15 U.S.C. § 278g-3 : US Code - Section 278G-3: Computer standards program


(a) In general
The Institute shall -
(1) have the mission of developing standards, guidelines, and
associated methods and techniques for information systems;
(2) develop standards and guidelines, including minimum
requirements, for information systems used or operated by an
agency or by a contractor of an agency or other organization on
behalf of an agency, other than national security systems (as
defined in section 3532(b)(2) of title 44);
(3) develop standards and guidelines, including minimum
requirements, for providing adequate information security for all
agency operations and assets, but such standards and guidelines
shall not apply to national security systems; and
(4) carry out the responsibilities described in paragraph (3)
through the Computer Security Division.
(b) Minimum requirements for standards and guidelines
The standards and guidelines required by subsection (a) of this
section shall include, at a minimum -
(1)(A) standards to be used by all agencies to categorize all
information and information systems collected or maintained by or
on behalf of each agency based on the objectives of providing
appropriate levels of information security according to a range
of risk levels;
(B) guidelines recommending the types of information and
information systems to be included in each such category; and
(C) minimum information security requirements for information
and information systems in each such category;
(2) a definition of and guidelines concerning detection and
handling of information security incidents; and
(3) guidelines developed in coordination with the National
Security Agency for identifying an information system as a
national security system consistent with applicable requirements
for national security systems, issued in accordance with law and
as directed by the President.
(c) Development of standards and guidelines
In developing standards and guidelines required by subsections
(a) and (b) of this section, the Institute shall -
(1) consult with other agencies and offices (including, but not
limited to, the Director of the Office of Management and Budget,
the Departments of Defense and Energy, the National Security
Agency, the Government Accountability Office, and the Secretary
of Homeland Security) to assure -
(A) use of appropriate information security policies,
procedures, and techniques, in order to improve information
security and avoid unnecessary and costly duplication of
effort; and
(B) that such standards and guidelines are complementary with
standards and guidelines employed for the protection of
national security systems and information contained in such
systems;
(2) provide the public with an opportunity to comment on
proposed standards and guidelines;
(3) submit to the Director of the Office of Management and
Budget for promulgation under section 11331 of title 40 -
(A) standards, as required under subsection (b)(1)(A) of this
section, no later than 12 months after November 25, 2002; and
(B) minimum information security requirements for each
category, as required under subsection (b)(1)(C) of this
section, no later than 36 months after November 25, 2002;
(4) issue guidelines as required under subsection (b)(1)(B) of
this section, no later than 18 months after November 25, 2002;
(5) ensure that such standards and guidelines do not require
specific technological solutions or products, including any
specific hardware or software security solutions;
(6) ensure that such standards and guidelines provide for
sufficient flexibility to permit alternative solutions to provide
equivalent levels of protection for identified information
security risks; and
(7) use flexible, performance-based standards and guidelines
that, to the greatest extent possible, permit the use of
off-the-shelf commercially developed information security products.
(d) Information security functions
The Institute shall -
(1) submit standards developed pursuant to subsection (a) of
this section, along with recommendations as to the extent to
which these should be made compulsory and binding, to the
Director of the Office of Management and Budget for promulgation
under section 11331 of title 40;
(2) provide assistance to agencies regarding -
(A) compliance with the standards and guidelines developed
under subsection (a) of this section;
(B) detecting and handling information security incidents;
and
(C) information security policies, procedures, and practices;
(3) conduct research, as needed, to determine the nature and
extent of information security vulnerabilities and techniques for
providing cost-effective information security;
(4) develop and periodically revise performance indicators and
measures for agency information security policies and practices;
(5) evaluate private sector information security policies and
practices and commercially available information technologies to
assess potential application by agencies to strengthen
information security;
(6) evaluate security policies and practices developed for
national security systems to assess potential application by
agencies to strengthen information security;
(7) periodically assess the effectiveness of standards and
guidelines developed under this section and undertake revisions
as appropriate;
(8) solicit and consider the recommendations of the Information
Security and Privacy Advisory Board, established by section
278g-4 of this title, regarding standards and guidelines developed
under subsection (a) of this section and submit such
recommendations to the Director of the Office of Management and
Budget with such standards submitted to the Director; and
(9) prepare an annual public report on activities undertaken in
the previous year, and planned for the coming year, to carry out
responsibilities under this section.
(e) Definitions
As used in this section -
(1) the term "agency" has the same meaning as provided in
section 3502(1) of title 44;
(2) the term "information security" has the same meaning as
provided in section 3532(1) of such title;
(3) the term "information system" has the same meaning as
provided in section 3502(8) of such title;
(4) the term "information technology" has the same meaning as
provided in section 11101 of title 40; and
(5) the term "national security system" has the same meaning as
provided in section 3532(b)(2) of such title.