116 STAT. 2266 PUBLIC LAW 107-296—NOV. 25, 2002 General or by an independent external auditor, as determined by the Inspector General of the agency; and "(2) for each agency to which paragraph (1) does not apply, the head of the agency shall engage an independent external auditor to perform the evaluation. "(c) For each agency operating or exercising control of a national security system, that portion of the evaluation required by this section directly relating to a national security system shall be performed— "(1) only by an entity designated by the agency head; and "(2) in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws. "(d) The evaluation required by this section— "(1) shall be performed in accordance with generally accepted government auditing standards; and "(2) may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the applicable agency. "(e) Each year, not later than such date established by the Director, the head of each agency shall submit to the Director the results of the evaluation required under this section. "(f) Agencies and evaluators shall take appropriate steps to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and regulations. Reports. "(g)(1) The Director shall summarize the results of the evaluations conducted under this section in the report to Congress required under section 3533(a)(8). "(2) The Director's report to Congress under this subsection shall summarize information regarding information security relating to national security systems in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws. "(3) Evaluations and any other descriptions of information systems under the authority and control of the Director of Central Intelligence or of National Foreign Intelligence Programs systems under the authority and control of the Secretary of Defense shall be made available to Congress only through the appropriate oversight committees of Congress, in accordance with applicable laws. Reports. "(h) The Comptroller General shall periodically evaluate and report to Congress on— "(1) the adequacy and effectiveness of agency information security policies and practices; and "(2) implementation of the requirements of this subchapter.
- § 3536. National security systems
"The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency— "(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from
�
