The Office of Management and Budget has released fiscal 2006 reporting instructions for the federal information security management act and agency privacy management programs.
Reporting categories and questions are the same as last year, but there are some new actions agencies must take as well as new information required and a few different time frames, as described in OMB memo M-06-20.
It said agencies should provide an appendix with their reports or separate attachments showing the results of the review required by OMB memo M-06-15 — regarding safeguarding personally identifiable information.
OMB has asked inspectors general this year to provide a list of systems they have found missing from the agency’s inventory of major information systems.
The memo requires agency privacy updates to be submitted quarterly with security updates for the President’s Management Agenda scorecard — the updates are now due on the first day of September, December, March and June.
The memo also asks agencies to identify physical or electronic incidents involving the loss of or unauthorized access to personally identifiable information and report them according to the policies that are outlined in another memo, M-06-19, regarding incident reporting and IT security costs.