Page:United States Statutes at Large Volume 116 Part 3.djvu/671

 PUBLIC LAW 107-296—NOV. 25, 2002 116 STAT. 2263 "(ii) possess professional qualifications, including training and experience, required to administer the functions described under this section; "(iii) have information security duties as that official's primary duty; and "(iv) head an office with the mission and resources to assist in ensuring agency compliance with this section; "(B) developing and maintaining an agencywide information security program as required by subsection (b); "(C) developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 3533 of this title, and section 11331 of title 40; "(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and "(E) assisting senior agency officials concerning their responsibilities under paragraph (2); "(4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and "(5) ensure that the agency Chief Information Officer, in coordination with other senior ^ency officials, reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions. "(b) Each agency shall develop, document, and implement an agencywide information security program, approved by the Director under section 3533(a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes— "(1) periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency; "(2) policies and procedures that— "(A) are based on the risk assessments required by paragraph (1); "(B) cost-effectively reduce information security risks to an acceptable level; "(C) ensure that information security is addressed throughout the life cycle of each agency information system; and "(D) ensure compliance with— "(i) the requirements of this subchapter; "(ii) policies and procedures as may be prescribed by the Director, and information security standards promulgated under section 11331 of title 40; "(iii) minimally acceptable system configuration requirements, as determined by the agency; and "(iv) any other applicable requirements, including standards and guidelines for national security systems

�