{"identifier":"/us/usc/t38/s5727","title":38,"num":"\u00a7\u202f5727.","heading":"Definitions","text":"\u00a7\u202f5727.\nDefinitions\nIn this subchapter:\n(1)\nAvailability.\u2014\nThe term \u201cavailability\u201d means ensuring timely and reliable access to and use of information.\n(2)\nConfidentiality.\u2014\nThe term \u201cconfidentiality\u201d means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.\n(3)\nControl techniques.\u2014\nThe term \u201ccontrol techniques\u201d means methods for guiding and controlling the operations of information systems to ensure adherence to the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.\n(4)\nData breach.\u2014\nThe term \u201cdata breach\u201d means the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.\n(5)\nData breach analysis.\u2014\nThe term \u201cdata breach analysis\u201d means the process used to determine if a data breach has resulted in the misuse of sensitive personal information.\n(6)\nFraud resolution systems.\u2014\nThe term \u201cfraud resolution services\u201d means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft.\n(7)\nIdentity theft.\u2014\nThe term \u201cidentity theft\u201d has the meaning given such term under section 603 of the Fair Credit Reporting Act (\n15 U.S.C. 1681a\n(8)\nIdentity theft insurance.\u2014\nThe term \u201cidentity theft insurance\u201d means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with efforts to correct and ameliorate the effects and results of identity theft of the insured individual.\n(9)\nInformation owner.\u2014\nThe term \u201cinformation owner\u201d means an agency official with statutory or operational authority for specified information and responsibility for establishing the criteria for its creation, collection, processing, dissemination, or disposal, which responsibilities may extend to interconnected systems or groups of interconnected systems.\n(10)\nInformation resources.\u2014\nThe term \u201cinformation resources\u201d means information in any medium or form and its related resources, such as personnel, equipment, funds, and information technology.\n(11)\nInformation security.\u2014\nThe term \u201cinformation security\u201d means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.\n(12)\nInformation security requirements.\u2014\nThe term \u201cinformation security requirements\u201d means information security requirements promulgated in accordance with law, or directed by the Secretary of Commerce, the National Institute of Standards and Technology, and the Office of Management and Budget, and, as to national security systems, the President.\n(13)\nInformation system.\u2014\nThe term \u201cinformation system\u201d means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether automated or manual.\n(14)\nIntegrity.\u2014\nThe term \u201cintegrity\u201d means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.\n(15)\nNational security system.\u2014\nThe term \u201cnational security system\u201d means an information system that is protected at all times by policies and procedures established for the processing, maintenance, use, sharing, dissemination or disposition of information that has been specifically authorized under criteria established by statute or Executive Order to be kept classified in the interest of national defense or foreign policy.\n(16)\nPlan of action and milestones.\u2014\nThe term \u201cplan of action and milestones\u201d, means a plan used as a basis for the quarterly reporting requirements of the Office of Management and Budget that includes the following information:\n(A) A description of the security weakness.\n(B) The identity of the office or organization responsible for resolving the weakness.\n(C) An estimate of resources required to resolve the weakness by fiscal year.\n(D) The scheduled completion date.\n(E) Key milestones with estimated completion dates.\n(F) Any changes to the original key milestone date.\n(G) The source that identified the weakness.\n(H) The status of efforts to correct the weakness.\n(17)\nPrincipal credit reporting agency.\u2014\nThe term \u201cprincipal credit reporting agency\u201d means a consumer reporting agency as described in section 603(p) of the Fair Credit Reporting Act (\n15 U.S.C. 1681a(p)\n(18)\nSecurity incident.\u2014\nThe term \u201csecurity incident\u201d means an event that has, or could have, resulted in loss or damage to Department assets, or sensitive information, or an action that breaches Department security procedures.\n(19)\nSensitive personal information.\u2014\nThe term \u201csensitive personal information\u201d, with respect to an individual, means any information about the individual maintained by an agency, including the following:\n(A) Education, financial transactions, medical history, and criminal or employment history.\n(B) Information that can be used to distinguish or trace the individual\u2019s identity, including name, social security number, date and place of birth, mother\u2019s maiden name, or biometric records.\n(20)\nSubordinate plan.\u2014\nThe term \u201csubordinate plan\u201d, also referred to as a \u201csystem security plan\u201d, means a plan that defines the security controls that are either planned or implemented for networks, facilities, systems, or groups of systems, as appropriate, within a specific accreditation boundary.\n(21)\nTraining.\u2014\nThe term \u201ctraining\u201d means a learning experience in which an individual is taught to execute a specific information security procedure or understand the information security common body of knowledge.\n(22)\nVa national rules of behavior.\u2014\nThe term \u201cVA National Rules of Behavior\u201d means a set of Department rules that describes the responsibilities and expected behavior of personnel with regard to information system usage.\n(23)\nVa sensitive data.\u2014\nThe term \u201cVA sensitive data\u201d means all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information and includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions.","url":"https://projectusc.org/usc/t38/s5727.html","content":[{"t":"sec","id":"/us/usc/t38/s5727","children":[{"t":"num","text":"\u00a7\u202f5727."},{"t":"heading","text":"Definitions","tail":"\n"},{"t":"chapeau","text":"In this subchapter:"},{"t":"para","id":"/us/usc/t38/s5727/1","children":[{"t":"num","text":"(1)"},{"t":"heading","text":"Availability.\u2014"},{"t":"content","text":"The term \u201cavailability\u201d means ensuring timely and reliable access to and use of information.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/2","children":[{"t":"num","text":"(2)"},{"t":"heading","text":"Confidentiality.\u2014"},{"t":"content","text":"The term \u201cconfidentiality\u201d means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/3","children":[{"t":"num","text":"(3)"},{"t":"heading","text":"Control techniques.\u2014"},{"t":"content","text":"The term \u201ccontrol techniques\u201d means methods for guiding and controlling the operations of information systems to ensure adherence to the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/4","children":[{"t":"num","text":"(4)"},{"t":"heading","text":"Data breach.\u2014"},{"t":"content","text":"The term \u201cdata breach\u201d means the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/5","children":[{"t":"num","text":"(5)"},{"t":"heading","text":"Data breach analysis.\u2014"},{"t":"content","text":"The term \u201cdata breach analysis\u201d means the process used to determine if a data breach has resulted in the misuse of sensitive personal information.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/6","children":[{"t":"num","text":"(6)"},{"t":"heading","text":"Fraud resolution systems.\u2014"},{"t":"content","text":"The term \u201cfraud resolution services\u201d means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/7","children":[{"t":"num","text":"(7)"},{"t":"heading","text":"Identity theft.\u2014"},{"t":"content","text":"The term \u201cidentity theft\u201d has the meaning given such term under section 603 of the Fair Credit Reporting Act (","children":[{"t":"ref","text":"15 U.S.C. 1681a","href":"/us/usc/t15/s1681a","tail":")."}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/8","children":[{"t":"num","text":"(8)"},{"t":"heading","text":"Identity theft insurance.\u2014"},{"t":"content","text":"The term \u201cidentity theft insurance\u201d means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with efforts to correct and ameliorate the effects and results of identity theft of the insured individual.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/9","children":[{"t":"num","text":"(9)"},{"t":"heading","text":"Information owner.\u2014"},{"t":"content","text":"The term \u201cinformation owner\u201d means an agency official with statutory or operational authority for specified information and responsibility for establishing the criteria for its creation, collection, processing, dissemination, or disposal, which responsibilities may extend to interconnected systems or groups of interconnected systems.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/10","children":[{"t":"num","text":"(10)"},{"t":"heading","text":"Information resources.\u2014"},{"t":"content","text":"The term \u201cinformation resources\u201d means information in any medium or form and its related resources, such as personnel, equipment, funds, and information technology.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/11","children":[{"t":"num","text":"(11)"},{"t":"heading","text":"Information security.\u2014"},{"t":"content","text":"The term \u201cinformation security\u201d means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/12","children":[{"t":"num","text":"(12)"},{"t":"heading","text":"Information security requirements.\u2014"},{"t":"content","text":"The term \u201cinformation security requirements\u201d means information security requirements promulgated in accordance with law, or directed by the Secretary of Commerce, the National Institute of Standards and Technology, and the Office of Management and Budget, and, as to national security systems, the President.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/13","children":[{"t":"num","text":"(13)"},{"t":"heading","text":"Information system.\u2014"},{"t":"content","text":"The term \u201cinformation system\u201d means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether automated or manual.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/14","children":[{"t":"num","text":"(14)"},{"t":"heading","text":"Integrity.\u2014"},{"t":"content","text":"The term \u201cintegrity\u201d means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/15","children":[{"t":"num","text":"(15)"},{"t":"heading","text":"National security system.\u2014"},{"t":"content","text":"The term \u201cnational security system\u201d means an information system that is protected at all times by policies and procedures established for the processing, maintenance, use, sharing, dissemination or disposition of information that has been specifically authorized under criteria established by statute or Executive Order to be kept classified in the interest of national defense or foreign policy.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/16","children":[{"t":"num","text":"(16)"},{"t":"heading","text":"Plan of action and milestones.\u2014"},{"t":"chapeau","text":"The term \u201cplan of action and milestones\u201d, means a plan used as a basis for the quarterly reporting requirements of the Office of Management and Budget that includes the following information:"},{"t":"subpara","id":"/us/usc/t38/s5727/16/A","children":[{"t":"num","text":"(A)"},{"t":"content","text":" A description of the security weakness.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t38/s5727/16/B","children":[{"t":"num","text":"(B)"},{"t":"content","text":" The identity of the office or organization responsible for resolving the weakness.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t38/s5727/16/C","children":[{"t":"num","text":"(C)"},{"t":"content","text":" An estimate of resources required to resolve the weakness by fiscal year.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t38/s5727/16/D","children":[{"t":"num","text":"(D)"},{"t":"content","text":" The scheduled completion date.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t38/s5727/16/E","children":[{"t":"num","text":"(E)"},{"t":"content","text":" Key milestones with estimated completion dates.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t38/s5727/16/F","children":[{"t":"num","text":"(F)"},{"t":"content","text":" Any changes to the original key milestone date.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t38/s5727/16/G","children":[{"t":"num","text":"(G)"},{"t":"content","text":" The source that identified the weakness.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t38/s5727/16/H","children":[{"t":"num","text":"(H)"},{"t":"content","text":" The status of efforts to correct the weakness.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/17","children":[{"t":"num","text":"(17)"},{"t":"heading","text":"Principal credit reporting agency.\u2014"},{"t":"content","text":"The term \u201cprincipal credit reporting agency\u201d means a consumer reporting agency as described in section 603(p) of the Fair Credit Reporting Act (","children":[{"t":"ref","text":"15 U.S.C. 1681a(p)","href":"/us/usc/t15/s1681a/p","tail":")."}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/18","children":[{"t":"num","text":"(18)"},{"t":"heading","text":"Security incident.\u2014"},{"t":"content","text":"The term \u201csecurity incident\u201d means an event that has, or could have, resulted in loss or damage to Department assets, or sensitive information, or an action that breaches Department security procedures.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/19","children":[{"t":"num","text":"(19)"},{"t":"heading","text":"Sensitive personal information.\u2014"},{"t":"chapeau","text":"The term \u201csensitive personal information\u201d, with respect to an individual, means any information about the individual maintained by an agency, including the following:"},{"t":"subpara","id":"/us/usc/t38/s5727/19/A","children":[{"t":"num","text":"(A)"},{"t":"content","text":" Education, financial transactions, medical history, and criminal or employment history.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t38/s5727/19/B","children":[{"t":"num","text":"(B)"},{"t":"content","text":" Information that can be used to distinguish or trace the individual\u2019s identity, including name, social security number, date and place of birth, mother\u2019s maiden name, or biometric records.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/20","children":[{"t":"num","text":"(20)"},{"t":"heading","text":"Subordinate plan.\u2014"},{"t":"content","text":"The term \u201csubordinate plan\u201d, also referred to as a \u201csystem security plan\u201d, means a plan that defines the security controls that are either planned or implemented for networks, facilities, systems, or groups of systems, as appropriate, within a specific accreditation boundary.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/21","children":[{"t":"num","text":"(21)"},{"t":"heading","text":"Training.\u2014"},{"t":"content","text":"The term \u201ctraining\u201d means a learning experience in which an individual is taught to execute a specific information security procedure or understand the information security common body of knowledge.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/22","children":[{"t":"num","text":"(22)"},{"t":"heading","text":"Va national rules of behavior.\u2014"},{"t":"content","text":"The term \u201cVA National Rules of Behavior\u201d means a set of Department rules that describes the responsibilities and expected behavior of personnel with regard to information system usage.","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t38/s5727/23","children":[{"t":"num","text":"(23)"},{"t":"heading","text":"Va sensitive data.\u2014"},{"t":"content","text":"The term \u201cVA sensitive data\u201d means all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information and includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions.","tail":"\n"}],"tail":"\n"},{"t":"text","text":"\n"},{"t":"text","text":"\n"}]}]}