§ 278g-3. Computer standards program
(a)
In general
The Institute shall—
(1)
have the mission of developing standards, guidelines, and associated methods and techniques for information systems;
(2)
develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems (as defined in section 3532(b)(2) of title 44);
(b)
Minimum requirements for standards and guidelines
The standards and guidelines required by subsection (a) of this section shall include, at a minimum—
(1)
(A)
standards to be used by all agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
(c)
Development of standards and guidelines
In developing standards and guidelines required by subsections (a) and (b) of this section, the Institute shall—
(1)
consult with other agencies and offices (including, but not limited to, the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the Government Accountability Office, and the Secretary of Homeland Security) to assure—
(3)
submit to the Director of the Office of Management and Budget for promulgation under section 11331 of title 40—
(4)
issue guidelines as required under subsection (b)(1)(B) of this section, no later than 18 months after November 25, 2002;
(5)
ensure that such standards and guidelines do not require specific technological solutions or products, including any specific hardware or software security solutions;
(d)
Information security functions
The Institute shall—
(1)
submit standards developed pursuant to subsection (a) of this section, along with recommendations as to the extent to which these should be made compulsory and binding, to the Director of the Office of Management and Budget for promulgation under section 11331 of title 40;
(3)
conduct research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security;
(4)
develop and periodically revise performance indicators and measures for agency information security policies and practices;
(5)
evaluate private sector information security policies and practices and commercially available information technologies to assess potential application by agencies to strengthen information security;
(6)
evaluate security policies and practices developed for national security systems to assess potential application by agencies to strengthen information security;
(7)
periodically assess the effectiveness of standards and guidelines developed under this section and undertake revisions as appropriate;
(8)
solicit and consider the recommendations of the Information Security and Privacy Advisory Board, established by section 278g–4 of this title, regarding standards and guidelines developed under subsection (a) of this section and submit such recommendations to the Director of the Office of Management and Budget with such standards submitted to the Director; and
(e)
Definitions
As used in this section—
(2)
the term “information security” has the same meaning as provided in section 3532(1) of such title;
(3)
the term “information system” has the same meaning as provided in section 3502(8) of such title;
(4)
the term “information technology” has the same meaning as provided in section 11101 of title 40; and
(5)
the term “national security system” has the same meaning as provided in section 3532(b)(2) of such title.[1]
[1] See References in Text note below.