§ 3543. Authority and functions of the Director
(a)
In General.—
The Director shall oversee agency information security policies and practices, including—
(1)
developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section
11331 of title
40;
(2)
requiring agencies, consistent with the standards promulgated under such section
11331 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of—
(3)
coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
(4)
overseeing agency compliance with the requirements of this subchapter, including through any authorized action under section
11303 of title
40, to enforce accountability for compliance with such requirements;
(5)
reviewing at least annually, and approving or disapproving, agency information security programs required under section
3544
(b);
(6)
coordinating information security policies and procedures with related information resources management policies and procedures;
(7)
overseeing the operation of the Federal information security incident center required under section
3546; and
(8)
reporting to Congress no later than March 1 of each year on agency compliance with the requirements of this subchapter, including—
(b)
National Security Systems.—
Except for the authorities described in paragraphs (4) and (8) of subsection (a), the authorities of the Director under this section shall not apply to national security systems.
(c)
Department of Defense and Central Intelligence Agency Systems.—
(1)
The authorities of the Director described in paragraphs (1) and (2) of subsection (a) shall be delegated to the Secretary of Defense in the case of systems described in paragraph (2) and to the Director of Central Intelligence in the case of systems described in paragraph (3).
(2)
The systems described in this paragraph are systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense.
(3)
The systems described in this paragraph are systems that are operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Central Intelligence Agency.