Page:United States Statutes at Large Volume 116 Part 3.djvu/670

 116 STAT. 2262 PUBLIC LAW 107-296—NOV. 25, 2002 Institute of Standards and Technology Act (15 U.S.C. 278g- 3). "(b) Except for the authorities described in paragraphs (4) and (7) of subsection (a), the authorities of the Director under this section shall not apply to national security systems. "§ 3534. Federal agency responsibilities "(a) The head of each agency shall— "(1) be responsible for— "(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of— "(i) information collected or maintained by or on behalf of the agency; and "(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; "(B) complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including— "(i) information security standards promulgated by the Director under section 11331 of title 40; and "(ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and "(C) ensuring that information security management processes are integrated with agency strategic and operational planning processes; "(2) ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through— "(A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems; "(B) determining the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under section 11331 of title 40 for information security classifications and related requirements; "(C) implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and "(D) periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented; "(3) delegate to the agency Chief Information Officer established under section 3506 (or comparable official in an agency not covered by such section) the authority to ensure compliance with the requirements imposed on the agency under this subchapter, including— "(A) designating a senior agency information security officer who shall— "(i) carry out the Chief Information Officer's responsibilities under this section;

�