Section 206 of HR 5005, the Homeland Security Act of 2002 -- Chairman Armey's Mark, July 18, 2002.
This section was included in the version of HR 5005 that was approved by the House Select Committee on Homeland Security on July 19, 2002.
This language comes from the House Commerce Committee's version of HR 5005, approved on July 11, 2002.
SEC. 206. FEDERAL CYBERSECURITY PROGRAM.
(a) IN GENERAL.—The Secretary, acting through the Under Secretary for Information Analysis and Infrastructure Protection, shall establish and manage a program to improve the security of Federal critical information systems, including carrying out responsibilities under paragraphs (1) and (2) of section 201 that relate to such systems.
(b) DUTIES.—The duties of the Secretary under subsection (a) are—
(1) to evaluate the increased use by civilian executive agencies of techniques and tools to enhance the security of Federal critical information systems, including, as appropriate, consideration of cryptography;
(2) to provide assistance to civilian executive agencies in protecting the security of Federal critical information systems, including identification of significant risks to such systems; and
(3) to coordinate research and development for critical information systems relating to supervisory control and data acquisition systems, including, as appropriate, the establishment of a test bed.
(c) FEDERAL INFORMATION SYSTEM SECURITY TEAM.—
(1) IN GENERAL.—In carrying out subsection (b)(2), the Secretary shall establish, manage, and support a Federal information system security team whose purpose is to provide technical expertise to civilian executive agencies to assist such agencies in securing Federal critical information systems by conducting information security audits of such systems, including conducting tests of the effectiveness of information security control techniques and performing logical access control tests of interconnected computer systems and networks, and related vulnerability assessment techniques.
(2) TEAM MEMBERS.—The Secretary shall ensure that the team under paragraph (1) includes technical experts and auditors, computer scientists, and computer forensics analysts whose technical competence enables the team to conduct audits under such paragraph.
(3) AGENCY AGREEMENTS REGARDING AUDITS.—Each civilian executive agency may enter into an agreement with the team under paragraph (1) for the conduct of audits under such paragraph of the Federal critical information systems of the agency. Such agreement shall establish the terms of the audit and shall include provisions to minimize the extent to which the audit disrupts the operations of the agency.
(4) REPORTS.—Promptly after completing an audit under paragraph (1) of a civilian executive agency, the team under such paragraph shall prepare a report summarizing the findings of the audit and making recommendations for corrective action. Such report shall be submitted to the Secretary, the head of such agency, and the Inspector General of the agency (if any), and upon request of any congressional committee with jurisdiction over such agency, to such committee.
(d) DEFINITION.—For purposes of this section, the term ‘‘Federal critical information system’’ means an ‘‘information system’’ as defined in section 3502 of title 44, United States Code, that—
(1) is, or is a component of, a key resource or critical infrastructure;
(2) is used or operated by a civilian executive agency or by a contractor of such an agency; and
(3) does not include any national security system as defined in section 5142 of the Clinger-Cohen Act of 1996.