Page:United States Statutes at Large Volume 116 Part 3.djvu/678


116 STAT. 2270 PUBLIC LAW 107-296—NOV. 25, 2002

Deadlines.

"(1) consult with other agencies and offices (including, but not limited to, the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the General Accounting Office, and the Secretary of Homeland Security) to assure—
    "(A) use of appropriate information security policies, procedures, and techniques, in order to improve information security and avoid unnecessary and costly duplication of effort; and
    "(B) that such standards and guidelines are complementary with standards and guidelines employed for the protection of national security systems and information contained in such systems;
"(2) provide the public with an opportunity to comment on proposed standards and guidelines;
"(3) submit to the Director of the Office of Management and Budget for promulgation under section 11331 of title 40, United States Code—
    "(A) standards, as required under subsection (b)(1)(A), no later than 12 months after the date of the enactment of this section; and
    "(B) minimum information security requirements for each category, as required under subsection (b)(1)(C), no later than 36 months after the date of the enactment of this section;
"(4) issue guidelines as required under subsection (b)(1)(B), no later than 18 months after the date of the enactment of this Act;
"(5) ensure that such standards and guidelines do not require specific technological solutions or products, including any specific hardware or software security solutions;
"(6) ensure that such standards and guidelines provide for sufficient flexibility to permit alternative solutions to provide equivalent levels of protection for identified information security risks; and
"(7) use flexible, performance-based standards and guidelines that, to the greatest extent possible, permit the use of off-the-shelf commercially developed information security products.
"(d) The Institute shall—
"(1) submit standards developed pursuant to subsection (a), along with recommendations as to the extent to which these should be made compulsory and binding, to the Director of the Office of Management and Budget for promulgation under section 11331 of title 40, United States Code;
"(2) provide assistance to agencies regarding—
    "(A) compliance with the standards and guidelines developed under subsection (a);
    "(B) detecting and handling information security incidents; and
    "(C) information security policies, procedures, and practices;
"(3) conduct research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security;