Page:United States Statutes at Large Volume 114 Part 3.djvu/312


114 STAT. 1654A-270 PUBLIC LAW 106-398—APPENDIX

      "(III) any other applicable requirements;
    "(C) security awareness training to inform personnel of—
      "(i) information security risks associated with the activities of personnel; and
      "(ii) responsibilities of personnel in complying with agency policies and procedures designed to reduce such risks;
    "(D) periodic management testing and evaluation of the effectiveness of information security policies and procedures;
    "(E) a process for ensuring remedial action to address any significant deficiencies; and
    "(F) procedures for detecting, reporting, and responding to security incidents, including—
      "(i) mitigating risks associated with such incidents before substantial damage occurs;
      "(ii) notifying and consulting with law enforcement officials and other offices and authorities;
      "(iii) notifying and consulting with an office designated by the Administrator of General Services within the General Services Administration; and
      "(iv) notifying and consulting with an office designated by the Secretary of Defense, the Director of Central Intelligence, and another agency head as designated by the President for incidents involving systems described under subparagraphs (A) and (B) of section 3532(b)(2).
  "(3) Each program under this subsection is subject to the approval of the Director and is required to be reviewed at least annually by agency program officials in consultation with the Chief Information Officer. In the case of systems described under subparagraphs (A) and (B) of section 3532(b)(2), the Director shall delegate approval authority under this paragraph to the Secretary of Defense, the Director of Central Intelligence, and another agency head as designated by the President.

"(c)(1) Each agency shall examine the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to—
    "(A) annual agency budgets;
    "(B) information resources management under subchapter I of this chapter;
    "(C) performance and results based management under the Clinger-Cohen Act of 1996 (40 U.S.C. 1401 et seq.);
    "(D) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 through 2805 of title 39; and
    "(E) financial management under—
      "(i) chapter 9 of title 31, United States Code, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made by that Act);
      "(ii) the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note) (and the amendments made by that Act); and
      "(iii) the internal controls conducted under section 3512 of title 31.
  "(2) Any significant deficiency in a policy, procedure, or practice identified under paragraph (1) shall be reported as a material