Government Information Security Act

Government Information Security Act of 1999 - Requires the Director of the Office of Management and Budget to establish government-wide policies for the management of programs that support the cost-effective security of Federal information systems by promoting security as an integral part of each agency's business operations. Requires such policies to: (1) be founded on a continuous risk management cycle; (2) implement controls that adequately address the risk; (3) promote continuing awareness of information security risks; (4) continually monitor and evaluate information security policy; and (5) control effectiveness of information security practices. Outlines information security responsibilities of each agency, including the development and implementation of an agency-wide program to provide information security for the operations and assets of such agency. Makes each program subject to Director approval and annual review by agency program officials.

Requires each agency to annually undergo an independent evaluation of its information security program and practices. Requires related reports.

Requires the: (1) Department of Commerce to develop, issue, review, and update standards and guidance for the security of information in Federal computer systems; (2) Department of Justice to review and update guidance to agencies on legal remedies regarding security incidents and coordination with law enforcement agencies concerning such incidents; (3) General Services Administration to review and update guidance on addressing security considerations relating to the acquisition of information technology; and (4) Office of Personnel Management to review and update regulations concerning computer security training for Federal civilian employees.