124 STAT. 2844 PUBLIC LAW 111–267—OCT. 11, 2010 (2) CRITERIA.—The criteria may include— (A) authentication or encryption codes; (B) embedded security markings in parts; (C) unique, harder to copy labels and markings; (D) identifying distinct lot and serial codes on external packaging; (E) radio frequency identification embedded into high- value parts; (F) physical destruction of all defective, damaged, and sub-standard parts that are by-products of the manufac- turing process; (G) testing certifications; (H) maintenance of procedures for handling any counterfeit parts that slip through; (I) maintenance of secure facilities to prevent unauthorized access to proprietary information; and (J) maintenance of product return, buy back, and inventory control practices that limit counterfeiting. (d) REPORT TO CONGRESS.—Within one year after the date of enactment of this Act, the Administrator shall report on the progress of implementing this section to the appropriate committees of Congress. SEC. 1207. INFORMATION SECURITY. (a) MONITORING RISK.— (1) UPDATE ON SYSTEM IMPLEMENTATION.—Not later than 120 days after the date of enactment of this Act, and on a biennial basis thereafter, the chief information officer of NASA, in coordination with other national security agencies, shall provide to the appropriate committees of Congress— (A) an update on efforts to implement a system to provide dynamic, comprehensive, real-time information regarding risk of unauthorized remote, proximity, and insider use or access, for all information infrastructure under the responsibility of the chief information officer, and mission-related networks, including contractor net- works; (B) an assessment of whether the system has demon- strably and quantifiably reduced network risk compared to alternative methods of measuring security; and (C) an assessment of the progress that each center and facility has made toward implementing the system. (2) EXISTING ASSESSMENTS.—The assessments required of the Inspector General under section 3545 of title 44, United States Code, shall evaluate the effectiveness of the system described in this subsection. (b) INFORMATION SECURITY AWARENESS AND EDUCATION.— (1) IN GENERAL.—In consultation with the Department of Education, other national security agencies, and other agency directorates, the chief information officer shall institute an information security awareness and education program for all operators and users of NASA information infrastructure, with the goal of reducing unauthorized remote, proximity, and insider use or access. (2) PROGRAM REQUIREMENTS.— Deadlines. Assessments. 42 USC 18445.
