Provisions (§§ 361–488i)
Subchapter IX: National Homeland Security Council (§§ 491–496)
Subchapter X: Construction (§§ 511–513)
Subchapter XI: Department of Justice Divisions (§§ 521–533)
Subchapter XII: Transition (§§ 541–557)
* Note: Statutes and case laws change constantly. Do not rely upon any source of law as being current without conducting legal research or consulting competent legal counsel.
Statutes and case law included here are current at the time of research but should be researched for current and up-to-date law before relying upon them. Always seek competent legal counsel on any legal questions.
Appendix C: Government Data Privacy Laws
Subchapter XIII: Emergency Communications (§§ 571–580)
Subchapter XIV: Domestic Nuclear Detection Office (§§ 591–596a)
Subchapter XV: Homeland Security Grants (§§ 601–613)
§ 101. Definitions
In this chapter, the following definitions apply:
(1) Each of the terms “American homeland” and “homeland” means the
United States.
(2) The term “appropriate congressional committee” means any committee
of the House of Representatives or the Senate having legislative or
oversight jurisdiction under the Rules of the House of Representatives
or the Senate, respectively, over the matter concerned.
(3) The term “assets” includes contracts, facilities, property, records,
unobligated or unexpended balances of appropriations, and other
funds or resources (other than personnel).
(4) The term “critical infrastructure” has the meaning given that term in section 5195c (e) of title 42.
(5) The term “Department” means the Department of Homeland
Security.
(6) The term “emergency response providers” includes Federal, State, and local governmental and nongovernmental emergency public safety, fire, law enforcement, emergency response, emergency medical (including hospital emergency facilities), and related personnel, agencies, and authorities.
(7) The term “executive agency” means an executive agency and a military department, as defined, respectively, in sections 105 and 102 of title 5.
(8) The term “functions” includes authorities, powers, rights, privileges, immunities, programs, projects, activities, duties, and responsibilities.
(9) The term “intelligence component of the Department” means any element or entity of the Department that collects, gathers, processes, analyzes, produces, or disseminates intelligence information within the scope of the information sharing environment, including homeland security information, terrorism information, and weapons of mass destruction information, or national intelligence, as defined under section 401a (5) of title 50, except—
(A) the United States Secret Service; and
(B) the Coast Guard, when operating under the direct authority of the Secretary of Defense or Secretary of the Navy pursuant to section 3 of title 14, except that nothing in this paragraph shall affect or diminish the authority and responsibilities of the Commandant of the Coast Guard to command or control the Coast Guard as an armed force or the authority of the Director of National Intelligence with respect to the Coast Guard as an element of the intelligence community (as defined under section 401a (4) of title 50).
(10) The term “key resources” means publicly or privately controlled
resources essential to the minimal operations of the economy and
government.
(11) The term “local government” means—
(A) a county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a local government;
(B) an Indian tribe or authorized tribal organization, or in Alaska a Native village or Alaska Regional Native Corporation; and
(C) a rural community, unincorporated town or village, or other public entity.
(12) The term “major disaster” has the meaning given in section 5122 (2) of title 42.
(13) The term “personnel” means officers and employees.
(14) The term “Secretary” means the Secretary of Homeland Security.
(15) The term “State” means any State of the United States, the District
of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands,
Guam, American Samoa, the Commonwealth of the Northern
Mariana Islands, and any possession of the United States.
(16) The term “terrorism” means any activity that—
(A) involves an act that—
(i) is dangerous to human life or potentially destructive of
critical infrastructure or key resources; and
(ii) is a violation of the criminal laws of the United States or of
any State or other subdivision of the United States; and
(B) appears to be intended—
(i) to intimidate or coerce a civilian population;
(ii) to influence the policy of a government by intimidation or
coercion; or
(iii) to affect the conduct of a government by mass destruction,
assassination, or kidnapping.
(17)
(A) The term “United States”, when used in a geographic sense, means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, any possession of the United States, and any waters within the jurisdiction of the United States.
(B) Nothing in this paragraph or any other provision of this chapter shall be construed to modify the definition of “United States” for the purposes of the Immigration and Nationality Act [8 U.S.C. 1101 et seq.] or any other immigration or nationality law.
(18) The term “voluntary preparedness standards” means a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as the American National Standards Institute’s National Fire Protection Association Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600).
Federal Information Security Management Act (44 U.S.C. § 3541)
Subchapter III: Information Security
• § 3541. Purposes
• § 3542. Definitions
• § 3543. Authority and functions of the director
• § 3544. Federal agency responsibilities
• § 3545. Annual independent evaluation
• § 3546. Federal information security incident center
• § 3547. National security systems
• § 3548. Authorization of appropriations
• § 3549. Effect on existing law
§ 3541. Purposes
The purposes of this subchapter are to
(1) provide a comprehensive framework for ensuring the effectiveness of
information security controls over information resources that support
Federal operations and assets;
(2) recognize the highly networked nature of the current Federal
computing environment and provide effective government wide
management and oversight of the related information security risks,
including coordination of information security efforts throughout
the civilian, national security, and law enforcement communities;
(3) provide for development and maintenance of minimum controls
required to protect Federal information and information systems;
(4) provide a mechanism for improved oversight of Federal agency
information security programs;
(5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector; and
(6) recognize that the selection of specific technical hardware and
software information security solutions should be left to individual
agencies from among commercially developed products.
§ 3542. Definitions
(a) In General—Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.
(b) Additional Definitions—As used in this subchapter:
(1) The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, which means ensuring timely and reliable access to and use of information.
(2)
(A) The term “national security system” means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency
(i) the function, operation, or use of which
(I) involves intelligence activities;
(II) involves cryptologic activities related to national security;
(III) involves command and control of military forces;
(IV) involves equipment that is an integral part of a weapon or weapons system; or
(V) subject to subparagraph (B), is critical to the direct fulfilment of military or intelligence missions; or
(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
(B) Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
(3) The term “information technology” has the meaning given that
term in section 11101 of title 40.
§ 3543. Authority and Functions of the Director
(a) In General—The Director shall oversee agency information security policies and practices, including
(1) developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 11331 of title 40;
(2) requiring agencies, consistent with the standards promulgated under such section 11331 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of—
(A) information collected or maintained by or on behalf of an agency; or
(B) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
(3) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
(4) overseeing agency compliance with the requirements of this subchapter, including through any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements;
(5) reviewing at least annually, and approving or disapproving, agency information security programs required under section 3544 (b);
(6) coordinating information security policies and procedures with related information resources management policies and procedures;
(7) overseeing the operation of the Federal information security
incident center required under section 3546; and
(8) reporting to Congress no later than March 1 of each year on
agency compliance with the requirements of this subchapter,
including—
(A) a summary of the findings of evaluations required by
section 3545;
(B) an assessment of the development, promulgation, and
adoption of, and compliance with, standards developed
under section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g–3) and promulgated under
section 11331 of title 40;
(C) significant deficiencies in agency information security
practices;
(D) planned remedial action to address such deficiencies; and
(E) a summary of, and the views of the Director on, the
report prepared by the National Institute of Standards
and Technology under section 20(d)(10) of the National
Institute of Standards and Technology Act (15 U.S.C.
278g–3).
(b) National Security Systems—Except for the authorities described in paragraphs (4) and (8) of subsection (a), the authorities of the Director under this section shall not apply to national security systems.
(c) Department of Defense and Central Intelligence Agency Systems.
(1) The authorities of the Director described in paragraphs (1) and (2) of subsection (a) shall be delegated to the Secretary of Defense in the case of systems described in paragraph (2) and to the Director of Central Intelligence in the case of systems described in paragraph (3).
(2) The systems described in this paragraph are systems that
are operated by the Department of Defense, a contractor of
the Department of Defense, or another entity on behalf of the
Department of Defense that processes any information the
unauthorized access, use, disclosure, disruption, modification,
or destruction of which would have a debilitating impact on the
mission of the Department of Defense.
(3) The systems described in this paragraph are systems that are operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Central Intelligence Agency.
§ 3544. Federal Agency Responsibilities
(a) In General—The head of each agency shall
(1) be responsible for
(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—
(i) information collected or maintained by or on behalf of the agency; and
(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
(B) complying with the requirements of this subchapter and