guidelines are complementary with standards and guidelines 
       developed for national security systems;
           ``(4) overseeing agency compliance with the requirements of 
       this subchapter, including through any authorized action under 
       section 5113(b)(5) of the Clinger-Cohen Act of 1996 (40 U.S.C. 
       1413(b)(5)) to enforce accountability for compliance with such 
       requirements;
           ``(5) coordinating information security policies and 
       procedures with related information resources management 
       policies and procedures;
           ``(6) overseeing the development and operation of the 
       Federal information security incident center established under 
       section 3536; and
           ``(7) reporting to Congress on agency compliance with the 
       requirements of this subchapter, including--
                   ``(A) a summary of the findings of evaluations 
               required by section 3535;
                   ``(B) significant deficiencies in agency 
               information security practices; and
                   ``(C) planned remedial action to address such 
               deficiencies.
   ``(b) Except for the authorities described in paragraphs (4) and (7) of subsection (a), the authorities of the Director under this section shall not apply to national security systems.

``Sec. 3534. Federal agency responsibilities

   ``(a) The head of each agency shall--
           ``(1) be responsible for--
                   ``(A) providing information security protections 
               commensurate with the risk and magnitude of the harm 
               resulting from unauthorized use, disclosure, 
               disruption, modification, or destruction of--
                           ``(i) information collected or maintained 
                       by or on behalf of the agency; and
                           ``(ii) information systems used or operated 
                       by an agency or by a contractor of an agency or 
                       other organization on behalf of an agency;
                   ``(B) complying with the requirements of this 
               subchapter and related policies, procedures, standards, 
               and guidelines, including--
                           ``(i) information security standards and 
                       guidelines promulgated by the Director under 
                       section 5131 of the Clinger-Cohen Act of 1996 
                       (40 U.S.C. 1441); and
                           ``(ii) information security standards and 
                       guidelines for national security systems issued 
                       in accordance with law and as directed by the 
                       President; and
                   ``(C) ensuring that information security management 
               processes are integrated with agency strategic and 
               operational planning processes;
           ``(2) ensure that senior agency officials provide 
       information security for the information and information 
       systems that support the operations and assets under their 
       control, including through--
                   ``(A) assessing the risk and magnitude of the harm 
               that could result from the unauthorized use, 
               disclosure, disruption, modification, or destruction of 
               such information or information systems;
                   ``(B) determining the levels of information 
               security appropriate to protect such information and 
               information systems in accordance with standards and 
               guidelines promulgated under section 5131 of the 
               Clinger-Cohen Act of 1996 (40 U.S.C. 1441) for 
               information security classifications and related 
               requirements;
                   ``(C) implementing policies and procedures to cost-
               effectively reduce risks to an acceptable level; and
                   ``(D) periodically testing and evaluating 
               information security controls and techniques to ensure 
               that they are effectively implemented;
           ``(3) delegate to the agency Chief Information Officer 
       established under section 3506 (or comparable official in an 
       agency not covered by such section) the authority to ensure 
       compliance with the requirements imposed on the agency under 
       this subchapter, including--
                   ``(A) designating a senior agency information 
               security officer who shall--
                           ``(i) carry out the Chief Information 
                       Officer's responsibilities under this section;
                           ``(ii) possess professional qualifications, 
                       including training and experience, required to 
                       administer the functions described under this 
                       section;
                           ``(iii) have information security duties as 
                       that official's primary duty; and
                           ``(iv) head an office with the mission and 
                       resources to assist in ensuring agency 
                       compliance with this section;
                   ``(B) developing and maintaining an agencywide 
               information security program as required by subsection 
               (b);
                   ``(C) developing and maintaining information 
               security policies, procedures, and control techniques 
               to address all applicable requirements, including those 
               issued under section 3533 of this title, and section 
               5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441);
                   ``(D) training and overseeing personnel with 
               significant responsibilities for information security 
               with respect to such responsibilities; and
                   ``(E) assisting senior agency officials concerning 
               their responsibilities under subparagraph (2);
           ``(4) ensure that the agency has trained personnel 
       sufficient to assist the agency in complying with the 
       requirements of this subchapter and related policies, 
       procedures, standards, and guidelines; and
           ``(5) ensure that the agency Chief Information Officer, in 
       coordination with other senior agency officials, reports 
       annually to the agency head on the effectiveness of the agency 
       information security program, including progress of remedial 
       actions.
   ``(b) Each agency shall develop, document, and implement an agencywide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes--

           ``(1) periodic assessments of the risk and magnitude of the 
       harm that could result from the unauthorized use, disclosure, 
       disruption, modification, or destruction of information and 
       information systems that support the operations and assets of 
       the agency;
           ``(2) policies and procedures that--
                   ``(A) are based on the risk assessments required by 
               subparagraph (1);
                   ``(B) cost-effectively reduce information security 
               risks to an acceptable level;
                   ``(C) ensure that information security is addressed 
               throughout the life cycle of each agency information 
               system; and
                   ``(D) ensure compliance with--
                           ``(i) the requirements of this subchapter;
                           ``(ii) policies and procedures as may be 
                       prescribed by the Director, including 
                       information security standards and guidelines 
                       promulgated under section 5131 of the Clinger-
                       Cohen Act of 1996 (40 U.S.C. 1441); and
                           ``(iii) any other applicable requirements, 
                       including standards and guidelines for national 
                       security systems issued in accordance with law 
                       and as directed by the President;
           ``(3) subordinate plans for providing adequate information 
       security for networks, facilities, and systems or groups of 
       information systems, as appropriate;
           ``(4) security awareness training to inform personnel, 
       including contractors and other users of information systems 
       that support the operations and assets of the agency, of--
                   ``(A) information security risks associated with 
               their activities; and
                   ``(B) their responsibilities in complying with 
               agency policies and procedures designed to reduce these 
               risks;
           ``(5) periodic testing and evaluation of the effectiveness 
       of information security policies, procedures, and practices, to 
       be performed with a frequency depending on risk, but no less 
       than annually;
           ``(6) a process for ensuring remedial action to address any 
       deficiencies in the information security policies, procedures, 
       and practices of the agency;
           ``(7) procedures for detecting, reporting, and responding 
       to security incidents, consistent with guidance issued under 
       section 3536, including--
                   ``(A) mitigating risks associated with such 
               incidents before substantial damage is done;
                   ``(B) notifying and consulting with the Federal 
               information security incident center established under 
               section 3536; and
                   ``(C) notifying and consulting with, as 
               appropriate--
                           ``(i) law enforcement agencies and relevant 
                       Offices of Inspector General;
                           ``(ii) an office designated by the 
                       President for any incident involving a national 
                       security system; and
                           ``(iii) any other agency or office, in 
                       accordance with law or as directed by the 
                       President; and
           ``(8) plans and procedures to ensure continuity of 
       operations for information systems that support the operations 
       and assets of the agency.
   ``(c) Each agency shall--
           ``(1) report annually to the Director and the Comptroller 
       General on the adequacy and effectiveness of information 
       security policies, procedures, and practices, including 
       compliance with the requirements of this subchapter;
           ``(2) address the adequacy and effectiveness of information 
       security policies, procedures, and practices in plans and 
       reports relating to--
                   ``(A) annual agency budgets;
                   ``(B) information resources management under 
               subchapter 1 of this chapter;
                   ``(C) information technology management under the 
               Clinger-Cohen Act of 1996 (40 U.S.C. 1401 et seq.);
                   ``(D) program performance under sections 1105 and 
               1115 through 1119 of title 31, and sections 2801 and 
               2805 of title 39;
                   ``(E) financial management under chapter 9 of title 
               31, and the Chief Financial Officers Act of 1990 (31 
               U.S.C. 501 note; Public Law 101-576) (and the 
               amendments made by that Act);
                   ``(F) financial management systems under the 
               Federal Financial Management Improvement Act (31 U.S.C. 
               3512 note); and
                   ``(G) internal accounting and administrative 
               controls under section 3512 of title 31, United States 
               Code, (known as the `Federal Managers Financial 
               Integrity Act'); and
           ``(3) report any significant deficiency in a policy, 
       procedure, or practice identified under paragraph (1) or (2)--
                   ``(A) as a material weakness in reporting under 
               section 3512 of title 31, United States Code; and
                   ``(B) if relating to financial management systems, 
               as an instance of a lack of substantial compliance 
               under the Federal Financial Management Improvement Act 
               (31 U.S.C. 3512 note).
   ``(d)(1) In addition to the requirements of subsection (c), each agency, in consultation with the Director, shall include as part of the performance plan required under section 1115 of title 31 a description of--

           ``(A) the time periods, and
           ``(B) the resources, including budget, staffing, and 
       training,

that are necessary to implement the program required under subsection (b).

   ``(2) The description under paragraph (1) shall be based on the risk assessments required under subsection (b)(2)(1).

   ``(e) Each agency shall provide the public with timely notice and opportunities for comment on proposed information security policies and procedures to the extent that such policies and procedures affect communication with the public.

``Sec. 3535. Annual independent evaluation

   ``(a)(1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices.

   ``(2) Each evaluation by an agency under this section shall include--

           ``(A) testing of the effectiveness of information security 
       policies, procedures, and practices of a representative subset 
       of the agency's information systems;
           ``(B) an assessment (made on the basis of the results of 
       the testing) of compliance with--
                   ``(i) the requirements of this subchapter; and
                   ``(ii) related information security policies, 
               procedures, standards, and guidelines; and
           ``(C) separate presentations, as appropriate, regarding 
       information security relating to national security systems.
   ``(b) Subject to subsection (c)--
           ``(1) for each agency with an Inspector General appointed 
       under the Inspector General Act of 1978, the annual evaluation 
       required by this section shall be performed by the Inspector 
       General or by an independent external auditor, as determined by 
       the Inspector General of the agency; and
           ``(2) for each agency to which paragraph (1) does not 
       apply, the head of the agency shall engage an independent 
       external auditor to perform the evaluation.
   ``(c) For each agency operating or exercising control of a national security system, that portion of the evaluation required by this section directly relating to a national security system shall be performed--

           ``(1) only by an entity designated by the agency head; and
           ``(2) in such a manner as to ensure appropriate protection 
       for information associated with any information security 
       vulnerability in such system commensurate with the risk and in 
       accordance with all applicable laws.
   ``(d) The evaluation required by this section--
           ``(1) shall be performed in accordance with generally 
       accepted government auditing standards; and
           ``(2) may be based in whole or in part on an audit, 
       evaluation, or report relating to programs or practices of the 
       applicable agency.
   ``(e) The results of an evaluation required by this section shall be submitted to the Director no later than March 1, 2003, and every March 1 thereafter.

   ``(f) Agencies and evaluators shall take appropriate steps to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and regulations.

   ``(g)(1) The Director shall summarize the results of the evaluations conducted under this section in a report to Congress.

   ``(2) The Director's report to Congress under this subsection shall summarize information regarding information security relating to national security systems in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws.

   ``(3) Evaluations and any other descriptions of information systems under the authority and control of the Director of Central Intelligence or of National Foreign Intelligence Programs systems under the authority and control of the Secretary of Defense shall be made available to Congress only through the appropriate oversight committees of Congress, in accordance with applicable laws.

   ``(h) The Comptroller General shall periodically evaluate and report to Congress on--

           ``(1) the adequacy and effectiveness of agency information 
       security policies and practices; and
           ``(2) implementation of the requirements of this 
       subchapter.

``Sec. 3536. Federal information security incident center

   ``(a) The Director shall cause to be established and operated a central Federal information security incident center to--

           ``(1) provide timely technical assistance to operators of 
       agency information systems regarding security incidents, 
       including guidance on detecting and handling information 
       security incidents;
           ``(2) compile and analyze information about incidents that 
       threaten information security;
           ``(3) inform operators of agency information systems about 
       current and potential information security threats, and 
       vulnerabilities; and
           ``(4) consult with agencies or offices operating or 
       exercising control of national security systems (including the 
       National Security Agency) and such other agencies or offices in 
       accordance with law and as directed by the President regarding 
       information security incidents and related matters.
   ``(b) Each agency operating or exercising control of a national security system shall share information about information security incidents, threats, and vulnerabilities with the Federal information security incident center to the extent consistent with standards and guidelines for national security systems, issued in accordance with law and as directed by the President.

``Sec. 3537. National security systems

   ``The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency--

           ``(1) provides information security protections 
       commensurate with the risk and magnitude of the harm resulting 
       from the unauthorized use, disclosure, disruption, 
       modification, or destruction of the information contained in 
       such system;
           ``(2) implements information security policies and 
       practices as required by standards and guidelines for national 
       security systems, issued in accordance with law and as directed 
       by the President; and
           ``(3) complies with the requirements of this subchapter.

``Sec. 3538. Authorization of appropriations

   ``There are authorized to be appropriated to carry out the provisions of this subchapter such sums as may be necessary for each of fiscal years 2003 through 2007.

           (2) Clerical amendment.--The items in the table of sections 
       at the beginning of such chapter 35 under the heading.

Related harms under the Solove Taxonomy: Sec. 3531 - Insecurity; Sec. 3531(2)(A) - Surveillance; Sec. 3534 - Insecurity; Sec. 3536 - Insecurity; Sec. 3538 - Insecurity

Scope of the Law: Information Security