[Laws in effect as of January 24, 2002]
[Document not affected by Public Laws enacted between
January 24, 2002 and December 19, 2002]
[CITE: 44USC3534]
TITLE 44--PUBLIC PRINTING AND DOCUMENTS
CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY
SUBCHAPTER II--INFORMATION SECURITY
Sec. 3534. Federal agency responsibilities
(a) The head of each agency shall--
  (1) be responsible for--
    (A) providing information security protections commensurate
    with the risk and magnitude of the harm resulting from
    unauthorized access, use, disclosure, disruption, modification,
    or destruction of--
      (i) information collected or maintained by or on behalf
      of the agency; and
      (ii) information systems used or operated by an agency
      or by a contractor of an agency or other organization on
      behalf of an agency;
    (B) complying with the requirements of this subchapter and
    related policies, procedures, standards, and guidelines,
    including--
      (i) information security standards promulgated by the
      Director under section 11331 of title 40; and
      (ii) information security standards and guidelines for
      national security systems issued in accordance with law and
      as directed by the President; and
    (C) ensuring that information security management processes
    are integrated with agency strategic and operational planning
    processes;
  (2) ensure that senior agency officials provide information
  security for the information and information systems that support
  the operations and assets under their control, including through--
    (A) assessing the risk and magnitude of the harm that could
    result from the unauthorized access, use, disclosure,
    disruption, modification, or destruction of such information or
    information systems;
    (B) determining the levels of information security
    appropriate to protect such information and information systems
    in accordance with standards promulgated under section 11331 of
    title 40 for information security classifications and related
    requirements;
    (C) implementing policies and procedures to cost-effectively
    reduce risks to an acceptable level; and
    (D) periodically testing and evaluating information security
    controls and techniques to ensure that they are effectively
    implemented;
  (3) delegate to the agency Chief Information Officer established
  under section 3506 (or comparable official in an agency not covered
  by such section) the authority to ensure compliance with the
  requirements imposed on the agency under this subchapter,
  including--
    (A) designating a senior agency information security officer
    who shall--
      (i) carry out the Chief Information Officer's
      responsibilities under this section;
      (ii) possess professional qualifications, including
      training and experience, required to administer the
      functions described under this section;
      (iii) have information security duties as that
      official's primary duty; and
      (iv) head an office with the mission and resources to
      assist in ensuring agency compliance with this section;
    (B) developing and maintaining an agencywide information
    security program as required by subsection (b);
    (C) developing and maintaining information security
    policies, procedures, and control techniques to address all
    applicable requirements, including those issued under section
    3533 of this title, and section 11331 of title 40;
    (D) training and overseeing personnel with significant
    responsibilities for information security with respect to such
    responsibilities; and
    (E) assisting senior agency officials concerning their
    responsibilities under paragraph (2);
  (4) ensure that the agency has trained personnel sufficient to
  assist the agency in complying with the requirements of this
  subchapter and related policies, procedures, standards, and
  guidelines; an