

116 STAT. 2958 PUBLIC LAW 107-347—DEC. 17, 2002

"(C) minimum information security requirements for information and information systems in each such category;
"(2) a definition of and guidelines concerning detection and handling of information security incidents; and
"(3) guidelines developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system consistent with applicable requirements for national security systems, issued in accordance with law and as directed by the President.
"(c) DEVELOPMENT OF STANDARDS AND GUIDELINES.—In developing standards and guidelines required by subsections (a) and (b), the Institute shall—
"(1) consult with other agencies and offices and the private sector (including the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the General Accounting Office, and the Secretary of Homeland Security) to assure—
"(A) use of appropriate information security policies, procedures, and techniques, in order to improve information security and avoid unnecessary and costly duplication of effort; and
"(B) that such standards and guidelines are complementary with standards and guidelines employed for the protection of national security systems and information contained in such systems;
"(2) provide the public with an opportunity to comment on proposed standards and guidelines;
Deadlines.
"(3) submit to the Secretary of Commerce for promulgation under section 11331 of title 40, United States Code—
"(A) standards, as required under subsection (b)(1)(A), no later than 12 months after the date of the enactment of this section; and
"(B) minimum information security requirements for each category, as required under subsection (b)(1)(C), no later than 36 months after the date of the enactment of this section;
Deadline.
"(4) issue guidelines as required under subsection (b)(1)(B), no later than 18 months after the date of the enactment of this section;
"(5) to the maximum extent practicable, ensure that such standards and guidelines do not require the use or procurement of specific products, including any specific hardware or software;
"(6) to the maximum extent practicable, ensure that such standards and guidelines provide for sufficient flexibility to permit alternative solutions to provide equivalent levels of protection for identified information security risks; and
"(7) to the maximum extent practicable, use flexible, performance-based standards and guidelines that permit the use of off-the-shelf commercially developed information security products.
"(d) INFORMATION SECURITY FUNCTIONS.—The Institute shall—
"(1) submit standards developed pursuant to subsection (a), along with recommendations as to the extent to which these should be made compulsory and binding, to the Secretary of Commerce for promulgation under section 11331 of title 40, United States Code;