Page:United States Statutes at Large Volume 114 Part 3.djvu/311

PUBLIC LAW 106-398—APPENDIX 114 STAT. 1654A-269

  "(A) assessing the information security risks associated with the operations and assets for programs and systems over which such officials have control;
  "(B) determining the levels of information security appropriate to protect such operations and assets; and
  "(C) periodically testing and evaluating information security controls and techniques;
"(3) delegate to the agency Chief Information Officer established under section 3506, or a comparable official in an agency not covered by such section, the authority to administer all functions under this subchapter including—
  "(A) designating a senior agency information security official who shall report to the Chief Information Officer or a comparable official;
  "(B) developing and maintaining an agencywide information security program as required under subsection (b);
  "(C) ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;
  "(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and
  "(E) assisting senior agency officials concerning responsibilities under paragraph (2);
"(4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and
"(5) ensure that the agency Chief Information Officer, in coordination with senior agency officials, periodically—
  "(A)(i) evaluates the effectiveness of the agency information security program, including testing control techniques; and
    "(ii) implements appropriate remedial actions based on that evaluation; and
  "(B) reports to the agency head on—
    "(i) the results of such tests and evaluations; and
    "(ii) the progress of remedial actions.
"(b)(1) Each agency shall develop and implement an agencywide information security program to provide information security for the operations and assets of the agency, including operations and assets provided or managed by another agency.
"(2) Each program under this subsection shall include—
  "(A) periodic risk assessments that consider internal and external threats to—
    "(i) the integrity, confidentiality, and availability of systems; and
    "(ii) data supporting critical operations and assets;
  "(B) policies and procedures that—
    "(i) are based on the risk assessments required under subparagraph (A) that cost-effectively reduce information security risks to an acceptable level; and
    "(ii) ensure compliance with—
      "(I) the requirements of this subchapter;
      "(II) policies and procedures as may be prescribed by the Director; and
