U.S. Code, Title 44, Public Printing and Documents
Author: "U.S. Congress, Office of the Law Revision Counsel"

§ 3534. Federal Agency Responsibilities

     (a) The head of each agency shall—

     (1) be responsible for—

     (A) adequately ensuring the integrity, confidentiality, authenticity, availability, and nonrepudiation of information and information systems supporting agency operations and assets;

     (B) developing and implementing information security policies, procedures, and control techniques sufficient to afford security protections commensurate with the risk and magnitude of the harm resulting from unauthorized disclosure, disruption, modification, or destruction of information collected or maintained by or for the agency; and

     (C) ensuring that the agency’s information security plan is practiced throughout the life cycle of each agency system;

     (2) ensure that appropriate senior agency officials are responsible for—

     (A) assessing the information security risks associated with the operations and assets for programs and systems over which such officials have control;

     (B) determining the levels of information security appropriate to protect such operations and assets; and

     (C) periodically testing and evaluating information security controls and techniques;

     (3) delegate to the agency Chief Information Officer established under section 3506, or a comparable official in an agency not covered by such section, the authority to administer all functions under this subchapter including—

     (A) designating a senior agency information security official who shall report to the Chief Information Officer or a comparable official;

     (B) developing and maintaining an agencywide information security program as required under subsection (b);

     (C) ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;

     (D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and

     (E) assisting senior agency officials concerning responsibilities under paragraph (2);

     (4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and

     (5) ensure that the agency Chief Information Officer, in coordination with senior agency officials, periodically—

     (A)(i) evaluates the effectiveness of the agency information security program, including testing control techniques; and

     (ii) implements appropriate remedial actions based on that evaluation; and

     (B) reports to the agency head on—

     (i) the results of such tests and evaluations; and

     (ii) the progress of remedial actions.

     (b)(1) Each agency shall develop and implement an agencywide information security program to provide information security for the operations and assets of the agency, including operations and assets provided or managed by another agency.

     (2) Each program under this subsection shall include—

     (A) periodic risk assessments that consider internal and external threats to—

     (i) the integrity, confidentiality, and availability of systems; and

     (ii) data supporting critical operations and assets;

     (B) policies and procedures that—

     (i) are based on the risk assessments required under subparagraph (A) that cost-effectively reduce information security risks to an acceptable level; and

     (ii) ensure compliance with—

     (I) the requirements of this subchapter;

     (II) policies and procedures as may be prescribed by the Director; and

     (III) any other applicable requirements;

     (C) security awareness training to inform personnel of—

     (i) information security risks associated with the activities of personnel; and

     (ii) responsibilities of personnel in complying with agency policies and procedures designed to reduce such risks;

     (D) periodic management testing and evaluation of the effectiveness of information security policies and procedures;

     (E) a process for ensuring remedial action to address any significant deficiencies; and

     (F) procedures for detecting, reporting, and responding to security incidents, including—

     (i) mitigating risks associated with such incidents before substantial damage occurs;

     (ii) notifying and consulting with law enforcement officials and other offices and authorities;

     (iii) notifying and consulting with an office designated by the Administrator of General Services within the General Services Administration; and

     (iv) notifying and consulting with an office designated by the Secretary of Defense, the Director of Central Intelligence, and another agency head as designated by the President for incidents involving systems described under subparagraphs (A) and (B) of section 3532(b)(2).

     (3) Each program under this subsection is subject to the approval of the Director and is required to be reviewed at least annually by agency program officials in consultation with the Chief Information Officer. In the case of systems described under subparagraphs (A) and (B) of section 3532(b)(2), the Director shall delegate approval authority under this paragraph to the Secretary of Defense, the Director of Central Intelligence, and another agency head as designated by the President.

     (c)(1) Each agency shall examine the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to—

     (A) annual agency budgets;

     (B) information resources management under subchapter I of this chapter;

     (C) performance and results based management under the Clinger-Cohen Act of 1996 (40 U.S.C. 1401 et seq.);

     (D) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 through 2805 of title 39; and

     (E) financial management under—

     (i) chapter 9 of title 31, United States Code, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101–576) (and the amendments made by that Act);

     (ii) the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note) (and the amendments made by that Act); and

     (iii) the internal controls conducted under section 3512 of title 31.

     (2) Any significant deficiency in a policy, procedure, or practice identified under paragraph (1) shall be reported as a material weakness in reporting required under the applicable provision of law under paragraph (1).

     (d)(1) In addition to the requirements of subsection (c), each agency, in consultation with the Chief Information Officer, shall include as part of the performance plan required under section 1115 of title 31 a description of—

     (A) the time periods; and

     (B) the resources, including budget, staffing, and training,

which are necessary to implement the program required under subsection (b)(1).

     (2) The description under paragraph (1) shall be based on the risk assessment required under subsection (b)(2)(A).

(Added Pub. L. 106–398, § 1 [[div. A], title X, § 1061], Oct. 30, 2000, 114 Stat. 1654, 1654A–268.)

References in Text

     The Clinger-Cohen Act of 1996, referred to in subsec. (c)(1)(C), is div. D (§§ 4001–4402) and div. E (§§ 5001–5703) of Pub. L. 104–106, Feb. 10, 1996, 110 Stat. 642, 679. Div. E of Pub. L. 104–106 is classified principally to chapter 25 (§ 1401 et seq.) of Title 40, Public Buildings, Property, and Works. For complete classification of this Act to the Code, see Short Title note set out under section 1401 of Title 40, Short Title of 1996 Amendment note set out under section 251 of Title 41, Public Contracts, and Tables.

     The Chief Financial Officers Act of 1990, referred to in subsec. (c)(1)(E)(i), is Pub. L. 101–576, Nov. 15, 1990, 104 Stat. 2838. For complete classification of this Act to the Code, see Short Title of 1990 Amendment note set out under section 501 of Title 31, Money and Finance, and Tables.

     The Federal Financial Management Improvement Act of 1996, referred to in subsec. (c)(1)(E)(ii), is Pub. L. 104–208, div. A, title I, § 101(f) [title VIII], Sept. 30, 1996, 110 Stat. 3009–314, 3009–389, which is set out as a note under section 3512 of Title 31, Money and Finance. For complete classification of this Act to the Code, see Tables.

Section Referred to in Other Sections

     This section is referred to in title 10 section 2224.

Chicago: "U.S. Congress, Office of the Law Revision Counsel", "§ 3534. Federal Agency Responsibilities," U.S. Code, Title 44, Public Printing and Documents in U.S. Code, Title 44, Public Printing and Documents (Washington, D.C.: Government Printing Office, 2002), Original Sources, accessed February 6, 2023, http://www.originalsources.com/Document.aspx?DocID=8DXHQ1HZ7WCU2D8.