40 USC Ch. 113: RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY

TEXT OF PART V OF SUBTITLE A (3001 ET SEQ.), EFFECTIVE JANUARY 1, 2022, CURRENTLY SET OUT AS A PREVIEW

From Title 40—PUBLIC BUILDINGS, PROPERTY, AND WORKS
SUBTITLE III—INFORMATION TECHNOLOGY MANAGEMENT

CHAPTER 113—RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY

SUBCHAPTER I—DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET

Sec.
11301. Responsibility of Director.
11302. Capital planning and investment control.
11303. Performance-based and results-based management.

SUBCHAPTER II—EXECUTIVE AGENCIES

11311. Responsibilities.
11312. Capital planning and investment control.
11313. Performance and results-based management.
11314. Authority to acquire and manage information technology.
11315. Agency Chief Information Officer.
11316. Accountability.
11317. Significant deviations.
11318. Interagency support.
11319. Resources, planning, and portfolio management.

SUBCHAPTER III—OTHER RESPONSIBILITIES

11331. Responsibilities for Federal information systems standards.
[11332. Repealed.]

Editorial Notes

Amendments

2014—Pub. L. 113–291, div. A, title VIII, §831(b), Dec. 19, 2014, 128 Stat. 3440, added item 11319.

2002—Pub. L. 107–296, title X, §§1002(b), 1005(a)(2), Nov. 25, 2002, 116 Stat. 2269, 2272, and Pub. L. 107–347, title III, §§302(b), 305(a), Dec. 17, 2002, 116 Stat. 2957, 2960, amended table of sections identically, substituting "Responsibilities for Federal information systems standards" for "Responsibilities regarding efficiency, security, and privacy of federal computer systems" in item 11331 and striking out item 11332 "Federal computer system security training and plan".

SUBCHAPTER I—DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET

§11301. Responsibility of Director

In fulfilling the responsibility to administer the functions assigned under chapter 35 of title 44, the Director of the Office of Management and Budget shall comply with this chapter with respect to the specific matters covered by this chapter.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1237.)

Historical and Revision Notes

Revised Section: 11301
Source (U.S. Code): 40:1411.
Source (Statutes at Large): Pub. L. 104–106, div. E, title LI, §5111, Feb. 10, 1996, 110 Stat. 680.

Statutory Notes and Related Subsidiaries

AI in Government

Pub. L. 116–260, div. U, title I, Dec. 27, 2020, 134 Stat. 2286, provided that:

"SEC. 101. SHORT TITLE.

"This title may be cited as the 'AI in Government Act of 2020'.

"SEC. 102. DEFINITIONS.

"In this Act [probably means "this title"]—

"(1) the term 'Administrator' means the Administrator of General Services;

"(2) the term 'agency' has the meaning given the term in section 3502 of title 44, United States Code;

"(3) the term 'AI CoE' means the AI Center of Excellence described in section 103;

"(4) the term 'artificial intelligence' has the meaning given the term in section 238(g) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (10 U.S.C. 2358 note);

"(5) the term 'Director' means the Director of the Office of Management and Budget;

"(6) the term 'institution of higher education' has the meaning given the term in section 101 of the Higher Education Act of 1965 (20 U.S.C. 1001); and

"(7) the term 'nonprofit organization' means an organization described in section 501(c)(3) of the Internal Revenue Code of 1986 [26 U.S.C. 501(c)(3)] and exempt from taxation under section 501(a) of that Code [26 U.S.C. 501(a)].

"SEC. 103. AI CENTER OF EXCELLENCE.

"(a) In General.—There is created within the General Services Administration a program to be known as the 'AI Center of Excellence', which shall—

"(1) facilitate the adoption of artificial intelligence technologies in the Federal Government;

"(2) improve cohesion and competency in the adoption and use of artificial intelligence within the Federal Government; and

"(3) carry out paragraphs (1) and (2) for the purposes of benefitting the public and enhancing the productivity and efficiency of Federal Government operations.

"(b) Duties.—The duties of the AI CoE shall include—

"(1) regularly convening individuals from agencies, industry, Federal laboratories, nonprofit organizations, institutions of higher education, and other entities to discuss recent developments in artificial intelligence, including the dissemination of information regarding programs, pilots, and other initiatives at agencies, as well as recent trends and relevant information on the understanding, adoption, and use of artificial intelligence;

"(2) collecting, aggregating, and publishing on a publicly available website information regarding programs, pilots, and other initiatives led by other agencies and any other information determined appropriate by the Administrator;

"(3) advising the Administrator, the Director, and agencies on the acquisition and use of artificial intelligence through technical insight and expertise, as needed;

"(4) assist agencies in applying Federal policies regarding the management and use of data in applications of artificial intelligence;

"(5) consulting with agencies, including the Department of Defense, the Department of Commerce, the Department of Energy, the Department of Homeland Security, the Office of Management and Budget, the Office of the Director of National Intelligence, and the National Science Foundation, that operate programs, create standards and guidelines, or otherwise fund internal projects or coordinate between the public and private sectors relating to artificial intelligence;

"(6) advising the Director on developing policy related to the use of artificial intelligence by agencies; and

"(7) advising the Director of the Office of Science and Technology Policy on developing policy related to research and national investment in artificial intelligence.

"(c) Staff.—

"(1) In general.—The Administrator shall provide necessary staff, resources, and administrative support for the AI CoE.

"(2) Shared staff.—To the maximum extent practicable, the Administrator shall meet the requirements described under paragraph (1) by using staff of the General Services Administration, including those from other agency centers of excellence, and detailees, on a reimbursable or nonreimbursable basis, from other agencies.

"(3) Fellows.—The Administrator may, to the maximum extent practicable, appoint fellows to participate in the AI CoE from nonprofit organizations, think tanks, institutions of higher education, and industry.

"(d) Sunset.—This section shall cease to be effective on the date that is 5 years after the date of enactment of this Act [Dec. 27, 2020].

"SEC. 104. GUIDANCE FOR AGENCY USE OF ARTIFICIAL INTELLIGENCE.

"(a) Guidance.—Not later than 270 days after the date of enactment of this Act [Dec. 27, 2020], the Director, in coordination with the Director of the Office of Science and Technology Policy in consultation with the Administrator and any other relevant agencies and key stakeholders as determined by the Director, shall issue a memorandum to the head of each agency that shall—

"(1) inform the development of policies regarding Federal acquisition and use by agencies regarding technologies that are empowered or enabled by artificial intelligence, including an identification of the responsibilities of agency officials managing the use of such technology;

"(2) recommend approaches to remove barriers for use by agencies of artificial intelligence technologies in order to promote the innovative application of those technologies while protecting civil liberties, civil rights, and economic and national security;

"(3) identify best practices for identifying, assessing, and mitigating any discriminatory impact or bias on the basis of any classification protected under Federal nondiscrimination laws, or any unintended consequence of the use of artificial intelligence, including policies to identify data used to train artificial intelligence algorithms as well as the data analyzed by artificial intelligence used by the agencies; and

"(4) provide a template of the required contents of the agency plans described in subsection (c).

"(b) Public Comment.—To help ensure public trust in the applications of artificial intelligence technologies, the Director shall issue a draft version of the memorandum required under subsection (a) for public comment not later than 180 days after [the] date of enactment of this Act.

"(c) Plans.—Not later than 180 days after the date on which the Director issues the memorandum required under subsection (a) or an update to the memorandum required under subsection (d), the head of each agency shall submit to the Director and post on a publicly available page on the website of the agency—

"(1) a plan to achieve consistency with the memorandum; or

"(2) a written determination that the agency does not use and does not anticipate using artificial intelligence.

"(d) Updates.—Not later than 2 years after the date on which the Director issues the memorandum required under subsection (a), and every 2 years thereafter for 10 years, the Director shall issue updates to the memorandum.

"SEC. 105. UPDATE OF OCCUPATIONAL SERIES FOR ARTIFICIAL INTELLIGENCE.

"(a) In General.—Not later than 18 months after the date of enactment of this Act [Dec. 27, 2020], and in accordance with chapter 51 of title 5, United States Code, the Director of the Office of Personnel Management shall—

"(1) identify key skills and competencies needed for positions related to artificial intelligence;

"(2) establish an occupational series, or update and improve an existing occupational job series, to include positions the primary duties of which relate to artificial intelligence;

"(3) to the extent appropriate, establish an estimate of the number of Federal employees in positions related to artificial intelligence, by each agency; and

"(4) using the estimate established in paragraph (3), prepare a 2-year and 5-year forecast of the number of Federal employees in positions related to artificial intelligence that each agency will need to employ.

"(b) Plan.—Not later than 120 days after the date of enactment of this Act, the Director of the Office of Personnel Management shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a comprehensive plan with a timeline to complete requirements described in subsection (a)."

GSA Modernization Centers of Excellence Program

Pub. L. 116–194, §2, Dec. 3, 2020, 134 Stat. 981, provided that:

"(a) Definitions.—In this section:

"(1) Cloud computing.—The term 'cloud computing' has the meaning given the term in section 1076 of the National Defense Authorization Act for Fiscal Year 2018 [Pub. L. 115–91] (40 U.S.C. 11301 note) [set out below].

"(2) Executive agency.—The term 'executive agency' has the meaning given the term 'Executive agency' in section 105 of title 5, United States Code.

"(3) Program.—The term 'Program' means the Information Technology Modernization Centers of Excellence Program established under subsection (b).

"(b) Establishment.—The Administrator of General Services shall establish a program to be known as the Information Technology Modernization Centers of Excellence Program to facilitate the adoption of modern technology by executive agencies on a reimbursable basis.

"(c) Responsibilities.—The Program shall have the following responsibilities:

"(1) To encourage the modernization of information technology used by an executive agency and how a customer interacts with an executive agency.

"(2) To improve cooperation between commercial and executive agency information technology sectors.

"(3) To the extent practicable, encourage the adoption of commercial items in accordance with section 3307 of title 41, United States Code.

"(4) Upon request by the executive agency, to assist executive agencies with planning and adoption of technology in focus areas designated by the Administrator, which may include the following:

"(A) A commercial cloud computing system that includes—

"(i) end-to-end migration planning and an assessment of progress towards modernization; and

"(ii) a cybersecurity and governance framework that promotes industry and government risk management best practice approaches, prioritizing efforts based on risk, impact, and consequences.

"(B) Tools to help an individual receive support from and communicate with an executive agency.

"(C) Contact centers and other related customer supports.

"(D) Efficient use of data management, analysis, and reporting.

"(E) The optimization of infrastructure, including for data centers, and the reduction of operating costs.

"(F) Artificial intelligence.

"(5) To share best practices and expertise with executive agencies.

"(6) Other responsibilities the Administrator may identify.

"(d) Coordination.—The Administrator shall coordinate with the Secretary of Homeland Security in establishing the Program to ensure that the technology, tools, and frameworks facilitated for executive agencies by the Program provide sufficient cybersecurity and maintain the integrity, confidentiality, and availability of Federal information.

"(e) Program Reporting.—Not later than 1 year after the date of enactment of this Act [Dec. 3, 2020], and every year thereafter, the Administrator shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a report on the Program, which shall include the following:

"(1) A description of the reimbursable agreements, statements of work, and associated project schedules and deliverables for the Program.

"(2) Details on the total amount of the reimbursable agreements.

"(3) Any additional information the Administrator determines necessary.

"(f) Sunset.—This Act shall cease to have effect on the date that is 7 years after the date of enactment of this Act.

"(g) Rule of Construction.—Nothing in this Act shall be construed to impair or otherwise affect the authority delegated by law to an executive agency or the head of an executive agency."

Modernizing Government Technology

Pub. L. 115–91, div. A, title X, subtitle G, Dec. 12, 2017, 131 Stat. 1586, provided that:

"SEC. 1076. DEFINITIONS.

"In this subtitle:

"(1) Administrator.—The term 'Administrator' means the Administrator of General Services.

"(2) Board.—The term 'Board' means the Technology Modernization Board established under section 1094(c)(1).

"(3) Cloud computing.—The term 'cloud computing' has the meaning given the term by the National Institute of Standards and Technology in NIST Special Publication 800–145 and any amendatory or superseding document thereto.

"(4) Director.—The term 'Director' means the Director of the Office of Management and Budget.

"(5) Fund.—The term 'Fund' means the Technology Modernization Fund established under section 1094(b)(1) [probably should be "1078(b)(1)"].

"(6) Information technology.—The term 'information technology' has the meaning given the term in section 3502 of title 44, United States Code.

"(7) IT working capital fund.—The term 'IT working capital fund' means an information technology system modernization and working capital fund established under section 1093(b)(1) [probably should be "1077(b)(1)"].

"(8) Legacy information technology system.—The term 'legacy information technology system' means an outdated or obsolete system of information technology.

"SEC. 1077. ESTABLISHMENT OF AGENCY INFORMATION TECHNOLOGY SYSTEMS MODERNIZATION AND WORKING CAPITAL FUNDS.

"(a) Definition.—In this section, the term 'covered agency' means each agency listed in section 901(b) of title 31, United States Code.

"(b) Information Technology System Modernization and Working Capital Funds.—

"(1) Establishment.—The head of a covered agency may establish within the covered agency an information technology system modernization and working capital fund for necessary expenses described in paragraph (3).

"(2) Source of funds.—The following amounts may be deposited into an IT working capital fund:

"(A) Reprogramming and transfer of funds made available in appropriations Acts enacted after the date of enactment of this Act [Dec. 12, 2017], including the transfer of any funds for the operation and maintenance of legacy information technology systems, in compliance with any applicable reprogramming law or guidelines of the Committees on Appropriations of the Senate and the House of Representatives or transfer authority specifically provided in appropriations law.

"(B) Amounts made available to the IT working capital fund through discretionary appropriations made available after the date of enactment of this Act.

"(3) Use of funds.—An IT working capital fund established under paragraph (1) may only be used—

"(A) to improve, retire, or replace existing information technology systems in the covered agency to enhance cybersecurity and to improve efficiency and effectiveness across the life of a given workload, procured using full and open competition among all commercial items to the greatest extent practicable;

"(B) to transition legacy information technology systems at the covered agency to commercial cloud computing and other innovative commercial platforms and technologies, including those serving more than 1 covered agency with common requirements;

"(C) to assist and support covered agency efforts to provide adequate, risk-based, and cost-effective information technology capabilities that address evolving threats to information security;

"(D) to reimburse funds transferred to the covered agency from the Fund with the approval of the Chief Information Officer, in consultation with the Chief Financial Officer, of the covered agency; and

"(E) for a program, project, or activity or to increase funds for any program, project, or activity that has not been denied or restricted by Congress.

"(4) Existing funds.—An IT working capital fund may not be used to supplant funds provided for the operation and maintenance of any system within an appropriation for the covered agency at the time of establishment of the IT working capital fund.

"(5) Prioritization of funds.—The head of each covered agency—

"(A) shall prioritize funds within the IT working capital fund of the covered agency to be used initially for cost savings activities approved by the Chief Information Officer of the covered agency; and

"(B) may reprogram and transfer any amounts saved as a direct result of the cost savings activities approved under clause (i) [probably should be "subparagraph (A)"] for deposit into the IT working capital fund of the covered agency, consistent with paragraph (2)(A).

"(6) Availability of funds.—

"(A) In general.—Any funds deposited into an IT working capital fund shall be available for obligation for the 3-year period beginning on the last day of the fiscal year in which the funds were deposited.

"(B) Transfer of unobligated amounts.—Any amounts in an IT working capital fund that are unobligated at the end of the 3-year period described in subparagraph (A) shall be transferred to the general fund of the Treasury.

"(7) Agency cio responsibilities.—In evaluating projects to be funded by the IT working capital fund of a covered agency, the Chief Information Officer of the covered agency shall consider, to the extent applicable, guidance issued under section 1094(b)(1) [probably should be "1078(b)(1)"] to evaluate applications for funding from the Fund that include factors including a strong business case, technical design, consideration of commercial off-the-shelf products and services, procurement strategy (including adequate use of rapid, iterative software development practices), and program management.

"(c) Reporting Requirement.—

"(1) In general.—Not later than 1 year after the date of enactment of this Act, and every 6 months thereafter, the head of each covered agency shall submit to the Director, with respect to the IT working capital fund of the covered agency—

"(A) a list of each information technology investment funded, including the estimated cost and completion date for each investment; and

"(B) a summary by fiscal year of obligations, expenditures, and unused balances.

"(2) Public availability.—The Director shall make the information submitted under paragraph (1) publicly available on a website.

"SEC. 1078. ESTABLISHMENT OF TECHNOLOGY MODERNIZATION FUND AND BOARD.

"(a) Definition.—In this section, the term 'agency' has the meaning given the term in section 551 of title 5, United States Code.

"(b) Technology Modernization Fund.—

"(1) Establishment.—There is established in the Treasury a Technology Modernization Fund for technology-related activities, to improve information technology, to enhance cybersecurity across the Federal Government, and to be administered in accordance with guidance issued by the Director.

"(2) Administration of fund.—The Administrator, in consultation with the Chief Information Officers Council and with the approval of the Director, shall administer the Fund in accordance with this subsection.

"(3) Use of funds.—The Administrator shall, in accordance with recommendations from the Board, use amounts in the Fund—

"(A) to transfer such amounts, to remain available until expended, to the head of an agency for the acquisition of products and services, or the development of such products and services when more efficient and cost effective, to improve, retire, or replace existing Federal information technology systems to enhance cybersecurity and privacy and improve long-term efficiency and effectiveness;

"(B) to transfer such amounts, to remain available until expended, to the head of an agency for the operation and procurement of information technology products and services, or the development of such products and services when more efficient and cost effective, and acquisition vehicles for use by agencies to improve Governmentwide efficiency and cybersecurity in accordance with the requirements of the agencies;

"(C) to provide services or work performed in support of—

"(i) the activities described in subparagraph (A) or (B); and

"(ii) the Board and the Director in carrying out the responsibilities described in subsection (c)(2); and

"(D) to fund only programs, projects, or activities or to fund increases for any programs, projects, or activities that have not been denied or restricted by Congress.

"(4) Authorization of appropriations; credits; availability of funds.—

"(A) Authorization of appropriations.—There is authorized to be appropriated to the Fund $250,000,000 for each of fiscal years 2018 and 2019.

"(B) Credits.—In addition to any funds otherwise appropriated, the Fund shall be credited with all reimbursements, advances, or refunds or recoveries relating to information technology or services provided for the purposes described in paragraph (3).

"(C) Availability of funds.—Amounts deposited, credited, or otherwise made available to the Fund shall be available until expended for the purposes described in paragraph (3).

"(5) Reimbursement.—

"(A) Reimbursement by agency.—

"(i) In general.—The head of an agency shall reimburse the Fund for any transfer made under subparagraph (A) or (B) of paragraph (3), including any services or work performed in support of the transfer under paragraph (3)(C), in accordance with the terms established in a written agreement described in paragraph (6).

"(ii) Reimbursement from subsequent appropriations.—Notwithstanding any other provision of law, an agency may make a reimbursement required under clause (i) from any appropriation made available after the date of enactment of this Act [Dec. 12, 2017] for information technology activities, consistent with any applicable reprogramming law or guidelines of the Committees on Appropriations of the Senate and the House of Representatives.

"(iii) Recording of obligation.—Notwithstanding section 1501 of title 31, United States Code, an obligation to make a payment under a written agreement described in paragraph (6) in a fiscal year after the date of enactment of this Act shall be recorded in the fiscal year in which the payment is due.

"(B) Prices fixed by administrator.—

"(i) In general.—The Administrator, in consultation with the Director, shall establish amounts to be paid by an agency under this paragraph and the terms of repayment for activities funded under paragraph (3), including any services or work performed in support of that development under paragraph (3)(C), at levels sufficient to ensure the solvency of the Fund, including operating expenses.

"(ii) Review and approval.—Before making any changes to the established amounts and terms of repayment, the Administrator shall conduct a review and obtain approval from the Director.

"(C) Failure to make timely reimbursement.—The Administrator may obtain reimbursement from an agency under this paragraph by the issuance of transfer and counterwarrants, or other lawful transfer documents, supported by itemized bills, if payment is not made by the agency during the 90-day period beginning after the expiration of a repayment period described in a written agreement described in paragraph (6).

"(6) Written agreement.—

"(A) In general.—Before the transfer of funds to an agency under subparagraphs (A) and (B) of paragraph (3), the Administrator, in consultation with the Director, and the head of the agency shall enter into a written agreement—

"(i) documenting the purpose for which the funds will be used and the terms of repayment, which may not exceed 5 years unless approved by the Director; and

"(ii) which shall be recorded as an obligation as provided in paragraph (5)(A).

"(B) Requirement for use of incremental funding, commercial products and services, and rapid, iterative development practices.—The Administrator shall ensure—

"(i) for any funds transferred to an agency under paragraph (3)(A), in the absence of compelling circumstances documented by the Administrator at the time of transfer, that such funds shall be transferred only on an incremental basis, tied to metric-based development milestones achieved by the agency through the use of rapid, iterative, development processes; and

"(ii) that the use of commercial products and services are incorporated to the greatest extent practicable in activities funded under subparagraphs (A) and (B) of paragraph (3), and that the written agreement required under paragraph (6) documents this preference.

"(7) Reporting requirements.—

"(A) List of projects.—

"(i) In general.—Not later than 6 months after the date of enactment of this Act, the Director shall maintain a list of each project funded by the Fund, to be updated not less than quarterly, that includes a description of the project, project status (including any schedule delay and cost overruns), financial expenditure data related to the project, and the extent to which the project is using commercial products and services, including if applicable, a justification of why commercial products and services were not used and the associated development and integration costs of custom development.

"(ii) Public availability.—The list required under clause (i) shall be published on a public website in a manner that is, to the greatest extent possible, consistent with applicable law on the protection of classified information, sources, and methods.

"(B) Comptroller general reports.—Not later than 2 years after the date of enactment of this Act, and every 2 years thereafter, the Comptroller General of the United States shall submit to Congress and make publically available a report assessing—

"(i) the costs associated with establishing the Fund and maintaining the oversight structure associated with the Fund compared with the cost savings associated with the projects funded both annually and over the life of the acquired products and services by the Fund;

"(ii) the reliability of the cost savings estimated by agencies associated with projects funded by the Fund;

"(iii) whether agencies receiving transfers of funds from the Fund used full and open competition to acquire the custom development of information technology products or services; and

"(iv) the number of IT procurement, development, and modernization programs, offices, and entities in the Federal Government, including 18F and the United States Digital Services, the roles, responsibilities, and goals of those programs and entities, and the extent to which they duplicate work.

"(c) Technology Modernization Board.—

"(1) Establishment.—There is established a Technology Modernization Board to evaluate proposals submitted by agencies for funding authorized under the Fund.

"(2) Responsibilities.—The responsibilities of the Board are—

"(A) to provide input to the Director for the development of processes for agencies to submit modernization proposals to the Board and to establish the criteria by which those proposals are evaluated, which shall include—

"(i) addressing the greatest security, privacy, and operational risks;

"(ii) having the greatest Governmentwide impact; and

"(iii) having a high probability of success based on factors including a strong business case, technical design, consideration of commercial off-the-shelf products and services, procurement strategy (including adequate use of rapid, agile iterative software development practices), and program management;

"(B) to make recommendations to the Administrator to assist agencies in the further development and refinement of select submitted modernization proposals, based on an initial evaluation performed with the assistance of the Administrator;

"(C) to review and prioritize, with the assistance of the Administrator and the Director, modernization proposals based on criteria established pursuant to subparagraph (A);

"(D) to identify, with the assistance of the Administrator, opportunities to improve or replace multiple information technology systems with a smaller number of information technology services common to multiple agencies;

"(E) to recommend the funding of modernization projects, in accordance with the uses described in subsection (b)(3), to the Administrator;

"(F) to monitor, in consultation with the Administrator, progress and performance in executing approved projects and, if necessary, recommend the suspension or termination of funding for projects based on factors including the failure to meet the terms of a written agreement described in subsection (b)(6); and

"(G) to monitor the operating costs of the Fund.

"(3) Membership.—The Board shall consist of 7 voting members.

"(4) Chair.—The Chair of the Board shall be the Administrator of the Office of Electronic Government.

"(5) Permanent members.—The permanent members of the Board shall be—

"(A) the Administrator of the Office of Electronic Government; and

"(B) a senior official from the General Services Administration having technical expertise in information technology development, appointed by the Administrator, with the approval of the Director.

"(6) Additional members of the board.—

"(A) Appointment.—The other members of the Board shall be—

"(i) 1 employee of the National Protection and Programs Directorate [now Cybersecurity and Infrastructure Security Agency] of the Department of Homeland Security, appointed by the Secretary of Homeland Security; and

"(ii) 4 employees of the Federal Government primarily having technical expertise in information technology development, financial management, cybersecurity and privacy, and acquisition, appointed by the Director.

"(B) Term.—Each member of the Board described in paragraph (A) shall serve a term of 1 year, which shall be renewable not more than 4 times at the discretion of the appointing Secretary or Director, as applicable.

"(7) Prohibition on compensation.—Members of the Board may not receive additional pay, allowances, or benefits by reason of their service on the Board.

"(8) Staff.—Upon request of the Chair of the Board, the Director and the Administrator may detail, on a reimbursable or nonreimbursable basis, any employee of the Federal Government to the Board to assist the Board in carrying out the functions of the Board.

"(d) Responsibilities of Administrator.—

"(1) In general.—In addition to the responsibilities described in subsection (b), the Administrator shall support the activities of the Board and provide technical support to, and, with the concurrence of the Director, oversight of, agencies that receive transfers from the Fund.

"(2) Responsibilities.—The responsibilities of the Administrator are—

"(A) to provide direct technical support in the form of personnel services or otherwise to agencies transferred amounts under subsection (b)(3)(A) and for products, services, and acquisition vehicles funded under subsection (b)(3)(B);

"(B) to assist the Board with the evaluation, prioritization, and development of agency modernization proposals.

"(C) to perform regular project oversight and monitoring of approved agency modernization projects, in consultation with the Board and the Director, to increase the likelihood of successful implementation and reduce waste; and

"(D) to provide the Director with information necessary to meet the requirements of subsection (b)(7).

"(e) Effective Date.—This section shall take effect on the date that is 90 days after the date of enactment of this Act.

"(f) Sunset.—

"(1) In general.—On and after the date that is 2 years after the date on which the Comptroller General of the United States issues the third report required under subsection (b)(7)(B), the Administrator may not award or transfer funds from the Fund for any project that is not already in progress as of such date.

"(2) Transfer of unobligated amounts.—Not later than 90 days after the date on which all projects that received an award from the Fund are completed, any amounts in the Fund shall be transferred to the general fund of the Treasury and shall be used for deficit reduction.

"(3) Termination of technology modernization board.—Not later than 90 days after the date on which all projects that received an award from the Fund are completed, the Technology Modernization Board and all the authorities of subsection (c) shall terminate."

§11302. Capital planning and investment control

(a) Federal Information Technology.—The Director of the Office of Management and Budget shall perform the responsibilities set forth in this section in fulfilling the responsibilities under section 3504(h) of title 44.

(b) Use of Information Technology in Federal Programs.—The Director shall promote and improve the acquisition, use, security, and disposal of information technology by the Federal Government to improve the productivity, efficiency, and effectiveness of federal programs, including through dissemination of public information and the reduction of information collection burdens on the public.

(c) Use of Budget Process.—

(1) Definitions.—In this subsection:

(A) The term "covered agency" means an agency listed in section 901(b)(1) or 901(b)(2) of title 31.

(B) The term "major information technology investment" means an investment within a covered agency information technology investment portfolio that is designated by the covered agency as major, in accordance with capital planning guidance issued by the Director.

(C) The term "national security system" has the meaning provided in section 3542 of title 44. [1]


(2) Analyzing, tracking, and evaluating capital investments.—As part of the budget process, the Director shall develop a process for analyzing, tracking, and evaluating the risks, including information security risks, and results of all major capital investments made by an executive agency for information systems. The process shall cover the life of each system and shall include explicit criteria for analyzing the projected and actual costs, benefits, and risks, including information security risks, associated with the investments.

(3) Public availability.—

(A) In general.—The Director shall make available to the public a list of each major information technology investment, without regard to whether the investments are for new information technology acquisitions or for operations and maintenance of existing information technology, including data on cost, schedule, and performance.

(B) Agency information.—

(i) The Director shall issue guidance to each covered agency for reporting of data required by subparagraph (A) that provides a standardized data template that can be incorporated into existing, required data reporting formats and processes. Such guidance shall integrate the reporting process into current budget reporting that each covered agency provides to the Office of Management and Budget, to minimize additional workload. Such guidance shall also clearly specify that the investment evaluation required under subparagraph (C) adequately reflect the investment's cost and schedule performance and employ incremental development approaches in appropriate cases.

(ii) The Chief Information Officer of each covered agency shall provide the Director with the information described in subparagraph (A) on at least a semi-annual basis for each major information technology investment, using existing data systems and processes.


(C) Investment evaluation.—For each major information technology investment listed under subparagraph (A), the Chief Information Officer of the covered agency, in consultation with other appropriate agency officials, shall categorize the investment according to risk, in accordance with guidance issued by the Director.

(D) Continuous improvement.—If either the Director or the Chief Information Officer of a covered agency determines that the information made available from the agency's existing data systems and processes as required by subparagraph (B) is not timely and reliable, the Chief Information Officer, in consultation with the Director and the head of the agency, shall establish a program for the improvement of such data systems and processes.

(E) Waiver or limitation authority.—The applicability of subparagraph (A) may be waived or the extent of the information may be limited by the Director, if the Director determines that such a waiver or limitation is in the national security interests of the United States.

(F) Additional limitation.—The requirements of subparagraph (A) shall not apply to national security systems or to telecommunications or information technology that is fully funded by amounts made available—

(i) under the National Intelligence Program, defined by section 3(6) of the National Security Act of 1947 (50 U.S.C. 3003(6));

(ii) under the Military Intelligence Program or any successor program or programs; or

(iii) jointly under the National Intelligence Program and the Military Intelligence Program (or any successor program or programs).


(4) Risk management.—For each major information technology investment listed under paragraph (3)(A) that receives a high risk rating, as described in paragraph (3)(C), for 4 consecutive quarters—

(A) the Chief Information Officer of the covered agency and the program manager of the investment within the covered agency, in consultation with the Administrator of the Office of Electronic Government, shall conduct a review of the investment that shall identify—

(i) the root causes of the high level of risk of the investment;

(ii) the extent to which these causes can be addressed; and

(iii) the probability of future success;


(B) the Administrator of the Office of Electronic Government shall communicate the results of the review under subparagraph (A) to—

(i) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate;

(ii) the Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives; and

(iii) the committees of the Senate and the House of Representatives with primary jurisdiction over the agency;


(C) in the case of a major information technology investment of the Department of Defense, the assessment required by subparagraph (A) may be accomplished in accordance with section 2445c of title 10, provided that the results of the review are provided to the Administrator of the Office of Electronic Government upon request and to the committees identified in subsection (B); and

(D) for a covered agency other than the Department of Defense, if on the date that is one year after the date of completion of the review required under subsection (A), the investment is rated as high risk under paragraph (3)(C), the Director shall deny any request for additional development, modernization, or enhancement funding for the investment until the date on which the Chief Information Officer of the covered agency determines that the root causes of the high level of risk of the investment have been addressed, and there is sufficient capability to deliver the remaining planned increments within the planned cost and schedule.


(5) Report to congress.—At the same time that the President submits the budget for a fiscal year to Congress under section 1105(a) of title 31, the Director shall submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by executive agencies for information systems and how the benefits relate to the accomplishment of the goals of the executive agencies.


(d) Information Technology Standards.—The Director shall oversee the development and implementation of standards and guidelines pertaining to federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section 11331 of this title and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).

(e) Designation of Executive Agents for Acquisitions.—The Director shall designate the head of one or more executive agencies, as the Director considers appropriate, as executive agent for Government-wide acquisitions of information technology.

(f) Use of Best Practices in Acquisitions.—The Director shall encourage the heads of the executive agencies to develop and use the best practices in the acquisition of information technology.

(g) Assessment of Other Models for Managing Information Technology.—On a continuing basis, the Director shall assess the experiences of executive agencies, state and local governments, international organizations, and the private sector in managing information technology.

(h) Comparison of Agency Uses of Information Technology.—The Director shall compare the performances of the executive agencies in using information technology and shall disseminate the comparisons to the heads of the executive agencies.

(i) Monitoring Training.—The Director shall monitor the development and implementation of training in information resources management for executive agency personnel.

(j) Informing Congress.—The Director shall keep Congress fully informed on the extent to which the executive agencies are improving the performance of agency programs and the accomplishment of the agency missions through the use of the best practices in information resources management.

(k) Coordination of Policy Development and Review.—The Director shall coordinate with the Office of Federal Procurement Policy the development and review by the Administrator of the Office of Information and Regulatory Affairs of policy associated with federal acquisition of information technology.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1237; Pub. L. 108–458, title VIII, §8401(1), (2), Dec. 17, 2004, 118 Stat. 3869; Pub. L. 113–291, div. A, title VIII, §832, Dec. 19, 2014, 128 Stat. 3440; Pub. L. 115–88, §2, Nov. 21, 2017, 131 Stat. 1278; Pub. L. 115–91, div. A, title VIII, §819(a), Dec. 12, 2017, 131 Stat. 1464.)

Historical and Revision Notes
Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11302 | 40:1412. | Pub. L. 104–106, div. E, title LI, §5112, Feb. 10, 1996, 110 Stat. 680.

Editorial Notes

References in Text

Section 3542 of title 44, referred to in subsec. (c)(1)(C), was repealed by Pub. L. 113–283, §2(a), Dec. 18, 2014, 128 Stat. 3073. See section 3552 of Title 44, Public Printing and Documents.

Amendments

2017—Subsec. (c)(5). Pub. L. 115–88 and Pub. L. 115–91 amended subsec. (c) identically, striking out par. (5) relating to sunset of certain provisions. Text read as follows: "Paragraphs (1), (3), and (4) shall not be in effect on and after the date that is 5 years after the date of the enactment of the Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015."

2014—Subsec. (c). Pub. L. 113–291 added pars. (1), (3), (4), and par. (5) relating to sunset of certain provisions and redesignated former pars. (1) and (2) as par. (2) and par. (5) relating to report to Congress, respectively.

2004—Subsec. (b). Pub. L. 108–458, §8401(1), inserted "security," after "use,".

Subsec. (c)(1). Pub. L. 108–458, §8401(2), inserted ", including information security risks," after "evaluating the risks" and "costs, benefits, and risks".


Statutory Notes and Related Subsidiaries

Change of Name

Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019.

Management of Software Licenses

Pub. L. 114–210, July 29, 2016, 130 Stat. 824, provided that:

"SECTION 1. SHORT TITLE.

"This Act may be cited as the 'Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016' or the 'MEGABYTE Act of 2016'.

"SEC. 2. OMB DIRECTIVE ON MANAGEMENT OF SOFTWARE LICENSES.

"(a) Definition.—In this section—

"(1) the term 'Director' means the Director of the Office of Management and Budget; and

"(2) the term 'executive agency' has the meaning given that term in section 105 of title 5, United States Code.

"(b) OMB Directive.—The Director shall issue a directive to require the Chief Information Officer of each executive agency to develop a comprehensive software licensing policy, which shall—

"(1) identify clear roles, responsibilities, and central oversight authority within the executive agency for managing enterprise software license agreements and commercial software licenses; and

"(2) require the Chief Information Officer of each executive agency to—

"(A) establish a comprehensive inventory, including 80 percent of software license spending and enterprise licenses in the executive agency, by identifying and collecting information about software license agreements using automated discovery and inventory tools;

"(B) regularly track and maintain software licenses to assist the executive agency in implementing decisions throughout the software license management life cycle;

"(C) analyze software usage and other data to make cost-effective decisions;

"(D) provide training relevant to software license management;

"(E) establish goals and objectives of the software license management program of the executive agency; and

"(F) consider the software license management life cycle phases, including the requisition, reception, deployment and maintenance, retirement, and disposal phases, to implement effective decisionmaking and incorporate existing standards, processes, and metrics.

"(c) Report on Software License Management.—

"(1) In general.—Beginning in the first fiscal year beginning after the date of enactment of this Act [July 29, 2016], and in each of the following 5 fiscal years, the Chief Information Officer of each executive agency shall submit to the Director a report on the financial savings or avoidance of spending that resulted from improved software license management.

"(2) Availability.—The Director shall make each report submitted under paragraph (1) publically available."

Appropriate Use of Requirements Regarding Experience and Education of Contractor Personnel in the Procurement of Information Technology Services

Pub. L. 106–398, §1 [[div. A], title VIII, §813], Oct. 30, 2000, 114 Stat. 1654, 1654A-214, provided that:

"(a) Amendment of the Federal Acquisition Regulation.—Not later than 180 days after the date of the enactment of this Act [Oct. 30, 2000], the Federal Acquisition Regulation issued in accordance with sections 6 and 25 of the Office of Federal Procurement Policy Act ([former] 41 U.S.C. 405 and 421) [see 41 U.S.C. 1121, 1303] shall be amended to address the use, in the procurement of information technology services, of requirements regarding the experience and education of contractor personnel.

"(b) Content of Amendment.—The amendment issued pursuant to subsection (a) shall, at a minimum, provide that solicitations for the procurement of information technology services shall not set forth any minimum experience or educational requirement for proposed contractor personnel in order for a bidder to be eligible for award of a contract unless—

"(1) the contracting officer first determines that the needs of the executive agency cannot be met without any such requirement; or

"(2) the needs of the executive agency require the use of a type of contract other than a performance-based contract.

"(c) GAO Report.—Not later than one year after the date on which the regulations required by subsection (a) are published in the Federal Register, the Comptroller General shall submit to Congress an evaluation of—

"(1) executive agency compliance with the regulations; and

"(2) conformance of the regulations with existing law, together with any recommendations that the Comptroller General considers appropriate.

"(d) Definitions.—In this section:

"(1) The term 'executive agency' has the meaning given that term in section 4(1) of the Office of Federal Procurement Policy Act (former 41 U.S.C. 403(1)) [now 41 U.S.C. 133].

"(2) The term 'information technology' has the meaning given that term in section 5002(3) of the Clinger-Cohen Act of 1996 (40 U.S.C. 1401(3)) [now 40 U.S.C. 11101(6)].

"(3) The term 'performance-based', with respect to a contract, means that the contract includes the use of performance work statements that set forth contract requirements in clear, specific, and objective terms with measurable outcomes."

[1] See References in Text note below.

§11303. Performance-based and results-based management

(a) In General.—The Director of the Office of Management and Budget shall encourage the use of performance-based and results-based management in fulfilling the responsibilities assigned under section 3504(h) of title 44.

(b) Evaluation of Agency Programs and Investments.—

(1) Requirement.—The Director shall evaluate the information resources management practices of the executive agencies with respect to the performance and results of the investments made by the executive agencies in information technology.

(2) Direction for executive agency action.—The Director shall issue to the head of each executive agency clear and concise direction that the head of each agency shall—

(A) establish effective and efficient capital planning processes for selecting, managing, and evaluating the results of all of its major investments in information systems;

(B) determine, before making an investment in a new information system—

(i) whether the function to be supported by the system should be performed by the private sector and, if so, whether any component of the executive agency performing that function should be converted from a governmental organization to a private sector organization; or

(ii) whether the function should be performed by the executive agency and, if so, whether the function should be performed by a private sector source under contract or by executive agency personnel;


(C) analyze the missions of the executive agency and, based on the analysis, revise the executive agency's mission-related processes and administrative processes, as appropriate, before making significant investments in information technology to be used in support of those missions; and

(D) ensure that the information security policies, procedures, and practices are adequate.


(3) Guidance for multiagency investments.—The direction issued under paragraph (2) shall include guidance for undertaking efficiently and effectively interagency and Federal Government-wide investments in information technology to improve the accomplishment of missions that are common to the executive agencies.

(4) Periodic reviews.—The Director shall implement through the budget process periodic reviews of selected information resources management activities of the executive agencies to ascertain the efficiency and effectiveness of information technology in improving the performance of the executive agency and the accomplishment of the missions of the executive agency.

(5) Enforcement of accountability.—

(A) In general.—The Director may take any action that the Director considers appropriate, including an action involving the budgetary process or appropriations management process, to enforce accountability of the head of an executive agency for information resources management and for the investments made by the executive agency in information technology.

(B) Specific actions.—Actions taken by the Director may include—

(i) recommending a reduction or an increase in the amount for information resources that the head of the executive agency proposes for the budget submitted to Congress under section 1105(a) of title 31;

(ii) reducing or otherwise adjusting apportionments and reapportionments of appropriations for information resources;

(iii) using other administrative controls over appropriations to restrict the availability of amounts for information resources; and

(iv) designating for the executive agency an executive agent to contract with private sector sources for the performance of information resources management or the acquisition of information technology.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1238.)

Historical and Revision Notes
Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11303 | 40:1413. | Pub. L. 104–106, div. E, title LI, §5113, Feb. 10, 1996, 110 Stat. 681.

SUBCHAPTER II—EXECUTIVE AGENCIES

§11311. Responsibilities

In fulfilling the responsibilities assigned under chapter 35 of title 44, the head of each executive agency shall comply with this subchapter with respect to the specific matters covered by this subchapter.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1239.)

Historical and Revision Notes
Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11311 | 40:1421. | Pub. L. 104–106, div. E, title LI, §5121, Feb. 10, 1996, 110 Stat. 683.

Statutory Notes and Related Subsidiaries

Procurement of Automatic Data Processing Equipment for Tax Systems Modernization Program; Delegation of Authority

Pub. L. 104–52, title V, §526, Nov. 19, 1995, 109 Stat. 495, provided that: "Notwithstanding any other provision of law, the Administrator of General Services shall delegate the authority to procure automatic data processing equipment for the Tax Systems Modernization Program to the Secretary of the Treasury: Provided, That the Director of the Office of Management and Budget shall have the authority to revoke such delegation upon the written recommendation of the Administrator that the Secretary's actions under such delegation are inconsistent with the goals of economic and efficient procurement and utilization of automatic data processing equipment: Provided further, That for all other purposes, a procurement conducted under such delegation shall be treated as if made under a delegation by the Administrator pursuant to [former] 40 U.S.C. 759."

§11312. Capital planning and investment control

(a) Design of Process.—In fulfilling the responsibilities assigned under section 3506(h) of title 44, the head of each executive agency shall design and implement in the executive agency a process for maximizing the value, and assessing and managing the risks, of the information technology acquisitions of the executive agency.

(b) Content of Process.—The process of an executive agency shall—

(1) provide for the selection of investments in information technology (including information security needs) to be made by the executive agency, the management of those investments, and the evaluation of the results of those investments;

(2) be integrated with the processes for making budget, financial, and program management decisions in the executive agency;

(3) include minimum criteria to be applied in considering whether to undertake a particular investment in information systems, including criteria related to the quantitatively expressed projected net, risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems investment projects;

(4) identify information systems investments that would result in shared benefits or costs for other federal agencies or state or local governments;

(5) identify quantifiable measurements for determining the net benefits and risks of a proposed investment; and

(6) provide the means for senior management personnel of the executive agency to obtain timely information regarding the progress of an investment in an information system, including a system of milestones for measuring progress, on an independently verifiable basis, in terms of cost, capability of the system to meet specified requirements, timeliness, and quality.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1239; Pub. L. 108–458, title VIII, §8401(3), Dec. 17, 2004, 118 Stat. 3869.)

Historical and Revision Notes
Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11312 | 40:1422. | Pub. L. 104–106, div. E, title LI, §5122, Feb. 10, 1996, 110 Stat. 683.

Editorial Notes

Amendments

2004—Subsec. (b)(1). Pub. L. 108–458 substituted "investments in information technology (including information security needs)" for "information technology investments".

§11313. Performance and results-based management

In fulfilling the responsibilities under section 3506(h) of title 44, the head of an executive agency shall—

(1) establish goals for improving the efficiency and effectiveness of agency operations and, as appropriate, the delivery of services to the public through the effective use of information technology;

(2) prepare an annual report, to be included in the executive agency's budget submission to Congress, on the progress in achieving the goals;

(3) ensure that performance measurements—

(A) are prescribed for information technology used by, or to be acquired for, the executive agency; and

(B) measure how well the information technology supports programs of the executive agency;


(4) where comparable processes and organizations in the public or private sectors exist, quantitatively benchmark agency process performance against those processes in terms of cost, speed, productivity, and quality of outputs and outcomes;

(5) analyze the missions of the executive agency and, based on the analysis, revise the executive agency's mission-related processes and administrative processes as appropriate before making significant investments in information technology to be used in support of the performance of those missions; and

(6) ensure that the information security policies, procedures, and practices of the executive agency are adequate.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1240.)

Historical and Revision Notes
Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11313 | 40:1423. | Pub. L. 104–106, div. E, title LI, §5123, Feb. 10, 1996, 110 Stat. 683.

§11314. Authority to acquire and manage information technology

(a) In General.—The authority of the head of an executive agency to acquire information technology includes—

(1) acquiring information technology as authorized by law;

(2) making a contract that provides for multiagency acquisitions of information technology in accordance with guidance issued by the Director of the Office of Management and Budget; and

(3) if the Director finds that it would be advantageous for the Federal Government to do so, making a multiagency contract for procurement of commercial products of information technology that requires each executive agency covered by the contract, when procuring those products, to procure the products under that contract or to justify an alternative procurement of the products.


(b) FTS 2000 Program.—The Administrator of General Services shall continue to manage the FTS 2000 program, and to coordinate the follow-on to that program, for and with the advice of the heads of executive agencies.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1241; Pub. L. 115–232, div. A, title VIII, §836(g)(7)(B), Aug. 13, 2018, 132 Stat. 1874.)

Historical and Revision Notes
Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11314 | 40:1424. | Pub. L. 104–106, div. E, title LI, §5124, Feb. 10, 1996, 110 Stat. 684.

In subsection (b), the words "Notwithstanding any other provision of this or any other law" are omitted as unnecessary.


Editorial Notes

Amendments

2018—Subsec. (a)(3). Pub. L. 115–232 substituted "products" for "items" wherever appearing.


Statutory Notes and Related Subsidiaries

Effective Date of 2018 Amendment

Amendment by Pub. L. 115–232 effective Jan. 1, 2020, subject to a savings provision, see section 836(h) of Pub. L. 115–232, set out as an Effective Date of 2018 Amendment; Savings Provision note under section 453b of Title 6, Domestic Security.

§11315. Agency Chief Information Officer

(a) Definition.—In this section, the term "information technology architecture", with respect to an executive agency, means an integrated framework for evolving or maintaining existing information technology and acquiring new information technology to achieve the agency's strategic goals and information resources management goals.

(b) General Responsibilities.—The Chief Information Officer of an executive agency is responsible for—

(1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the executive agency to ensure that information technology is acquired and information resources are managed for the executive agency in a manner that implements the policies and procedures of this subtitle, consistent with chapter 35 of title 44 and the priorities established by the head of the executive agency;

(2) developing, maintaining, and facilitating the implementation of a sound, secure, and integrated information technology architecture for the executive agency; and

(3) promoting the effective and efficient design and operation of all major information resources management processes for the executive agency, including improvements to work processes of the executive agency.


(c) Duties and Qualifications.—The Chief Information Officer of an agency listed in section 901(b) of title 31—

(1) has information resources management duties as that official's primary duty;

(2) monitors the performance of information technology programs of the agency, evaluates the performance of those programs on the basis of the applicable performance measurements, and advises the head of the agency regarding whether to continue, modify, or terminate a program or project; and

(3) annually, as part of the strategic planning and performance evaluation process required (subject to section 1117 of title 31) under section 306 of title 5 and sections 1105(a)(28), 1115–1117, and 9703 (as added by section 5(a) of the Government Performance and Results Act of 1993 (Public Law 103–62, 107 Stat. 289)) of title 31—

(A) assesses the requirements established for agency personnel regarding knowledge and skill in information resources management and the adequacy of those requirements for facilitating the achievement of the performance goals established for information resources management;

(B) assesses the extent to which the positions and personnel at the executive level of the agency and the positions and personnel at management level of the agency below the executive level meet those requirements;

(C) develops strategies and specific plans for hiring, training, and professional development to rectify any deficiency in meeting those requirements; and

(D) reports to the head of the agency on the progress made in improving information resources management capability.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1241; Pub. L. 108–458, title VIII, §8401(4), Dec. 17, 2004, 118 Stat. 3869.)

Historical and Revision Notes

Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11315 | 40:1425(b)–(d). | Pub. L. 104–106, div. E, title LI, §5125(b)–(d), Feb. 10, 1996, 110 Stat. 685.

In subsection (c)(3), before subclause (A), the reference to 31:1105(a)(29) is changed to 1105(a)(28) because of the redesignation of 1105(a)(29) as 1105(a)(28) by section 4(1) of the Act of October 11, 1996, (Public Law 104–287, 110 Stat. 3388). The words "as added by section 5(a) of the Government Performance and Results Act of 1993 (Public Law 103–62, 107 Stat. 289)" are added for clarity because there is another 31:9703.


Editorial Notes

Amendments

2004—Subsec. (b)(2). Pub. L. 108–458 inserted ", secure," after "sound".


Executive Documents

Ex. Ord. No. 13833. Enhancing the Effectiveness of Agency Chief Information Officers

Ex. Ord. No. 13833, May 15, 2018, 83 F.R. 23345, provided:

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Purpose. The Federal Government spends more than $90 billion annually on information technology (IT). The vast majority of this sum is consumed in maintaining legacy IT infrastructure that is often ineffective and more costly than modern technologies. Modern IT systems would enable agencies to reduce costs, mitigate cybersecurity risks, and deliver improved services to the American people. While the recently enacted Modernizing Government Technology Act [probably means subtitle G of title X of div. A of Pub. L. 115–91, set out as a note under section 11301 of this title] will provide needed financial resources to help transition agencies to more effective, efficient, and secure technologies, more can be done to improve management of IT resources. Department and agency (agency) Chief Information Officers (CIOs) generally do not have adequate visibility into, or control over, their agencies' IT resources, resulting in duplication, waste, and poor service delivery. Enhancing the effectiveness of agency CIOs will better position agencies to modernize their IT systems, execute IT programs more efficiently, reduce cybersecurity risks, and serve the American people well.

Sec. 2. Policy. It is the policy of the executive branch to:

(a) empower agency CIOs to ensure that agency IT systems are secure, efficient, accessible, and effective, and that such systems enable agencies to accomplish their missions;

(b) modernize IT infrastructure within the executive branch and meaningfully improve the delivery of digital services; and

(c) improve the management, acquisition, and oversight of Federal IT.

Sec. 3. Definitions. For purposes of this order:

(a) the term "covered agency" means an agency listed in 31 U.S.C. 901(b), other than the Department of Defense or any agency considered to be an "independent regulatory agency" as defined in 44 U.S.C. 3502(5);

(b) the term "information technology" has the meaning given that term in 40 U.S.C. 11101(6);

(c) the term "Chief Information Officer" or "CIO" means the individual within a covered agency as described in 40 U.S.C. 11315;

(d) the term "component Chief Information Officer" or "component CIO" means an individual in a covered agency, other than the CIO referred to in subsection (c) of this section, who has the title Chief Information Officer, or who functions in the capacity of a CIO, and has IT management authorities over a component of the agency similar to those the CIO has over the entire agency;

(e) the term "IT position" means a position within the job family standard for the Information Technology Management Series, GS–2210, as defined by the Office of Personnel Management (OPM) in the Handbook of Occupational Groups and Families and related guidance.

Sec. 4. Emphasizing Chief Information Officer Duties and Responsibilities. The head of each covered agency shall take all necessary and appropriate action to ensure that:

(a) consistent with 44 U.S.C. 3506(a)(2), the CIO of the covered agency reports directly to the agency head, such that the CIO has direct access to the agency head regarding all programs that include IT;

(b) consistent with 40 U.S.C. 11315(b), and to promote the effective, efficient, and secure use of IT to accomplish the agency's mission, the CIO serves as the primary strategic advisor to the agency head concerning the use of IT;

(c) consistent with 40 U.S.C. 11319(b)(1)(A), the CIO has a significant role, including, as appropriate, as lead advisor, in all annual and multi-year planning, programming, budgeting, and execution decisions, as well as in all management, governance, and oversight processes related to IT; and

(d) consistent with 40 U.S.C. 11319(b)(2) and other applicable law, the CIO of the covered agency approves the appointment of any component CIO in that agency.

Sec. 5. Agency-wide IT Consolidation. Consistent with the purposes of Executive Order 13781 of March 13, 2017 (Comprehensive Plan for Reorganizing the Executive Branch) [82 F.R. 13959], the head of each covered agency shall take all necessary and appropriate action to:

(a) eliminate unnecessary IT management functions;

(b) merge or reorganize agency IT functions to promote agency-wide consolidation of the agency's IT infrastructure, taking into account any recommendations of the relevant agency CIO; and

(c) increase use of industry best practices, such as the shared use of IT solutions within agencies and across the executive branch.

Sec. 6. Strengthening Cybersecurity. Consistent with the purposes of Executive Order 13800 of May 11, 2017 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure) [6 U.S.C. note prec. 1501], the head of each covered agency shall take all necessary and appropriate action to ensure that:

(a) the CIO, as the principal advisor to the agency head for the management of IT resources, works closely with an integrated team of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources to implement appropriate risk management measures; and

(b) the agency prioritizes procurement of shared IT services, including modern email and other cloud-based services, where possible and to the extent permitted by law.

Sec. 7. Knowledge and Skill Standards for IT Personnel. The head of each covered agency shall take all necessary and appropriate action to ensure that:

(a) consistent with 40 U.S.C. 11315(c)(3), the CIO assesses and advises the agency head regarding knowledge and skill standards established for agency IT personnel;

(b) the established knowledge and skill standards are included in the performance standards and reflected in the performance evaluations of all component CIOs, and that the CIO is responsible for that portion of the evaluation; and

(c) all component CIOs apply those standards within their own components.

Sec. 8. Chief Information Officer Role on IT Governance Boards. Wherever appropriate and consistent with applicable law, the head of each covered agency shall ensure that the CIO shall be a member of any investment or related board of the agency with purview over IT, or any board responsible for setting agency-wide IT standards. The head of each covered agency shall also, as appropriate and consistent with applicable law, direct the CIO to chair any such board. To the extent any such board operates through member votes, the head of each covered agency shall also, as appropriate and consistent with applicable law, direct the CIO to fulfill the role of voting member.

Sec. 9. Chief Information Officer Hiring Authorities. The Director of OPM (Director) shall publish a proposed rule delegating to the head of each covered agency authority to determine whether there is a severe shortage of candidates (or, with respect to the Department of Veterans Affairs, that there exists a severe shortage of highly qualified candidates), or that a critical hiring need exists, for IT positions at the covered agency pursuant to 5 U.S.C. 3304(a)(3), under criteria established by OPM.

(a) Such proposed rule shall provide that, upon an affirmative determination by the head of a covered agency that there is a severe shortage of candidates (or, with respect to the Department of Veterans Affairs, that there exists a severe shortage of highly qualified candidates), or that a critical hiring need exists for IT positions, under the criteria established by OPM, the Director shall, within 30 days, grant that agency direct hiring authority for IT positions.

(b) Such proposed rule shall further provide that employees hired using this authority may not be transferred to positions that are not IT positions; that the employees shall initially be given term appointments not to exceed 4 years; and that the terms of such employees may be extended up to 4 additional years at the discretion of the hiring agency.

(c) The Director shall submit the proposed rule for publication within 30 days of the date of this order [May 15, 2018].

Sec. 10. Guidance. The Director of the Office of Management and Budget shall amend or replace relevant guidance, as appropriate, to agencies to reflect the requirements of this order.

Sec. 11. General Provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to an executive department or agency, or the head thereof; or

(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.

(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Donald J. Trump.      

§11316. Accountability

The head of each executive agency, in consultation with the Chief Information Officer and the Chief Financial Officer of that executive agency (or, in the case of an executive agency without a chief financial officer, any comparable official), shall establish policies and procedures to ensure that—

(1) the accounting, financial, asset management, and other information systems of the executive agency are designed, developed, maintained, and used effectively to provide financial or program performance data for financial statements of the executive agency;

(2) financial and related program performance data are provided on a reliable, consistent, and timely basis to executive agency financial management systems; and

(3) financial statements support—

(A) assessments and revisions of mission-related processes and administrative processes of the executive agency; and

(B) measurement of the performance of investments made by the agency in information systems.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1242.)

Historical and Revision Notes

Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11316 | 40:1426. | Pub. L. 104–106, div. E, title LI, §5126, Feb. 10, 1996, 110 Stat. 686.

§11317. Significant deviations

The head of each executive agency shall identify in the strategic information resources management plan required under section 3506(b)(2) of title 44 any major information technology acquisition program, or any phase or increment of that program, that has significantly deviated from the cost, performance, or schedule goals established for the program.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1242.)

Historical and Revision Notes

Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11317 | 40:1427. | Pub. L. 104–106, div. E, title LI, §5127, Feb. 10, 1996, 110 Stat. 687.

§11318. Interagency support

The head of an executive agency may use amounts available to the agency for oversight, acquisition, and procurement of information technology to support jointly with other executive agencies the activities of interagency groups that are established to advise the Director of the Office of Management and Budget in carrying out the Director's responsibilities under this chapter. The use of those amounts for that purpose is subject to requirements and limitations on uses and amounts that the Director may prescribe. The Director shall prescribe the requirements and limitations during the Director's review of the executive agency's proposed budget submitted to the Director by the head of the executive agency for purposes of section 1105 of title 31.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1242.)

Historical and Revision Notes

Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11318 | 40:1428. | Pub. L. 104–106, div. E, title LI, §5128, Feb. 10, 1996, 110 Stat. 687.

§11319. Resources, planning, and portfolio management

(a) Definitions.—In this section:

(1) The term "covered agency" means each agency listed in section 901(b)(1) or 901(b)(2) of title 31.

(2) The term "information technology" has the meaning given that term under capital planning guidance issued by the Office of Management and Budget.


(b) Additional Authorities for Chief Information Officers.—

(1) Planning, programming, budgeting, and execution authorities for CIOs.—

(A) In general.—The head of each covered agency other than the Department of Defense shall ensure that the Chief Information Officer of the agency has a significant role in—

(i) the decision processes for all annual and multi-year planning, programming, budgeting, and execution decisions, related reporting requirements, and reports related to information technology; and

(ii) the management, governance, and oversight processes related to information technology.


(B) Budget formulation.—The Director of the Office of Management and Budget shall require in the annual information technology capital planning guidance of the Office of Management and Budget the following:

(i) That the Chief Information Officer of each covered agency other than the Department of Defense approve the information technology budget request of the covered agency, and that the Chief Information Officer of the Department of Defense review and provide recommendations to the Secretary of Defense on the information technology budget request of the Department.

(ii) That the Chief Information Officer of each covered agency certify that information technology investments are adequately implementing incremental development, as defined in capital planning guidance issued by the Office of Management and Budget.


(C) Review.—

(i) In general.—A covered agency other than the Department of Defense—

(I) may not enter into a contract or other agreement for information technology or information technology services, unless the contract or other agreement has been reviewed and approved by the Chief Information Officer of the agency;

(II) may not request the reprogramming of any funds made available for information technology programs, unless the request has been reviewed and approved by the Chief Information Officer of the agency; and

(III) may use the governance processes of the agency to approve such a contract or other agreement if the Chief Information Officer of the agency is included as a full participant in the governance processes.


(ii) Delegation.—

(I) In general.—Except as provided in subclause (II), the duties of a Chief Information Officer under clause (i) are not delegable.

(II) Non-major information technology investments.—For a contract or agreement for a non-major information technology investment, as defined in the annual information technology capital planning guidance of the Office of Management and Budget, the Chief Information Officer of a covered agency other than the Department of Defense may delegate the approval of the contract or agreement under clause (i) to an individual who reports directly to the Chief Information Officer.


(2) Personnel-related authority.—Notwithstanding any other provision of law, for each covered agency other than the Department of Defense, the Chief Information Officer of the covered agency shall approve the appointment of any other employee with the title of Chief Information Officer, or who functions in the capacity of a Chief Information Officer, for any component organization within the covered agency.


(c) Limitation.—None of the authorities provided in this section shall apply to telecommunications or information technology that is fully funded by amounts made available—

(1) under the National Intelligence Program, defined by section 3(6) of the National Security Act of 1947 (50 U.S.C. 3003(6));

(2) under the Military Intelligence Program or any successor program or programs; or

(3) jointly under the National Intelligence Program and the Military Intelligence Program (or any successor program or programs).


(d) Information Technology Portfolio, Program, and Resource Reviews.—

(1) Process.—The Director of the Office of Management and Budget, in consultation with the Chief Information Officers of appropriate agencies, shall implement a process to assist covered agencies in reviewing their portfolio of information technology investments—

(A) to identify or develop ways to increase the efficiency and effectiveness of the information technology investments of the covered agency;

(B) to identify or develop opportunities to consolidate the acquisition and management of information technology services, and increase the use of shared-service delivery models;

(C) to identify potential duplication and waste;

(D) to identify potential cost savings;

(E) to develop plans for actions to optimize the information technology portfolio, programs, and resources of the covered agency;

(F) to develop ways to better align the information technology portfolio, programs, and financial resources of the covered agency to any multi-year funding requirements or strategic plans required by law;

(G) to develop a multi-year strategy to identify and reduce duplication and waste within the information technology portfolio of the covered agency, including component-level investments and to identify projected cost savings resulting from such strategy; and

(H) to carry out any other goals that the Director may establish.


(2) Metrics and performance indicators.—The Director of the Office of Management and Budget, in consultation with the Chief Information Officers of appropriate agencies, shall develop standardized cost savings and cost avoidance metrics and performance indicators for use by agencies for the process implemented under paragraph (1).

(3) Annual review.—The Chief Information Officer of each covered agency, in conjunction with the Chief Operating Officer or Deputy Secretary (or equivalent) of the covered agency and the Administrator of the Office of Electronic Government, shall conduct an annual review of the information technology portfolio of the covered agency.

(4) Applicability to the Department of Defense.—In the case of the Department of Defense, processes established pursuant to this subsection shall apply only to the business systems information technology portfolio of the Department of Defense and not to national security systems as defined by section 11103(a) of this title. The annual review required by paragraph (3) shall be carried out by the Chief Management Officer of the Department of Defense (or any successor to such Officer), in consultation with the Chief Information Officer, the Under Secretary of Defense for Acquisition and Sustainment, and other appropriate Department of Defense officials. The Secretary of Defense may designate an existing investment or management review process to fulfill the requirement for the annual review required by paragraph (3), in consultation with the Administrator of the Office of Electronic Government.

(5) Quarterly reports.—

(A) In general.—The Administrator of the Office of Electronic Government shall submit a quarterly report on the cost savings and reductions in duplicative information technology investments identified through the review required by paragraph (3) to—

(i) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate;

(ii) the Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives; and

(iii) upon a request by any committee of Congress, to that committee.


(B) Inclusion in other reports.—The reports required under subparagraph (A) may be included as part of another report submitted to the committees of Congress described in clauses (i), (ii), and (iii) of subparagraph (A).

(Added and amended Pub. L. 113–291, div. A, title VIII, §§831(a), 833, title IX, §901(n)(1), Dec. 19, 2014, 128 Stat. 3438, 3442, 3469; Pub. L. 115–88, §3, Nov. 21, 2017, 131 Stat. 1278; Pub. L. 115–91, div. A, title VIII, §819(b), title X, §1081(b)(1)(D), Dec. 12, 2017, 131 Stat. 1464, 1597; Pub. L. 115–232, div. A, title X, §1081(f)(1)(A)(iii), Aug. 13, 2018, 132 Stat. 1986; Pub. L. 116–92, div. A, title IX, §902(87), Dec. 20, 2019, 133 Stat. 1554.)


Editorial Notes

Amendments

2019—Subsec. (d)(4). Pub. L. 116–92 substituted "Under Secretary of Defense for Acquisition and Sustainment" for "Under Secretary of Defense for Acquisition, Technology, and Logistics".

2018—Subsec. (d)(4). Pub. L. 115–232 substituted "Chief Management Officer" for "Deputy Chief Management Officer".

2017—Subsecs. (c), (d). Pub. L. 115–88, §3(1), and Pub. L. 115–91, §819(b)(1), amended section identically, redesignating subsec. (c) relating to information technology portfolio, program, and resource reviews as (d).

Subsec. (d)(6). Pub. L. 115–88, §3(2), and Pub. L. 115–91, §819(b)(2), amended subsec. (d) identically, striking out par. (6). Text read as follows: "This subsection shall not be in effect on and after the date that is 5 years after the date of the enactment of the Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015."

2014—Subsec. (c). Pub. L. 113–291, §833, added subsec. (c) relating to information technology portfolio, program, and resource reviews.


Statutory Notes and Related Subsidiaries

Change of Name

Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019.

SUBCHAPTER III—OTHER RESPONSIBILITIES

§11331. Responsibilities for Federal information systems standards

(a) Definition.—In this section, the term "information security" has the meaning given that term in section 3532(b)(1) 1 of title 44.

(b) Requirement to Prescribe Standards.—

(1) In general.—

(A) Requirement.—Except as provided under paragraph (2), the Director of the Office of Management and Budget shall, on the basis of proposed standards developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)) and in consultation with the Secretary of Homeland Security, promulgate information security standards pertaining to Federal information systems.

(B) Required standards.—Standards promulgated under subparagraph (A) shall include—

(i) standards that provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(b)); and

(ii) such standards that are otherwise necessary to improve the efficiency of operation or security of Federal information systems.


(C) Required standards binding.—Information security standards described under subparagraph (B) shall be compulsory and binding.


(2) Standards and guidelines for national security systems.—Standards and guidelines for national security systems, as defined under section 3532(3) 1 of title 44, shall be developed, promulgated, enforced, and overseen as otherwise authorized by law and as directed by the President.


(c) Application of More Stringent Standards.—The head of an agency may employ standards for the cost-effective information security for all operations and assets within or under the supervision of that agency that are more stringent than the standards promulgated by the Director under this section, if such standards—

(1) contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and

(2) are otherwise consistent with policies and guidelines issued under section 3533 1 of title 44.


(d) Requirements Regarding Decisions by Director.—

(1) Deadline.—The decision regarding the promulgation of any standard by the Director under subsection (b) shall occur not later than 6 months after the submission of the proposed standard to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).

(2) Notice and comment.—A decision by the Director to significantly modify, or not promulgate, a proposed standard submitted to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3), shall be made after the public is given an opportunity to comment on the Director's proposed decision.

(Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1243; Pub. L. 107–296, title X, §1002(a), Nov. 25, 2002, 116 Stat. 2268; Pub. L. 107–347, title III, §302(a), Dec. 17, 2002, 116 Stat. 2956.)

Historical and Revision Notes

Revised Section | Source (U.S. Code) | Source (Statutes at Large)
11331 | 40:1441. | Pub. L. 104–106, div. E, title LI, §5131(a)–(d), Feb. 10, 1996, 110 Stat. 687.

Editorial Notes

References in Text

Sections 3532 and 3533 of title 44, referred to in subsecs. (a), (b)(2), and (c)(2), were repealed by Pub. L. 113–283, §2(a), Dec. 18, 2014, 128 Stat. 3073. Provisions similar to sections 3532 and 3533 of title 44 are now contained, respectively, in sections 3552 and 3553 of title 44, as enacted by Pub. L. 113–283.

Amendments

2002—Pub. L. 107–296 amended text generally. Prior to amendment, text, as amended generally by Pub. L. 107–347, read as follows:

"(a) Standards and Guidelines.—

"(1) Authority to prescribe.—Except as provided under paragraph (2), the Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), prescribe standards and guidelines pertaining to Federal information systems.

"(2) National security systems.—Standards and guidelines for national security systems (as defined under this section) shall be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.

"(b) Mandatory Requirements.—

"(1) Authority to make mandatory.—Except as provided under paragraph (2), the Secretary shall make standards prescribed under subsection (a)(1) compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of Federal information systems.

"(2) Required mandatory standards.—(A) Standards prescribed under subsection (a)(1) shall include information security standards that—

"(i) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(b)); and

"(ii) are otherwise necessary to improve the security of Federal information and information systems.

"(B) Information security standards described in subparagraph (A) shall be compulsory and binding.

"(c) Authority to Disapprove or Modify.—The President may disapprove or modify the standards and guidelines referred to in subsection (a)(1) if the President determines such action to be in the public interest. The President's authority to disapprove or modify such standards and guidelines may not be delegated. Notice of such disapproval or modification shall be published promptly in the Federal Register. Upon receiving notice of such disapproval or modification, the Secretary of Commerce shall immediately rescind or modify such standards or guidelines as directed by the President.

"(d) Exercise of Authority.—To ensure fiscal and policy consistency, the Secretary shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.

"(e) Application of More Stringent Standards.—The head of an executive agency may employ standards for the cost-effective information security for information systems within or under the supervision of that agency that are more stringent than the standards the Secretary prescribes under this section if the more stringent standards—

"(1) contain at least the applicable standards made compulsory and binding by the Secretary; and

"(2) are otherwise consistent with policies and guidelines issued under section 3543 of title 44.

"(f) Decisions on Promulgation of Standards.—The decision by the Secretary regarding the promulgation of any standard under this section shall occur not later than 6 months after the submission of the proposed standard to the Secretary by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).

"(g) Definitions.—In this section:

"(1) Federal information system.—The term 'Federal information system' means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

"(2) Information security.—The term 'information security' has the meaning given that term in section 3542(b)(1) of title 44.

"(3) National security system.—The term 'national security system' has the meaning given that term in section 3542(b)(2) of title 44."

Pub. L. 107–347 substituted "Responsibilities for Federal information systems standards" for "Responsibilities regarding efficiency, security, and privacy of federal computer systems" in section catchline and amended text generally. Prior to amendment, text read as follows:

"(a) Definitions.—In this section, the terms 'federal computer system' and 'operator of a federal computer system' have the meanings given those terms in section 20(d) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(d)).

"(b) Standards and Guidelines.—

"(1) Authority to prescribe and disapprove or modify.—

"(A) Authority to prescribe.—On the basis of standards and guidelines developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the Act (15 U.S.C. 278g–3(a)(2), (3)), the Secretary of Commerce shall prescribe standards and guidelines pertaining to federal computer systems. The Secretary shall make those standards compulsory and binding to the extent the Secretary determines necessary to improve the efficiency of operation or security and privacy of federal computer systems.

"(B) Authority to disapprove or modify.—The President may disapprove or modify those standards and guidelines if the President determines that action to be in the public interest. The President's authority to disapprove or modify those standards and guidelines may not be delegated. Notice of disapproval or modification shall be published promptly in the Federal Register. On receiving notice of disapproval or modification, the Secretary shall immediately rescind or modify those standards or guidelines as directed by the President.

"(2) Exercise of authority.—To ensure fiscal and policy consistency, the Secretary shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget.

"(c) Application of More Stringent Standards.—The head of a federal agency may employ standards for the cost-effective security and privacy of sensitive information in a federal computer system in or under the supervision of that agency that are more stringent than the standards the Secretary prescribes under this section if the more stringent standards contain at least the applicable standards the Secretary makes compulsory and binding.

"(d) Waiver of Standards.—

"(1) Authority of the secretary.—The Secretary may waive in writing compulsory and binding standards under subsection (b) if the Secretary determines that compliance would—

"(A) adversely affect the accomplishment of the mission of an operator of a federal computer system; or

"(B) cause a major adverse financial impact on the operator that is not offset by Federal Government-wide savings.

"(2) Delegation of waiver authority.—The Secretary may delegate to the head of one or more federal agencies authority to waive those standards to the extent the Secretary determines that action to be necessary and desirable to allow for timely and effective implementation of federal computer system standards. The head of the agency may redelegate that authority only to a chief information officer designated pursuant to section 3506 of title 44.

"(3) Notice.—Notice of each waiver and delegation shall be transmitted promptly to Congress and published promptly in the Federal Register."


Statutory Notes and Related Subsidiaries

Effective Date of 2002 Amendments

Amendment by Pub. L. 107–347 effective Dec. 17, 2002, see section 402(b) of Pub. L. 107–347, set out as a note under section 3504 of Title 44, Public Printing and Documents.

Amendment by Pub. L. 107–296 effective 60 days after Nov. 25, 2002, see section 4 of Pub. L. 107–296, set out as an Effective Date note under section 101 of Title 6, Domestic Security.

1 See References in Text note below.

[§11332. Repealed. Pub. L. 107–296, title X, §1005(a)(1), Nov. 25, 2002, 116 Stat. 2272; Pub. L. 107–347, title III, §305(a), Dec. 17, 2002, 116 Stat. 2960]

Section, Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1244, related to Federal computer system security training and plan.


Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Repeal effective Dec. 17, 2002, see section 402(b) of Pub. L. 107–347, set out as an Effective Date of 2002 Amendments note under section 3504 of Title 44, Public Printing and Documents.

Repeal by Pub. L. 107–296 effective 60 days after Nov. 25, 2002, see section 4 of Pub. L. 107–296, set out as an Effective Date note under section 101 of Title 6, Domestic Security.