32 CFR 2400.45: Information Security Program Review.
(a) The Director, OSTP, shall require an annual formal review of the OSTP Information Security Program to ensure compliance with the provisions of Executive Order 12356 and Directive No. 1, and this regulation.
(b) The review shall be conducted by a group of three to five persons appointed by the Director and chaired by the Executive Director. The Security Officer will provide any records and assistance required to facilitate the review.
(c) The findings and recommendations of the review will be provided to the Director for his determination.