Page:United States Statutes at Large Volume 114 Part 3.djvu/314

 114 STAT. 1654A-272 PUBLIC LAW 106-398 —APPENDIX "(d)(1) The Director shall submit to Congress each year a report summarizing the materials received from agencies pursuant to subsection (c) in that year. "(2) Evaluations and audits of evaluations of systems under the authority and control of the Director of Central Intelligence and evaluations and audits of evaluation of National Foreign Intelligence Programs systems under the authority and control of the Secretary of Defense shall be made available only to the appropriate oversight committees of Congress, in accordance with applicable laws. "(e) Agencies and evaluators shall take appropriate actions to ensure the protection of information, the disclosure of which may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws. "§ 3536. Expiration "This subchapter shall not be in effect after the date that is two years after the date on which this subchapter takes effect.". SEC. 1062. RESPONSIBILITIES OF CERTAIN AGENCIES. (a) DEPARTMENT OF COMMERCE. —Notwithstanding section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) and except as provided under subsection (b), the Secretary of Commerce, through the National Institute of Standards and Technology and with technical assistance from the National Security Agency, as required or when requested, shall— (1) develop, issue, review, and update standards and guidance for the security of Federal information systems, including development of methods and techniques for security systems and validation programs; (2) develop, issue, review, and update guidelines for training in computer security awareness and accepted computer security practices, with assistance from the Office of Personnel Management; (3) provide agencies with guidance for security planning to assist in the development of applications and system security plans for such agencies; (4) provide guidance and assistance to agencies concerning cost-effective controls when interconnecting with other systems; and (5) evaluate information technologies to assess security vulnerabilities and alert Federal agencies of such vulnerabilities as soon as those vulnerabilities are known. (b) DEPARTMENT OF DEFENSE AND THE INTELLIGENCE COMMU- NITY.— (1) IN GENERAL. — Notwithstanding any other provision of this subtitle (including any amendment made by this subtitle)— (A) the Secretary of Defense, the Director of Central Intelligence, and another agency head as designated by the President, shall, consistent with their respective authorities— (i) develop and issue information security policies, standards, and guidelines for systems described under subparagraphs (A) and (B) of section 3532(b)(2) of title 44, United States Code (as added by section 1061 of this Act), that provide more stringent protection, to

�