Page:United States Statutes at Large Volume 116 Part 3.djvu/676

116 STAT. 2268 PUBLIC LAW 107-296—NOV. 25, 2002

(2) ATOMIC ENERGY ACT OF 1954.—Nothing in this Act shall supersede any requirement made by or under the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.). Restricted Data or Formerly Restricted Data shall be handled, protected, classified, downgraded, and declassified in conformity with the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.).

SEC. 1002. MANAGEMENT OF INFORMATION TECHNOLOGY.

(a) IN GENERAL.—Section 11331 of title 40, United States Code, is amended to read as follows:

"§ 11331. Responsibilities for Federal information systems standards

"(a) DEFINITION.—In this section, the term 'information security' has the meaning given that term in section 3532(b)(1) of title 44.

"(b) REQUIREMENT TO PRESCRIBE STANDARDS.—

"(1) IN GENERAL.—

"(A) REQUIREMENT.—Except as provided under paragraph (2), the Director of the Office of Management and Budget shall, on the basis of proposed standards developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)) and in consultation with the Secretary of Homeland Security, promulgate information security standards pertaining to Federal information systems.

"(B) REQUIRED STANDARDS.—Standards promulgated under subparagraph (A) shall include—

"(i) standards that provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and

"(ii) such standards that are otherwise necessary to improve the efficiency of operation or security of Federal information systems.

"(C) REQUIRED STANDARDS BINDING.—Information security standards described under subparagraph (B) shall be compulsory and binding.

"(2) STANDARDS AND GUIDELINES FOR NATIONAL SECURITY SYSTEMS.—Standards and guidelines for national security systems, as defined under section 3532(3) of title 44, shall be developed, promulgated, enforced, and overseen as otherwise authorized by law and as directed by the President.

"(c) APPLICATION OF MORE STRINGENT STANDARDS.—The head of an agency may employ standards for the cost-effective information security for all operations and assets within or under the supervision of that agency that are more stringent than the standards promulgated by the Director under this section, if such standards—

"(1) contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and

"(2) are otherwise consistent with policies and guidelines issued under section 3533 of title 44.

"(d) REQUIREMENTS REGARDING DECISIONS BY DIRECTOR.—

"(1) DEADLINE.—The decision regarding the promulgation of any standard by the Director under subsection (b) shall
