Advanced Criminal Investigations and Intelligence Operations

by Unknown


  Provisions (§§ 361–488i)

  Subchapter IX: National Homeland Security Council (§§ 491–496)

  Subchapter X: Construction (§§ 511–513)

  Subchapter XI: Department of Justice Divisions (§§ 521–533)

  Subchapter XII: Transition (§§ 541–557)

  * Note: Statutes and case laws change constantly. Do not rely upon any source of law as being current without conducting legal research or consulting competent legal counsel.

  Statutes and case law included here are current at the time of research but should be researched for current and up-to-date law before relying upon them. Always seek competent legal counsel on any legal questions.

  Appendix C: Government Data Privacy Laws

  Subchapter XIII: Emergency Communications (§§ 571–580)

  Subchapter XIV: Domestic Nuclear Detection Office (§§ 591–596a)

  Subchapter XV: Homeland Security Grants (§§ 601–613)

  § 101. Definitions

  In this chapter, the following definitions apply:

  (1) Each of the terms “American homeland” and “homeland” means the

  United States.

  (2) The term “appropriate congressional committee” means any committee

  of the House of Representatives or the Senate having legislative or

  oversight jurisdiction under the Rules of the House of Representatives

  or the Senate, respectively, over the matter concerned.

  (3) The term “assets” includes contracts, facilities, property, records,

  unobligated or unexpended balances of appropriations, and other

  funds or resources (other than personnel).

  (4) The term “critical infrastructure” has the meaning given that term in section 5195c (e) of title 42.

  (5) The term “Department” means the Department of Homeland

  Security.

  (6) The term “emergency response providers” includes Federal, State,

  and local governmental and nongovernmental emergency public

  safety, fire, law enforcement, emergency response, emergency medical

  (including hospital emergency facilities), and related personnel,

  agencies, and authorities.

  (7) The term “executive agency” means an executive agency and a military

  department, as defined, respectively, in sections 105 and 102 of

  title 5.

  (8) The term “functions” includes authorities, powers, rights, privileges, immunities, programs, projects, activities, duties, and responsibilities.

  (9) The term “intelligence component of the Department” means any

  element or entity of the Department that collects, gathers, processes,

  analyzes, produces, or disseminates intelligence information within

  the scope of the information sharing environment, including homeland

  security information, terrorism information, and weapons of

  mass destruction information, or national intelligence, as defined

  under section 401a (5) of title 50, except—

  (A) the United States Secret Service; and

  (B) the Coast Guard, when operating under the direct authority

  of the Secretary of Defense or Secretary of the Navy pursuant

  to section 3 of title 14, except that nothing in this paragraph

  shall affect or diminish the authority and responsibilities

  of the Commandant of the Coast Guard to command or

  control the Coast Guard as an armed force or the authority

  of the Director of National Intelligence with respect to the

  Coast Guard as an element of the intelligence community

  (as defined under section 401a (4) of title 50).

  (10) The term “key resources” means publicly or privately controlled

  resources essential to the minimal operations of the economy and

  government.

  (11) The term “local government” means—

  (A) a county, municipality, city, town, township, local public authority,

  school district, special district, intrastate district, council of

  governments (regardless of whether the council of governments

  is incorporated as a nonprofit corporation under State law),

  regional or interstate government entity, or agency or instrumentality

  of a local government;

  (B) an Indian tribe or authorized tribal organization, or in Alaska

  a Native village or Alaska Regional Native Corporation; and

  (C) a rural community, unincorporated town or village, or other

  public entity.

  (12) The term “major disaster” has the meaning given in section 5122 (2) of title 42.

  (13) The term “personnel” means officers and employees.

  (14) The term “Secretary” means the Secretary of Homeland Security.

  (15) The term “State” means any State of the United States, the District

  of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands,

  Guam, American Samoa, the Commonwealth of the Northern

  Mariana Islands, and any possession of the United States.

  (16) The term “terrorism” means any activity that—

  (A) involves an act that—

  (i) is dangerous to human life or potentially destructive of

  critical infrastructure or key resources; and

  (ii) is a violation of the criminal laws of the United States or of

  any State or other subdivision of the United States; and

  (B) appears to be intended—

  (i) to intimidate or coerce a civilian population;

  (ii) to influence the policy of a government by intimidation or

  coercion; or

  (iii) to affect the conduct of a government by mass destruction,

  assassination, or kidnapping.

  (17)

  (A) The term “United States”, when used in a geographic sense,

  means any State of the United States, the District of Columbia,

  the Commonwealth of Puerto Rico, the Virgin Islands, Guam,

  American Samoa, the Commonwealth of the Northern Mariana

  Islands, any possession of the United States, and any waters

  within the jurisdiction of the United States.

  (B) Nothing in this paragraph or any other provision of this chapter

  shall be construed to modify the definition of “United

  States” for the purposes of the Immigration and Nationality Act

  [8 U.S.C. 1101 et seq.] or any other immigration or nationality law.

  (18) The term “voluntary preparedness standards” means a common set

  of criteria for preparedness, disaster management, emergency management,

  and business continuity programs, such as the American

  National Standards Institute’s National Fire Protection Association

  Standard on Disaster/Emergency Management and Business

  Continuity Programs (ANSI/NFPA 1600).

  Federal Information Security Management Act (44 U.S.C. § 3541)

  Subchapter III: Information Security

  • § 3541. Purposes

  • § 3542. Definitions

  • § 3543. Authority and functions of the director

  • § 3544. Federal agency responsibilities

  • § 3545. Annual independent evaluation

  • § 3546. Federal information security incident center

  • § 3547. National security systems

  • § 3548. Authorization of appropriations

  • § 3549. Effect on existing law

  § 3541. Purposes

  The purposes of this subchapter are to

  (1) provide a comprehensive framework for ensuring the effectiveness of

  information security controls over information resources that support

  Federal operations and assets;

  (2) recognize the highly networked nature of the current Federal

  computing environment and provide effective government wide

  management and oversight of the related information security risks,

  including coordination of information security efforts throughout

  the civilian, national security, and law enforcement communities;

  (3) provide for development and maintenance of minimum controls

  required to protect Federal information and information systems;

  (4) provide a mechanism for improved oversight of Federal agency

  information security programs;

  (5) acknowledge that commercially developed information security

  products offer advanced, dynamic, robust, and effective information

  security solutions, reflecting market solutions for the protection of

  critical information infrastructures important to the national defense

  and economic security of the nation that are designed, built, and

  operated by the private sector; and

  (6) recognize that the selection of specific technical hardware and

  software information security solutions should be left to individual

  agencies from among commercially developed products.

  § 3542. Definitions

  (a) In General—Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.

  (b) Additional Definitions—As used in this subchapter:

  (1) The term “information security” means protecting information

  and information systems from unauthorized access, use,

  disclosure, disruption, modification, or destruction in order to

  provide

  (A) integrity, which means guarding against improper information

  modification or destruction, and includes ensuring

  information nonrepudiation and authenticity;

  (B) confidentiality, which means preserving authorized restrictions

  on access and disclosure, including means for protecting

  personal privacy and proprietary information; and

  (C) availability, which means ensuring timely and reliable

  access to and use of information.

  (2)

  (A) The term “national security system” means any information

  system (including any telecommunications system)

  used or operated by an agency or by a contractor of an

  agency, or other organization on behalf of an agency

  (i) the function, operation, or use of which

  (I) involves intelligence activities;

  (II) involves cryptologic activities related to national

  security;

  (III) involves command and control of military forces;

  (IV) involves equipment that is an integral part of a

  weapon or weapons system; or

  (V) subject to subparagraph (B), is critical to the direct

  fulfillment of military or intelligence missions; or

  (ii) is protected at all times by procedures established for

  information that have been specifically authorized

  under criteria established by an Executive order or an

  Act of Congress to be kept classified in the interest of

  national defense or foreign policy.

  (B) Subparagraph (A)(i)(V) does not include a system that is

  to be used for routine administrative and business applications

  (including payroll, finance, logistics, and personnel

  management applications).

  (3) The term “information technology” has the meaning given that

  term in section 11101 of title 40.

  § 3543. Authority and Functions of the Director

  (a) In General—The Director shall oversee agency information security policies and practices, including

  (1) developing and overseeing the implementation of policies, principles,

  standards, and guidelines on information security, including

  through ensuring timely agency adoption of and compliance

  with standards promulgated under section 11331 of title 40;

  (2) requiring agencies, consistent with the standards promulgated

  under such section 11331 and the requirements of this subchapter,

  to identify and provide information security protections

  commensurate with the risk and magnitude of the harm resulting

  from the unauthorized access, use, disclosure, disruption,

  modification, or destruction of—

  (A) information collected or maintained by or on behalf of an

  agency; or

  (B) information systems used or operated by an agency or by a

  contractor of an agency or other organization on behalf of

  an agency;

  (3) coordinating the development of standards and guidelines under

  section 20 of the National Institute of Standards and Technology

  Act (15 U.S.C. 278g–3) with agencies and offices operating or

  exercising control of national security systems (including the

  National Security Agency) to assure, to the maximum extent feasible,

  that such standards and guidelines are complementary with

  standards and guidelines developed for national security systems;

  (4) overseeing agency compliance with the requirements of this

  subchapter, including through any authorized action under

  section 11303 of title 40, to enforce accountability for compliance

  with such requirements;

  (5) reviewing at least annually, and approving or disapproving, agency

  information security programs required under section 3544 (b);

  (6) coordinating information security policies and procedures

  with related information resources management policies and

  procedures;

  (7) overseeing the operation of the Federal information security

  incident center required under section 3546; and

  (8) reporting to Congress no later than March 1 of each year on

  agency compliance with the requirements of this subchapter,

  including—

  (A) a summary of the findings of evaluations required by

  section 3545;

  (B) an assessment of the development, promulgation, and

  adoption of, and compliance with, standards developed

  under section 20 of the National Institute of Standards and

  Technology Act (15 U.S.C. 278g–3) and promulgated under

  section 11331 of title 40;

  (C) significant deficiencies in agency information security

  practices;

  (D) planned remedial action to address such deficiencies; and

  (E) a summary of, and the views of the Director on, the

  report prepared by the National Institute of Standards

  and Technology under section 20(d)(10) of the National

  Institute of Standards and Technology Act (15 U.S.C.

  278g–3).

  (b) National Security Systems—Except for the authorities described in paragraphs (4) and (8) of subsection (a), the authorities of the Director under this section shall not apply to national security systems.

  (c) Department of Defense and Central Intelligence Agency Systems.

  (1) The authorities of the Director described in paragraphs (1)

  and (2) of subsection (a) shall be delegated to the Secretary of

  Defense in the case of systems described in paragraph (2) and

  to the Director of Central Intelligence in the case of systems

  described in paragraph (3).

  (2) The systems described in this paragraph are systems that

  are operated by the Department of Defense, a contractor of

  the Department of Defense, or another entity on behalf of the

  Department of Defense that processes any information the

  unauthorized access, use, disclosure, disruption, modification,

  or destruction of which would have a debilitating impact on the

  mission of the Department of Defense.

  (3) The systems described in this paragraph are systems that are

  operated by the Central Intelligence Agency, a contractor of

  the Central Intelligence Agency, or another entity on behalf

  of the Central Intelligence Agency that processes any information

  the unauthorized access, use, disclosure, disruption, modification,

  or destruction of which would have a debilitating impact

  on the mission of the Central Intelligence Agency.

  § 3544. Federal Agency Responsibilities

  (a) In General—The head of each agency shall

  (1) be responsible for

  (A) providing information security protections commensurate

  with the risk and magnitude of the harm resulting from

  unauthorized access, use, disclosure, disruption, modification,

  or destruction of—

  (i) information collected or maintained by or on behalf

  of the agency; and

  (ii) information systems used or operated by an agency or

  by a contractor of an agency or other organization on

  behalf of an agency;

  (B) complying with the requirements of this subchapter and

 
