Page:United States Statutes at Large Volume 114 Part 3.djvu/315

 PUBLIC LAW 106-398 —APPENDIX 114 STAT. 1654A-273 the maximum extent practicable, than the poHcies, principles, standards, and guidelines required under section 3533 of such title (as added by such section 1061); and (ii) ensure the implementation of the information security policies, principles, standards, and guidelines described under clause (i); and (B) the Secretary of Defense shall, consistent with his authority— (i) develop and issue information security policies, standards, and guidelines for systems described under subparagraph (C) of section 3532(b)(2) of title 44, United States Code (as added by section 1061 of this Act), that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that provide more stringent protection, to the maximum extent practicable, than the policies, principles, standards, and guidelines required under section 3533 of such title (as added by such section 1061); and (ii) ensure the implementation of the information security policies, principles, standards, and guidelines described under clause (i). (2) MEASURES ADDRESSED. — The policies, principles, standards, and guidelines developed by the Secretary of Defense and the Director of Central Intelligence under paragraph (1) shall address the full r^nge of information assurance measures needed to protect and defend Federal information and information systems by ensuring their integrity, confidentiality, authenticity, availability, and nonrepudiation. (c) DEPARTMENT OF JUSTICE. —The Attorney General shall review and update guidance to agencies on— (1) legal remedies regarding security incidents and ways to report to and work with law enforcement agencies concerning such incidents; and (2) lawful uses of security techniques and technologies. (d) GENERAL SERVICES ADMINISTRATION.—The Administrator of General Services shall— (1) review and update General Services Administration guidance to agencies on addressing security considerations when acquiring information technology; and (2) assist agencies in— (A) fulfilling agency responsibilities under section 3534(b)(2)(F) of title 44, United States Code (as added by section 1061 of this Act); and (B) the acquisition of cost-effective security products, services, and incident response capabilities. (e) OFFICE OF PERSONNEL MANAGEMENT.— The Director of the Office of Personnel Management shall— (1) review and update Office of Personnel Management regulations concerning computer security training for Federal civilian employees; (2) assist the Department of Commerce in updating and maintaining guidelines for training in computer security awareness and computer security best practices; and

�