Page:United States Statutes at Large Volume 116 Part 2.djvu/462

 116 STAT. 1244 PUBLIC LAW 107-217—AUG. 21, 2002 to waive those standards to the extent the Secretary determines that action to be necessary and desirable to allow for timely and effective implementation of federal computer system standards. The head of the agency may redelegate that authority only to a chief information officer designated pursuant to section 3506 of title 44. (3) NOTICE.—Notice of each waiver and delegation shall be transmitted promptly to Congress and published promptly in the Federal Register. § 11332. Federal computer system security training and plan (a) DEFINITIONS.—In this section, the terms "computer system", "federal agency", "federal computer system", "operator of a federal computer system", and "sensitive information" have the meanings given those terms in section 20(d) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)). (b) TRAINING— (1) IN GENERAL,—Each federal agency shall provide for mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of each federal computer system within or under the supervision of the agency. The training shall be- (A) provided in accordance with the guidelines developed pursuant to section 20(a)(5) of the Act (15 U.S.C. 278g- 3(a)(5)) and the regulations prescribed under paragraph (3) for federal civilian employees; or (B) provided by an alternative training program that the head of the agency approves after determining that the alternative training program is at least as effective in accomplishing the objectives of the guidelines and regulations. (2) TRAINING OBJECTIVES.—Training under this subsection shall be designed— (A) to enhance employees' awareness of the threats to, and vulnerability of, computer systems; and (B) to encourage the use of improved computer security practices. (3) REGULATIONS.—The Director of the Office of Personnel Management shall maintain regulations that establish the procedures and scope of the training to be provided federal civilian employees under this subsection and the manner in which the training is to be carried out. (c) PLAN.— (1) IN GENERAL.— Consistent with standards, guidelines, policies, and regulations prescribed pursuant to section 11331 of this title, each federal agency shall maintain a plan for the security and privacy of each federal computer system the agency identifies as being within or under its supervision and as containing sensitive information. The plan must be commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or modification of, the information contained in the system. (2) REVISION AND REVIEW. —The plan shall be revised annuedly as necesssuy and is subject to disapproval by the Director of the Office of Management and Budget.

�