Page:United States Statutes at Large Volume 116 Part 3.djvu/677

 PUBLIC LAW 107-296—NOV. 25, 2002 116 STAT. 2269 occur not later than 6 months after the submission of the proposed standard to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3). "(2) NOTICE AND COMMENT.—^A decision by the Director to significantly modify, or not promulgate, a proposed standard submitted to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g- 3), shall be made after the public is given an opportunity to comment on the Director's proposed decision.", (b) CLERICAL AMENDMENT. —The table of sections at the beginning of chapter 113 of title 40, United States Code, is amended by striking the item relating to section 11331 and inserting the following: "11331. Responsibilities for Federal information systems standards.". SEC. 1003. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY. Guidelines. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), is amended by striking the text and inserting the following: " (a) The Institute shall— "(1) have the mission of developing standards, guidelines, and associated methods and techniques for information systems; "(2) develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems (as defined in section 3532(b)(2) of title 44, United States Code); "(3) develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems; and "(4) carry out the responsibilities described in paragraph (3) through the Computer Security Division. "(b) The standards and guidelines required by subsection (a) shall include, at a minimum— "(1)(A) standards to be used by all agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels; "(B) guidelines recommending the types of information and information systems to be included in each such category; and "(C) minimum information security requirements for information and information systems in each such category; "(2) a definition of and guidelines concerning detection and handling of information security incidents; and "(3) guidelines developed in coordination with the National Security Agency for identifying an information system as a national security system consistent with applicable requirements for national security systems, issued in accordance with law and as directed by the President. "(c) In developing standards and guidelines required by subsections (a) and (b), the Institute shall—

�