The IT Law Wiki
== Citation ==
 
Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001. Title X, Subtitle G — '''Government Information Security Reform Act''' ('''GISRA'''), Pub. L. No. 106-398 (Oct. 30, 2000).
   
 
== Overview ==
 
The Act amended the [[Paperwork Reduction Act of 1995]] ([[PRA]]) by enacting a new subchapter on “Information Security,” which primarily addressed the [[information security]] program, evaluation, and reporting requirements for federal agencies. The Act became effective on November 29, 2000.

The Act:

* required agencies to perform periodic [[threat]]-based [[risk assessment]]s for [[system]]s and [[data]];
* required agencies to develop and implement [[risk]]-based, cost-effective policies and procedures to provide [[security]] protection for [[information]] [[collect]]ed or [[maintain]]ed either by the agency or for it by another agency or contractor;
* required that agencies develop a process for ensuring that remedial action is taken to address significant deficiencies;
* required agencies to provide training on [[security]] awareness for agency personnel and on [[security]] responsibilities for [[information security]] personnel;
* required the agency head to ensure that the agency's [[information security]] plan is practiced throughout the [[life cycle]] of each agency system. The agency head is responsible for ensuring that the appropriate agency officials evaluate the effectiveness of the [[information security]] program, including [[testing]] controls;
* required agencies to report annually to the [[OMB]] on the [[security]] of their [[information system]]s and to make [[information system security]] part of their regular process of doing business (e.g., in budget requests).

== Office of Management and Budget ==

For [[unclassified]] systems, [[OMB]] retained its existing [[policy]] authority under the [[PRA]] and the [[Clinger-Cohen Act of 1996]].

Except for the new annual program reviews, the role of the agency [[Inspector General]], and the annual reporting requirement, the Act essentially codifies the existing requirements of [[OMB Circular No. A-130]], App. III, "Security of Federal Automated Information Resources."

The Act also requires agencies to incorporate [[security]] into the life cycle of agency [[information system]]s.<ref>For guidance on meeting this requirement, see [[OMB Memorandum M-00-07]], "Incorporating and Funding Security in Information Systems Investments," now incorporated into Section 8b(3) of [[OMB Circular No. A-130]].</ref>

For [[national security]] systems, the Act directs [[OMB]] to delegate certain authorities to "the [[Secretary of Defense]], the [[Director of Central Intelligence]], and another agency head as designated by the President." The Act also directs [[OMB]] to delegate to the [[Secretary of Defense]] certain limited authorities concerning DOD unclassified mission critical systems.

== References ==

<references />

== See also ==

* [[OMB Memorandum M-01-08]].
 
[[Category:Legislation]]
 
[[Category:Legislation-U.S.-Federal]]
 
[[Category:Legislation-U.S.-Security]]
 
[[Category:Security]]
 
[[Category:2000]]

Latest revision as of 16:03, 19 December 2013
