§ 3535. —  Annual independent evaluation.



[Laws in effect as of January 24, 2002]
[Document not affected by Public Laws enacted between
  January 24, 2002 and December 19, 2002]
[CITE: 44USC3535]

 
                 TITLE 44--PUBLIC PRINTING AND DOCUMENTS
 
         CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY
 
                   SUBCHAPTER II--INFORMATION SECURITY
 
Sec. 3535. Annual independent evaluation

    (a)(1) Each year each agency shall have performed an independent 
evaluation of the information security program and practices of that 
agency to determine the effectiveness of such program and practices.
    (2) Each evaluation by an agency under this section shall include--
        (A) testing of the effectiveness of information security 
    policies, procedures, and practices of a representative subset of 
    the agency's information systems;
        (B) an assessment (made on the basis of the results of the 
    testing) of compliance with--
            (i) the requirements of this subchapter; and
            (ii) related information security policies, procedures, 
        standards, and guidelines; and

        (C) separate presentations, as appropriate, regarding 
    information security relating to national security systems.

    (b) Subject to subsection (c)--
        (1) for each agency with an Inspector General appointed under 
    the Inspector General Act of 1978, the annual evaluation required by 
    this section shall be performed by the Inspector General or by an 
    independent external auditor, as determined by the Inspector General 
    of the agency; and
        (2) for each agency to which paragraph (1) does not apply, the 
    head of the agency shall engage an independent external auditor to 
    perform the evaluation.

    (c) For each agency operating or exercising control of a national 
security system, that portion of the evaluation required by this section 
directly relating to a national security system shall be performed--
        (1) only by an entity designated by the agency head; and
        (2) in such a manner as to ensure appropriate protection for 
    information associated with any information security vulnerability 
    in such system commensurate with the risk and in accordance with all 
    applicable laws.

    (d) The evaluation required by this section--
        (1) shall be performed in accordance with generally accepted 
    government auditing standards; and
        (2) may be based in whole or in part on an audit, evaluation, or 
    report relating to programs or practices of the applicable agency.

    (e) Each year, not later than such date established by the Director, 
the head of each agency shall submit to the Director the results of the 
evaluation required under this section.
    (f) Agencies and evaluators shall take appropriate steps to ensure 
the protection of information which, if disclosed, may adversely affect 
information security. Such protections shall be commensurate with the 
risk and comply with all applicable laws and regulations.
    (g)(1) The Director shall summarize the results of the evaluations 
conducted under this section in the report to Congress required under 
section 3533(a)(8).
    (2) The Director's report to Congress under this subsection shall 
summarize information regarding information security relating to 
national security systems in such a manner as to ensure appropriate 
protection for information associated with any information security 
vulnerability in such system commensurate with the risk and in 
accordance with all applicable laws.
    (3) Evaluations and any other descriptions of information systems 
under the authority and control of the Director of Central Intelligence 
or of National Foreign Intelligence Programs systems under the authority 
and control of the Secretary of Defense shall be made available to 
Congress only through the appropriate oversight committees of Congress, 
in accordance with applicable laws.
    (h) The Comptroller General shall periodically evaluate and report 
to Congress on--
        (1) the adequacy and effectiveness of agency information 
    security policies and practices; and
        (2) implementation of the requirements of this subchapter.

(Added Pub. L. 107-296, title X, Sec. 1001(b)(1), Nov. 25, 2002, 116 
Stat. 2265.)

                        Applicability of Section

        This section not to apply while subchapter III of this chapter 
    is in effect, see section 3549 of this title.

                       References in Text

    The Inspector General Act of 1978, referred to in subsec. (b)(1), is 
Pub. L. 95-452, Oct. 12, 1978, 92 Stat. 1101, as amended, which is set 
out in the Appendix to Title 5, Government Organization and Employees.


                            Prior Provisions

    A prior section 3535, added Pub. L. 106-398, Sec. 1 [[div. A], title 
X, Sec. 1061], Oct. 30, 2000, 114 Stat. 1654, 1654A-271, related to 
annual independent evaluation prior to the general amendment of this 
subchapter by Pub. L. 107-296.

                  Section Referred to in Other Sections

    This section is referred to in sections 3533, 3534 of this title; 
title 10 section 2224.


