Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001. Title X, Subtitle G — Government Information Security Reform Act (GISRA), Pub. L. No. 106-398 (Oct. 30, 2000).
The Act amended the Paperwork Reduction Act of 1995 (PRA) by enacting a new subchapter on “Information Security,” which primarily addressed the information security program, evaluation, and reporting requirements for federal agencies. The Act became effective on November 29, 2000.
- required agencies to perform periodic threat-based risk assessments for systems and data;
- required agencies to develop and implement risk-based, cost-effective policies and procedures to provide security protection for information collected or maintained either by the agency or for it by another agency or contractor;
- required that agencies develop a process for ensuring that remedial action is taken to address significant deficiencies;
- required agencies to provide training on security awareness for agency personnel and on security responsibilities for information security personnel;
- required the agency head to ensure that the agency's information security plan is practiced throughout the life cycle of each agency system. The agency head is responsible for ensuring that the appropriate agency officials, evaluating the effectiveness of the information security program, including testing controls;
- required agencies to report annually to the OMB on the security of their information systems and to make information system security part of their regular process of doing business (e.g., in budget requests).
Office of Management and Budget Edit
Except for the new annual program reviews, the role of the agency Inspector General, and the annual reporting requirement, the Act essentially codifies the existing requirements of OMB Circular No. A-130, App. III, "Security of Federal Automated Information Resources."
For national security systems, the Act directs OMB to delegate certain authorities to "the Secretary of Defense, the Director of Central Intelligence, and another agency head as designated by the President." The Act also directs OMB to delegate to the Secretary of Defense certain limited authorities concerning DOD unclassified mission critical systems.
- ↑ For guidance on meeting this requirement, see OMB Memorandum M-00-07, "Incorporating and Funding Security in Information Systems Investments," now incorporated into Section 8b(3) of OMB Circular No. A-130.