Page:United States Statutes at Large Volume 120.djvu/3490

PUBLIC LAW 109–461—DEC. 22, 2006

120 STAT. 3459

criteria established by statute or Executive Order to be kept classified in the interest of national defense or foreign policy.

‘‘(16) PLAN OF ACTION AND MILESTONES.—The term ‘plan of action and milestones’, means a plan used as a basis for the quarterly reporting requirements of the Office of Management and Budget that includes the following information:
    ‘‘(A) A description of the security weakness.
    ‘‘(B) The identity of the office or organization responsible for resolving the weakness.
    ‘‘(C) An estimate of resources required to resolve the weakness by fiscal year.
    ‘‘(D) The scheduled completion date.
    ‘‘(E) Key milestones with estimated completion dates.
    ‘‘(F) Any changes to the original key milestone date.
    ‘‘(G) The source that identified the weakness.
    ‘‘(H) The status of efforts to correct the weakness.

‘‘(17) PRINCIPAL CREDIT REPORTING AGENCY.—The term ‘principal credit reporting agency’ means a consumer reporting agency as described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

‘‘(18) SECURITY INCIDENT.—The term ‘security incident’ means an event that has, or could have, resulted in loss or damage to Department assets, or sensitive information, or an action that breaches Department security procedures.

‘‘(19) SENSITIVE PERSONAL INFORMATION.—The term ‘sensitive personal information’, with respect to an individual, means any information about the individual maintained by an agency, including the following:
    ‘‘(A) Education, financial transactions, medical history, and criminal or employment history.
    ‘‘(B) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records.

‘‘(20) SUBORDINATE PLAN.—The term ‘subordinate plan’, also referred to as a ‘system security plan’, means a subordinate plan defines the security controls that are either planned or implemented for networks, facilities, systems, or groups of systems, as appropriate, within a specific accreditation boundary.

‘‘(21) TRAINING.—The term ‘training’ means a learning experience in which an individual is taught to execute a specific information security procedure or understand the information security common body of knowledge.

‘‘(22) VA NATIONAL RULES OF BEHAVIOR.—The term ‘VA National Rules of Behavior’ means a set of Department rules that describes the responsibilities and expected behavior of personnel with regard to information system usage.

‘‘(23) VA SENSITIVE DATA.—The term ‘VA sensitive data’ means all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information and includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions.
