The Director shall prescribe the requirements and limitations during the Director's review of the executive agency's proposed budget submitted to the Director by the head of the executive agency for purposes of section 1105 of title 31.

SUBCHAPTER III-OTHER RESPONSIBILITIES

§ 11331. Responsibilities regarding efficiency, security, and privacy of federal computer systems

(a) DEFINITIONS.-In this section, the terms "federal computer system" and "operator of a federal computer system" have the meanings given those terms in section 20(d) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)).

(b) STANDARDS AND GUIDELINES.-

(1) AUTHORITY TO PRESCRIBE AND DISAPPROVE OR MODIFY.—

(A) AUTHORITY TO PRESCRIBE.-On the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the Act (15 U.S.C. 278g-3(a)(2), (3)), the Secretary of Commerce shall prescribe standards and guidelines pertaining to federal computer systems. The Secretary shall make those standards compulsory and binding to the extent the Secretary determines necessary to improve the efficiency of operation or security and privacy of federal computer systems.

(B) AUTHORITY TO DISAPPROVE OR MODIFY.-The President may disapprove or modify those standards and guidelines if the President determines that action to be in the public interest. The President's authority to disapprove or modify those standards and guidelines may not be delegated. Notice of disapproval or modification shall be published promptly in the Federal Register. On receiving notice of disapproval or modification, the Secretary shall immediately rescind or modify those standards or guidelines as directed by the President.

(2) EXERCISE OF AUTHORITY.-To ensure fiscal and policy consistency, the Secretary shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.

(c) APPLICATION OF MORE STRINGENT STANDARDS.-The head of a federal agency may employ standards for the cost-effective security and privacy of sensitive information in a federal computer system in or under the supervision of that agency that are more stringent than the standards the Secretary prescribes under this section if the more stringent standards contain at least the applicable standards the Secretary makes compulsory and binding.

(d) WAIVER OF STANDARDS.-

(1) AUTHORITY OF THE SECRETARY.-The Secretary may waive in writing compulsory and binding standards under subsection (b) if the Secretary determines that compliance would

(A) adversely affect the accomplishment of the mission of an operator of a federal computer system; or

(B) cause a major adverse financial impact on the operator that is not offset by Federal Government-wide savings.

(2) DELEGATION OF WAIVER AUTHORITY.-The Secretary may delegate to the head of one or more federal agencies authority to waive those standards to the extent the Secretary determines that action to be necessary and desirable to allow for timely and effective implementation of federal computer system standards. The head of the agency may redelegate that authority only to a chief information officer designated pursuant to section 3506 of title 44.

(3) NOTICE.-Notice of each waiver and delegation shall be transmitted promptly to Congress and published promptly in the Federal Register.

§ 11332. Federal computer system security training and plan

(a) DEFINITIONS.-In this section, the terms "computer system", "federal agency", "federal computer system", "operator of a federal computer system", and "sensitive information" have the meanings given those terms in section 20(d) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)).

(b) TRAINING.-

(1) IN GENERAL.-Each federal agency shall provide for mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of each federal computer system within or under the supervision of the agency. The training shall be

(A) provided in accordance with the guidelines developed pursuant to section 20(a)(5) of the Act (15 U.S.C. 278g-3(a)(5)) and the regulations prescribed under paragraph (3) for federal civilian employees; or

(B) provided by an alternative training program that the head of the agency approves after determining that the alternative training program is at least as effective in accomplishing the objectives of the guidelines and regulations.

(2) TRAINING OBJECTIVES.-Training under this subsection shall be designed

(A) to enhance employees' awareness of the threats to, and vulnerability of, computer systems; and

(B) to encourage the use of improved computer security practices.

(3) REGULATIONS.-The Director of the Office of Personnel Management shall maintain regulations that establish the procedures and scope of the training to be provided federal civilian employees under this subsection and the manner in which the training is to be carried out.

(c) PLAN.—

(1) IN GENERAL.-Consistent with standards, guidelines, policies, and regulations prescribed pursuant to section 11331 of this title, each federal agency shall maintain a plan for the security and privacy of each federal computer system the agency identifies as being within or under its supervision and as containing sensitive information. The plan must be commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or modification of, the information contained in the system.

(2) REVISION AND REVIEW.-The plan shall be revised annually as necessary and is subject to disapproval by the Director of the Office of Management and Budget.

(d) HANDLING OF INFORMATION NOT AFFECTED.—This section does not

(1) constitute authority to withhold information sought pursuant to section 552 of title 5; or

(2) authorize a federal agency to limit, restrict, regulate, or control the collection, maintenance, disclosure, use, transfer, or sale of any information (regardless of the medium in which the information may be maintained) that is

(A) privately owned information;

(B) disclosable under section 552 of title 5 or another law requiring or authorizing the public disclosure of information; or

(C) public domain information.

CHAPTER 115-INFORMATION TECHNOLOGY ACQUISITION PILOT PROGRAMS

SUBCHAPTER I-CONDUCT OF PILOT PROGRAMS

SUBCHAPTER II-SPECIFIC PILOT PROGRAMS

11521. Share-in-savings pilot program.

11522. Solutions-based contracting pilot program.

SUBCHAPTER I-CONDUCT OF PILOT PROGRAMS

§ 11501. Authority to conduct pilot programs

(a) IN GENERAL.—

(1) PURPOSE.-In consultation with the Administrator for the Office of Information and Regulatory Affairs, the Administrator for Federal Procurement Policy may conduct pilot programs to test alternative approaches for the acquisition of information technology by executive agencies.

(2) MULTIAGENCY, MULTI-ACTIVITY CONDUCT OF EACH PROGRAM.-Except as otherwise provided in this chapter, each pilot program conducted under this chapter shall be carried out in not more than two procuring activities in each of the executive agencies that are designated by the Administrator for Federal Procurement Policy in accordance with this chapter to carry out the pilot program. With the approval of the Administrator for Federal Procurement Policy, the head of each designated executive agency shall select the procuring activities of the executive agency that are to participate in the test and shall designate a procurement testing official who shall be responsible for the conduct and evaluation of the pilot program within the executive agency.

(b) LIMITATIONS.—

(1) NUMBER.-Not more than two pilot programs may be conducted under this chapter, including one pilot program each pursuant to the requirements of sections 11521 and 11522 of this title.

(2) AMOUNT.-The total amount obligated for contracts entered into under the pilot programs conducted under this chapter may not exceed $750,000,000. The Administrator for Federal Procurement Policy shall monitor those contracts and ensure that contracts are not entered into in violation of this paragraph.

(c) PERIOD OF PROGRAMS.—

(1) IN GENERAL.-Subject to paragraph (2), a pilot program may be carried out under this chapter for the period, not in excess of five years, the Administrator for Federal Procurement Policy determines is sufficient to establish reliable results.

(2) CONTINUING VALIDITY OF CONTRACTS.-A contract entered into under the pilot program before the expiration of that program remains in effect according to the terms of the contract after the expiration of the program.

§ 11502. Evaluation criteria and plans

(a) MEASURABLE TEST CRITERIA.-To the maximum extent practicable, the head of each executive agency conducting a pilot program under section 11501 of this title shall establish measurable criteria for evaluating the effects of the procedures or techniques to be tested under the program.

(b) TEST PLAN.-Before a pilot program may be conducted under section 11501 of this title, the Administrator for Federal Procurement Policy shall submit to Congress a detailed test plan for the program, including a detailed description of the procedures to be used and a list of regulations that are to be waived.

§ 11503. Report

(a) REQUIREMENT.-Not later than 180 days after the completion of a pilot program under this chapter, the Administrator for Federal Procurement Policy shall

(1) submit to the Director of the Office of Management and Budget a report on the results and findings under the program; and

(2) provide a copy of the report to Congress.

(b) CONTENT.-The report shall include

(1) a detailed description of the results of the program, as measured by the criteria established for the program; and

(2) a discussion of legislation that the Administrator recommends, or changes in regulations that the Administrator considers necessary, to improve overall information resources management in the Federal Government.

§ 11504. Recommended legislation

If the Director of the Office of Management and Budget determines that the results and findings under a pilot program under this chapter indicate that legislation is necessary or desirable to improve the process for acquisition of information technology, the Director shall transmit the Director's recommendations for that legislation to Congress.

§ 11505. Rule of construction

This chapter does not authorize the appropriation or obligation of amounts for the pilot programs authorized under this chapter.

SUBCHAPTER II-SPECIFIC PILOT PROGRAMS

§ 11521. Share-in-savings pilot program

(a) REQUIREMENT.-The Administrator for Federal Procurement Policy may authorize the heads of two executive agencies to carry out a pilot program to test the feasibility of—

(1) contracting on a competitive basis with a private sector source to provide the Federal Government with an information technology solution for improving mission-related or administrative processes of the Federal Government; and

(2) paying the private sector source an amount equal to a portion of the savings derived by the Federal Government from any improvements in mission-related processes and administrative processes that result from implementation of the solution.

(b) LIMITATIONS.-The head of an executive agency authorized to carry out the pilot program may carry out one project and enter into not more than five contracts for the project under the pilot program.

(c) SELECTION OF PROJECTS.-In consultation with the Administrator for the Office of Information and Regulatory Affairs, the Administrator for Federal Procurement Policy shall select the projects.

§ 11522. Solutions-based contracting pilot program

(a) DEFINITION.-For purposes of this section, "solutions-based contracting" is an acquisition method under which the acquisition objectives are defined by the Federal Government user of the technology to be acquired, a streamlined contractor selection process is used, and industry sources are allowed to provide solutions that attain the objectives effectively.

(b) IN GENERAL.-The Administrator for Federal Procurement Policy may authorize the head of an executive agency, in accordance with subsection (d), to carry out a pilot program to test the feasibility of using solutions-based contracting for the acquisition of information technology.

(c) PROCESS REQUIREMENTS.-The Administrator shall require use of a process with the following aspects for acquisitions under the pilot program:

(1) ACQUISITION PLAN EMPHASIZING DESIRED RESULT.-Preparation of an acquisition plan that defines the functional requirements of the intended users of the information technology to be acquired, identifies the operational improvements to be achieved, and defines the performance measurements to be applied in determining whether the information technology acquired satisfies the defined requirements and attains the identified results.

(2) RESULTS-ORIENTED STATEMENT OF WORK.-Use of a statement of work that is limited to an expression of the end results or performance capabilities desired under the acquisition plan.

(3) SMALL ACQUISITION ORGANIZATION.-Assembly of a small acquisition organization consisting of the following:

(A) An acquisition management team, the members of which are to be evaluated and rewarded under the pilot program for contributions toward attainment of the desired results identified in the acquisition plan.
