Page:United States Statutes at Large Volume 116 Part 3.djvu/672

 116 STAT. 2264 PUBLIC LAW 107-296—NOV. 25, 2002 Reports. issued in accordance with law and as directed by the President; "(3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate; "(4) security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of— "(A) information security risks associated with their activities; and "(B) their responsibilities in complying with agency policies and procedures designed to reduce these risks; "(5) periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, of which such testing— "(A) shall include testing of management, operational, and technical controls of every information system identified in the inventory required under section 3505(c); and "(B) may include testing relied on in a evaluation under section 3535; "(6) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; "(7) procedures for detecting, reporting, and responding to security incidents, including— "(A) mitigating risks associated with such incidents before substantial damage is done; and "(B) notifying and consulting with, as appropriate— "(i) law enforcement agencies and relevant Offices of Inspector General; "(ii) an office designated by the President for any incident involving a national security system; and "(iii) any other agency or office, in accordance with law or as directed by the President; and "(8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. "(c) Each agency shall— "(1) report annually to the Director, the Committees on Government Reform and Science of the House of Representatives, the Committees on Governmental Affairs and Commerce, Science, and Transportation of the Senate, the appropriate authorization and appropriations committees of Congress, and the Comptroller General on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this subchapter, including compliance with each requirement of subsection (b); "(2) address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to— "(A) annual agency budgets; "(B) information resources management under subchapter 1 of this chapter; "(C) information technology management under subtitle III of title 40;

�