44 USC 3531: Purposes
Text contains those laws in effect on January 2, 2001
From Title 44-PUBLIC PRINTING AND DOCUMENTS, CHAPTER 35-COORDINATION OF FEDERAL INFORMATION POLICY, SUBCHAPTER II-INFORMATION SECURITY

§3531. Purposes

The purposes of this subchapter are the following:

(1) To provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets.

(2)(A) To recognize the highly networked nature of the Federal computing environment including the need for Federal Government interoperability and, in the implementation of improved security management measures, assure that opportunities for interoperability are not adversely affected.

(B) To provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities.

(3) To provide for development and maintenance of minimum controls required to protect Federal information and information systems.

(4) To provide a mechanism for improved oversight of Federal agency information security programs.

(Added Pub. L. 106–398, §1 [[div. A], title X, §1061], Oct. 30, 2000, 114 Stat. 1654, 1654A-266.)

Effective Date

Pub. L. 106–398, §1 [[div. A], title X, §1065], Oct. 30, 2000, 114 Stat. 1654, 1654A-275, provided that: "This subtitle [subtitle G (§§1061–1065) of title X of [div. A] of H.R. 5408, as enacted by section 1 of Pub. L. 106–398, enacting this subchapter, amending sections 3501 to 3507, 3509, 3512, 3514 to 3518, and 3520 of this title, and section 2224 of Title 10, Armed Forces, and enacting provisions set out as a note below] and the amendments made by this subtitle shall take effect 30 days after the date of the enactment of this Act [Oct. 30, 2000]."

Responsibilities of Certain Agencies

Pub. L. 106–398, §1 [[div. A], title X, §1062], Oct. 30, 2000, 114 Stat. 1654, 1654A-272, provided that:

"(a) Department of Commerce.-Notwithstanding section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) and except as provided under subsection (b), the Secretary of Commerce, through the National Institute of Standards and Technology and with technical assistance from the National Security Agency, as required or when requested, shall-

"(1) develop, issue, review, and update standards and guidance for the security of Federal information systems, including development of methods and techniques for security systems and validation programs;

"(2) develop, issue, review, and update guidelines for training in computer security awareness and accepted computer security practices, with assistance from the Office of Personnel Management;

"(3) provide agencies with guidance for security planning to assist in the development of applications and system security plans for such agencies;

"(4) provide guidance and assistance to agencies concerning cost-effective controls when interconnecting with other systems; and

"(5) evaluate information technologies to assess security vulnerabilities and alert Federal agencies of such vulnerabilities as soon as those vulnerabilities are known.

"(b) Department of Defense and the Intelligence Community.-

"(1) In general.-Notwithstanding any other provision of this subtitle [subtitle G (§§1061–1065) of title X of [div. A] of H.R. 5408, as enacted by section 1 of Pub. L. 106–398, see Effective Date note above] (including any amendment made by this subtitle)-

"(A) the Secretary of Defense, the Director of Central Intelligence, and another agency head as designated by the President, shall, consistent with their respective authorities-

"(i) develop and issue information security policies, standards, and guidelines for systems described under subparagraphs (A) and (B) of section 3532(b)(2) of title 44, United States Code (as added by section 1061 of this Act), that provide more stringent protection, to the maximum extent practicable, than the policies, principles, standards, and guidelines required under section 3533 of such title (as added by such section 1061); and

"(ii) ensure the implementation of the information security policies, principles, standards, and guidelines described under clause (i); and

"(B) the Secretary of Defense shall, consistent with his authority-

"(i) develop and issue information security policies, standards, and guidelines for systems described under subparagraph (C) of section 3532(b)(2) of title 44, United States Code (as added by section 1061 of this Act), that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that provide more stringent protection, to the maximum extent practicable, than the policies, principles, standards, and guidelines required under section 3533 of such title (as added by such section 1061); and

"(ii) ensure the implementation of the information security policies, principles, standards, and guidelines described under clause (i).

"(2) Measures addressed.-The policies, principles, standards, and guidelines developed by the Secretary of Defense and the Director of Central Intelligence under paragraph (1) shall address the full range of information assurance measures needed to protect and defend Federal information and information systems by ensuring their integrity, confidentiality, authenticity, availability, and nonrepudiation.

"(c) Department of Justice.-The Attorney General shall review and update guidance to agencies on-

"(1) legal remedies regarding security incidents and ways to report to and work with law enforcement agencies concerning such incidents; and

"(2) lawful uses of security techniques and technologies.

"(d) General Services Administration.-The Administrator of General Services shall-

"(1) review and update General Services Administration guidance to agencies on addressing security considerations when acquiring information technology; and

"(2) assist agencies in-

"(A) fulfilling agency responsibilities under section 3534(b)(2)(F) of title 44, United States Code (as added by section 1061 of this Act); and

"(B) the acquisition of cost-effective security products, services, and incident response capabilities.

"(e) Office of Personnel Management.-The Director of the Office of Personnel Management shall-

"(1) review and update Office of Personnel Management regulations concerning computer security training for Federal civilian employees;

"(2) assist the Department of Commerce in updating and maintaining guidelines for training in computer security awareness and computer security best practices; and

"(3) work with the National Science Foundation and other agencies on personnel and training initiatives (including scholarships and fellowships, as authorized by law) as necessary to ensure that the Federal Government-

"(A) has adequate sources of continuing information security education and training available for employees; and

"(B) has an adequate supply of qualified information security professionals to meet agency needs.

"(f) Information Security Policies, Principles, Standards, and Guidelines.-

"(1) Adoption of policies, principles, standards, and guidelines of other agencies.-The policies, principles, standards, and guidelines developed under subsection (b) by the Secretary of Defense, the Director of Central Intelligence, and another agency head as designated by the President may be adopted, to the extent that such policies are consistent with policies and guidance developed by the Director of the Office of Management and Budget and the Secretary of Commerce-

"(A) by the Director of the Office of Management and Budget, as appropriate, for application to the mission critical systems of all agencies; or

"(B) by an agency head, as appropriate, for application to the mission critical systems of that agency.

"(2) Development of more stringent policies, principles, standards, and guidelines.-To the extent that such policies are consistent with policies and guidance developed by the Director of the Office of Management and Budget and the Secretary of Commerce, an agency may develop and implement information security policies, principles, standards, and guidelines that provide more stringent protection than those required under section 3533 of title 44, United States Code (as added by section 1061 of this Act), or subsection (a) of this section.

"(g) Atomic Energy Act of 1954.-Nothing in this subtitle (including any amendment made by this subtitle) shall supersede any requirement made by, or under, the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.). Restricted Data or Formerly Restricted Data shall be handled, protected, classified, downgraded, and declassified in conformity with the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.)."