Page:United States Statutes at Large Volume 116 Part 4.djvu/521

PUBLIC LAW 107-347—DEC. 17, 2002 116 STAT. 2949

"(2) The systems described in this paragraph are systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense.

"(3) The systems described in this paragraph are systems that are operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Central Intelligence Agency.

"§ 3544. Federal agency responsibilities

"(a) IN GENERAL.— The head of each agency shall—

"(1) be responsible for—

"(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—

"(i) information collected or maintained by or on behalf of the agency; and

"(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;

"(B) complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—

"(i) information security standards promulgated under section 11331 of title 40; and

"(ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and

"(C) ensuring that information security management processes are integrated with agency strategic and operational planning processes;

"(2) ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through—

"(A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;

"(B) determining the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under section 11331 of title 40, for information security classifications and related requirements;

"(C) implementing policies and procedures to cost-effectively reduce risks to an acceptable level; and

"(D) periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented;
