32 CFR § 2004.40 - Information system security.

---
identifier: "/us/cfr/t32/s2004.40"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "32 CFR § 2004.40 - Information system security."
title_number: 32
title_name: "National Defense"
section_number: "2004.40"
section_name: "Information system security."
chapter_name: "INFORMATION SECURITY OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION"
part_number: "2004"
part_name: "NATIONAL INDUSTRIAL SECURITY PROGRAM (NISP)"
positive_law: false
currency: "2026-03-24"
last_updated: "2026-03-24"
format_version: "1.1.0"
generator: "[email protected]"
authority: "Section 102(b)(1) of E.O. 12829 (January 6, 1993), as amended by E.O. 12885 (December 14, 1993), E.O. 13691 (February 12, 2015), and section 4 of E.O. 13708 (September 30, 2015)."
regulatory_source: "83 FR 19951, May 7, 2018, unless otherwise noted."
cfr_part: "2004"
---

# 2004.40 Information system security.

(a) The responsible CSA must authorize an entity information system before the entity can use it to process classified information. The CSA must use the most complete, accurate, and trustworthy information to make a timely, credible, and risk-based decision whether to authorize an entity's system.

(b) The responsible CSA issues to entities guidance that establishes protection measures for entity information systems that process classified information. The responsible CSA must base the guidance on standards applicable to Federal systems, which must include the Federal Information Security Modernization Act of 2014 (FISMA), Public Law 113-283, and may include National Institute of Standards and Technology (NIST) publications, Committee on National Security Systems (CNSS) publications, and Federal information processing standards (FIPS).