OMB has issued guidance to agencies on reporting and deadlines under the Federal Information Security Act in a memo that also consolidates several government-wide reporting requirements.
FISMA requires agencies to report the status of their information security programs to OMB and requires agency IGs to conduct annual independent assessments of those programs. Separate metrics, developed in conjunction with OMB, apply to reporting by agency CIOs and by IGs.
According to OMB memo M-19-2, CFO Act agencies (Cabinet departments and the largest independent agencies) must update their CIO metrics quarterly, and other agencies must update them semiannually. “Reflecting the administration’s shift from compliance to risk management, CIO metrics are not limited to capabilities within National Institute of Standards and Technology security baselines, and agency responses should reflect actual implementation levels,” it says.
Separately, senior agency officials for privacy are to report annually on matters including the agency’s privacy program, any changes to it (including changes in leadership and staffing), the agency’s breach response plan, and its privacy continuous monitoring strategy.
Further, agencies are to annually submit to OMB a detailed assessment of the adequacy and effectiveness of the agency’s information security policies, statistics on information security breaches and descriptions of major incidents, among other information. Those reports, which also must be provided to the GAO and to Congress, are due by March 1.
The memo also contains guidance on identifying high-value assets, incident reporting, continuous diagnostics and monitoring, and risk determination.