PUBLIC LAW 107-296—NOV. 25, 2002 116 STAT. 2265 "(D) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 and 2805 of title 39; "(E) financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made by that Act); "(F) financial management systems under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note); and "(G) internal accounting and administrative controls under section 3512 of title 31, United States Code, (known as the 'Federal Managers Financial Integrity Act'); and "(3) report any significant deficiency in a policy, procedure, or practice identified under paragraph (1) or (2)— "(A) as a material weakness in reporting under section 3512oftitle31;and "(B) if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note). "(d)(1) In addition to the requirements of subsection (c), each agency, in consultation with the Director, shall include as part of the performance plan required under section 1115 of title 31 a description of— "(A) the time periods; and "(B) the resources, including budget, staffing, and training, that are necessary to implement the program required under subsection (b). "(2) The description under paragraph (1) shall be based on the risk assessments required under subsection (b)(2)(l). "(e) Each agency shall provide the public with timely notice Public and opportunities for comment on proposed information security information, policies and procedures to the extent that such policies and procedures affect communication with the public. "§ 3535. Annual independent evaluation "(a)(1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. "(2) Each evaluation by an agency under this section shall include— "(A) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems; "(B) an assessment (made on the basis of the results of the testing) of compliance with— "(i) the requirements of this subchapter; and "(ii) related information security policies, procedures, standards, and guidelines; and "(C) separate presentations, as appropriate, regarding information security relating to national security systems. "(b) Subject to subsection (c)—- "(1) for each agency with an Inspector General appointed under the Inspector General Act of 1978, the annual evaluation required by this section shall be performed by the Inspector 99-194O-03 -22:QL3Part3
�