§ 3533. — Authority and functions of the Director.
[Laws in effect as of January 24, 2002]
[Document not affected by Public Laws enacted between
January 24, 2002 and December 19, 2002]
[CITE: 44USC3533]
TITLE 44--PUBLIC PRINTING AND DOCUMENTS
CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY
SUBCHAPTER II--INFORMATION SECURITY
Sec. 3533. Authority and functions of the Director
(a) The Director shall oversee agency information security policies
and practices, by--
(1) promulgating information security standards under section
11331 of title 40;
(2) overseeing the implementation of policies, principles,
standards, and guidelines on information security;
(3) requiring agencies, consistent with the standards
promulgated under such section 11331 and the requirements of this
subchapter, to identify and provide information security protections
commensurate with the risk and magnitude of the harm resulting from
the unauthorized access, use, disclosure, disruption, modification,
or destruction of--
(A) information collected or maintained by or on behalf of
an agency; or
(B) information systems used or operated by an agency or by
a contractor of an agency or other organization on behalf of an
agency;
(4) coordinating the development of standards and guidelines
under section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) with agencies and offices
operating or exercising control of national security systems
(including the National Security Agency) to assure, to the maximum
extent feasible, that such standards and guidelines are
complementary with standards and guidelines developed for national
security systems;
(5) overseeing agency compliance with the requirements of this
subchapter, including through any authorized action under section
11303(b)(5) of title 40, to enforce accountability for compliance
with such requirements;
(6) reviewing at least annually, and approving or disapproving,
agency information security programs required under section 3534(b);
(7) coordinating information security policies and procedures
with related information resources management policies and
procedures; and
(8) reporting to Congress no later than March 1 of each year on
agency compliance with the requirements of this subchapter,
including--
(A) a summary of the findings of evaluations required by
section 3535;
(B) significant deficiencies in agency information security
practices;
(C) planned remedial action to address such deficiencies;
and
(D) a summary of, and the views of the Director on, the
report prepared by the National Institute of Standards and
Technology under section 20(d)(9) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3).
(b) Except for the authorities described in paragraphs (4) and (7)
of subsection (a), the authorities of the Director under this section
shall not apply to national security systems.
(Added Pub. L. 107-296, title X, Sec. 1001(b)(1), Nov. 25, 2002, 116
Stat. 2261.)

Applicability of Section

This section not to apply while subchapter III of this chapter
is in effect, see section 3549 of this title.

Prior Provisions

A prior section 3533, added Pub. L. 106-398, Sec. 1 [[div. A], title
X, Sec. 1061], Oct. 30, 2000, 114 Stat. 1654, 1654A-266, set forth
authority and functions of the Director prior to the general amendment
of this subchapter by Pub. L. 107-296.

Section Referred to in Other Sections

This section is referred to in sections 3534, 3535 of this title.