The IT Law Wiki

Citation: Title X, Subtitle G—Government Information Security Reform, Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001, P.L.106-398, October 30, 2000.



The Government Information Security Reform Act (GISRA) established information security program, evaluation, and reporting requirements for federal agencies. GISRA required agencies to perform periodic threat-based risk assessments for systems and data. It also required agencies to develop and implement risk-based, cost-effective policies and procedures to provide security protection for information collected or maintained either by the agency or for it by another agency or contractor. GISRA required that agencies develop a process for ensuring that remedial action is taken to address significant deficiencies. GISRA also required agencies to provide training on security awareness for agency personnel and on security responsibilities for information security personnel.

GISRA required the agency head to ensure that the agency’s information security plan is practiced throughout the life cycle of each agency system. The agency head was responsible for ensuring that the appropriate agency officials evaluated the effectiveness of the information security program, including testing controls.
