Page:United States Statutes at Large Volume 116 Part 4.djvu/522

 116 STAT. 2950 PUBLIC LAW 107-347—DEC. 17, 2002 "(3) delegate to the agency Chief Information Officer established under section 3506 (or comparable official in an agency not covered by such section) the authority to ensure compliance with the requirements imposed on the agency under this subchapter, including— "(A) designating a senior agency information security officer who shall— "(i) carry out the Chief Information Officer's responsibilities under this section; "(ii) possess professional qualifications, including training and experience, required to administer the functions described under this section; "(iii) have information security duties as that official's primary duty; and "(iv) head an office with the mission and resources to assist in ensuring agency compliance with this section; "(B) developing and maintaining an agencywide information security program as required by subsection (b); "(C) developing and mainteiining information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 3543 of this title, and section 11331 of title 40; "(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and "(E) assisting senior agency officials concerning their responsibilities under paragraph (2); "(4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and "(5) ensure that the agency Chief Information Officer, in coordination with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions. "(b) AGENCY PROGRAM.— Each agency shall develop, document, and implement an agencywide information security program, approved by the Director under section 3543(a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes— "(1) periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency; "(2) policies and procedures that— "(A) are based on the risk assessments required by paragraph (1); "(B) cost-effectively reduce information security risks to an acceptable level; "(C) ensure that information security is addressed throughout the life cycle of each agency information system; and

�