Page:United States Statutes at Large Volume 116 Part 4.djvu/523

 PUBLIC LAW 107-347—DEC. 17, 2002 116 STAT. 2951 "(D) ensure compliance with— "(i) the requirements of this subchapter; "(ii) poHcies and procedures as may be prescribed by the Director, and information security standsirds promulgated under section 11331 of title 40; "(iii) minimally acceptable system configuration requirements, as determined by the agency; and "(iv) any other applicable requirements, including standeirds and guidelines for national security systems issued in accordance with law and as directed by the President; "(3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate; "(4) security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of— "(A) information security risks associated with their activities; and "(B) their responsibilities in complying with agency policies and procedures designed to reduce these risks; "(5) periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, of which such testing— "(A) shall include testing of mgmagement, operational, and technical controls of every information system identified in the inventory required under section 3505(c); and "(B) may include testing relied on in a evaluation under section 3545; "(6) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; "(7) procedures for detecting, reporting, and responding to security incidents, consistent with standsirds and guidelines issued pursuant to section 3546(b), including— "(A) mitigating risks associated with such incidents before substantial damage is done; "(B) notifying and consulting with the Federal information security incident center referred to in section 3546; and "(C) notifying and consulting with, as appropriate— "(i) law enforcement agencies and relevant Offices of Inspector General; "(ii) an office designated by the President for any incident involving a national security system; and "(iii) any other agency or office, in accordance with law or as directed by the President; and "(8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. "(c) AGENCY REPORTING. — Each agency shall— "(1) report annually to the Director, the Committees on Government Reform and Science of the House of Representatives, the Committees on Governmental Affairs and Commerce, Science, and Transportation of the Senate, the appropriate

�