Page:United States Statutes at Large Volume 110 Part 1.djvu/712

 110 STAT. 688 PUBLIC LAW 104-106—FEB. 10, 1996 Federal Register, publication. (2) EXERCISE OF AUTHORITY.—The authority conferred upon the Secretary of Commerce by this section shall be exercised subject to direction by the President and in coordination with the Director to ensure fiscal and policy consistency. (b) APPLICATION OF MORE STRINGENT STANDARDS.—The head of a Federal agency may employ standards for the cost-effective security and privacy of sensitive information in a Federal computer system within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce under this section, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary of Commerce. (c) WAIVER OF STANDARDS. —The standards determined under subsection (a) to be compulsory and binding may be waived by the Secretary of Commerce in writing upon a determination that compliance would adversely affect the accomplishment of the mission of an operator of a Federal computer system, or cause a major adverse financial impact on the operator which is not offset by Government-wide savings. The Secretary may delegate to the head of one or more Federal agencies authority to waive such standards to the extent to which the Secretary determines such action to be necessary and desirable to allow for timely and effective implementation of Federal computer system standards. The head of such agency may redelegate such authority only to a Chief Information Officer designated pursuant to section 3506 of title 44, United States Code. Notice of each such waiver and delegation shall be transmitted promptly to Congress and shall be published promptly in the Federal Register. (d) DEFINITIONS. —In this section, the terms "Federal computer system" and "operator of a Federal computer system" have the meanings given such terms in section 20(d) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)). (e) TECHNICAL AMENDMENTS.—Chapter 35 of title 44, United States Code, is amended— (1) in section 3504(g)— (A) in paragraph (2), by striking out "the Computer Security Act of 1987 (40 U.S.C. 759 note)" and inserting in lieu thereof "sections 20 and 21 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3 and 278g-4), section 5131 of the Information Technology Management Reform Act of 1996, and sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note)"; and (B) in paragraph (3), by striking out "the Computer Security Act of 1987 (40 U.S.C. 759 note)" and inserting in lieu thereof "the standards and guidelines promulgated under section 5131 of the Information Technology Management Reform Act of 1996 and sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note)"; and (2) in section 3518(d), by striking out "Public Law 89- 306 on the Administrator of the General Services Administration, the Secretary of Commerce, or" and inserting in lieu thereof "section 5131 of the Information Technology Management Reform Act of 1996 and the Computer Security Act of 1987 (40 U.S.C. 759 note) on the Secretary of Commerce or".

�