15 U.S.C. § 278g-3 - Computer standards program

Cite as: 15 U.S.C. § 278g-3
Currency: Current through P.L. 116-21 (6/12/2019)

(a) In general

The Institute shall-

(1) have the mission of developing standards, guidelines, and associated methods and techniques for information systems;

(2) develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems (as defined in section 3552(b)(5) of title 44);

(3) develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems; and

(4) carry out the responsibilities described in paragraph (3) through the Computer Security Division.

(b) Minimum requirements for standards and guidelines

The standards and guidelines required by subsection (a) shall include, at a minimum-

(1)

(A) standards to be used by all agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;

(B) guidelines recommending the types of information and information systems to be included in each such category; and

(C) minimum information security requirements for information and information systems in each such category;

(2) a definition of and guidelines concerning detection and handling of information security incidents; and

(3) guidelines developed in coordination with the National Security Agency for identifying an information system as a national security system consistent with applicable requirements for national security systems, issued in accordance with law and as directed by the President.

(c) Development of standards and guidelines

In developing standards and guidelines required by subsections (a) and (b), the Institute shall-

(1) consult with other agencies and offices (including, but not limited to, the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the Government Accountability Office, and the Secretary of Homeland Security) to assure-

(A) use of appropriate information security policies, procedures, and techniques, in order to improve information security and avoid unnecessary and costly duplication of effort; and

(B) that such standards and guidelines are complementary with standards and guidelines employed for the protection of national security systems and information contained in such systems;

(2) provide the public with an opportunity to comment on proposed standards and guidelines;

(3) submit to the Director of the Office of Management and Budget for promulgation under section 11331 of title 40-

(A) standards, as required under subsection (b)(1)(A), no later than 12 months after November 25, 2002; and

(B) minimum information security requirements for each category, as required under subsection (b)(1)(C), no later than 36 months after November 25, 2002;

(4) issue guidelines as required under subsection (b)(1)(B), no later than 18 months after November 25, 2002;

(5) ensure that such standards and guidelines do not require specific technological solutions or products, including any specific hardware or software security solutions;

(6) ensure that such standards and guidelines provide for sufficient flexibility to permit alternative solutions to provide equivalent levels of protection for identified information security risks; and

(7) use flexible, performance-based standards and guidelines that, to the greatest extent possible, permit the use of off-the-shelf commercially developed information security products.

(d) Information security functions

The Institute shall-

(1) submit standards developed pursuant to subsection (a), along with recommendations as to the extent to which these should be made compulsory and binding, to the Director of the Office of Management and Budget for promulgation under section 11331 of title 40;

(2) provide assistance to agencies regarding-

(A) compliance with the standards and guidelines developed under subsection (a);

(B) detecting and handling information security incidents; and

(C) information security policies, procedures, and practices;

(3) conduct research and analysis-

(A) to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security;

(B) to review and determine prevalent information security challenges and deficiencies identified by agencies or the Institute, including any challenges or deficiencies described in any of the annual reports under section 3553 or 3554 of title 44, and in any of the reports and the independent evaluations under section 3555 of that title, that may undermine the effectiveness of agency information security programs and practices; and

(C) to evaluate the effectiveness and sufficiency of, and challenges to, Federal agencies' implementation of standards and guidelines developed under this section and policies and standards promulgated under section 11331 of title 40;

(4) develop and periodically revise performance indicators and measures for agency information security policies and practices;

(5) evaluate private sector information security policies and practices and commercially available information technologies to assess potential application by agencies to strengthen information security;
