Page:United States Statutes at Large Volume 117.djvu/2636

 PUBLIC LAW 108–177—DEC. 13, 2003

117 STAT. 2617

of the elements of the intelligence community and of the Department of Defense. (b) ASSESSMENTS.—The report under subsection (a) shall include an assessment of the following: (1) The vulnerability of the computers and computer systems of the elements of the intelligence community, and of the Department of Defense, to various threats from foreign governments, international terrorist organizations, and organized crime, including information warfare (IW), Information Operations (IO), Computer Network Exploitation (CNE), and Computer Network Attack (CNA). (2) The risks of providing users of local area networks (LANs) or wide-area networks (WANs) of computers that include classified information with capabilities for electronic mail, upload and download, or removable storage media without also deploying comprehensive computer firewalls, accountability procedures, or other appropriate security controls. (3) Any other matters that the Director and the Secretary jointly consider appropriate for purposes of the report. (c) INFORMATION ON ACCESS TO NETWORKS.—The report under subsection (a) shall also include information as follows: (1) An estimate of the number of access points on each classified computer or computer system of an element of the intelligence community or the Department of Defense that permit unsupervised uploading or downloading of classified information, set forth by level of classification. (2) An estimate of the number of individuals utilizing such computers or computer systems who have access to input-output devices on such computers or computer systems. (3) A description of the policies and procedures governing the security of the access points referred to in paragraph (1), and an assessment of the adequacy of such policies and procedures. (4) An assessment of the viability of utilizing other technologies (including so-called ‘‘thin client servers’’) to achieve enhanced security of such computers and computer systems through more rigorous control of access to such computers and computer systems. (d) RECOMMENDATIONS.—The report under subsection (a) shall also include such recommendations for modifications or improvements of the current computer security practices of the elements of the intelligence community, and of the Department of Defense, as the Director and the Secretary jointly consider appropriate as a result of the assessments under subsection (b) and the information under subsection (c). (e) SUBMITTAL DATE.—The report under subsection (a) shall be submitted not later than February 15, 2004. (f) FORM.—The report under subsection (a) may be submitted in classified or unclassified form, at the election of the Director. (g) DEFINITIONS.—In this section: (1) The term ‘‘appropriate committees of Congress’’ means— (A) the Select Committee on Intelligence and the Committee on Armed Services of the Senate; and (B) the Permanent Select Committee on Intelligence and the Committee on Armed Services of the House of Representatives.

VerDate 11-MAY-2000

13:59 Aug 30, 2004

Jkt 019194

PO 00000

Frm 00553

Fmt 6580

Sfmt 6581

D:\STATUTES\2003\19194PT3.001

APPS10

PsN: 19194PT3

�