OMB releases FISMA guidance with focus on privacy
- By Jason Miller
- Jun 15, 2005
For the first time, agencies will include a detailed report on the strength of their privacy programs in their annual Federal Information Security Management Act report.
Departments have until Oct. 7 to submit a FISMA report to the Office of Management and Budget. Administration officials then will create a report to send to Congress by March 2006. OMB released the reporting guidance
'The privacy program questions shall be completed by the senior agency official for privacy, in consultation with other agency privacy officials as appropriate,' said Clay Johnson, OMB's deputy director for management, in a memo to agency executives. 'These questions relate, in part, to agency implementation of the privacy provisions of the E-Government Act.'
Along with privacy, the FISMA report includes separate IT security evaluations by the agency's inspector general and the CIO. Johnson said that before turning in the report, agencies' CIOs and IGs should work together to 'resolve any discrepancies' between their sections.
Under the IT security section, agencies will find two new questions on the use of the National Institute of Standards and Technology's Special Publication 800-53
, which lays out security controls for federal systems, and on whether the agency has developed security procedures for emerging technologies such as wireless, Internet Protocol Version 6, spyware and malware.
OMB also updated questions about NIST's Federal Information Processing Standards 199
for assessing security risks; the tools or techniques used to detect incidents and how many systems the agency is using the tools for; and the number of successful outside attacks in 2005, including the number reported to law enforcement and the number reported to the U.S. Computer Emergency Response Team. Incidents may include denial of service attacks, unauthorized access, malicious code or improper usage.
'OMB uses the information to help evaluate agency-specific and governmentwide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance and inform development of the E-Government's scorecard under the President's Management Agenda,' Johnson said. 'Reports are most helpful when they clearly and accurately reflect the status of the agency's information security program.'