{"identifier":"/us/usc/t42/s18445","title":42,"num":"\u00a7\u202f18445.","heading":"Information security","text":"\u00a7\u202f18445.\nInformation security\n(a)\nMonitoring risk\n(1)\nUpdate on system implementation\nNot later than 120 days after\n(A) an update on efforts to implement a system to provide dynamic, comprehensive, real-time information regarding risk of unauthorized remote, proximity, and insider use or access, for all information infrastructure under the responsibility of the chief information officer, and mission-related networks, including contractor networks;\n(B) an assessment of whether the system has demonstrably and quantifiably reduced network risk compared to alternative methods of measuring security; and\n(C) an assessment of the progress that each center and facility has made toward implementing the system.\n(2)\nExisting assessments\nThe assessments required of the Inspector General under section 3545\n1\n1 See References in Text note below.\n(b)\nInformation security awareness and education\n(1)\nIn general\nIn consultation with the Department of Education, other national security agencies, and other agency directorates, the chief information officer shall institute an information security awareness and education program for all operators and users of NASA information infrastructure, with the goal of reducing unauthorized remote, proximity, and insider use or access.\n(2)\nProgram requirements\n(A) The program shall include, at a minimum, ongoing classified and unclassified threat-based briefings, and automated exercises and examinations that simulate common attack techniques.\n(B) All agency employees and contractors engaged in the operation or use of agency information infrastructure shall participate in the program.\n(C) Access to NASA information infrastructure shall only be granted to operators and users who regularly satisfy the requirements of the program.\n(D) The chief human capital officer of NASA, in consultation with the chief information officer, shall create a system to reward operators and users of agency information infrastructure for continuous high achievement in the program.\n(c)\nInformation infrastructure defined\nIn this section, the term \u201cinformation infrastructure\u201d means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices and communications networks and any associated hardware, software, or data.","url":"https://projectusc.org/usc/t42/s18445.html","content":[{"t":"sec","id":"/us/usc/t42/s18445","children":[{"t":"num","text":"\u00a7\u202f18445."},{"t":"heading","text":"Information security"},{"t":"subsec","id":"/us/usc/t42/s18445/a","children":[{"t":"num","text":"(a)"},{"t":"heading","text":"Monitoring risk"},{"t":"para","id":"/us/usc/t42/s18445/a/1","children":[{"t":"num","text":"(1)"},{"t":"heading","text":"Update on system implementation"},{"t":"chapeau","text":"Not later than 120 days after ","children":[{"t":"text","text":"October 11, 2010","tail":", and on a biennial basis thereafter, the chief information officer of NASA, in coordination with other national security agencies, shall provide to the appropriate committees of Congress\u2014"}]},{"t":"subpara","id":"/us/usc/t42/s18445/a/1/A","children":[{"t":"num","text":"(A)"},{"t":"content","text":" an update on efforts to implement a system to provide dynamic, comprehensive, real-time information regarding risk of unauthorized remote, proximity, and insider use or access, for all information infrastructure under the responsibility of the chief information officer, and mission-related networks, including contractor networks;","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t42/s18445/a/1/B","children":[{"t":"num","text":"(B)"},{"t":"content","text":" an assessment of whether the system has demonstrably and quantifiably reduced network risk compared to alternative methods of measuring security; and","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t42/s18445/a/1/C","children":[{"t":"num","text":"(C)"},{"t":"content","text":" an assessment of the progress that each center and facility has made toward implementing the system.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t42/s18445/a/2","children":[{"t":"num","text":"(2)"},{"t":"heading","text":"Existing assessments"},{"t":"content","children":[{"t":"p","text":"The assessments required of the Inspector General under section 3545\u202f","children":[{"t":"ref","text":"1"},{"t":"num","text":"1","tail":"\u202fSee References in Text note below."},{"t":"text","text":"\u202fSee References in Text note below.","tail":" of title 44 shall evaluate the effectiveness of the system described in this subsection."}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t42/s18445/b","children":[{"t":"num","text":"(b)"},{"t":"heading","text":"Information security awareness and education"},{"t":"para","id":"/us/usc/t42/s18445/b/1","children":[{"t":"num","text":"(1)"},{"t":"heading","text":"In general"},{"t":"content","children":[{"t":"p","text":"In consultation with the Department of Education, other national security agencies, and other agency directorates, the chief information officer shall institute an information security awareness and education program for all operators and users of NASA information infrastructure, with the goal of reducing unauthorized remote, proximity, and insider use or access.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t42/s18445/b/2","children":[{"t":"num","text":"(2)"},{"t":"heading","text":"Program requirements"},{"t":"subpara","id":"/us/usc/t42/s18445/b/2/A","children":[{"t":"num","text":"(A)"},{"t":"content","text":" The program shall include, at a minimum, ongoing classified and unclassified threat-based briefings, and automated exercises and examinations that simulate common attack techniques.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t42/s18445/b/2/B","children":[{"t":"num","text":"(B)"},{"t":"content","text":" All agency employees and contractors engaged in the operation or use of agency information infrastructure shall participate in the program.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t42/s18445/b/2/C","children":[{"t":"num","text":"(C)"},{"t":"content","text":" Access to NASA information infrastructure shall only be granted to operators and users who regularly satisfy the requirements of the program.","tail":"\n"}],"tail":"\n"},{"t":"subpara","id":"/us/usc/t42/s18445/b/2/D","children":[{"t":"num","text":"(D)"},{"t":"content","text":" The chief human capital officer of NASA, in consultation with the chief information officer, shall create a system to reward operators and users of agency information infrastructure for continuous high achievement in the program.","tail":"\n"}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t42/s18445/c","children":[{"t":"num","text":"(c)"},{"t":"heading","text":"Information infrastructure defined"},{"t":"content","children":[{"t":"p","text":"In this section, the term \u201cinformation infrastructure\u201d means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices and communications networks and any associated hardware, software, or data.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"text","text":"\n"},{"t":"text","text":"\n"}]}]}