Page:United States Statutes at Large Volume 116 Part 4.djvu/519

 PUBLIC LAW 107-347—DEC. 17, 2002 116 STAT. 2947 "(a) IN GENERAL.—Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter. "(b) ADDITIONAL DEFINITIONS. —As used in this subchapter: "(1) The term 'information security' means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— "(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; "(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and "(C) availability, which means ensuring timely and reliable access to and use of information. "(2)(A) The term 'national security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency— "(i) the function, operation, or use of which— "(I) involves intelligence activities; "(II) involves cryptologic activities related to national security; "(III) involves command and control of military forces; "(IV) involves equipment that is an integral part of a weapon or weapons system; or "(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or "(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. "(B) Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). "(3) The term 'information technology' has the meaning given that term in section 11101 of title 40. "(a) IN GENERAL.— The Director shall oversee agency information security policies and practices, including— "(1) developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 11331 of title 40; "(2) requiring agencies, consistent with the standards promulgated under such section 11331 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the
 * § 3542. Definitions
 * § 3543. Authority and functions of the Director

�