Page:United States Statutes at Large Volume 114 Part 3.djvu/309

 PUBLIC LAW 106-398 —APPENDIX 114 STAT. 1654A-267 "(A) support the cost-effective security of Federal information systems by promoting security as an integral component of each agency's business operations; and "(B) include information technology architectures as defined under section 5125 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1425). "(2) Policies under this subsection shall— "(A) be founded on a continuing risk management cycle that recognizes the need to— "(i) identify, assess, and understand risk; and "(ii) determine security needs commensurate with the level of risk; "(B) implement controls that adequately address the risk; "(C) promote continuing awareness of information security risk; and "(D) continually monitor and evaluate policy and control effectiveness of information security practices. "(b) The authority under subsection (a) includes the authority to— "(1) oversee and develop policies, principles, standards, and guidelines for the handling of Federal information and information resources to improve the efficiency and effectiveness of governmental operations, including principles, policies, and guidelines for the implementation of agency responsibilities under applicable law for ensuring the privacy, confidentiality, and security of Federal information; "(2) consistent with the standards and guidelines promulgated under section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 1441 note; Public Law 100-235; 101 Stat. 1729), require Federal agencies to identify and afford security protections commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency; "(3) direct the heads of agencies to— .. "(A) identify, use, and share best security practices; "(B) develop an agencywide information security plan; "(C) incorporate information security principles and practices throughout the life cycles of the agency's information systems; and "(D) ensure that the agency's information security plan, Tfli is practiced throughout all life cycles of the agency's information systems; t. "(4) oversee the development and implementation of standards and guidelines relating to security controls for Federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section t 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3); "(5) oversee and coordinate compliance with this section in a manner consistent with— "(A) sections 552 and 552a of title 5; "(B) sections 20 and 21 of the National Institute of r:5 standards and Technology Act (15 U.S.C. 278g-3 and 278g- 4);

�