Page:United States Statutes at Large Volume 116 Part 4.djvu/524

 116 STAT. 2952 PUBLIC LAW 107-347—DEC. 17, 2002 authorization and appropriations committees of Congress, and the Comptroller General on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this subchapter, including compliance with each requirement of subsection (b); "(2) address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to— "(A) annual agency budgets; "(B) information resources management under subchapter 1 of this chapter; "(C) information technology management under subtitle III of title 40; "(D) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 and 2805 of title 39; "(E) financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made by that Act); "(F) financial management systems under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note); and "(G) internal accounting and administrative controls under section 3512 of title 31, (known as the 'Federal Managers Financial Integrity Act'); and "(3) report any significant deficiency in a policy, procedure, or practice identified under paragraph (1) or (2)— "(A) as a material wealmess in reporting under section 3512oftitle31;and "(B) if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note). "(d) PERFORMANCE PLAN.—(1) In addition to the requirements of subsection (c), each agency, in consultation with the Director, shall include as part of the performance plan required under section 1115 of title 31 a description of— "(A) the time periods, and "(B) the resources, including budget, staffing, and training, that are necessary to implement the program required under subsection (b). "(2) The description under paragraph (1) shall be based on the risk assessments required under subsection (b)(2)(l). "(e) PUBLIC NOTICE AND COMMENT.— Each agency shall provide the public with timely notice and opportunities for comment on proposed information seciuity policies and procedures to the extent that such policies and procedures affect communication with the public. ^§ 3545. Annual independent evaluation "(a) IN GENERAL.— (1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. "(2) Each evaluation under this section shall include—

�