Page:United States Statutes at Large Volume 116 Part 4.djvu/520

 116 STAT. 2948 PUBLIC LAW 107-347—DEC. 17, 2002 harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of— "(A) information collected or maintained by or on behalf of an agency; or "(B) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; "(3) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems; "(4) overseeing agency compliance with the requirements of this subchapter, including through any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements; "(5) reviewing at least euinually, and approving or disapproving, agency information security programs required under section 3544(b); "(6) coordinating information security policies and procedures with related information resources management policies and procedures; "(7) overseeing the operation of the Federal information security incident center required under section 3546; and "(8) reporting to Congress no later than March 1 of each year on agency compliance with the requirements of this subchapter, including— "(A) a simamary of the findings of evaluations required by section 3545; "(B) an assessment of the development, promulgation, and adoption of, and compliance with, standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) and promulgated under section 11331 of title 40; "(C) significant deficiencies in agency information security practices; "(D) planned remedial action to address such deficiencies; and "(E) a summary of, and the views of the Director on, the report prepared by the National Institute of Standards and Technology under section 20(d)(10) of the National Institute of Standards and Technology Act (15 U.S.C. 278g- 3). "(b) NATIONAL SECURITY SYSTEMS.— Except for the authorities described in paragraphs (4) and (8) of subsection (a), the authorities of the Director under this section shall not apply to national security systems. "(c) DEPARTMENT OF DEFENSE AND CENTRAL INTELLIGENCE AGENCY SYSTEMS. — (1) The authorities of the Director described in paragraphs (1) and (2) of subsection (a) shall be delegated to the Secretary of Defense in the case of systems described in paragraph (2) and to the Director of Central Intelligence in the case of systems described in paragraph (3).

�