Page:United States Statutes at Large Volume 120.djvu/3482

 PUBLIC LAW 109–461—DEC. 22, 2006

120 STAT. 3451

‘‘(C) ensure that information security is addressed throughout the life cycle of each Department information system.

‘‘(3) Selection and effective implementation of minimum, mandatory technical, operational, and management security controls, or other compensating countermeasures, to protect the confidentiality, integrity, and availability of each Department system and its information.

‘‘(4) Subordinate plans for providing adequate security for networks, facilities, systems, or groups of information systems, as appropriate.

‘‘(5) Annual security awareness training for all Department employees, contractors, and all other users of VA sensitive data and Department information systems that identifies the information security risks associated with the activities of such employees, contractors, and users and the responsibilities of such employees, contractors, and users to comply with Department policies and procedures designed to reduce such risks.

‘‘(6) Periodic testing and evaluation of the effectiveness of security controls based on risk, including triennial certification testing of all management, operational, and technical controls, and annual testing of a subset of those controls for each Department system.

‘‘(7) A process for planning, developing, implementing, evaluating, and documenting remedial actions to address deficiencies in information security policies, procedures, and practices.

‘‘(8) Procedures for detecting, immediately reporting, and responding to security incidents, including mitigating risks before substantial damage is done as well as notifying and consulting with the US-Computer Emergency Readiness Team of the Department of Homeland Security, law enforcement agencies, the Inspector General of the Department, and other offices as appropriate.

‘‘(9) Plans and procedures to ensure continuity of operations for Department systems.

‘‘(c) COMPLIANCE WITH CERTAIN REQUIREMENTS.—The Secretary shall comply with the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements promulgated by the National Institute of Standards and Technology and the Office of Management and Budget that define Department information system mandates.

‘‘§ 5723. Responsibilities

‘‘(a) SECRETARY OF VETERANS AFFAIRS.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Secretary is responsible for the following:

‘‘(1) Ensuring that the Department adopts a Departmentwide information security program and otherwise complies with the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.

‘‘(2) Ensuring that information security protections are commensurate with the risk and magnitude of the potential harm to Department information and information systems resulting from unauthorized access, use, disclosure, disruption, modification, or destruction.
