OMB Issues Guidance on FISMA Compliance

OMB has issued new reporting guidance and deadlines for compliance with the Federal Information Security Modernization Act. The memo, M-18-02, consolidates prior guidance and, in its own words, is meant to “ensure consistent, government-wide performance and agency adoption of best practices.”

One section describes information security program oversight and FISMA reporting requirements, and sets deadlines for agencies’ quarterly and annual FISMA metrics. The memo said that meeting these reporting requirements also satisfies the requirement, established in Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” that agencies conduct regular risk management assessments.

FISMA requires agencies to report on the status of their information security programs to OMB. OMB and DHS collaborate with the IG community to ensure that the IG FISMA metrics provide independent assessments of agency information security programs in accordance with FISMA requirements, the memo said. “At a minimum, CFO Act agencies must update their data quarterly and non-CFO Act agencies must update their data on a semiannual basis,” it said.

The memo further describes required reporting to GAO and Capitol Hill, along with OMB and DHS.

Another section describes incident reporting requirements, including a definition of what qualifies as a “major incident” that requires reporting to Congress and the agency’s IG under the law, among other provisions.