Page:United States Statutes at Large Volume 114 Part 3.djvu/313

 PUBLIC LAW 106-398 —APPENDIX 114 STAT. 1654A-271 weakness in reporting required under the applicable provision of law under paragraph (1). "(d)(1) In addition to the requirements of subsection (c), each agency, in consultation with the Chief Information Officer, shall include as part of the performance plan required under section 1115 of title 31a description of— "(A) the time periods; and "(B) the resources, including budget, staffing, and training, which are necessary to implement the program required under subsection (b)(1). "(2) The description under paragraph (1) shall be based on the risk assessment required under subsection (b)(2)(A). "§ 3535. Annual independent evaluation "(a)(1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency. "(2) Each evaluation by an agency under this section shall include— "(A) testing of the effectiveness of information security control techniques for an appropriate subset of the agency's information systems; and "(B) an assessment (made on the basis of the results of the testing) of the compliance with— "(i) the requirements of this subchapter; and "(ii) related information security policies, procedures, standards, and guidelines. "(3) The Inspector General or the independent evaluator performing an evaluation under this section may use an audit, evaluation, or report relating to programs or practices of the applicable agency. "(b)(1)(A) Subject to subparagraph (B), for agencies with Inspectors General appointed under the Inspector General Act of 1978 (5 U.S.C. App.) or any other law, the annual evaluation required under this section or, in the case of systems described under subparagraphs (A) and (B) of section 3532(b)(2), an audit of the annual evaluation required under this section, shall be performed by the Inspector General or by an independent evaluator, as determined by the Inspector General of the agency. "(B) For systems described under subparagraphs (A) and (B) of section 3532(b)(2), the evaluation required under this section shall be performed only by an entity designated by the Secretary of Defense, the Director of Central Intelligence, or another agency head as designated by the President. "(2) For any agency to which paragraph (1) does not apply, the head of the agency shall contract with an independent evaluator to perform the evaluation. "(c) Each year, not later than the anniversary of the date of the enactment of this subchapter, the applicable agency head shall submit to the Director— "(1) the results of each evaluation required under this section, other than an evaluation of a system described under subparagraph (A) or (B) of section 3532(b)(2); and "(2) the results of each audit of an evaluation required under this section of a system described under subparagraph (A) or (B) of section 3532(b)(2).

�