OMB has issued instructions for meeting fiscal 2009 reporting requirements under the Federal Information Security Management Act as well as reporting instructions for agency privacy management programs.
The memo does not include reporting templates. While reporting categories and questions are generally the same as last year, agencies will forego spreadsheets and instead exclusively submit data through an online application – not yet released – that will allow agencies to enter data manually or upload it.
According to the memo, M-09-29, chief information officers, inspectors general, and senior agency privacy officials will also all report through the automated tool, a test version of which is soon to be released. Reporting to Congress will continue as in prior years. FISMA reports are due November 18.
The guidance calls on agencies to separately submit through the online tool their breach notification policies if they have changed significantly since last year’s report; progress updates on eliminating unnecessary use of social security numbers; and, progress updates on review and reduction of personally identifiable information.
