§ 278g–3. Computer standards program
The Institute shall— have the mission of developing standards, guidelines, and associated methods and techniques for information systems; develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems (as defined in section 3552(b)(6) of title 44); develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems; carry out the responsibilities described in paragraph (3) through the Computer Security Division; and identify and develop standards and guidelines for improving the cybersecurity workforce for an agency as part of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NIST Special Publication 800–181), or successor framework.

The standards and guidelines required by subsection (a) shall include, at a minimum— standards to be used by all agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels; guidelines recommending the types of information and information systems to be included in each such category; and minimum information security requirements for information and information systems in each such category; a definition of and guidelines concerning detection and handling of information security incidents; guidelines developed in coordination with the National Security Agency for identifying an information system as a national security system consistent with applicable requirements for national security systems, issued in accordance with law and as directed by the President; and performance standards and guidelines for high risk biometric identification systems, including facial recognition systems, accounting for various use cases, types of biometric identification systems, and relevant operational conditions.

In developing standards and guidelines required by subsections (a) and (b), the Institute shall— consult with other agencies and offices (including, but not limited to, the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the Government Accountability Office, and the Secretary of Homeland Security) to assure— use of appropriate information security policies, procedures, and techniques, in order to improve information security and avoid unnecessary and costly duplication of effort; and that such standards and guidelines are complementary with standards and guidelines employed for the protection of national security systems and information contained in such systems; provide the public with an opportunity to comment on proposed standards and guidelines; submit such standards and guidelines to the Secretary of Commerce for promulgation under section 11331 of title 40; issue guidelines as required under subsection (b)(1)(B), no later than 18 months after November 25, 2002; ensure that such standards and guidelines do not require specific technological solutions or products, including any specific hardware or software security solutions; ensure that such standards and guidelines provide for sufficient flexibility to permit alternative solutions to provide equivalent levels of protection for identified information security risks; and use flexible, performance-based standards and guidelines that, to the greatest extent possible, permit the use of off-the-shelf commercially developed information security products.

The Institute shall— submit standards developed pursuant to subsection (a), along with recommendations as to the extent to which these should be made compulsory and binding, to the Secretary of Commerce for promulgation under section 11331 of title 40; provide assistance to agencies regarding— compliance with the standards and guidelines developed under subsection (a); detecting and handling information security incidents; and information security policies, procedures, and practices; conduct research and analysis— to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security; to review and determine prevalent information security challenges and deficiencies identified by agencies or the Institute, including any challenges or deficiencies described in any of the annual reports under section 3553 or 3554 of title 44, and in any of the reports and the independent evaluations under section 3555 of that title, that may undermine the effectiveness of agency information security programs and practices; and to evaluate the effectiveness and sufficiency of, and challenges to, Federal agencies’ implementation of standards and guidelines developed under this section and policies and standards promulgated under section 11331 of title 40; develop and periodically revise performance indicators and measures for agency information security policies and practices; evaluate private sector information security policies and practices and commercially available information technologies to assess potential application by agencies to strengthen information security; evaluate security policies and practices developed for national security systems to assess potential application by agencies to strengthen information security; periodically assess the effectiveness of standards and guidelines developed under this section and undertake revisions as appropriate; solicit and consider the recommendations of the Information Security and Privacy Advisory Board, established by section 278g–4 of this title, regarding standards and guidelines developed under subsection (a) and submit such recommendations to the Secretary of Commerce with such standards submitted to the Secretary; and prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this section.

As part of the research activities conducted in accordance with subsection (d)(3), the Institute shall, to the extent practicable and appropriate— conduct a research program to develop a unifying and standardized identity, privilege, and access control management framework for the execution of a wide variety of resource protection policies and that is amenable to implementation within a wide variety of existing and emerging computing environments; carry out research associated with improving the security of information systems and networks; carry out research associated with improving the testing, measurement, usability, and assurance of information systems and networks; carry out research associated with improving security of industrial control systems; carry out research associated with improving the security and integrity of the information technology supply chain; and carry out any additional research the Institute determines appropriate.

As used in this section— the term “agency” has the same meaning as provided in section 3502(1) of title 44; the term “information security” has the same meaning as provided in section 3552(b)(2) of such title; the term “information system” has the same meaning as provided in section 3502(8) of such title; the term “information technology” has the same meaning as provided in section 11101 of title 40; and the term “national security system” has the same meaning as provided in section 3552(b)(5) of such title.

(Mar. 3, 1901, ch. 872, § 20, as added Pub. L. 100–235, § 3(2), Jan. 8, 1988, 101 Stat. 1724; amended Pub. L. 100–418, title V, § 5115(a)(1), Aug. 23, 1988, 102 Stat. 1433; Pub. L. 104–106, div. E, title LVI, § 5607(a), Feb. 10, 1996, 110 Stat. 701; Pub. L. 105–85, div. A, title X, § 1073(h)(1), Nov. 18, 1997, 111 Stat. 1906; Pub. L. 107–296, title X, § 1003, Nov. 25, 2002, 116 Stat. 2269; Pub. L. 107–305, §§ 8(b), 9, 10, Nov. 27, 2002, 116 Stat. 2378, 2379; Pub. L. 107–347, title III, § 303, Dec. 17, 2002, 116 Stat. 2957; Pub. L. 108–271, § 8(b), July 7, 2004, 118 Stat. 814; Pub. L. 113–274, title II, § 204, Dec. 18, 2014, 128 Stat. 2980; Pub. L. 113–283, § 2(e)(4), Dec. 18, 2014, 128 Stat. 3087; Pub. L. 114–329, title I, § 104(b)(3), Jan. 6, 2017, 130 Stat. 2976; Pub. L. 116–283, div. H, title XCIV, § 9402(a), Jan. 1, 2021, 134 Stat. 4810; Pub. L. 117–167, div. B, title II, §§ 10227, 10246(a)(2), (g), Aug. 9, 2022, 136 Stat. 1481, 1491, 1494.)