Advanced Criminal Investigations and Intelligence Operations



related policies, procedures, standards, and guidelines, including—
    (i) information security standards promulgated under section 11331 of title 40; and
    (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and
  (C) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
(2) ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through
  (A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
  (B) determining the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under section 11331 of title 40, for information security classifications and related requirements;
  (C) implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and
  (D) periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented;
Appendix C: Government Data Privacy Laws

(3) delegate to the agency Chief Information Officer established under section 3506 (or comparable official in an agency not covered by such section) the authority to ensure compliance with the requirements imposed on the agency under this subchapter, including
  (A) designating a senior agency information security officer who shall—
    (i) carry out the Chief Information Officer’s responsibilities under this section;
    (ii) possess professional qualifications, including training and experience, required to administer the functions described under this section;
    (iii) have information security duties as that official’s primary duty; and
    (iv) head an office with the mission and resources to assist in ensuring agency compliance with this section;
  (B) developing and maintaining an agency-wide information security program as required by subsection (b);
  (C) developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 3543 of this title, and section 11331 of title 40;
  (D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and
  (E) assisting senior agency officials concerning their responsibilities under paragraph (2);
(4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and
(5) ensure that the agency Chief Information Officer, in coordination with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.

(b) Agency Program—Each agency shall develop, document, and implement an agency-wide information security program, approved by the Director under section 3543 (a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes—
(1) periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;


(2) policies and procedures that
  (A) are based on the risk assessments required by paragraph (1);
  (B) cost-effectively reduce information security risks to an acceptable level;
  (C) ensure that information security is addressed throughout the life cycle of each agency information system; and
  (D) ensure compliance with—
    (i) the requirements of this subchapter;
    (ii) policies and procedures as may be prescribed by the Director, and information security standards promulgated under section 11331 of title 40;
    (iii) minimally acceptable system configuration requirements, as determined by the agency; and
    (iv) any other applicable requirements, including standards and guidelines for national security systems issued in accordance with law and as directed by the President;
(3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate;
(4) security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of
  (A) information security risks associated with their activities; and
  (B) their responsibilities in complying with agency policies and procedures designed to reduce these risks;
(5) periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, of which such testing—
  (A) shall include testing of management, operational, and technical controls of every information system identified in the inventory required under section 3505 (c); and
  (B) may include testing relied on in an evaluation under section 3545;
(6) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
(7) procedures for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued pursuant to section 3546 (b), including—
  (A) mitigating risks associated with such incidents before substantial damage is done;
  (B) notifying and consulting with the Federal information security incident center referred to in section 3546; and
  (C) notifying and consulting with, as appropriate—
    (i) law enforcement agencies and relevant Offices of Inspector General;
    (ii) an office designated by the President for any incident involving a national security system; and
    (iii) any other agency or office, in accordance with law or as directed by the President; and
(8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

(c) Agency Reporting—Each agency shall—
(1) report annually to the Director, the Committees on Government Reform and Science of the House of Representatives, the Committees on Governmental Affairs and Commerce, Science, and Transportation of the Senate, the appropriate authorization and appropriations committees of Congress, and the Comptroller General on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this subchapter, including compliance with each requirement of subsection (b);
(2) address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to—
  (A) annual agency budgets;
  (B) information resources management under subchapter 1 of this chapter;
  (C) information technology management under subtitle III of title 40;
  (D) program performance under sections 1105 and 1115–1119 of title 31, and sections 2801 and 2805 of title 39;
  (E) financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101–576) (and the amendments made by that Act);
  (F) financial management systems under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note); and
  (G) internal accounting and administrative controls under section 3512 of title 31, (known as the “Federal Managers Financial Integrity Act”); and
(3) report any significant deficiency in a policy, procedure, or practice identified under paragraph (1) or (2)
  (A) as a material weakness in reporting under section 3512 of title 31; and
  (B) if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note).

(d) Performance Plan—
(1) In addition to the requirements of subsection (c), each agency, in consultation with the Director, shall include as part of the performance plan required under section 1115 of title 31 a description of—
  (A) the time periods, and
  (B) the resources, including budget, staffing, and training, that are necessary to implement the program required under subsection (b).
(2) The description under paragraph (1) shall be based on the risk assessments required under subsection (b)(2)(1).
(e) Public Notice and Comment—Each agency shall provide the public with timely notice and opportunities for comment on proposed information security policies and procedures to the extent that such policies and procedures affect communication with the public.

§ 3545. Annual Independent Evaluation
(a) In General.
(1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices.
(2) Each evaluation under this section shall include—
  (A) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems;
  (B) an assessment (made on the basis of the results of the testing) of compliance with
    (i) the requirements of this subchapter; and
    (ii) related information security policies, procedures, standards, and guidelines; and
  (C) separate presentations, as appropriate, regarding information security relating to national security systems.


(b) Independent Auditor—Subject to subsection (c)
(1) for each agency with an Inspector General appointed under the Inspector General Act of 1978 or any other law, the annual evaluation required by this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency; and
(2) for each agency to which paragraph (1) does not apply, the head of the agency shall engage an independent external auditor to perform the evaluation.
(c) National Security Systems—For each agency operating or exercising control of a national security system, that portion of the evaluation required by this section directly relating to a national security system shall be performed—
(1) only by an entity designated by the agency head; and
(2) in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws.
(d) Existing Evaluations—The evaluation required by this section may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the applicable agency.
(e) Agency Reporting.
(1) Each year, not later than such date established by the Director, the head of each agency shall submit to the Director the results of the evaluation required under this section.
(2) To the extent an evaluation required under this section directly relates to a national security system, the evaluation results submitted to the Director shall contain only a summary and assessment of that portion of the evaluation directly relating to a national security system.
(f) Protection of Information—Agencies and evaluators shall take appropriate steps to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and regulations.

(g) OMB Reports to Congress.
(1) The Director shall summarize the results of the evaluations conducted under this section in the report to Congress required under section 3543 (a)(8).
(2) The Director’s report to Congress under this subsection shall summarize information regarding information security relating to national security systems in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws.
(3) Evaluations and any other descriptions of information systems under the authority and control of the Director of Central Intelligence or of National Foreign Intelligence Programs systems under the authority and control of the Secretary of Defense shall be made available to Congress only through the appropriate oversight committees of Congress, in accordance with applicable laws.
(h) Comptroller General—The Comptroller General shall periodically evaluate and report to Congress on
(1) the adequacy and effectiveness of agency information security policies and practices; and
(2) implementation of the requirements of this subchapter.

§ 3546. Federal Information Security Incident Center
(a) In General—The Director shall ensure the operation of a central Federal information security incident center to—
(1) provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents;
(2) compile and analyze information about incidents that threaten information security;
(3) inform operators of agency information systems about current and potential information security threats, and vulnerabilities; and
(4) consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems (including the National Security Agency), and such other agencies or offices in accordance with law and as directed by the President regarding information security incidents and related matters.
(b) National Security Systems—Each agency operating or exercising control of a national security system shall share information

 
