1.6.3 Agency IT Authorities – Laws and Executive Orders
This section consists of IT authorities assigned to agencies in laws and executive orders which directly or indirectly task the CIO with duties or responsibilities pertaining to information security and privacy. The statutory language is directly pulled from the applicable laws and executive orders. In most cases, the heads of agencies delegate all IT management responsibilities to the CIO, but some functions are explicitly assigned to more than one person (e.g. the CIO in consultation with the CFO). See individual agency policies to determine how instances of dual responsibility are implemented and executed, and what tasks (if any) are required of the agency head but not delegated to the CIO.
The E-Government Act requires agencies to conduct a [privacy impact assessment (PIA)] (A PIA is an analysis of how personally identifiable information (PII) is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A PIA is both an analysis and a formal document detailing the process and the outcome of the analysis.) before: (i) developing or procuring IT that collects, maintains, or disseminates information that is in an identifiable form; or (ii) initiating a new collection of information that: (I) will be collected, maintained, or disseminated using IT; and (II) includes any information in an identifiable form permitting the physical or online contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, 10 or more persons, other than agencies, instrumentalities, or employees of the Federal Government. (44 U.S.C. § 3501. Section 208(b). E-Government Act of 2002. Privacy Provisions.)
Federal Agency Responsibilities
“The head of each agency shall: (1) be responsible for: (A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of: (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency [...].” (44 U.S.C. § 3554. Title 44 Public Printing and Documents. Federal Agency Responsibilities.)