Page:United States Statutes at Large Volume 116 Part 2.djvu/461

PUBLIC LAW 107-217—AUG. 21, 2002 116 STAT. 1243

The Director shall prescribe the requirements and limitations during the Director's review of the executive agency's proposed budget submitted to the Director by the head of the executive agency for purposes of section 1105 of title 31.

SUBCHAPTER III—OTHER RESPONSIBILITIES

§11331. Responsibilities regarding efficiency, security, and privacy of federal computer systems

(a) DEFINITIONS.—In this section, the terms "federal computer system" and "operator of a federal computer system" have the meanings given those terms in section 20(d) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)).

(b) STANDARDS AND GUIDELINES.—

(1) AUTHORITY TO PRESCRIBE AND DISAPPROVE OR MODIFY.—

(A) AUTHORITY TO PRESCRIBE.—On the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the Act (15 U.S.C. 278g-3(a)(2), (3)), the Secretary of Commerce shall prescribe standards and guidelines pertaining to federal computer systems. The Secretary shall make those standards compulsory and binding to the extent the Secretary determines necessary to improve the efficiency of operation or security and privacy of federal computer systems.

(B) AUTHORITY TO DISAPPROVE OR MODIFY.—The President may disapprove or modify those standards and guidelines if the President determines that action to be in the public interest. The President's authority to disapprove or modify those standards and guidelines may not be delegated. Notice of disapproval or modification shall be published promptly in the Federal Register. On receiving notice of disapproval or modification, the Secretary shall immediately rescind or modify those standards or guidelines as directed by the President.

(2) EXERCISE OF AUTHORITY.—To ensure fiscal and policy consistency, the Secretary shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.

(c) APPLICATION OF MORE STRINGENT STANDARDS.—The head of a federal agency may employ standards for the cost-effective security and privacy of sensitive information in a federal computer system in or under the supervision of that agency that are more stringent than the standards the Secretary prescribes under this section if the more stringent standards contain at least the applicable standards the Secretary makes compulsory and binding.

(d) WAIVER OF STANDARDS.—

(1) AUTHORITY OF THE SECRETARY.—The Secretary may waive in writing compulsory and binding standards under subsection (b) if the Secretary determines that compliance would—

(A) adversely affect the accomplishment of the mission of an operator of a federal computer system; or

(B) cause a major adverse financial impact on the operator that is not offset by Federal Government-wide savings.

(2) DELEGATION OF WAIVER AUTHORITY.—The Secretary may delegate to the head of one or more federal agencies authority
