NAO 212-13: NOAA Information Technology Security Policy

Issued 03/17/03; Effective 03/07/03; Last Reviewed: In Process



This Order establishes requirements, policies, responsibilities, and authorities for the development, implementation, and oversight of the National Oceanic and Atmospheric Administration (NOAA) Information Technology (IT) Security Program for the protection of all IT resources, including computers, networks, telecommunications systems, applications, data, and information. The Order also authorizes the development of the NOAA IT Security Manual.


This Order applies to all NOAA offices and their employees, including contractors and temporary employees, who are responsible for systems and data; to all IT resources within NOAA, including hardware and software; and to the processes of acquisition, management, and use of information resources.


.01 The IT Security Program ensures safeguards exist to protect the confidentiality, integrity, and availability of all IT resources that support the missions of NOAA.

.02 All IT resources will be protected from abuse and misuse.

.03 NOAA information will be protected from unauthorized disclosure, destruction, or modification while collected, processed, transmitted, stored, or disseminated.

.04 IT security will be applied throughout all phases of an information system's life cycle.


.01 Federal Information Security Management Act of 2002.

.02 Computer Security Act of 1987 (Public Law (Pub.L.) 100-235).

.03 Computer Fraud and Abuse Act of 1987 (Pub.L. 99-474).

.04 Office of Management and Budget Circular A-130, Appendix III, Management of Federal Information Resources.

.05 Clinger-Cohen Act of 1996, as amended.

.06 Executive Order 13011, Federal Information Technology.

.07 Privacy Act of 1974, as amended (Pub.L. 93-579).

.08 The Department of Commerce Information Technology Management Handbook – Section titled “IT Security Program Policy and Minimum Implementation Standards.”


.01 Assistant Administrators and Staff Office Directors are responsible for adequate protection of their respective organization's IT resources.

.02 The designated approving authority (DAA) is responsible for ensuring compliance with system security requirements and for accrediting each system under his/her jurisdiction.

.03 The NOAA Chief Information Officer (CIO) serves as the DAA for NOAA. In this capacity, the NOAA CIO exercises NOAA-wide program leadership through the NOAA IT Security Office, which is responsible for the design, development, and compliance monitoring of the NOAA IT Security Program in accordance with applicable federal laws and other relevant directives.

.04 The Line Office (LO) CIO serves as the DAA for the LO. The LO CIO appoints an IT Security Officer (ITSO) and alternate ITSO who will be responsible for compliance monitoring of the LO's IT security program. For purposes of this Order, the CIOs of NOAA Finance and Administration and NOAA Marine and Aviation Operations are deemed LO CIOs.


.01 Issuance of the NOAA IT Security Manual (the Manual) is in compliance with the Department of Commerce Information Technology Management Handbook. The Manual augments and supplements those portions of the Department's Handbook that relate to IT Security.

.02 The Manual applies to all NOAA elements and has the same force and effect as this Order.

.03 The Manual is issued, updated, and maintained by the NOAA IT Security Office. The Manual will adhere to the requirements of NOAA Administrative Order (NAO) 200-3, The NOAA Administrative Order Series, as listed in Section 5.02, "Handbooks and Manuals." Updates to the Manual will be issued by the Director, NOAA IT Security Office. LO CIOs will be afforded prior review of proposed changes or additions to the Manual. The Director will request concurrence of the NOAA CIO on updates which are potentially controversial.

.04 Distribution of the Manual will be accomplished in both paper and electronic form. The paper version will be issued in loose-leaf form to allow for ease of updating, and updates will be distributed using sequentially numbered transmittal sheets issued over the signature of the Director, NOAA IT Security Office. The NOAA IT Security Office will maintain a list of officials and organizations who will receive a printed copy of the Manual. The electronic version of the Manual, accessible at, will be maintained by the NOAA IT Security Office.


This Order supersedes NAO 212-13, Information Technology Security Management, dated May 21, 1993.


Chief Financial Officer/Chief Administrative Officer

Office of Primary Interest:
NOAA Chief Information Officer (CIO)
NOAA IT Security Office