OMB Issues FISMA Reporting Guidance

OMB has issued instructions for meeting fiscal 2008 reporting requirements under the Federal Information Security Management Act of 2002, as well as instructions for agency privacy management programs.

According to the memo, M-08-21, from OMB deputy management director Clay Johnson, OMB and Congress will use the reports to evaluate agency-specific and government-wide security performance, so it’s important to resolve conflicting views or unresolved differences among the various parties contributing to the report, such as chief information officers and agency inspectors general.

There are a few updates over last year based on security and privacy policies, including additional requests related to an OMB memo issued in January, M-08-09.

Agencies should also submit their most current documentation related to OMB memo M-07-16, from May 22, 2007, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information."

OMB said that information should be provided in an appendix to annual FISMA reports and include agency breach notification policies, implementation plans and progress updates on eliminating unnecessary use of Social Security numbers, and policies outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules.
