
§ 11331. Responsibilities for Federal information systems standards

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a) Standards and Guidelines.—
(1) Authority to prescribe.— Except as provided under paragraph (2), the Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), prescribe standards and guidelines pertaining to Federal information systems.
(2) National security systems.— Standards and guidelines for national security systems shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.
(b) Mandatory Requirements.—
(1) Authority to make mandatory.— Except as provided under paragraph (2), the Secretary of Commerce shall make standards prescribed under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of Federal information systems.
(2) Required mandatory standards.—
(A) In general.— Standards prescribed under subsection (a)(1) shall include information security standards that—
(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(b)); and
(ii) are otherwise necessary to improve the security of Federal information and information systems.
(B) Requirement.— Information security standards described in subparagraph (A) shall be compulsory and binding.
(c) Authority to Disapprove or Modify.— The President may disapprove or modify the standards and guidelines referred to in subsection (a)(1) if the President determines such action to be in the public interest. The President’s authority to disapprove or modify such standards and guidelines may not be delegated. Notice of such disapproval or modification shall be published promptly in the Federal Register. Upon receiving notice of such disapproval or modification, the Secretary of Commerce shall immediately rescind or modify such standards or guidelines as directed by the President.
(d) Exercise of Authority.— To ensure fiscal and policy consistency, the Secretary of Commerce shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.
(e) Application of More Stringent Standards.— The head of an executive agency may employ standards for the cost-effective information security for Federal information systems within or under the supervision of that agency that are more stringent than the standards the Secretary prescribes under this section if the more stringent standards—
(1) contain at least the applicable standards made compulsory and binding by the Secretary of Commerce; and
(2) are otherwise consistent with policies and guidelines issued under section 3553 of title 44.
(f) Decisions on Promulgation of Standards.— The decision by the Secretary of Commerce regarding the promulgation of any standard under this section shall occur not later than 6 months after the submission of the proposed standard to the Secretary by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).
(g) Definitions.— In this section:
(1) Federal information system.— The term “Federal information system” means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
(2) Information security.— The term “information security” has the meaning given that term in section 3552(b)(3) of title 44.
(3) National security system.— The term “national security system” has the meaning given that term in section 3552(b)(6) of title 44.
(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1243; Pub. L. 107–296, title X, § 1002(a), Nov. 25, 2002, 116 Stat. 2268; Pub. L. 107–347, title III, § 302(a), Dec. 17, 2002, 116 Stat. 2956; Pub. L. 117–167, div. B, title II, § 10246(f), Aug. 9, 2022, 136 Stat. 1492.)