44 U.S.C. § 3557

Current through P.L. 118-106 (published on www.congress.gov on 10/04/2024)
Section 3557 - National security systems

The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency-

(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system;
(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President; and
(3) complies with the requirements of this subchapter.

44 U.S.C. § 3557

Added Pub. L. 113-283, §2(a), Dec. 18, 2014, 128 Stat. 3084.

EDITORIAL NOTES

PRIOR PROVISIONSProvisions similar to this section were contained in sections 3536 and 3547 of this title prior to repeal by Pub. L. 113-283.

STATUTORY NOTES AND RELATED SUBSIDIARIES

ENFORCEMENT OF CYBERSECURITY REQUIREMENTS FOR NATIONAL SECURITY SYSTEMS Pub. L. 117-263, div. F, title LXIII, §63096309,, 136 Stat. 3506, as amended by Pub. L. 118-31, div. G, title III, §73527352,, 137 Stat. 1065, provided that:"(a) DEFINITIONS.-In this section:"(1) CYBERSECURITY REQUIREMENTS FOR NATIONAL SECURITY SYSTEMS.-The term 'cybersecurity requirements for national security systems' means the minimum cybersecurity requirements established by the National Manager, consistent with the direction of the President and in consultation with the Director of National Intelligence, that applies to all national security systems operated by, on the behalf of, or administered by the head of an element of the intelligence community."(2) NATIONAL MANAGER.-The term 'National Manager' means the National Manager for National Security Systems designated by the President."(3) NATIONAL SECURITY SYSTEMS.-The term 'national security systems' includes-"(A) national security systems (as defined in section 3552(b) of title 44, United States Code); and"(B) information systems described in paragraph (2) or (3) of section 3553(e) of such title."(b) IMPLEMENTATION DEADLINE.-The cybersecurity requirements for national security systems shall include appropriate deadlines by which all elements of the intelligence community shall have fully implemented the requirements."(c) REEVALUATION AND UPDATES.-Not less frequently than once every 2 years, the National Manager shall reevaluate and update the cybersecurity requirements for national security systems."(d) RESOURCES.-Each head of an element of the intelligence community that owns or operates a national security system shall update plans of the element to prioritize resources in such a manner as to fully implement the cybersecurity requirements for national security systems by the deadline established pursuant to subsection (b) for the next 10 fiscal years."(e) IMPLEMENTATION REPORT.-Each head of an element of the intelligence community that owns or operates a national security system shall submit to the congressional intelligence committees not later than 90 days after the date of the enactment of this subsection [Dec. 22, 2023] a plan detailing the cost and schedule requirements necessary to meet all of the cybersecurity requirements for national security systems by the end of fiscal year 2026."(f) EXEMPTIONS.-"(1) IN GENERAL.-The head of an element of the intelligence community may exempt a national security system owned or operated by the element from the cybersecurity requirements for national security systems if done so in accordance with the procedures established under paragraph (2)."(2) EXEMPTION PROCEDURES.-The National Manager shall, consistent with the direction of the President, establish procedures that govern-"(A) the circumstances under which the head of an element of the intelligence community may exempt a national security system under paragraph (1); and"(B) the process for implementing the exemption."(3) ANNUAL REPORTS ON EXEMPTIONS.-"(A) IN GENERAL.-Each year, the National Manager and the Director of National Intelligence shall-"(i) submit to the congressional intelligence committees an annual report documenting all exemptions made under paragraph (1) during the period covered by the report, along with the justifications for the exemptions; and"(ii) in the case of an exemption made by the Assistant Secretary of State for Intelligence and Research under such paragraph, submit to the Committee on Foreign Relations of the Senate and the Committee on Foreign Affairs of the House of Representatives a separate report describing the exemption and the justification for it."(B) MANNER.-Each report submitted under subparagraph (A) shall be submitted with such classification as the Director considers appropriate and with due regard for the protection of sensitive intelligence sources and methods."[For definitions of "intelligence community" and "congressional intelligence committees" as used in section 6309 of Pub. L. 117-263 set out above, see section 3003 of Title 50, War and National Defense, as made applicable by section 6002 of Pub. L. 117-263 which is set out as a note under section 3003 of Title 50.]