•   A responsible entity must give an annual report relating to certain assets that are not covered by a critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body.