OMB has issued guidance to agencies on fiscal 2021 requirements for complying with the Federal Information Security Modernization Act, in the process changing several reporting requirements to eliminate duplication with those under other laws.
The law requires agencies to report the status of their information security programs to OMB and to Congress; those reports are also reviewed by agency inspectors general (IGs) and used by DHS and other entities involved with cybersecurity. The reports must include a detailed assessment of the adequacy and effectiveness of the agency’s information security policies, procedures, and practices, including progress toward meeting government-wide targets, and the number of information security incidents, with details such as the type of attack and the agency’s response.
Memo M-21-02 spells out the details and deadlines for those requirements and defines key terms, including what qualifies as a major incident.
The memo does not apply to national security systems “although agencies are encouraged to leverage the document to inform their management processes,” it says.