Page:United States Statutes at Large Volume 116 Part 4.djvu/529

PUBLIC LAW 107-347—DEC. 17, 2002 116 STAT. 2957

"(1) contain at least the applicable standards made compulsory and binding by the Secretary; and

"(2) are otherwise consistent with policies and guidelines issued under section 3543 of title 44.

Deadline.

"(f) DECISIONS ON PROMULGATION OF STANDARDS.—The decision by the Secretary regarding the promulgation of any standard under this section shall occur not later than 6 months after the submission of the proposed standard to the Secretary by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3).

"(g) DEFINITIONS.—In this section:

"(1) FEDERAL INFORMATION SYSTEM.—The term 'Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

"(2) INFORMATION SECURITY.—The term 'information security' has the meaning given that term in section 3542(b)(1) of title 44.

"(3) NATIONAL SECURITY SYSTEM.—The term 'national security system' has the meaning given that term in section 3542(b)(2) of title 44.".

(b) CLERICAL AMENDMENT.—The item relating to section 11331 in the table of sections at the beginning of chapter 113 of such title is amended to read as follows:

"11331. Responsibilities for Federal information systems standards.".

SEC. 303. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY.

Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), is amended by striking the text and inserting the following:

"(a) IN GENERAL.—The Institute shall—

"(1) have the mission of developing standards, guidelines, and associated methods and techniques for information systems;

"(2) develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems (as defined in section 3542(b)(2) of title 44, United States Code); and

"(3) develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.

"(b) MINIMUM REQUIREMENTS FOR STANDARDS AND GUIDELINES.—The standards and guidelines required by subsection (a) shall include, at a minimum—

"(1)(A) standards to be used by all agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;

"(B) guidelines recommending the types of information and information systems to be included in each such category; and