M-08-21 M-09-29 Comparison

From FISMApedia
(Redirected from M-08-21 M-09-23 Comparison)
Jump to: navigation, search
M-08-21 M-09-29
1 1
2  EXECUTIVE OFFICE OF THE PRESIDENT 2  EXECUTIVE OFFICE OF THE PRESIDENT
3  OFFICE OF MANAGEMENT AND BUDGET 3  OFFICE OF MANAGEMENT AND BUDGET
4  WASHINGTON, D.C. 20503 4  WASHINGTON, D.C. 20503
5DEPUTY DIRECTOR 
6FOR MANAGEMENT 
7 5
8 6
9 7
10July 14, 2008 
11 8
12 9
13M-08-21  10August 20, 2009 
14 11
15MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES 
16 12
13M-09-29 
17 14
15MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES 
18 16
19 17
20FROM:  Clay Johnson III 
21Deputy Director for Management 
22 18
23 19
20FROM: Jeffrey D. Zients 
21Deputy Director for Management 
24 22
23Vivek Kundra 
24U.S. Chief Information Officer 
25 25
26 26
27 27
28 28
29 29
30SUBJECT: FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management 30SUBJECT: FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
31 31
32This memorandum provides instructions for meeting your agency's FY 2008 reporting requirements under the Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No. 107-347). It also includes reporting instructions on your agency's privacy management program. 32This memorandum provides instructions for meeting your agency's FY 2009 reporting requirements under the Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No. 107-347). It also includes reporting instructions on your agency's privacy management program.
33 33
34Because the Office of Management and Budget (OMB) and Congress use this report to evaluate agency-specific and Government-wide security performance, it is especially important your agency's report clearly and accurately reflect the overall status of your program and not include conflicting views of, or unresolved differences among, the various parties contributing to the report including the Chief Information Officer (CIO), the Inspector General (IG), and the Senior Agency Official for Privacy (SAOP).  34The reporting categories and questions are generally the same as last year, and the report will cover the same areas as in previous years. However, while the content of the report has changed little since 2008, the means of collection have changed substantially. This year, rather than using spreadsheets, the annual FISMA report data collection will occur via an automated reporting tool. This tool will allow both manual data entry and automatic upload of data. Therefore, the attachments to this memo only contain lists of questions and not reporting templates. 
35 35
36Although the reporting categories and questions are generally the same as last year, there are some updates based on security and privacy policies issued within the year. In particular, there are additional questions related to OMB Memorandum M-08-09 of January 18, 2008 New FISMA Privacy Reporting Requirements for FY 2008.  36The Chief Information Officers (CIO), Inspectors General (IG), and the Senior Agency Officials for Privacy (SAOP) will all report through the automated collection tool. A test version will be available in August and further instructions will be issued. Please note that OMB will only accept reports submitted through the automated tool. Reporting to the Congress will continue as in prior years. Due to the new collection system, the due date for FISMA reports will be November 18, 2009. 
37 37
38Agencies should also submit their most current documentation related to OMB Memorandum M- 07-16, of May 22, 2007, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information,"1 This information should be provided in an appendix to your annual report and include the following items for your agency: 38Agencies should also submit the following information related to OMB Memorandum M-07-16, of May 22, 2007, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information."1 This information should be provided as separate documents submitted through the automated reporting tool and should include the following items for your agency:
39 39
40 • Breach notification policy  40 • Breach notification policy if it has changed significantly since last year's report; 
41Implementation plan and progress update on eliminating unnecessary use of Social Security Numbers (SSN);  41Progress update on eliminating unnecessary use of Social Security Numbers (SSN); and 
42Implementation plan and progress update on review and reduction of holdings of personally identifiable information (PII); and  42Progress update on review and reduction of holdings of personally identifiable information (PII). 
43 • Policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules. 
44 43
451 http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf 441 http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf
46 45
47Please send one formal copy of your report addressed to the Director of OMB and an electronic copy to fisma@omb.eop.gov by October 1, 2008. Each report must include a transmittal letter from the agency head reconciling any differences between the findings of the agency CIO, IG, and SAOP. The report must reflect the agency head's determination of the adequacy and effectiveness of information security and privacy policies, procedures, and practices. More details on reporting are found in the attachments to this memorandum. Your staff may contact Susan Jennifer Haggerty, shaggerty@omb.eop.gov, regarding security questions or John Barkhamer, jbarkham@omb.eop.gov, regarding privacy questions.  46Agency reports must reflect the agency head's determination of the adequacy and effectiveness of information security and privacy policies, procedures, and practices. The new automated reporting tool will allow agencies to submit an electronic copyof the signed official transmittal letter. 
48 47
48Agency staff may contact Suzanne Lightman, slightman@omb.eop.gov, regarding security questions or Sharon Mar, smar@omb.eop.gov, regarding privacy questions. 
49 49
50Attachments  50Attachments: 
51 51
52Instructions for Preparing the FISMA Report and Agency Privacy Management Report  52List of FISMA FAQs 
53Reporting Template for Micro Agencies (Excel)  53CIO Questions 
54Reporting Template for CIOs (Excel)  54IG Questions 
55Reporting Template for IGs (Excel)  55SAOP Questions 
56Reporting Template for SAOPs (Excel)  56Microagency Questions 
57 • FY 2009 Quarterly Reporting Template (Excel) (this template will be posted at a later date for use in submitting the December 09 quarterly update) 
58 57
59 58
60  FY 2008 Reporting Instructions for the  59 
60  FY 2009 Reporting Instructions for the 
61 61
62  Federal Information Security Management Act and 62  Federal Information Security Management Act and
63  Agency Privacy Management 63  Agency Privacy Management
64  Table of Contents 64  Table of Contents
65 65
66 66
67 67
68 68
69 69
70 70
71 71
72 72
73 73
74 74
75 75
76 76
77 77
78 78
79 79
80 80
81 81
82 82
83 83
84 84
85 85
86 86
87 87
88 88
89 89
90 90
91 91
92 92
93 93
94 94
95 95
96 96
97 97
98 98
99 99
100Section A - Instructions for Completing the Annual Federal Information Security Management Act (FISMA) and Agency Privacy Management Report 
101 100
102  This section contains instructions, frequently asked questions, and definitions to aid Chief Information Officers (CIO), Inspectors General (IG), and Senior Agency Officials for Privacy (SAOP) in preparing and submitting the annual FISMA and 
103Privacy Management Report. 
104 101
105Section B– Reporting Template for CIOs 
106 102
107  This section contains instructions for CIOs to complete the annual FISMA reporting template (attached). 
108 103
109Section C– Reporting Template for IGs  
110 104
111  This section contains instructions for IGs to complete the annual FISMA reporting template (attached). 
112 105
113Section D – Reporting Template for SAOPs 
114 106
115  This section contains instructions for SAOPs to complete the annual privacy and civil liberties reporting template (attached). The template in this attachment shall be completed by all agencies. 
116 107
117 108
118 109
119 110
120 111
121 112
122 113
123 114
124 115
125 116
126 117
127 118
128 119
129 120
130 121
131 122
132 123
133 124
134 125
135 126
136 127
137 128
138 129
139 130
140 131
141 132
142 133
143 134
144 135
145 136
146 137
147 138
148 139
149 140
150Section A - Instructions for Completing the Annual Federal Information Security Management Act (FISMA) and Agency Privacy Management Report 
151 141
152This section contains instructions for annual FISMA and privacy reporting. The reporting templates are contained in Sections B, C, and D. Each of the templates are to be completed by the appropriate agency officials, as part of one combined report signed by the agency head and transmitted to the Director, Office of Management and Budget (OMB) by October 1, 2008. In addition to formal transmission, an electronic copy of the report should be sent to fisma@omb.eop.gov. All parts of the report should be transmitted in the contents of one single e-mail, in a file format that is not zipped. 
153 142
154Each agency head's annual report to OMB shall comprise: 
155 143
156 1. Transmittal letter from the agency head reconciling any differences between the findings of the agency CIO, IG, and SAOP. The transmittal letter and report contained within must reflect the agency head's determination of the adequacy and effectiveness of information security and privacy policies, procedures, and practices. 
157 2. Section B Template completed by the CIO – Summarizing the results of annual IT security reviews of systems and programs conducted by the agency. 
158 3. Section C Template completed by the IG – Summarizing the results of the agency IG's independent evaluation. 
159 4. Section D Template completed by the SAOP – Summarizing the status of agency compliance with privacy laws and policies. 
160 144
161Agency reports shall be based on the results of the annual system and program reviews, the agency's work in correcting weaknesses identified in their Plans of Action and Milestones (POA&Ms), and any other work performed throughout the reporting period. While the completed report should consist primarily of the transmittal letter and the completed reporting templates, IGs are encouraged to provide any additional narrative in an appendix to the report to the extent they provide meaningful insight into the status of the agency's security or privacy program. 
162 145
163Incomplete reporting on OMB's performance measures by either the agency or the agency IG will be noted in OMB's public report to Congress and will be a consideration in OMB's annual approval or disapproval of the agency's security program. When completing the reporting template, agencies should refer to the definitions section provided.  146 
147 
148 
149 
150Section A - Frequently Asked Questions 
151 
152This section contains frequently asked questions, and definitions to aid Chief Information Officers (CIO), Inspectors General (IG), and Senior Agency Officials for Privacy (SAOP) in preparing and submitting the annual FISMA and Privacy Management Report. 
153 
154 
155 
156 
157 
158 
159 
160 
161 
162 
163 
164 164
165 165
166 166
167 167
168 168
169 169
170Frequently Asked Questions 170Frequently Asked Questions
171 171
172Sending to Congress and GAO 172Sending to Congress and GAO
173 173
174 174
175 175
176 176
177 177
178 178
179 179
1801. When should my agency send our annual report to Congress and the Government Accountability Office (GAO)? 1801. When should my agency send our annual report to Congress and the Government Accountability Office (GAO)?
181 181
182After review by and notification from OMB, agencies shall forward their transmittal letter with report sections B, C, and D to the appropriate Congressional Committees and GAO. Transmittal of agency reports to Congress shall be made by, or be consistent with guidance from, the agency's Congressional or Legislative Affairs office to the following: Committees on Oversight and Government Reform and Science and Technology of the House, the Committees on Government Affairs and Commerce, Science, and Transportation of the Senate, and the Congressional authorization and appropriations committees for each individual agency. In prior years, the Committees have provided to OMB specific points of contact for receiving the reports. As in the past, if such are provided to OMB, we will notify the agencies. 182After review by and notification from OMB, agencies shall forward their transmittal letter with a report from the automated reporting tool to the appropriate Congressional Committees and GAO. Transmittal of agency reports to Congress shall be made by, or be consistent with guidance from, the agency's Congressional or Legislative Affairs office to the following: Committees on Oversight and Government Reform and Science and Technology of the House, the Committees on Government Affairs and Commerce, Science, and Transportation of the Senate, and the Congressional authorization and appropriations committees for each individual agency. In prior years, the Committees have provided to OMB specific points of contact for receiving the reports. As in the past, if such are provided to OMB, we will notify the agencies.
183 183
184Submission Instructions and Templates 184Submission Instructions and Templates
185 185
186 186
187 187
188 188
189 189
1902. Which template should my agency use to fill out the annual and quarterly reports?  1902. Which set of questions should my agency fill out in the automated reporting tool? 
191 
192All Chief Financial Officer (CFO) Act agencies and agencies participating in the President's Management Agenda scorecard process (i.e., agencies with E-Government scorecards) should complete the annual report and submit quarterly updates to OMB. Quarterly updates are due to OMB by September 1, December 1, March 1, and June 1. All materials should be submitted to the OMB FISMA mailbox at fisma@omb.eop.gov 
193 191
194All other agencies should provide OMB only the annual report. Agencies should be prepared to provide information or submit quarterly reports to OMB upon request, however. Microagencies (i.e., agencies employing 100 or fewer FTEs) should use the abbreviated Excel spreadsheet (see Reporting Template for Microagencies attached) for their annual report.  192All agencies, except for microagencies, should complete the Chief Information (CIO), Inspector General (IG) and Senior Agency Official for Privacy (SAOP) questions in the automated reporting tool for submission to OMB no later than November 18, 2009. 
195 193
194Microagencies (i.e., agencies employing 100 or fewer FTEs) should answer the abbreviated questions (see Microagencies Questions attached) for their annual report. 
196 195
196Please note that only submissions through the automated reporting tool will be accepted by OMB. 
197 197
198 198
199 199
2003. When should program officials, SAOPs, CIOs, and IGs share the results of their reviews? 2003. When should program officials, SAOPs, CIOs, and IGs share the results of their reviews?
201 201
202While the goal of FISMA is stronger agency- and Government-wide security, information regarding an agency's information security program should be shared as it becomes available. This helps promote timely correction of weaknesses in the agency's information systems and resolution of issues. Waiting until the completion of a report or the year's end does not promote stronger information system security. 202While the goal of FISMA is stronger agency- and Government-wide security, information regarding an agency's information security program should be shared as it becomes available. This helps promote timely correction of weaknesses in the agency's information systems and resolution of issues. Waiting until the completion of a report or the year's end does not promote stronger information system security.
203 203
204 204
205 205
206 206
207 207
208 208
209 209
2104. Should agencies set an internal FISMA reporting cut-off date? 2104. Should agencies set an internal FISMA reporting cut-off date?
211 211
212Yes. OMB suggests agencies set an internal cut-off date for data collection and report preparation. A cut-off date should permit adequate time for meaningful internal review and comment and resolution of any disputes before finalizing the agency's report to OMB. With respect to an IG's review of the CIO's or SAOP's work product, such review does not in itself fulfill FISMA's requirement for IGs to independently evaluate an agency's program including testing the effectiveness of a representative subset of the agency's information systems. 212Yes. OMB suggests agencies set an internal cut-off date for data collection and report preparation. A cut-off date should permit adequate time for meaningful internal review and comment and resolution of any disputes before finalizing the agency's report to OMB. With respect to an IG's review of the CIO's or SAOP's work product, such review does not in itself fulfill FISMA's requirement for IGs to independently evaluate an agency's program including testing the effectiveness of a representative subset of the agency's information systems.
213 213
214Security Reporting 
215 214
216 215
217 216
218 217
219 218
2205. Does the FISMA quarterly report represent cumulative totals of security and privacy information or show just a snapshot of additions to the agency's inventory? 
221 219
222Agencies should report the cumulative total on each of their quarterly reports, taking into account new and retiring systems. For example, in Q1, an agency may report 497 systems containing Federal information in identifiable form. If the agency adds five systems during the following quarter, then the Q2 report would include 502 systems containing Federal information in identifiable form. Likewise, if the agency retires five systems during the following quarter, then the Q2 report would include 492 systems containing Federal information in an identifiable form.  2205. Is the use of the automated reporting tool mandatory? 
223 221
222Yes, OMB will only accept submissions through the automated reporting tool. Full instructions for the use of the tool will be available in August, 2009 along with a test version. 
224 223
224Security Reporting 
225 225
226 226
227 227
228 228
229 229
2306. Must agencies report at both an agency wide level and by individual component? 2306. Must agencies report at both an agency wide level and by individual component?
231 231
232Yes. Agencies must provide an overall agency view of their security and privacy program but most of the topic areas also require specific responses for each of the major components (e.g., bureaus or operating divisions). Thus, the agencies' and OMB's report can distinguish good performing components from poor performers and more accurately reflect the overall agency performance. 232Yes. Agencies must provide an overall agency view of their security and privacy program but most of the topic areas also require specific responses for each of the major components (e.g., bureaus or operating divisions). Thus, the agencies' and OMB's report can distinguish good performing components from poor performers and more accurately reflect the overall agency performance.
233 233
234For agencies with extensive field and regional offices, it is not necessary to report to OMB on the security performance of each of the field offices. Rather, agencies shall confirm the security program of the major component which operates the field offices is: 1) effectively overseeing and measuring field performance; 2) including any weaknesses in the agency-wide POA&M; and 3) developing, implementing, and maintaining system-level POA&Ms. 234For agencies with extensive field and regional offices, it is not necessary to report to OMB on the security performance of each of the field offices. Rather, agencies shall confirm the security program of the major component which operates the field offices is: 1) effectively overseeing and measuring field performance; 2) including any weaknesses in the agency-wide POA&M; and 3) developing, implementing, and maintaining system-level POA&Ms.
235 235
236 236
237 237
238 238
239 239
2407. Should all of my agency's information systems be included as part of our FISMA report? 2407. Should all of my agency's information systems be included as part of our FISMA report?
241 241
242Yes. Section 3544(a)(1)(A) states: "The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency." Your agency's annual FISMA report therefore summarizes the performance of your agency's program to secure all of your agency's information and information systems, in any form or format, whether automated or manual. NIST Special Publication 800-37 provides guidance on establishing information system boundaries which can help you identify your systems. 242Yes. Section 3544(a)(1)(A) states: "The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency." Your agency's annual FISMA report therefore summarizes the performance of your agency's program to secure all of your agency's information and information systems, in any form or format, whether automated or manual. NIST Special Publication 800-37 provides guidance on establishing information system boundaries which can help you identify your systems.
243 243
244 244
245 245
246 246
247 247
248 248
249 249
2508. Must the Department of Defense and the Director of National Intelligence (DNI) follow OMB policy and NIST guidance? 2508. Must the Department of Defense and the Director of National Intelligence (DNI) follow OMB policy and NIST guidance?
251 251
252Provided DoD and DNI internal security standards and policies are as stringent as OMB's policies and NIST's standards, they must only follow OMB's reporting policies. 252Provided DoD and DNI internal security standards and policies are as stringent as OMB's policies and NIST's standards, they must only follow OMB's reporting policies.
253 253
254 254
255 255
256 256
257 257
258 258
259 259
2609. What reporting is required for national security systems? 2609. What reporting is required for national security systems?
261 261
262FISMA requires annual reviews and reporting of all systems, including national security systems. Agencies can choose to provide responses to the questions in the template either in aggregate with or separate from their non-national security systems. 262FISMA requires annual reviews and reporting of all systems, including national security systems. Agencies can choose to provide responses to the questions in the template either in aggregate with or separate from their non-national security systems.
263 263
264Agencies shall describe how they are implementing the requirements of FISMA for national security systems. When management and internal control oversight of an agency's national security programs and systems are handled differently than non-national security programs, a description of and explanation for the differences is required. DoD and the Director of National Intelligence (DNI) shall report on compliance with their policies and guidance. Currently, NIST, DoD and the DNI are working on harmonizing system categorization and security control selection requirements. Once guidance is harmonized, less explanation of differences will be required. 264Agencies shall describe how they are implementing the requirements of FISMA for national security systems. When management and internal control oversight of an agency's national security programs and systems are handled differently than non-national security programs, a description of and explanation for the differences is required. DoD and the Director of National Intelligence (DNI) shall report on compliance with their policies and guidance. Currently, NIST, DoD and the DNI are working on harmonizing system categorization and security control selection requirements. Once guidance is harmonized, less explanation of differences will be required.
265 265
266The CIO for the (DNI) reports on systems processing or storing sensitive compartmentalized information (SCI) across the intelligence community and those other systems for which the DNI is the principal accrediting authority. Agencies shall follow the intelligence community reporting guidance for these systems. SCI systems shall only be reported via the intelligence community report. However, this separate reporting does not alter an agency head's responsibility for overseeing the security of all operations and assets of the agency or component. Therefore, copies of separate reporting must also be provided to the agency head for their use. 266The CIO for the (DNI) reports on systems processing or storing sensitive compartmentalized information (SCI) across the intelligence community and those other systems for which the DNI is the principal accrediting authority. Agencies shall follow the intelligence community reporting guidance for these systems. SCI systems shall only be reported via the intelligence community report. However, this separate reporting does not alter an agency head's responsibility for overseeing the security of all operations and assets of the agency or component. Therefore, copies of separate reporting must also be provided to the agency head for their use.
267 267
268To assist oversight by appropriate national security authorities, it is important to specify where practicable which portion of the agency report pertains to national security systems. 268To assist oversight by appropriate national security authorities, it is important to specify where practicable which portion of the agency report pertains to national security systems.
269 269
270NIST Guidance and Standards 270NIST Guidance and Standards
271 271
272 272
273 273
274 274
275 275
276 276
277 277
278 278
279 279
28010. Is use of National Institute of Standards and Technology (NIST) publications required? 28010. Is use of National Institute of Standards and Technology (NIST) publications required?
281 281
282Yes. For non-national security programs and information systems, agencies must follow NIST standards and guidance.  282Yes. For non-national security programs and information systems, agencies must follow NIST standards and guidance guidelines. For legacy information systems, agencies are expected to be in compliance with NIST standards and guidelines within one year of the publication date unless otherwise directed by OMB. The one year compliance date for revisions to NIST publications applies only to the new and/or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to be in compliance with the NIST publications immediately upon deployment of the information system. 
283 283
284 284
285 285
286 286
287 287
288 288
289 289
29011. Is NIST guidance flexible? 29011. Is NIST guidance flexible?
291 291
292Yes. While agencies are required to follow NIST standards and guidance in accordance with OMB policy, there is flexibility within NIST's guidance documents (specifically in the 800-series) in how agencies apply the guidance. However, NIST Federal Information Processing Standards (FIPS) are mandatory. Unless specified by additional implementing policy by OMB, guidance documents published by NIST generally allow agencies latitude in their application. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable and compliant with the guidance. 292Yes. While agencies are required to follow NIST standards and guidance in accordance with OMB policy, there is flexibility within NIST's guidance documents (specifically in the 800-series) in how agencies apply the guidance. However, NIST Federal Information Processing Standards (FIPS) are mandatory. Unless specified by additional implementing policy by OMB, guidance documents published by NIST generally allow agencies latitude in their application. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable and compliant with the guidance.
293 293
294General 294General
295 295
296 296
297 297
298 298
299 299
30012. Are the security requirements outlined in the Act limited to information in electronic form? 30012. Are the security requirements outlined in the Act limited to information in electronic form?
301 301
302No. Section 3541 of FISMA provides the Act's security requirements apply to "information and information systems" without distinguishing by form or format; therefore, the security requirements outlined in FISMA apply to Federal information in all forms and formats (including electronic, paper, audio, etc.). 302No. Section 3541 of FISMA provides the Act's security requirements apply to "information and information systems" without distinguishing by form or format; therefore, the security requirements outlined in FISMA apply to Federal information in all forms and formats (including electronic, paper, audio, etc.).
303 303
304 304
305 305
306 306
307 307
308 308
309 309
31013. Does OMB give equal weight to the assessments by the agency and the IG? What if the two parties disagree? 31013. Does OMB give equal weight to the assessments by the agency and the IG? What if the two parties disagree?
311 311
312OMB gives equal weight to both assessments. In asking different questions of each party, OMB seeks complementary and not conflicting reporting. While OMB guidance requires a single report from each agency, OMB expects the report to represent the consolidated views of the agency and not separate views of various reviewers. All disagreements should be resolved prior to reporting to OMB. If a CIO or SAOP disagrees with the IG's assessment, the view of the agency head will be taken as the authoritative determination, based on the agency head's decision after consultation with the IG.  312OMB gives equal weight to both assessments. In asking different questions of each party, OMB seeks complementary and not conflicting reporting. While OMB guidance requires a single report from each agency, OMB expects the report to represent the consolidated views of the agency and not separate views of various reviewers. 
313 313
314 314
315 315
316 316
317 317
318 318
319 319
32014. FISMA, OMB policy, and NIST guidance require agency security programs to be risk-based. Who is responsible for deciding the acceptable level of risk (e.g., the CIO, program officials and system owners, or the IG)? Are the IGs' independent evaluations also to be risk-based? What if they disagree? 32014. FISMA, OMB policy, and NIST guidance require agency security programs to be risk-based. Who is responsible for deciding the acceptable level of risk (e.g., the CIO, program officials and system owners, or the IG)? Are the IGs' independent evaluations also to be risk-based? What if they disagree?
321 321
322The agency head ultimately is responsible for deciding the acceptable level of risk for their agency. System owners, program officials, and CIOs provide input for this decision. Such decisions must reflect policies from OMB and standards and guidance from NIST (particularly FIPS 199 and FIPS 200). An information system's Authorizing Official takes responsibility for accepting any residual risk, thus they are held accountable for managing the security for that system. 322The agency head ultimately is responsible for deciding the acceptable level of risk for their agency. System owners, program officials, and CIOs provide input for this decision. Such decisions must reflect policies from OMB and standards and guidance from NIST (particularly FIPS 199 and FIPS 200). An information system's Authorizing Official takes responsibility for accepting any residual risk, thus they are held accountable for managing the security for that system.
323 323
324IG evaluations are intended to independently assess if the agency is applying a risk-based approach to their information security programs and the information systems that support the conduct of agency missions and business functions. When reviewing the Certification and Accreditation (C&A) of an individual system, for example, the IG would generally assess whether: 1) the C&A was performed in the manner prescribed in NIST guidance and agency policy; 2) controls are being implemented as stated in any planning documentation; and 3) continuous monitoring is adequate given the system impact level of the system and information. Any disagreements among various program officials, the CIO, and/or the IG would be an internal agency matter; however the view of the agency head will be taken as the authoritative determination, based on the agency head's decision after consultation with the IG.  324IG evaluations are intended to independently assess if the agency is applying a risk-based approach to their information security programs and the information systems that support the conduct of agency missions and business functions. When reviewing the Certification and Accreditation (C&A) of an individual system, for example, the IG would generally assess whether: 1) the C&A was performed in the manner prescribed in NIST guidance and agency policy; 2) controls are being implemented as stated in any planning documentation; and 3) continuous monitoring is adequate given the system impact level of the system and information. 
325 325
326 326
327 327
328 328
329 329
33015. Could you provide examples of high impact systems? 33015. Could you provide examples of high impact systems?
331 331
332In some respects, the answer to this question is unique to each agency depending on their mission requirements. At the same time, some examples are relatively obvious and common to all agencies. As a rebuttable presumption, all cyber critical infrastructure and key resources identified in an agency's Homeland Security Policy Directive – 7 (HSPD-7) plans are high impact, as are all systems identified as necessary to support agency continuity of operations. Systems necessary for continuity of operations purposes include, for example, telecommunications systems identified in agency reviews under OMB's June 30, 2005, memorandum M-05-16, "Regulation on Maintaining Telecommunications Service During Crisis or Emergency in Federally-owned Buildings," implementing Section 414 the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (Division H of Public Law 108-447). 332In some respects, the answer to this question is unique to each agency depending on their mission requirements. At the same time, some examples are relatively obvious and common to all agencies. As a rebuttable presumption, all cyber critical infrastructure and key resources identified in an agency's Homeland Security Policy Directive – 7 (HSPD-7) plans are high impact, as are all systems identified as necessary to support agency continuity of operations. Systems necessary for continuity of operations purposes include, for example, telecommunications systems identified in agency reviews under OMB's June 30, 2005, memorandum M-05-16, "Regulation on Maintaining Telecommunications Service During Crisis or Emergency in Federally-owned Buildings," implementing Section 414 the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (Division H of Public Law 108-447).
333 333
334Additionally, information systems used by agencies to provide services to other agencies such as under e-Government initiatives and lines of business, could also be high impact, but are at least moderate impact. The decision as to information system impact level in this circumstance must be agreed to by the provider and all of its customers. 334Additionally, information systems used by agencies to provide services to other agencies such as under e-Government initiatives and lines of business, could also be high impact, but are at least moderate impact. The decision as to information system impact level in this circumstance must be agreed to by the provider and all of its customers.
335 335
336 336
337 337
338 338
339 339
34016. My IG says the agency's inventory of major information systems is less than 96% complete. How do I reconcile the differing lists? 34016. My IG says the agency's inventory of major information systems is less than 96% complete. How do I reconcile the differing lists?
341 341
342OMB expects agency IGs to provide to the agency CIO and OMB the list of systems they've identified as not being part of the agency's inventory. 342OMB expects agency IGs to provide to the agency CIO and OMB the list of systems they've identified as not being part of the agency's inventory.
343 343
344 344
345 345
346 346
347 347
348 348
349 349
35017. When OMB asks if an agency has a process, are you also asking if the process is implemented and is effective? 35017. When OMB asks if an agency has a process, are you also asking if the process is implemented and is effective?
351 351
352Yes. OMB wants to know whether processes are working effectively to safeguard information and information systems. An ineffective process cannot be relied upon to achieve its information security and privacy objectives. To gauge the effectiveness of a particular IT security program process, we rely on responses to questions asked of the agency IG. 352Yes. OMB wants to know whether processes are working effectively to safeguard information and information systems. An ineffective process cannot be relied upon to achieve its information security and privacy objectives. To gauge the effectiveness of a particular IT security program process, we rely on responses to questions asked of the agency IG.
353 353
354 354
355 355
356 356
357 357
358 358
359 359
36018. We often find security weaknesses requiring additional and significant resources to correct such discoveries seldom coincide with the budget process; can we delay correction until the next budget cycle? 36018. We often find security weaknesses requiring additional and significant resources to correct such discoveries seldom coincide with the budget process; can we delay correction until the next budget cycle?
361 361
362No. Agencies must plan for security needs as they develop new and operate existing systems and as security weaknesses are identified. 362No. Agencies must plan for security needs as they develop new and operate existing systems and as security weaknesses are identified.
363 363
364OMB's policies regarding information security funding were articulated in OMB Memorandum M-00-07 dated February 28, 2000. They remain in effect, were repeated in OMB Memorandum M-06-19, and are included in OMB's budget preparation guidance, i.e., Circular A-11. In brief, agencies must do two specific things. First, they must integrate security into and fund it over the lifecycle of each system as it is developed. This requirement was codified in section 3544(b)(2)(C) of FISMA. Second, the operations of legacy (steady-state) systems must meet security requirements before funds are spent on new systems (development, modernization or enhancement). 364OMB's policies regarding information security funding were articulated in OMB Memorandum M-00-07 dated February 28, 2000. They remain in effect, were repeated in OMB Memorandum M-06-19, and are included in OMB's budget preparation guidance, i.e., Circular A-11. In brief, agencies must do two specific things. First, they must integrate security into and fund it over the lifecycle of each system as it is developed. This requirement was codified in section 3544(b)(2)(C) of FISMA. Second, the operations of legacy (steady-state) systems must meet security requirements before funds are spent on new systems (development, modernization or enhancement).
365 365
366As an example of this policy in practice, if an agency has a legacy system not currently certified and accredited, or for which a contingency plan has not been tested, these actions must be completed before spending funds on a new system. A simple way to accomplish this is to redirect the relatively modest costs of C&A or contingency plan testing from the funds intended for development, modernization or enhancement. 366As an example of this policy in practice, if an agency has a legacy system not currently certified and accredited, or for which a contingency plan has not been tested, these actions must be completed before spending funds on a new system. A simple way to accomplish this is to redirect the relatively modest costs of C&A or contingency plan testing from the funds intended for development, modernization or enhancement.
367 367
368OMB recognizes other unanticipated security needs may arise from time-to-time. In such cases, agencies should prioritize available resources to correct the most significant weaknesses. Correcting such weaknesses would still be required prior to spending funds on development on an interim basis, and NIST's Special Publication 800-53 "Recommended Security Controls for Federal Information Systems" provides guidance for using these compensating controls. 368OMB recognizes other unanticipated security needs may arise from time-to-time. In such cases, agencies should prioritize available resources to correct the most significant weaknesses. Correcting such weaknesses would still be required prior to spending funds on development on an interim basis, and NIST's Special Publication 800-53 "Recommended Security Controls for Federal Information Systems" provides guidance for using these compensating controls.
369 369
37019. You are no longer asking agencies to report significant deficiencies in the annual FISMA report. Don't we have to report them? 37019. You are no longer asking agencies to report significant deficiencies in the annual FISMA report. Don't we have to report them?
371 371
372Not in your annual FISMA report to OMB. However, agencies must maintain all documentation supporting a finding of a significant deficiency and make it available in a timely manner upon request by OMB or other oversight authorities. 372Not in your annual FISMA report to OMB. However, agencies must maintain all documentation supporting a finding of a significant deficiency and make it available in a timely manner upon request by OMB or other oversight authorities.
373 373
374FISMA requires agencies to report a significant deficiency as: 1) a material weakness under FMFIA, and 2) an instance of a lack of substantial compliance under FFMIA, if related to financial management systems. (See OMB Circular A-123 for further information on reporting significant deficiencies.) As you know, all security weaknesses must be included in and tracked on your plan of action and milestones. 374FISMA requires agencies to report a significant deficiency as: 1) a material weakness under FMFIA, and 2) an instance of a lack of substantial compliance under FFMIA, if related to financial management systems. (See OMB Circular A-123 for further information on reporting significant deficiencies.) As you know, all security weaknesses must be included in and tracked on your plan of action and milestones.
375 375
376A significant deficiency is defined as a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken. 376A significant deficiency is defined as a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken.
377 377
378 378
379 379
38020. Should my agency's regulatory and information collection activities apply FISMA and privacy requirements? 38020. Should my agency's regulatory and information collection activities apply FISMA and privacy requirements?
381 381
382Yes and Federal regulatory and information collection activities depend upon quality information protected from unauthorized access, use, disclosure, disruption, modification, or destruction. 382Yes and Federal regulatory and information collection activities depend upon quality information protected from unauthorized access, use, disclosure, disruption, modification, or destruction.
383 383
384Federal regulatory and information collection activities often require Federal agencies, and entities (e.g., contractors, private companies, non-profit organizations) which operate on behalf of Federal agencies, to collect, create, process, or maintain Federal government information. When developing regulations, agencies must ensure information security and privacy law and policy are applied where appropriate. Your agency's information collection activities (subject to the Paperwork Reduction Act and OMB's rule providing implementing guidance found at 5 CFR 1320), including those activities conducted or sponsored by other entities on behalf of your agency, must also ensure procedures for adequately securing and safeguarding Federal information are consistent with existing law and policy. 384Federal regulatory and information collection activities often require Federal agencies, and entities (e.g., contractors, private companies, non-profit organizations) which operate on behalf of Federal agencies, to collect, create, process, or maintain Federal government information. When developing regulations, agencies must ensure information security and privacy law and policy are applied where appropriate. Your agency's information collection activities (subject to the Paperwork Reduction Act and OMB's rule providing implementing guidance found at 5 CFR 1320), including those activities conducted or sponsored by other entities on behalf of your agency, must also ensure procedures for adequately securing and safeguarding Federal information are consistent with existing law and policy.
385 385
386If your agency promulgates regulations requiring entities which operate on behalf of your agency to collect, create, process, or maintain Federal information, then procedures established by the regulation for adequately securing and safeguarding this information must be consistent with existing law and policy (e.g., FISMA, the Privacy Act, the E-Gov Act, OMB security and privacy policy, and NIST standards and guidance), regardless of whether the information is being held at the Agency or with the entity collecting, processing, or maintaining the information on behalf of the agency. 386If your agency promulgates regulations requiring entities which operate on behalf of your agency to collect, create, process, or maintain Federal information, then procedures established by the regulation for adequately securing and safeguarding this information must be consistent with existing law and policy (e.g., FISMA, the Privacy Act, the E-Gov Act, OMB security and privacy policy, and NIST standards and guidance), regardless of whether the information is being held at the Agency or with the entity collecting, processing, or maintaining the information on behalf of the agency.
387 387
388 388
389 389
39021. Are agencies allowed to utilize data services in the private sector, including "software as a service" and "software subscription" type solutions? 39021. Are agencies allowed to utilize data services in the private sector, including "software as a service" and "software subscription" type solutions?
391 391
392Yes. Agencies are permitted to utilize these types of agreements and arrangements, provided appropriate security controls are implemented, tested, and reviewed as part of your agency's information security program. We encourage agencies to seek out and utilize private sector, market-driven solutions resulting in cost savings and performance improvements - provided agency information is protected to the degree required by FISMA, FISMA implementing standards, and associated guidance. As with other contractor services and relationships, agencies should include these software solutions and subscriptions as they complete their annual security reviews. 392Yes. Agencies are permitted to utilize these types of agreements and arrangements, provided appropriate security controls are implemented, tested, and reviewed as part of your agency's information security program. We encourage agencies to seek out and utilize private sector, market-driven solutions resulting in cost savings and performance improvements - provided agency information is protected to the degree required by FISMA, FISMA implementing standards, and associated guidance. As with other contractor services and relationships, agencies should include these software solutions and subscriptions as they complete their annual security reviews.
393 393
394 394
395 395
396 396
397 397
398 398
399 399
40022. How do agencies ensure FISMA compliance for connections to non-agency systems? Do Statement of Auditing Standards No. 70 (SAS 70) audits meet the requirements of FISMA and implementing policies and guidance? 40022. How do agencies ensure FISMA compliance for connections to non-agency systems? Do Statement of Auditing Standards No. 70 (SAS 70) audits meet the requirements of FISMA and implementing policies and guidance?
401 401
402NIST Special Publication 800-47 "Security Guide for Interconnecting Information Technology Systems" (August 2002) provides a management approach for interconnecting IT systems, with an emphasis on security. The document recommends development of an Interconnection Security Agreement (ISA) and a Memorandum of Understanding (MOU). The ISA specifies the technical and security requirements of the interconnection, and the MOU defines the responsibilities of the participating organizations. The security guide recommends regular communications between the organizations throughout the life cycle of the interconnection. One or both organizations shall review the security controls for the interconnection at least annually or whenever a significant change occurs to ensure the controls are operating properly and are providing appropriate levels of protection. 402NIST Special Publication 800-47 "Security Guide for Interconnecting Information Technology Systems" (August 2002) provides a management approach for interconnecting IT systems, with an emphasis on security. The document recommends development of an Interconnection Security Agreement (ISA) and a Memorandum of Understanding (MOU). The ISA specifies the technical and security requirements of the interconnection, and the MOU defines the responsibilities of the participating organizations. The security guide recommends regular communications between the organizations throughout the life cycle of the interconnection. One or both organizations shall review the security controls for the interconnection at least annually or whenever a significant change occurs to ensure the controls are operating properly and are providing appropriate levels of protection.
403 403
404Security reviews may be conducted by designated audit authorities of one or both organizations, or by an independent third party. Both organizations shall agree on the rigor and frequency of reviews as well as a reporting process. 404Security reviews may be conducted by designated audit authorities of one or both organizations, or by an independent third party. Both organizations shall agree on the rigor and frequency of reviews as well as a reporting process.
405 405
406SAS 70 audits may or may not meet the requirements of FISMA. The private sector relies on Statement on Auditing Standards (SAS) No. 70, to ensure among other purposes compliance with Section 404 of the Sarbanes-Oxley Act of 2002, requiring management assessment of internal controls. While SAS 70 reports may be sufficient to determine contractor compliance with OMB Circular A-123 and financial statement audit requirements, it is not a pre-determined set of control objectives or control activities, and therefore is not in itself sufficient to meet FISMA requirements. In addition, it is not always clear the extent to which specific systems supporting the Government activity or contract are actually reviewed as part of a particular audit. In determining whether SAS 70 reports provide sufficient evidence of contractor system FISMA compliance, it is the agency's responsibility to ensure: 406SAS 70 audits may or may not meet the requirements of FISMA. The private sector relies on Statement on Auditing Standards (SAS) No. 70, to ensure among other purposes compliance with Section 404 of the Sarbanes-Oxley Act of 2002, requiring management assessment of internal controls. While SAS 70 reports may be sufficient to determine contractor compliance with OMB Circular A-123 and financial statement audit requirements, it is not a pre-determined set of control objectives or control activities, and therefore is not in itself sufficient to meet FISMA requirements. In addition, it is not always clear the extent to which specific systems supporting the Government activity or contract are actually reviewed as part of a particular audit. In determining whether SAS 70 reports provide sufficient evidence of contractor system FISMA compliance, it is the agency's responsibility to ensure:
407 407
408 • The scope of the SAS 70 audit was sufficient, and fully addressed the specific contractor system requiring FISMA review. 408 • The scope of the SAS 70 audit was sufficient, and fully addressed the specific contractor system requiring FISMA review.
409 • The audit encompassed all controls and requirements of law, OMB policy and NIST guidance. 409 • The audit encompassed all controls and requirements of law, OMB policy and NIST guidance.
410 410
411To reduce burden on agencies and service providers and increase efficiency, agencies and IGs should share with their counterparts at other agencies any assessment described above. 411To reduce burden on agencies and service providers and increase efficiency, agencies and IGs should share with their counterparts at other agencies any assessment described above.
412 412
413C&A 413C&A
414 414
415 415
416 416
417 417
418 418
419 419
42023. Why place such an emphasis on the C&A of agency information systems? 42023. Why place such an emphasis on the C&A of agency information systems?
421 421
422The C&A process when applied to agency information systems, provides a systematic approach for assessing security controls to determine their overall effectiveness; that is, the extent to which operational, technical, and managerial security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system is essential in determining the risk to the organization's operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system. 422The C&A process when applied to agency information systems, provides a systematic approach for assessing security controls to determine their overall effectiveness; that is, the extent to which operational, technical, and managerial security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system is essential in determining the risk to the organization's operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system.
423 423
424Agencies are reminded the C&A process is more than just planning. The continuous monitoring phase of the C&A process (discussed in NIST Special Publications 800-37 and 800-53) must include an appropriate set of management, operational, and technical controls including controls over physical access to systems and information. Agency officials and IGs should be advised of the results of this monitoring as appropriate. OMB asks CIOs to present a quantitative assessment and the IGs a qualitative assessment of the C&A process. 424Agencies are reminded the C&A process is more than just planning. The continuous monitoring phase of the C&A process (discussed in NIST Special Publications 800-37 and 800-53) must include an appropriate set of management, operational, and technical controls including controls over physical access to systems and information. Agency officials and IGs should be advised of the results of this monitoring as appropriate. OMB asks CIOs to present a quantitative assessment and the IGs a qualitative assessment of the C&A process.
425 425
426 426
427 427
428 428
429 429
43024. Is C&A required for all information systems? OMB Circular A-130 requires authorization to process only for general support systems and major applications. 43024. Is C&A required for all information systems? OMB Circular A-130 requires authorization to process only for general support systems and major applications.
431 431
432Yes, C&A is required for all Federal information systems. Section 3544(b)(3) of FISMA refers to "subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems" and does not distinguish between major or other applications. Smaller "systems" and "applications" may be included as part of the assessment of a larger system-as allowable in NIST guidance and provided an appropriate risk assessment is completed and security controls are implemented. 432Yes, C&A is required for all Federal information systems. Section 3544(b)(3) of FISMA refers to "subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems" and does not distinguish between major or other applications. Smaller "systems" and "applications" may be included as part of the assessment of a larger system-as allowable in NIST guidance and provided an appropriate risk assessment is completed and security controls are implemented.
433 433
434 434
435 435
436 436
437 437
438 438
439 439
44025. Does OMB recognize interim authority to operate for C&A? 44025. Does OMB recognize interim authority to operate for C&A?
441 441
442No. The C&A process has been required for many years, and it is important to measure the implementation of this process to improve consistency and quality Government-wide. Introducing additional inconsistency to the Government's security program would be counter to FISMA's goals. 442No. The C&A process has been required for many years, and it is important to measure the implementation of this process to improve consistency and quality Government-wide. Introducing additional inconsistency to the Government's security program would be counter to FISMA's goals.
443 443
444Testing 444Testing
445 445
446 446
447 447
448 448
449 449
45026. Must all agency information systems be tested and evaluated annually? 45026. Must all agency information systems be tested and evaluated annually?
451 451
452Yes, all information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency must be tested at least annually. FISMA (section 3544(b)(5)) requires each agency to perform for all systems "periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually." This review shall include the testing of management, operational, and technical controls. 452Yes, all information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency must be tested at least annually. FISMA (section 3544(b)(5)) requires each agency to perform for all systems "periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually." This review shall include the testing of management, operational, and technical controls.
453 453
454 454
455 455
456 456
457 457
458 458
459 459
46027. How can agencies meet the annual testing and evaluation (review) requirement? 46027. How can agencies meet the annual testing and evaluation (review) requirement?
461 461
462To satisfy the annual FISMA assessment requirement, organizations can draw upon the security control assessment results from any of the following sources, including but not limited to: 462To satisfy the annual FISMA assessment requirement, organizations can draw upon the security control assessment results from any of the following sources, including but not limited to:
463 463
464 • security certifications conducted as part of an information system accreditation or re-accreditation process; 464 • security certifications conducted as part of an information system accreditation or re-accreditation process;
465 • continuous monitoring activities; or 465 • continuous monitoring activities; or
466 • testing and evaluation of the information system as part of the ongoing system development life cycle process (provided that the testing and evaluation results are current and relevant to the determination of security control effectiveness). 466 • testing and evaluation of the information system as part of the ongoing system development life cycle process (provided that the testing and evaluation results are current and relevant to the determination of security control effectiveness).
467 467
468Existing security assessment results can be reused to the extent that they are still valid and are supplemented with additional assessments as needed. Reuse of assessment information is critical in achieving a broad-based, cost-effective, and fully integrated security program capable of producing the needed evidence to determine the actual security status of the information system. 468Existing security assessment results can be reused to the extent that they are still valid and are supplemented with additional assessments as needed. Reuse of assessment information is critical in achieving a broad-based, cost-effective, and fully integrated security program capable of producing the needed evidence to determine the actual security status of the information system.
469 469
470FISMA does not require an annual assessment of all security controls employed in an organizational information system. In accordance with OMB policy, organizations must determine the necessary depth and breadth of an annual review and assess a subset of the security controls based on several factors, including: (i) the FIPS 199 security categorization of the information system; (ii) the specific security controls selected and employed by the organization to protect the information system; (iii) the relative comprehensiveness of the most recent past review, (iv) the adequacy and successful implementation of the plan of action and milestone (POA&M) for weaknesses in the system, (v) advice from IGs or US-CERT on threats and vulnerabilities at your agency, and (vi) the level of assurance (or confidence) that the organization must have in determining the effectiveness of the security controls in the information system, among others. 470FISMA does not require an annual assessment of all security controls employed in an organizational information system. In accordance with OMB policy, organizations must determine the necessary depth and breadth of an annual review and assess a subset of the security controls based on several factors, including: (i) the FIPS 199 security categorization of the information system; (ii) the specific security controls selected and employed by the organization to protect the information system; (iii) the relative comprehensiveness of the most recent past review, (iv) the adequacy and successful implementation of the plan of action and milestone (POA&M) for weaknesses in the system, (v) advice from IGs or US-CERT on threats and vulnerabilities at your agency, and (vi) the level of assurance (or confidence) that the organization must have in determining the effectiveness of the security controls in the information system, among others.
471 471
472It is expected agencies will assess all of the security controls in the information system during the three-year accreditation cycle, and agencies can use the current year's assessment results obtained during security certification to meet the annual FISMA assessment requirement. 472It is expected agencies will assess all of the security controls in the information system during the three-year accreditation cycle, and agencies can use the current year's assessment results obtained during security certification to meet the annual FISMA assessment requirement.
473 473
474 474
475 475
476 476
477 477
478 478
479 479
48028. What NIST guidance must agencies use for their annual testing and evaluations? 48028. What NIST guidance must agencies use for their annual testing and evaluations?
481 481
482Agencies are required to use FIPS 200/NIST Special Publication 800-53 for the specification of security controls and NIST Special Publications 800-37 and 800-53A for the assessment of security control effectiveness. DoD and DNI may use their internal policies, directives and guidance provided that they are as stringent as the NIST security standards. 482Agencies are required to use FIPS 200/NIST Special Publication 800-53 for the specification of security controls and NIST Special Publications 800-37 and 800-53A for the assessment of security control effectiveness. DoD and DNI may use their internal policies, directives and guidance provided that they are as stringent as the NIST security standards.
483 483
484 484
485 485
486 486
487 487
488 488
489 489
49029. Why should agencies conduct continuous monitoring of their security controls? 49029. Why should agencies conduct continuous monitoring of their security controls?
491 491
492Continuous monitoring of security controls is a cost-effective and important part of managing enterprise risk and maintaining an accurate understanding of the security risks confronting your agency's information systems. Continuous monitoring of security controls is required as part of the security C&A process to ensure controls remain effective over time (e.g., after the initial authorization or reauthorization of an information system) in the face of changing threats, missions, environments of operation, and technologies. 492Continuous monitoring of security controls is a cost-effective and important part of managing enterprise risk and maintaining an accurate understanding of the security risks confronting your agency's information systems. Continuous monitoring of security controls is required as part of the security C&A process to ensure controls remain effective over time (e.g., after the initial authorization or reauthorization of an information system) in the face of changing threats, missions, environments of operation, and technologies.
493 493
494Agencies should develop an enterprise-wide strategy for selecting subsets of their security controls to be monitored on an ongoing basis to ensure all controls are assessed during the three-year accreditation cycle. A robust and effective continuous monitoring program will ensure important procedures included in an agency's accreditation package (e.g., as described in system security plans, security assessment reports, and POAMs) are updated as appropriate and contain the necessary information for authorizing officials to make credible risk-based decisions regarding the security state of the information system on an ongoing basis. This will help make the C&A process more dynamic and responsive to today's federal missions and rapidly changing conditions. NIST Special Publications 800-37, 800-53, and 800-53A provide guidance on continuous monitoring programs. 494Agencies should develop an enterprise-wide strategy for selecting subsets of their security controls to be monitored on an ongoing basis to ensure all controls are assessed during the three-year accreditation cycle. A robust and effective continuous monitoring program will ensure important procedures included in an agency's accreditation package (e.g., as described in system security plans, security assessment reports, and POAMs) are updated as appropriate and contain the necessary information for authorizing officials to make credible risk-based decisions regarding the security state of the information system on an ongoing basis. This will help make the C&A process more dynamic and responsive to today's federal missions and rapidly changing conditions. NIST Special Publications 800-37, 800-53, and 800-53A provide guidance on continuous monitoring programs.
495 495
496 496
497 497
498 498
499 499
50030. Do agencies need to test and evaluate (review) security controls on low impact information systems? 50030. Do agencies need to test and evaluate (review) security controls on low impact information systems?
501 501
502Yes. While the depth and breadth of security controls testing and evaluation (review) will vary based on information system risk and system impact level, agencies are required to do annual testing and evaluation (review) of ALL systems. NIST Special Publications 800-37 and 800-53A provide guidance on assessment of security controls in low-impact information systems. 502Yes. While the depth and breadth of security controls testing and evaluation (review) will vary based on information system risk and system impact level, agencies are required to do annual testing and evaluation (review) of ALL systems. NIST Special Publications 800-37 and 800-53A provide guidance on assessment of security controls in low-impact information systems.
503 503
504Configuration Management 504Configuration Management
505 505
506 506
507 507
508 508
509 509
51031. What are minimally acceptable system configuration requirements? 51031. What are minimally acceptable system configuration requirements?
511 511
512FISMA (section 3544(b)(2)(D)(iii)) requires each agency to develop minimally acceptable system configuration requirements and ensure compliance with them. Common security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources. This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of Government information. 512FISMA (section 3544(b)(2)(D)(iii)) requires each agency to develop minimally acceptable system configuration requirements and ensure compliance with them. Common security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources. This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of Government information.
513 513
514Agencies are to cite the frequency by which they implement system configuration requirements. Security configuration checklists are now available for computer software widely used within the Federal Government, and they can be found on the NIST Computer Security Division web site (see: http://checklists.nist.gov) as well as the NSA System and Network Attack Center web site. Agencies must document and provide NIST with any deviations from the common security configurations (send documentation to checklists@nist.gov) and be prepared to justify why they are not using them. IGs should review such use. 514Agencies are to cite the frequency by which they implement system configuration requirements. Security configuration checklists are now available for computer software widely used within the Federal Government, and they can be found on the NIST Computer Security Division web site (see: http://checklists.nist.gov) as well as the NSA System and Network Attack Center web site. Agencies must document and provide NIST with any deviations from the common security configurations (send documentation to checklists@nist.gov) and be prepared to justify why they are not using them. IGs should review such use.
515 515
516In FY 2007, OMB issued policy for agencies to adopt security configurations for Windows XP and VISTA, as well as policy for ensuring new acquisitions include common security configurations. For more information, see OMB Memorandum M-07-11 "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems," at: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf, and OMB Memorandum M-07-18 "Ensuring New Acquisitions Include Common Security Configurations," at: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf, respectively. The acquisition language in OMB M-07-18 was published in the Federal Register, FAR 2007-004. For all contracts, the following language should be included, to encompass Federal Desktop Core Configurations: 516In FY 2007, OMB issued policy for agencies to adopt security configurations for Windows XP and VISTA, as well as policy for ensuring new acquisitions include common security configurations. For more information, see OMB Memorandum M-07-11 "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems," at: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf, and OMB Memorandum M-07-18 "Ensuring New Acquisitions Include Common Security Configurations," at: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf, respectively. The acquisition language in OMB M-07-18 was published in the Federal Register, FAR 2007-004. For all contracts, the following language should be included, to encompass Federal Desktop Core Configurations:
517 517
518 "(d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated." 518 "(d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated."
519 519
52032. Why must agencies explain their performance metrics in terms of FIPS 199 categories? 52032. Why must agencies explain their performance metrics in terms of FIPS 199 categories?
521 521
522FISMA directed NIST to develop a standard to categorize all information and information systems based upon the need to provide appropriate levels of information security according to a range of risk levels. "Federal Information Processing Standard 199: Standards for Security Categorization of Federal Information and Information Systems" (February 2004) defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These impact levels are: low, moderate and high. Agencies must categorize their information and information systems using one of these three categories in order to comply with the minimum security requirements described in FIPS 200 and to determine which security controls in NIST Special Publication 800-53 are required. While NIST guidance does not apply to national security systems nor DoD nor DNI, OMB expects all agencies to implement a reasonably similar process. 522FISMA directed NIST to develop a standard to categorize all information and information systems based upon the need to provide appropriate levels of information security according to a range of risk levels. "Federal Information Processing Standard 199: Standards for Security Categorization of Federal Information and Information Systems" (February 2004) defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These impact levels are: low, moderate and high. Agencies must categorize their information and information systems using one of these three categories in order to comply with the minimum security requirements described in FIPS 200 and to determine which security controls in NIST Special Publication 800-53 are required. While NIST guidance does not apply to national security systems nor DoD nor DNI, OMB expects all agencies to implement a reasonably similar process.
523 523
524POA&M 524POA&M
525 525
526 526
527 527
528 528
529 529
53033. What is required of agency POA&Ms? 53033. What is required of agency POA&Ms?
531 531
532As outlined in previous guidance (OMB M-04-25, "FY 2004 Reporting Instructions for the Federal Information Security Management Act") Agency POA&Ms must: 532As outlined in previous guidance (OMB M-04-25, "FY 2004 Reporting Instructions for the Federal Information Security Management Act") Agency POA&Ms must:
533 533
534 1) Be tied to the agency's budget submission through the unique project identifier of a system. This links the security costs for a system with the security performance of a system. 534 1) Be tied to the agency's budget submission through the unique project identifier of a system. This links the security costs for a system with the security performance of a system.
535 2) Include all security weaknesses found during any other review done by, for, or on behalf of the agency, including GAO audits, financial system audits, and critical infrastructure vulnerability assessments. These plans should be the authoritative agency-wide management tool, inclusive of all evaluations. 535 2) Include all security weaknesses found during any other review done by, for, or on behalf of the agency, including GAO audits, financial system audits, and critical infrastructure vulnerability assessments. These plans should be the authoritative agency-wide management tool, inclusive of all evaluations.
536 3) Be shared with the agency IG to ensure independent verification and validation of identified weaknesses and completed corrective actions. 536 3) Be shared with the agency IG to ensure independent verification and validation of identified weaknesses and completed corrective actions.
537 4) Be submitted to OMB upon request. 537 4) Be submitted to OMB upon request.
538 538
539While agencies are no longer required to follow the exact format prescribed in the POA&M examples in M-04-25, they must still include all of the associated data elements in their POA&Ms. To facilitate compliance with POA&M reporting requirements, agencies may choose to utilize the FISMA reporting services of a Shared Service Center as part of the Information Security Line of Business. 539While agencies are no longer required to follow the exact format prescribed in the POA&M examples in M-04-25, they must still include all of the associated data elements in their POA&Ms. To facilitate compliance with POA&M reporting requirements, agencies may choose to utilize the FISMA reporting services of a Shared Service Center as part of the Information Security Line of Business.
540 540
541 541
542 542
543 543
544 544
545 545
546 546
547 547
548 548
549 549
55034. Can a POA&M process be effective even when correcting identified weaknesses is untimely? 55034. Can a POA&M process be effective even when correcting identified weaknesses is untimely?
551 551
552Yes. The purpose of a POA&M is to identify and track security weaknesses in one location. A POA&M permits agency officials and oversight authorities to identify when documented corrective actions are both timely and untimely. In either circumstance, the POA&M has served its intended purpose. Agency managers can use the POA&M process to focus resources to resolve delays. 552Yes. The purpose of a POA&M is to identify and track security weaknesses in one location. A POA&M permits agency officials and oversight authorities to identify when documented corrective actions are both timely and untimely. In either circumstance, the POA&M has served its intended purpose. Agency managers can use the POA&M process to focus resources to resolve delays.
553 553
554Contractor Monitoring and Controls 554Contractor Monitoring and Controls
555 555
556 556
557 557
558 558
559 559
56035. Must Government contractors abide by FISMA requirements? 56035. Must Government contractors abide by FISMA requirements?
561 561
562Yes, and each agency must ensure their contractors are doing so. Section 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including "information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency." Section 3544(b) requires each agency to provide information security for the information and "information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source." This includes services which are either fully or partially provided, including agency hosted, outsourced, and software-as-a-service (SaaS) solutions. 562Yes, and each agency must ensure their contractors are doing so. Section 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including "information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency." Section 3544(b) requires each agency to provide information security for the information and "information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source." This includes services which are either fully or partially provided, including agency hosted, outsourced, and software-as-a-service (SaaS) solutions.
563 563
564Because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than prior security law. That is, agency information security programs apply to all organizations (sources) which possess or use Federal information – or which operate, use, or have access to Federal information systems (whether automated or manual) – on behalf of a Federal agency. Such other organizations may include contractors, grantees, State and local Governments, industry partners, providers of software subscription services, etc. FISMA, therefore, underscores longstanding OMB policy concerning sharing Government information and interconnecting systems. 564Because FISMA applies to both information and information systems used by the agency, contractors, and other organizations and sources, it has somewhat broader applicability than prior security law. That is, agency information security programs apply to all organizations (sources) which possess or use Federal information – or which operate, use, or have access to Federal information systems (whether automated or manual) – on behalf of a Federal agency. Such other organizations may include contractors, grantees, State and local Governments, industry partners, providers of software subscription services, etc. FISMA, therefore, underscores longstanding OMB policy concerning sharing Government information and interconnecting systems.
565 565
566Therefore, Federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls (see OMB Circular A-130, Appendix III). Agencies must develop policies for information security oversight of contractors and other users with privileged access to Federal data. Agencies must also review the security of other users with privileged access to Federal data and systems. 566Therefore, Federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls (see OMB Circular A-130, Appendix III). Agencies must develop policies for information security oversight of contractors and other users with privileged access to Federal data. Agencies must also review the security of other users with privileged access to Federal data and systems.
567 567
568Finally, because FISMA applies to Federal information and information systems, in certain limited circumstances its requirements also apply to a specific class of information technology to which Clinger-Cohen did not, i.e., "equipment that is acquired by a Federal contractor incidental to a Federal contract." Therefore, when Federal information is used within incidentally acquired equipment, the agency continues to be responsible and accountable for ensuring FISMA requirements are met. 568Finally, because FISMA applies to Federal information and information systems, in certain limited circumstances its requirements also apply to a specific class of information technology to which Clinger-Cohen did not, i.e., "equipment that is acquired by a Federal contractor incidental to a Federal contract." Therefore, when Federal information is used within incidentally acquired equipment, the agency continues to be responsible and accountable for ensuring FISMA requirements are met.
569 569
57036. Could you provide examples of "incidental" contractor equipment which is not subject to FISMA? 57036. Could you provide examples of "incidental" contractor equipment which is not subject to FISMA?
571 571
572In considering the answer to this question, it is essential to remember FISMA requires agencies to provide security protections "...commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency; and information systems used or operated by an agency or other organization on behalf of an agency." This includes services which are either fully or partially provided by another source, including agency hosted, outsourced, and SaaS solutions. 572In considering the answer to this question, it is essential to remember FISMA requires agencies to provide security protections "...commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency; and information systems used or operated by an agency or other organization on behalf of an agency." This includes services which are either fully or partially provided by another source, including agency hosted, outsourced, and SaaS solutions.
573 573
574A corporate human resource or financial management system acquired solely to assist managing corporate resources assigned to a Government contract could be incidental, provided the system does not use agency information or interconnect with an agency system. 574A corporate human resource or financial management system acquired solely to assist managing corporate resources assigned to a Government contract could be incidental, provided the system does not use agency information or interconnect with an agency system.
575 575
576 576
577 577
578 578
579 579
58037. Could you provide examples of agency security responsibilities concerning contractors and other sources? 58037. Could you provide examples of agency security responsibilities concerning contractors and other sources?
581 581
582FISMA requires agencies to provide security protections "...commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency; and information systems used or operated by an agency or other organization on behalf of an agency." This includes full or partial operations. 582FISMA requires agencies to provide security protections "...commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency; and information systems used or operated by an agency or other organization on behalf of an agency." This includes full or partial operations.
583 583
584While we cannot anticipate all possible combinations and permutations, there are five primary categories of contractors as they relate to securing systems and information: 1) service providers, 2) contractor support, 3) Government Owned, Contractor Operated facilities (GOCO), 4) laboratories and research centers, and 5) management and operating contracts. 584While we cannot anticipate all possible combinations and permutations, there are five primary categories of contractors as they relate to securing systems and information: 1) service providers; 2) contractor support; 3) Government Owned, Contractor Operated facilities (GOCO); 4) laboratories and research centers; and 5) management and operating contracts.
585 585
586 1) Service providers -- this encompasses typical outsourcing of system or network operations, telecommunications services, or other managed services (including those provided by another agency and subscribing to software services). 586 1) Service providers -- this encompasses typical outsourcing of system or network operations, telecommunications services, or other managed services (including those provided by another agency and subscribing to software services).
587 587
588 Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed and such must be included in the terms of the contract. Agencies must ensure identical, not "equivalent," security procedures. For example, annual reviews, risk assessments, security plans, control testing, contingency planning, and C&A must, at a minimum, explicitly meet guidance from NIST. Additionally, IGs shall include some contractor systems in their "representative subset of agency systems," and not doing so presents an incomplete independent evaluation. 588 Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed and such must be included in the terms of the contract. Agencies must ensure identical, not "equivalent," security procedures. For example, annual reviews, risk assessments, security plans, control testing, contingency planning, and C&A must, at a minimum, explicitly meet guidance from NIST. Additionally, IGs shall include some contractor systems in their "representative subset of agency systems," and not doing so presents an incomplete independent evaluation.
589 589
590 Agencies and IGs should to the maximum extent practicable, consult with other agencies using the same service provider, share security review results, and avoid the unnecessary burden on the service provider and the agencies resulting from duplicative reviews and re-reviews. Additionally, provided they meet FISMA and policy requirements, agencies and IGs should accept all or part of the results of industry-specific security reviews performed by an independent auditor on the commercial service provider. 590 Agencies and IGs should to the maximum extent practicable, consult with other agencies using the same service provider, share security review results, and avoid the unnecessary burden on the service provider and the agencies resulting from duplicative reviews and re-reviews. Additionally, provided they meet FISMA and policy requirements, agencies and IGs should accept all or part of the results of industry-specific security reviews performed by an independent auditor on the commercial service provider.
591 591
592 In the case of agency service providers, they must work with their customer agencies to develop suitable arrangements for meeting all of FISMA's requirements, including any special requirements for one or more particular customer agencies. Any arrangements should also provide for an annual evaluation by the IG of one agency. Thereafter, the results of that IG evaluation would be shared with all customer agencies and their respective IGs. 592 In the case of agency service providers, they must work with their customer agencies to develop suitable arrangements for meeting all of FISMA's requirements, including any special requirements for one or more particular customer agencies. Any arrangements should also provide for an annual evaluation by the IG of one agency. Thereafter, the results of that IG evaluation would be shared with all customer agencies and their respective IGs.
593 593
594 2) Contractor support -- this encompasses on- or off-site contractor technical or other support staff. 594 2) Contractor support -- this encompasses on- or off-site contractor technical or other support staff.
595 595
596 Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed and such must be included in the terms of the contract. Agencies must ensure identical, not "equivalent," security procedures. Specifically, the agency is responsible for ensuring the contractor personnel receive appropriate training (i.e., user awareness training and training on agency policy and procedures). 596 Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed and such must be included in the terms of the contract. Agencies must ensure identical, not "equivalent," security procedures. Specifically, the agency is responsible for ensuring the contractor personnel receive appropriate training (i.e., user awareness training and training on agency policy and procedures).
597 597
598 3) Government Owned, Contractor Operated (GOCO) -- For the purposes of FISMA, GOCO facilities are agency components and their security requirements are identical to those of the managing Federal agency in all respects. Security requirements must be included in the terms of the contract. 598 3) Government Owned, Contractor Operated (GOCO) -- For the purposes of FISMA, GOCO facilities are agency components and their security requirements are identical to those of the managing Federal agency in all respects. Security requirements must be included in the terms of the contract.
599 599
600 4) Laboratories and research facilities -- For the purposes of FISMA, laboratories and research facilities are agency components and their security requirements are identical to those of the managing Federal agency in all respects. Security requirements must be included in the terms of the contract or other similar agreement. 600 4) Laboratories and research facilities -- For the purposes of FISMA, laboratories and research facilities are agency components and their security requirements are identical to those of the managing Federal agency in all respects. Security requirements must be included in the terms of the contract or other similar agreement.
601 601
602 5) Management and Operating Contracts – For the purposes of FISMA, management and operating contracts include contracts for the operation, maintenance, or support of a Government-owned or -controlled research, development, special production, or testing establishment. 602 5) Management and Operating Contracts – For the purposes of FISMA, management and operating contracts include contracts for the operation, maintenance, or support of a Government-owned or -controlled research, development, special production, or testing establishment.
603 603
604 604
605 605
606 606
607 607
608 608
609 609
61038. Should agencies include FISMA requirements in grants and contracts? 61038. Should agencies include FISMA requirements in grants and contracts?
611 611
612Yes, as with the Government Information Security Reform Act of 2000, agency contracts including but not limited to those for IT services must reflect FISMA requirements. 612Yes, as with the Government Information Security Reform Act of 2000, agency contracts including but not limited to those for IT services must reflect FISMA requirements.
613 613
614The Federal Acquisition Regulation, Subpart 7.1—Acquisition Plans, requires heads of agencies to ensure agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB's implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from NIST. 614The Federal Acquisition Regulation, Subpart 7.1—Acquisition Plans, requires heads of agencies to ensure agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB's implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from NIST.
615 615
616When applicable, agencies must also include FISMA's security requirements in the terms and conditions of grants. 616When applicable, agencies must also include FISMA's security requirements in the terms and conditions of grants.
617 617
618 618
619 619
62039. How deeply into contractor, state, or grantee systems must a FISMA review reach? To the application, to the interface between the application and their network, or into the corporate network/infrastructure? 62039. How deeply into contractor, state, or grantee systems must a FISMA review reach? To the application, to the interface between the application and their network, or into the corporate network/infrastructure?
621 621
622This question has a two-part answer. First, FISMA's requirements follow agency information into any system which uses it or processes it on behalf of the agency. That is, when the ultimate responsibility and accountability for control of the information continues to reside with the agency, FISMA applies. Second, with respect to system interconnections, as a general rule, OMB assumes agency responsibility and accountability extends to the interface between Government systems (or contractor systems performing functions on behalf of the agency) and corporate systems and networks. For example, a corporate network, human resource, or financial management system would not be covered by FISMA requirements, provided the agency has confirmed appropriate security of the interface between them and any system using Government information or those operating on behalf of the agency. See also the discussions concerning interconnection agreements and C&A boundaries. 622This question has a two-part answer. First, FISMA's requirements follow agency information into any system which uses it or processes it on behalf of the agency. That is, when the ultimate responsibility and accountability for control of the information continues to reside with the agency, FISMA applies. Second, with respect to system interconnections, as a general rule, OMB assumes agency responsibility and accountability extends to the interface between Government systems (or contractor systems performing functions on behalf of the agency) and corporate systems and networks. For example, a corporate network, human resource, or financial management system would not be covered by FISMA requirements, provided the agency has confirmed appropriate security of the interface between them and any system using Government information or those operating on behalf of the agency. See also the discussions concerning interconnection agreements and C&A boundaries.
623 623
624 624
625 625
626 626
627 627
628 628
629 629
63040. Are all information systems operated by a contractor on behalf of an agency subject to the same type of C&A process? 63040. Are all information systems operated by a contractor on behalf of an agency subject to the same type of C&A process?
631 631
632Yes, they must be addressed in the same way. As with agency-operated systems, the level of effort required for C&A depends on the impact level of the information contained on each system. C&A of a system with an impact level of low will be less rigorous and costly than a system with a higher impact level. More information on system security categorization is available in FIPS Pub 199 and NIST Special Publication 800-60 "Guide for Mapping Types of Information and Information Systems to Security Categories." 632Yes, they must be addressed in the same way. As with agency-operated systems, the level of effort required for C&A depends on the impact level of the information contained on each system. C&A of a system with an impact level of low will be less rigorous and costly than a system with a higher impact level. More information on system security categorization is available in FIPS Pub 199 and NIST Special Publication 800-60 "Guide for Mapping Types of Information and Information Systems to Security Categories."
633 633
634FISMA is unambiguous regarding the extent to which NIST C&A and annual IT security self-assessments apply. To the extent that contractor, state, or grantee systems process, store, or house Federal Government information (for which the agency continues to be responsible for maintaining control), their security controls must be assessed against the same NIST criteria and standards as if they were a Government-owned or -operated system. The accreditation boundary for these systems must be carefully mapped to ensure that Federal information: (a) is adequately protected, (b) is segregated from the contractor, state or grantee corporate infrastructure, and (c) there is an interconnection security agreement in place to address connections from the contractor, state or grantee system containing the agency information to systems external to the accreditation boundary. 634FISMA is unambiguous regarding the extent to which NIST C&A and annual IT security self-assessments apply. To the extent that contractor, state, or grantee systems process, store, or house Federal Government information (for which the agency continues to be responsible for maintaining control), their security controls must be assessed against the same NIST criteria and standards as if they were a Government-owned or -operated system. The accreditation boundary for these systems must be carefully mapped to ensure that Federal information: (a) is adequately protected, (b) is segregated from the contractor, state or grantee corporate infrastructure, and (c) there is an interconnection security agreement in place to address connections from the contractor, state or grantee system containing the agency information to systems external to the accreditation boundary.
635 635
636 636
637 637
638 638
639 639
64041. Who is responsible for the POA&M process for contractor systems owned by the contractor? 64041. Who is responsible for the POA&M process for contractor systems owned by the contractor?
641 641
642The agency is responsible for ensuring the contractor corrects weaknesses discovered through self-assessments and independent assessments. Any weaknesses are to be reflected in the agency's POA&M. 642The agency is responsible for ensuring the contractor corrects weaknesses discovered through self-assessments and independent assessments. Any weaknesses are to be reflected in the agency's POA&M.
643 643
644Training 644Training
645 645
646 646
647 647
648 648
649 649
65042. Do employees who never access electronic information systems need annual security and privacy awareness training? 65042. Do employees who never access electronic information systems need annual security and privacy awareness training?
651 651
652Yes, FISMA and OMB policy (Memorandum M-07-17, Attachment I.A.2.d.) require all employees to receive annual security and privacy awareness training, and they must be included as part of your agency's training totals. When administering your security and privacy awareness training programs, it is important to remember: (i) all employees collect, process, access and/or maintain government information, in some form or format, to successfully perform their duties and support the agency's mission; and (ii) information is processed in various forms and formats, including paper and electronic, and information systems are a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual. 652Yes, FISMA and OMB policy (Memorandum M-07-17, Attachment I.A.2.d.) require all employees to receive annual security and privacy awareness training, and they must be included as part of your agency's training totals. When administering your security and privacy awareness training programs, it is important to remember: (i) all employees collect, process, access and/or maintain government information, in some form or format, to successfully perform their duties and support the agency's mission; and (ii) information is processed in various forms and formats, including paper and electronic, and information systems are a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual.
653 653
654 654
655 655
656 656
657 657
658 658
659 659
66043. OMB asks agencies whether they have provided information security training and awareness to all employees, including contractors. Is it the agency's responsibility to ensure contractors have security training if they are hired to perform IT security functions? Wouldn't they already be trained by their companies to perform this work? 66043. OMB asks agencies whether they have provided information security training and awareness to all employees, including contractors. Is it the agency's responsibility to ensure contractors have security training if they are hired to perform IT security functions? Wouldn't they already be trained by their companies to perform this work?
661 661
662The agency should include in its contract the requirements for level of skill and experience. However, contractors must be trained on agency-specific security policies and procedures, including rules of behavior. Agencies may explain the type of awareness training they provide to contractors as part of the response to section B.6.c. 662The agency should include in its contract the requirements for level of skill and experience. However, contractors must be trained on agency-specific security policies and procedures, including rules of behavior. Agencies may explain the type of awareness training they provide to contractors as part of the response to section B.6.c.
663 663
664 664
665 665
666 666
667 667
668 668
669 669
67044. What resources are available to assist agencies in providing annual information security and privacy training to their employees? 67044. What resources are available to assist agencies in providing annual information security and privacy training to their employees?
671 671
672The Information System Security Line of Business (ISSLOB) has been working with agencies to develop a standardized curriculum, and, to select information security Shared Service Centers (SSC). The ISSLOB SSC's provide an efficient and cost-effective solution for agencies to procure general information security training for employees and contractors. For more information on this program, contact the ISSLOB program management office at the Department of Homeland Security. 672The Information System Security Line of Business (ISSLOB) has been working with agencies to develop a standardized curriculum, and, to select information security Shared Service Centers (SSC). The ISSLOB SSC's provide an efficient and cost-effective solution for agencies to procure general information security training for employees and contractors. For more information on this program, contact the ISSLOB program management office at the Department of Homeland Security.
673 673
674Privacy Reporting 674Privacy Reporting
675 675
676 676
677 677
678 678
679 679
68045. Which agency official should complete the privacy questions in this FISMA report? 68045. Which agency official should complete the privacy questions in this FISMA report?
681 681
682These questions shall be completed or supervised by the SAOP. Since privacy management may fall into areas of responsibility likely held by several program officials, e.g., the CIO, the Privacy Act Officer, etc., the SAOP shall consult with these officials when responding to these questions, and note (Section D, part IV) those who contributed and/or reviewed the responses to the questions. 682These questions shall be completed or supervised by the SAOP. Since privacy management may fall into areas of responsibility likely held by several program officials, e.g., the CIO, the Privacy Act Officer, etc., the SAOP shall consult with these officials when responding to these questions, and note (Section D, part IV) those who contributed and/or reviewed the responses to the questions.
683 683
684 684
685 685
686 686
687 687
688 688
689 689
69046. Why is OMB asking some of the same privacy questions posed by the annual E-Government Act Report? 69046. Why is OMB asking some of the same privacy questions posed by the annual E-Government Act Report?
691 691
692OMB is using the FISMA reporting vehicle to aggregate privacy reporting requirements and reduce burden on the agencies. Privacy reporting in Section D will satisfy agencies' privacy reporting obligations under the E-Government Act. OMB will not include privacy reporting in the E-Government Act reporting template. 692OMB is using the FISMA reporting vehicle to aggregate privacy reporting requirements and reduce burden on the agencies. Privacy reporting as shown in the SAOP Questions will satisfy agencies' privacy reporting obligations under the E-Government Act. OMB will not include privacy reporting in the E-Government Act reporting template.
693 693
694 694
695 695
696 696
697 697
698 698
699 699
70047. Why has OMB expanded the review of breaches of personally identifiable information, including Privacy Act violations, required by Circular A-130 to include incidents or instances of non-compliance with any of the requirements of the Act, even if they have not or will not result in civil or criminal action? Won't this result in "double counting?" 70047. Why has OMB expanded the review of breaches of personally identifiable information, including Privacy Act violations, required by Circular A-130 to include incidents or instances of non-compliance with any of the requirements of the Act, even if they have not or will not result in civil or criminal action? Won't this result in "double counting?"
701 701
702OMB is asking agencies to review all circumstances that might reveal weakness in the privacy program for which remedial action or additional training is required for an individual. Agencies should report incidents also reported elsewhere for security purposes. This reporting includes violations that are either physical or electronic, and regardless of whether the source was internal or external. While this reporting may result in double counting, it is important for agency managers and oversight authorities to understand the performance of agency privacy programs. 702OMB is asking agencies to review all circumstances that might reveal weakness in the privacy program for which remedial action or additional training is required for an individual. Agencies should report incidents also reported elsewhere for security purposes. This reporting includes violations that are either physical or electronic, and regardless of whether the source was internal or external. While this reporting may result in double counting, it is important for agency managers and oversight authorities to understand the performance of agency privacy programs.
703 703
704 704
705 705
706 706
707 707
708 708
709 709
71048. What does it mean for a system of records notice (SORN) to be "current"? 71048. What does it mean for a system of records notice (SORN) to be "current"?
711 711
712A SORN is "current" if that document satisfies the applicable requirements under the Privacy Act and there have been no subsequent substantive changes to the system which would necessitate republication of the notice in the Federal Register. 712A SORN is "current" if that document satisfies the applicable requirements under the Privacy Act and there have been no subsequent substantive changes to the system which would necessitate republication of the notice in the Federal Register.
713 713
714 714
715 715
716 716
717 717
718 718
719 719
72049. Must agencies publish a SORN for all systems? 72049. Must agencies publish a SORN for all systems?
721 721
722No. As required by the Privacy Act (5 U.S.C. 552a), agencies must publish a SORN for systems with records about individuals maintained in a system of records covered by the Privacy Act. 722No. As required by the Privacy Act (5 U.S.C. 552a), agencies must publish a SORN for systems with records about individuals maintained in a system of records covered by the Privacy Act.
723 723
724 724
725 725
726 726
727 727
728 728
729 729
73050. Are agencies required to conduct a privacy impact assessment (PIA) for information technology systems that contain or administer information in identifiable form strictly about Federal employees (including contractors)? 73050. Are agencies required to conduct a privacy impact assessment (PIA) for information technology systems that contain or administer information in identifiable form strictly about Federal employees (including contractors)?
731 731
732The legal and policy requirements addressing Federal agency computer security apply equally to Federal IT systems containing identifiable information about members of the public and to systems containing identifiable information solely about agency employees (or contractors). That is, as a practical matter, all systems containing information in identifiable form fall subject to the same technical, administrative and operational security controls. Although neither Section 208 of the E-Government Act, nor OMB's implementing guidance mandate agencies conduct PIAs on electronic systems containing information about Federal employees (including contractors), OMB encourages agencies to scrutinize their internal business processes and the handling of identifiable information about employees to the same extent they scrutinize processes and information handling procedures involving information collected from or about members of the public (OMB Memorandum M-03-22, Section II.B.3.a.). 732The legal and policy requirements addressing Federal agency computer security apply equally to Federal IT systems containing identifiable information about members of the public and to systems containing identifiable information solely about agency employees (or contractors). That is, as a practical matter, all systems containing information in identifiable form fall subject to the same technical, administrative and operational security controls. Although neither Section 208 of the E-Government Act, nor OMB's implementing guidance mandate agencies conduct PIAs on electronic systems containing information about Federal employees (including contractors), OMB encourages agencies to scrutinize their internal business processes and the handling of identifiable information about employees to the same extent they scrutinize processes and information handling procedures involving information collected from or about members of the public (OMB Memorandum M-03-22, Section II.B.3.a.).
733 733
734 734
735 735
736 736
737 737
738 738
739 739
74051. If an agency chooses to conduct a PIA on systems which only contain information about Federal employees (including contractors), should these be included in the total number of systems reported in section D.II.5.c.?  74051. If an agency chooses to conduct a PIA on systems which only contain information about Federal employees (including contractors), should these be included in the total number of systems reported? 
741 
742No, agencies should count only those systems which require a PIA under the E-Government Act. OMB recognizes some agencies choose to conduct a PIA on systems containing information about Federal employees (including contractors), or conduct a "threshold analysis" to determine whether a formal PIA is required for the system. While OMB applauds this level of dedication to privacy awareness and encourages agencies to continue pursuing these efforts, including these additional assessments inhibits meaningful evaluation of agency compliance with Section 208 of the E-Government Act of 2002. 
743 
744Electronic Authentication 
741 745
742No, when responding to section D.II.5.c., agencies should count only those systems which require a PIA under the E-Government Act. OMB recognizes some agencies choose to conduct a PIA on systems containing information about Federal employees (including contractors), or conduct a "threshold analysis" to determine whether a formal PIA is required for the system. While OMB applauds this level of dedication to privacy awareness and encourages agencies to continue pursuing these efforts, including these additional assessments inhibits meaningful evaluation of agency compliance with Section 208 of the E-Government Act of 2002. 
743 746
744 747
745 748
746 749
747 750
748 751
749 752
75052. What evidence are agencies required to provide to successfully demonstrate compliance with the privacy requirements on the quarterly report? 
751 753
752Agencies must provide the URL to a centrally located web page on the agency web site on which the agency lists working links to all of its PIAs and working links to all of its SORNs published in the Federal Register. Additionally, the agency CIO must certify in an email that, to the best of his or her knowledge, the quarterly report accounts for all of the agency's systems to which the privacy requirements of the E-Government Act and Privacy Act are applicable. 
753 754
754 755
755Electronic Authentication 
756 756
757 757
758 758
759 759
76053. What is Electronic Authentication (e-authentication)? 76052. What is Electronic Authentication (e-authentication)?
761 761
762In December 2003, OMB issued Memorandum M-04-04, "E-Authentication Guidance for Federal Agencies", which requires agencies to review new and existing electronic transactions to ensure the authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication. Specifically, agencies are to determine assurance levels using the following steps: 762In December 2003, OMB issued Memorandum M-04-04, "E-Authentication Guidance for Federal Agencies", which requires agencies to review new and existing electronic transactions to ensure the authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication. Specifically, agencies are to determine assurance levels using the following steps:
763 763
764 1. Conduct an e-authentication risk assessment of the e-government system. 764 1. Conduct an e-authentication risk assessment of the e-government system.
765 2. Map identified risks to the appropriate assurance level. 765 2. Map identified risks to the appropriate assurance level.
766 3. Select technology based on e-authentication technical guidance. 766 3. Select technology based on e-authentication technical guidance.
767 4. Validate that the implemented system has achieved the required assurance level. 767 4. Validate that the implemented system has achieved the required assurance level.
768 5. Periodically reassess the system to determine technology refresh requirements. 768 5. Periodically reassess the system to determine technology refresh requirements.
769 769
770An e-authentication application is an application that meets the following criteria: 770An e-authentication application is an application that meets the following criteria:
771 771
772 1. Is web-based; 772 1. Is web-based;
773 2. Requires authentication; and 773 2. Requires authentication; and
774 3. Extends beyond the borders of your enterprise (e.g. multi-agency, government-wide, or public facing) 774 3. Extends beyond the borders of your enterprise (e.g. multi-agency, government-wide, or public facing)
775 775
776For additional e-authentication requirements, please refer to NIST Special Publication 800-63, "Electronic Authentication Guidance" at http://csrc.nist.gov/publications. 776For additional e-authentication requirements, please refer to NIST Special Publication 800-63, "Electronic Authentication Guidance" at http://csrc.nist.gov/publications.
777 777
778 778
779 779
780 780
781 781
782 782
783 783
784 784
785 785
786 786
787 787
788 788
789 789
790 790
791 791
792 792
793 793
794 794
795 795
796 796
797 797
798 798
799 799
800Definitions 800Definitions
801 801
802Adequate Security (defined in OMB Circular A-130, Appendix III, (A)(2)(a)) 802Adequate Security (defined in OMB Circular A-130, Appendix III, (A)(2)(a))
803 803
804Security is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. 804Security is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.
805 805
806Capital Planning and Investment Control Process (as defined in OMB Circular A-130, (6)(c)) 806Capital Planning and Investment Control Process (as defined in OMB Circular A-130, (6)(c))
807 807
808A management process for ongoing identification, selection, control, and evaluation of investments in information resources. The process links budget formulation and execution, and is focused on agency missions and achieving specific program outcomes. 808A management process for ongoing identification, selection, control, and evaluation of investments in information resources. The process links budget formulation and execution, and is focused on agency missions and achieving specific program outcomes.
809 809
810Certification 810Certification
811 811
812A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system. 812A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system.
813 813
814General Support System or System (defined in OMB Circular A-130, Appendix III, (A)(2)(c)) 814General Support System or System (defined in OMB Circular A-130, Appendix III, (A)(2)(c))
815 815
816An interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO). 816An interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO).
817 817
818Information Security (defined by FISMA, section 3542(b)(1)(A-C)) 818Information Security (defined by FISMA, section 3542(b)(1)(A-C))
819 819
820Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (C) availability, which means ensuring timely and reliable access to and use of information. 820Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (C) availability, which means ensuring timely and reliable access to and use of information.
821 821
822Information System (defined in OMB Circular A-130, (6)(q)) 822Information System (defined in OMB Circular A-130, (6)(q))
823 823
824The term "information system" means a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual. 824The term "information system" means a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual.
825 825
826Information Technology (defined by the Clinger-Cohen Act of 1996, sections 5002, 5141 and 5142) 826Information Technology (defined by the Clinger-Cohen Act of 1996, sections 5002, 5141 and 5142)
827 827
828Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For purposes of this definition, equipment is used by an agency whether the agency uses the equipment directly or it is used by a contractor under a contract with the agency which (1) requires the use of such equipment or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. It does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract. 828Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For purposes of this definition, equipment is used by an agency whether the agency uses the equipment directly or it is used by a contractor under a contract with the agency which (1) requires the use of such equipment or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. It does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract.
829 829
830Major Acquisition/Investment (defined in OMB Circular A-11, section 300) 830Major Acquisition/Investment (defined in OMB Circular A-11, section 300)
831 831
832Major acquisition/investment means a system or project requiring special management attention because of its importance to the mission or function of the agency, a component of the agency or another organization; is for financial management and obligates more than $500,000 annually; has significant program or policy implications; has high executive visibility; has high development, operating or maintenance costs or is defined as major by the agency's capital planning and investment control process. 832Major acquisition/investment means a system or project requiring special management attention because of its importance to the mission or function of the agency, a component of the agency or another organization; is for financial management and obligates more than $500,000 annually; has significant program or policy implications; has high executive visibility; has high development, operating or maintenance costs or is defined as major by the agency's capital planning and investment control process.
833 833
834Major Application (defined in OMB Circular A-130, (A)(2)(d)) 834Major Application (defined in OMB Circular A-130, (A)(2)(d))
835 835
836An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All Federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by the security of the systems in which they operate. 836An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All Federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by the security of the systems in which they operate.
837 837
838Major Information System (defined in OMB Circular A-130) 838Major Information System (defined in OMB Circular A-130)
839 839
840An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources. 840An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.
841 841
842National Security System (defined in FISMA, section 3542 (b)(2)(A-B)) 842National Security System (defined in FISMA, section 3542 (b)(2)(A-B))
843 843
844 (A) The term "national security system" means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency-- 844 (A) The term "national security system" means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
845  (i) the function, operation, or use of which-- 845  (i) the function, operation, or use of which--
846   (I) involves intelligence activities; 846   (I) involves intelligence activities;
847   (II) involves cryptologic activities related to national security; 847   (II) involves cryptologic activities related to national security;
848   (III) involves command and control of military forces; 848   (III) involves command and control of military forces;
849   (IV) involves equipment that is an integral part of a weapon or weapons system; or 849   (IV) involves equipment that is an integral part of a weapon or weapons system; or
850   (V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or 850   (V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
851  (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. 851  (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
852 (B) Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). 852 (B) Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
853 853
854Plan of Action and Milestone (defined in OMB Memorandum M-02-01) 854Plan of Action and Milestone (defined in OMB Memorandum M-02-01)
855 855
856A plan of action and milestones (POA&M), also referred to as a corrective action plan, is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. 856A plan of action and milestones (POA&M), also referred to as a corrective action plan, is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.
857 857
858Privacy Impact Assessment (PIA) (See OMB Memorandum M-03-22) 858Privacy Impact Assessment (PIA) (See OMB Memorandum M-03-22)
859 859
860A process for examining the risks and ramifications of using information technology to collect, maintain and disseminate information in identifiable form from or about members of the public, and for identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting such information. 860A process for examining the risks and ramifications of using information technology to collect, maintain and disseminate information in identifiable form from or about members of the public, and for identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting such information.
861 861
862Security Controls (defined in FIPS 199) 862Security Controls (defined in FIPS 199)
863 863
864The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. 864The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
865 865
866Security Program (defined by FISMA, Section 3544(b)(1-8) ) 866Security Program (defined by FISMA, Section 3544(b)(1-8) )
867 867
868Each agency shall develop, document, and implement an agency wide information security program, approved by the Director under section 3543(a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. 868Each agency shall develop, document, and implement an agency wide information security program, approved by the Director under section 3543(a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
869 869
870Significant Deficiency 870Significant Deficiency
871 871
872A significant deficiency is a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken. 872A significant deficiency is a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken.
873 873
874As required in FISMA (section 3544(c)(3)), agencies are to report any significant deficiency in policy, procedure, or practice as a material weakness in reporting under FMFIA and if relating to financial management systems, as an instance of a lack of substantial compliance under FFMIA. 874As required in FISMA (section 3544(c)(3)), agencies are to report any significant deficiency in policy, procedure, or practice as a material weakness in reporting under FMFIA and if relating to financial management systems, as an instance of a lack of substantial compliance under FFMIA.
875 875
876System of Records Notice (SORN) 876System of Records Notice (SORN)
877 877
878A statement providing to the public notice of the existence and character of a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. The Privacy Act of 1974 requires this notice to be published in the Federal Register upon establishment or substantive revision of the system, and establishes what information about the system must be included. 878A statement providing to the public notice of the existence and character of a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. The Privacy Act of 1974 requires this notice to be published in the Federal Register upon establishment or substantive revision of the system, and establishes what information about the system must be included.
879 
880 
881 
882 
883 
884 
885 
886 
887 
888 
889 
890 
891 
892 
893 
894 
895 
896 
897 
898 
899 
900Section B - Reporting Template for CIOs 
901 
902A reporting template tool will be posted at http://www.omb.gov. Below are the questions to be included in the template, in a narrative format. 
903 
904Questions in the Excel template require mostly numerical responses, and must follow the prescribed format provided. Please do not alter the questions or the reporting template. Comments and narrative to accompany quantitative answers should be provided in the comment area following each question, but, only if appropriate or necessary. 
905 
9061. FISMA Systems Inventory 
907 
908By component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized), identify the number of agency and contractor systems and the number of systems reviewed. Extend the worksheet onto subsequent pages if necessary to include all components/bureaus. 
909 
910Note: Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems. 
911 
912Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance. 
913 
914FIPS 199, a Federal information processing standard, was published in February 2004. If there are systems which have not yet been categorized, or, if a system impact level was determined through another method, please explain below in item (d.). 
915 
916  a. Agency Systems 
917  - By Component/Bureau: number 
918  - By FIPS 199 system impact level (high, moderate, low, not categorized) 
919 
920  b. Contractor Systems 
921  - By Component/Bureau: number 
922  - By FIPS 199 system impact level (high, moderate, low, not categorized 
923 
924  c. Total Number of Systems (Agency and Contractor Systems) 
925  - By Component/Bureau: number 
926  - By FIPS 199 system impact level (high, moderate, low, not categorized) 
927 
928  d. If there are systems which have not yet been categorized by system impact level, or, if a system impact level was determined through another method, please explain. 
929 
9302. Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing 
931 
932For the Total Number of Systems identified by Component/Bureau and FIPS system impact level in the Table for question 1, identify the number and percentage of systems which have: a current certification and accreditation2, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy. 
933 
934Contingency planning is a requirement for certification and accreditation, with annual contingency plan testing required thereafter. If the number of systems with full certification and accreditation is higher than the number of systems with a tested contingency plan, please explain in 2.d. 
935 
936  a. Number and percentage of systems certified and accredited 
937  - By Component/Bureau 
938  - By FIPS 199 system impact level (high, moderate, low, not categorized). 
939 
940  b. Number and percentage of systems for which security controls have been tested and reviewed in the last year 
941  - By Component/Bureau 
942  - By FIPS 199 system impact level (high, moderate, low, not categorized). 
943 
944  c. Number and percentage of systems for which contingency plans have been tested in accordance with policy 
945  - By Component/Bureau 
946  - By FIPS 199 system impact level (high, moderate, low, not categorized). 
947 
948  d. If the number of systems with full certification and accreditation is higher than the number of systems with a tested contingency plan, please explain. 
949 
950  e. For all systems reported as not having a C&A (Question 2.a. percentage is less than 100%), please identify the system by Component/Bureau, the system impact level, and the Unique Project Identifier (UPI) associated with the system as presented in your Budget Year 2010 Exhibit 53. Extend the table as necessary to include all systems without a C&A. 
951 
952 
9532 Certification and accreditation requires documentation of security planning, including: risk assessments, contingency plans, incident response plans, security awareness and training plans, information systems rules of behavior, configuration management plans, security configuration checklists, privacy impact assessments, and system interconnection agreements. 
954 
9553. Implementation of Security Controls in NIST Special Publication 800-53 
956 
957Agencies must implement the appropriate security controls in NIST Special Publication 800-53. 
958 
959 a. Has the organization developed policies and corresponding procedures to cover all NIST SP 800-53 control families, and associated 800-53 security controls? Yes or No. 
960 
961 b. Please describe your annual testing and continuous monitoring process. 
962 
9634. Incident Detection, Monitoring, and Response Capabilities 
964 
965 a. What tools, techniques, technologies, etc., does the agency use for incident detection? 
966 
967 b. How many systems (or networks of systems) are protected using the tools, techniques and technologies described in 4 (a) above? 
968 
969 c. Does the agency log and monitor activities involving access to and modification of sensitive or critical information? Yes or No. 
970 
971 d. What percentage of systems maintain audit trails that provide a trace of user actions? 
972 
973 e. Does the agency maintain an incident handling and response capability? Yes or No. 
974 
975 f. If the answer to 4 (e) is yes, what percentage of systems are operated within the agency's incident handling and response capability? 
976 
977 g. What tools, techniques, technologies, etc. does the agency use for incident handling and response? 
978 
9795. Security Awareness Training 
980 
981 a. Has the agency ensured security awareness training of all employees, including contractors and those employees with significant information security responsibilities? Yes or No. 
982 
983Report the following to your agency: 
984 
985 b.1. Total number of employees (including contractors) 
986 
987 b.2. Number of employees and contractors that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program" (October 2003) 
988 
989 b.3. Number of employees and contractors that received information security awareness training using an Information Systems Security Line of Business (ISSLOB) shared service center. (breakout of total for 6.b.2. above) 
990 
991 b.4. Total number of employees with significant information security responsibilities 
992 
993 b.5. Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model" (April 1998). 
994 
995 b.6. Total costs for providing information security training in the past fiscal year 
996 
997 c. Briefly describe the training provided in 5.b.2. and 5.b.5 and how you measure its effectiveness. 
998 
9996. Collaborative Web Technologies and Peer-to-Peer File Sharing 
1000 
1001Does the agency explain policies regarding the use of collaborative web technologies and peer-to-peer file sharing in information security awareness training, ethics training, or any other agency-wide training? Yes or No. 
1002 
10037. Configuration Management 
1004 
1005 a. Is there an agency-wide security configuration policy? Yes or No. 
1006 
1007 b. Approximate the extent to which applicable systems implement common security configurations including use of common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov
1008 
1009 Response categories: 
1010  - Rarely, for example, approximately 0-50% of the time 
1011  - Sometimes, for example, approximately 51-70% of the time 
1012  - Frequently, for example, approximately 71-80% of the time 
1013  - Mostly, for example, approximately 81-95% of the time 
1014  - Almost Always, for example, approximately 96-100% of the time 
1015 
1016 c. Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report: 
1017 
1018  c.1. Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No. 
1019 
1020  c.2. New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes or No. 
1021 
1022  c.3. All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No. 
1023 
10248. Incident Reporting 
1025 
1026Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below. 
1027 
1028  a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No. 
1029 
1030  b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. Yes or No. 
1031 
1032  c. The agency follows documented policies and procedures for reporting to US-CERT. Yes or No. 
1033 
10349. New Technologies and Emerging Threats 
1035 
1036  a. Has the agency documented in its security policies special procedures for using emerging technologies (including but not limited to wireless and IPv6) and countering emerging threats (including but not limited to spyware, malware, etc.)? Yes or No. 
1037 
1038  b. If the answer to 9.a. is "Yes," briefly describe the documented procedures. These special procedures could include more frequent control tests and evaluations, specific configuration requirements, additional monitoring, or specialized training. 
1039 
104010. Performance Metrics for Security Policies and Procedures 
1041 
1042Please provide three (3) outcome/output-based performance metrics used by your agency to measure the effectiveness or efficiency of security policies and procedures. The metrics must be different than the ones used in these FISMA reporting instructions and can be tailored from NIST's Special Publication 800-55 "Performance Measurement Guide for Information Security." 
1043 
1044Section C – Reporting Template for IGs 
1045 
1046A reporting template tool will be posted at http://www.omb.gov. Below are the questions to be included in the template, in a narrative format. 
1047 
1048Questions in the Excel template require mostly numerical responses, and must follow the prescribed format provided. Please do not alter the questions or the reporting template. Comments and narrative to accompany quantitative answers should be provided in the comment area following each question, if appropriate or necessary. IGs may also submit additional narrative in an appendix to the report. 
1049 
10501. FISMA Systems Inventory 
1051 
1052As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. 
1053 
1054By component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized), identify the number of agency and contractor systems and the number of systems reviewed. Extend the worksheet onto subsequent pages if necessary to include all components/bureaus. 
1055 
1056Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance. 
1057 
1058  a. Agency Systems 
1059  - By Component/Bureau: total number, number reviewed by IG 
1060  - By FIPS 199 system impact level (high, moderate, low, not categorized). 
1061 
1062  b. Contractor Systems 
1063  - By Component/Bureau: total number, number reviewed by IG 
1064  - By FIPS 199 system impact level (high, moderate, low, not categorized). 
1065 
1066  c. Total Number of Systems (Agency and Contractor Systems) 
1067  - By Component/Bureau: total number, number reviewed by IG 
1068  - By FIPS 199 system impact level (high, moderate, low, not categorized). 
1069 
10702. Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing 
1071 
1072For the Total Number of Systems identified by Component/Bureau and FIPS system impact level in the Table for question 1, identify the number and percentage of systems which have: a current certification and accreditation3, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy. 
1073 
1074  a. Number of systems certified and accredited 
1075  - By Component/Bureau 
1076  - By FIPS 199 system impact level (high, moderate, low, not categorized). 
1077 
1078  b. Number of systems for which security controls have been tested and reviewed in the last year 
1079  - By Component/Bureau 
1080  - By FIPS 199 system impact level (high, moderate, low, not categorized). 
1081 
1082  c. Number of systems for which contingency plans have been tested in accordance with policy 
1083  - By Component/Bureau 
1084  - By FIPS 199 system impact level (high, moderate, low, not categorized). 
1085 
10863. Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory 
1087 
1088  a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. 
1089 
1090  Self-reporting of NIST Special Publication 800-53 requirements by a contractor or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient. 
1091 
1092  Response Categories: 
1093  - Rarely, for example, approximately 0-50% of the time 
1094  - Sometimes, for example, approximately 51-70% of the time 
1095  - Frequently, for example, approximately 71-80% of the time 
1096  - Mostly, for example, approximately 81-95% of the time 
1097  - Almost Always, for example, approximately 96-100% of the time 
1098 
1099  b. The agency has developed an inventory of major information systems (including major national security systems) used or operated by an agency or a contractor or other organization on behalf of the agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency. 
1100 
1101 
11023 Certification and accreditation requires documentation of security planning, including: risk assessments, contingency plans, incident response plans, security awareness and training plans, information systems rules of behavior, configuration management plans, security configuration checklists, privacy impact assessments, and system interconnection agreements. 
1103 
1104Response Categories: 
1105 - Approximately 0-50% complete 
1106 - Approximately 51-70% complete 
1107 - Approximately 71-80% complete 
1108 - Approximately 81-95% complete 
1109 - Approximately 96-100% complete 
1110 
1111 c. The IG generally agrees with the CIO on the number of agency owned systems. Yes or No. 
1112 
1113 d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes or No. 
1114 
1115 e. The agency inventory is maintained and updated at least annually. Yes or No 
1116 
1117 f. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please list by system name, component/bureau, and Unique Project Identifier (UPI) (if known); and indicate if the system is an agency or contractor system. 
1118 
11194. Evaluation of A Plan of Action and Milestones (POA&M) process 
1120 
1121Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestone (POA&M) process. Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided. 
1122 
1123For each statement in items 4.a. through 4.f., select the response category that best reflects the agency's status. 
1124 
1125 Response Categories: 
1126 
1127 - Rarely, for example, approximately 0-50% of the time 
1128 - Sometimes, for example, approximately 51-70% of the time 
1129 - Frequently, for example, approximately 71-80% of the time 
1130 - Mostly, for example, approximately 81-95% of the time 
1131 - Almost Always, for example, approximately 96-100% of the time 
1132 
1133 
1134 a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency. 
1135 
1136 b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s). 
1137 
1138 c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly). 
1139 
1140 d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis. 
1141 
1142 e. IG/external audit findings are incorporated into the POA&M process. 
1143 
1144 f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources. 
1145 
11465. IG Assessment of the Certification and Accreditation Process 
1147 
1148Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004. This includes use of the FIPS 199 (February 2004) ,"Standards for Security Categorization of Federal Information and Information Systems," to determine a system impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Provide narrative comments as appropriate. 
1149 
1150 a. The IG rates the overall quality of the Agency's certification and accreditation process as: 
1151 
1152 Response Categories: 
1153 - Excellent 
1154 - Good 
1155 - Satisfactory 
1156 - Poor 
1157 - Failing 
1158 
1159 b. The IG's quality rating included or considered the following aspects of the C&A process: (check all that apply) 
1160 
1161 - the security plan 
1162 - system impact level 
1163 - system test and evaluation 
1164 - security control testing 
1165 - incident handling 
1166 - security awareness training 
1167 - security configurations (including patch management) 
1168 - other: 
1169 
11706. IG Assessment of the Privacy Impact Assessment (PIA) Process 
1171 
1172Provide a qualitative assessment of the agency's PIA process as discussed in Section D Question number 5, including adherence to existing policy, guidance, and standards. 
1173 
1174Assess the overall quality of the Department's Privacy Impact Assessment policies 
1175 
1176 Response Categories: 
1177 - Excellent 
1178 - Good 
1179 - Satisfactory 
1180 - Poor 
1181 - Failing 
1182 Comments: Space for narrative comments. 
1183 
11847. IG Assessment of Progress of the Agency Privacy Program 
1185 
1186Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information. 
1187 
1188Assess the overall progress of the Department's privacy program to date 
1189 
1190 Response Categories: 
1191 - Excellent 
1192 - Good 
1193 - Satisfactory 
1194 - Poor 
1195 - Failing 
1196 
1197Comments: Space for narrative comments. 
1198 
11998. Configuration Management 
1200 
1201 a. Is there an agency wide security configuration policy? Yes or No. 
1202 
1203 Space provided for narrative comments. 
1204 
1205 b. Approximate the extent to which applicable systems implement common security configurations, including use of common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov
1206 
1207  - Rarely, for example, approximately 0-50% of the time 
1208  - Sometimes, for example, approximately 51-70% of the time 
1209  - Frequently, for example, approximately 71-80% of the time 
1210  - Mostly, for example, approximately 81-95% of the time 
1211  - Almost Always, for example, approximately 96-100% of the time 
1212 
1213 c. Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report: 
1214 
1215  c.1. Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No. 
1216 
1217  c.2. New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes or No. 
1218 
1219  c.3. All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No. 
1220 
12219. Incident Reporting 
1222 
1223Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided. 
1224 
1225 a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No. 
1226 
1227 b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. Yes or No. 
1228 
1229 c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov Yes or No. 
1230 
123110. Security Awareness Training 
1232 
1233Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities? 
1234 
1235 - Rarely, or, approximately 0-50% of employees 
1236 - Sometimes, or approximately 51-70% of employees 
1237 - Frequently, or approximately 71-80% of employees 
1238 - Mostly, or approximately 81-95% of employees 
1239 - Almost Always, or approximately 96-100% of employees 
1240 
124111. Collaborative Web Technologies and Peer-to-Peer File Sharing 
1242 
1243Does the agency explain policies regarding the use of collaborative web technologies and peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No. 
1244 
124512. E-Authentication 
1246 
1247Has the agency identified all e-authentication applications and validated that the applications have operationally achieved the required assurance level in accordance with the NIST Special Publication 800-63, "Electronic Authentication Guidelines"? Yes or No. 
1248 
1249If the response is "No", then please identify the systems in which the agency has not implemented the e-authentication guidance and indicate if the agency has a planned date of remediation. 
1250 
1251Section D - Reporting Template for SAOPs 
1252 
1253A reporting template tool will be posted at http://www.omb.gov. Below are the questions to be included in the template, in a narrative format. This shall be completed by all agencies. 
1254 
12551. Inventory of Systems that Contain Federal Information in Identifiable Form which Require a PIA or SORN 
1256 
1257In column (a) of the table below, identify by component/bureau the number of agency and contractor information systems that contain Federal information in identifiable form. In column (b), identify the number of agency and contractor systems in (a) for which a Privacy Impact Assessment (PIA) is required under the E-Gov Act. In column (c), identify the number of agency and contractor systems in (b) covered by an existing PIA. In column (d), identify the number of systems in (a) for which a system of records notice (SORN) is required under the Privacy Act. In column (e), identify the number of systems in (d) for which a current SORN has been published in the Federal Register. 
1258 
1259Extend the table as necessary to include all Components/Bureaus. 
1260 
1261For the purposes of this inventory, the number of systems covered by an existing PIA cannot exceed the number of systems for which a PIA is required under the E-Government Act, and the number of systems for which a current SORN has been published cannot exceed the number of systems for which a SORN is required under the Privacy Act. 
1262 
1263 a. By Component/Bureau: Number of systems that contain Federal information in identifiable form 
1264  - Agency Systems 
1265  - Contractor Systems 
1266  - Total number of systems 
1267 
1268 b. By Component/Bureau: Number of systems in (a.) for which a Privacy Impact Assessment (PIA) is required under the E-Gov Act 
1269  - Agency Systems 
1270  - Contractor Systems 
1271  - Total number of systems 
1272 
1273  c. By Component/Bureau: Number of systems in (b.) covered by an existing PIA 
1274  - Agency Systems 
1275  - Contractor Systems 
1276  - Total number of systems 
1277  - Percentage of PIAs completed 
1278 
1279  d. By Component/Bureau: Number of systems in (a.) for which a SORN is required under the Privacy Act 
1280  - Agency Systems 
1281  - Contractor Systems 
1282  - Total number of systems 
1283 
1284  e. By Component/Bureau: Number of systems in (d.) for which a current SORN has been published in the Federal register 
1285 
1286  - Agency Systems 
1287  - Contractor Systems 
1288  - Total number of systems 
1289  - Percentage of SORNs completed 
1290 
12912. Links to PIAs and SORNs 
1292 
1293  a. Provide the URL (does not have to be a hyperlink) of the centrally located page on the agency web site listing working links to agency PIAs. 
1294 
1295  b. Provide the URL (does not have to be a hyperlink) of the centrally located page on the agency web site listing working links to the published SORNs: 
1296 
12973. Senior Agency Official for Privacy (SAOP) Responsibilities 
1298 
1299  a. Can your agency demonstrate through documentation that the privacy official participates in all agency information privacy compliance activities (i.e., privacy policy as well as IT information policy)? Yes or No. 
1300 
1301  b. Can your agency demonstrate through documentation that the privacy official participates in evaluating the ramifications for privacy of legislative, regulatory and other policy proposals, as well as testimony and comments under Circular A-19? Yes or No. 
1302 
1303  c. Can your agency demonstrate through documentation that the privacy official participates in assessing the impact of technology on the privacy of personal information? Yes or No. 
1304 
13054. Information Privacy Training and Awareness 
1306 
1307  a. Does your agency have a policy in place to ensure that all personnel (employees, contractors, etc.) with access to Federal data are generally familiar with information privacy laws, regulations and policies, and understand the ramifications of inappropriate access and disclosure? Yes or No. 
1308 
1309  b. Does your agency have a program for job-specific and comprehensive information privacy training for all personnel (employees, contractors, etc.) directly involved in the administration of personal information or information technology systems, or with significant information security responsibilities? Yes or No. 
1310 
13115. PIA and Web Privacy Policies and Processes 
1312 
1313Section 208 of the E-Government Act requires that agencies (a) conduct PIAs under appropriate circumstances, (b) post web privacy policies on their web sites, and (c) ensure machine-readability of web privacy policies. Does the agency have a written policy or process for each of the following? Indicate Yes or No for each item in the table below. 
1314 
1315  PIA Policies 
1316 
1317 a. Determining whether a PIA is needed 
1318 
1319 b. Conducting a PIA 
1320 
1321 c. Evaluating changes in business process or technology that the PIA indicates may be required 
1322 
1323 d. Ensuring that systems owners and privacy and information technology experts participate in conducting the PIA 
1324 
1325 e. Making PIAs available to the public in the required circumstances 
1326 
1327 f. Making PIAs available in other than required circumstances 
1328 
1329 Web Policies 
1330 
1331 g. Determining continued compliance with stated web policies 
1332 
1333 h. Requiring machine-readability of public-facing agency web sites (i.e. use of P3P) 
1334 
13356. Reviews Mandated by Privacy Act of 1974, the E-Government Act of 2002, and the Federal Agency Data Mining Reporting Act of 2007 
1336 
1337OMB Circular A-130 (Section 3, Appendix 1) requires agencies to conduct Privacy Act mandated reviews, and to be prepared to report to the Director of OMB on the results of those reviews. 
1338 
1339In the table provided, indicate which of the following reviews were conducted in the last year by component/bureau. For d, e, i, j, k, provide the number of reviews conducted during the last year. 
1340 
1341 
1342 a. Section M Contracts 
1343 b. Records Practices 
1344 c. Routine Uses 
1345 d. Exemptions 
1346 e. Matching Programs 
1347 f. Training 
1348 g. Violations: Civil Action 
1349 h. Violations: Remedial Action 
1350 i. Systems of Records 
1351 j. (e)(3) Statements 
1352 k. Privacy Impact Assessments and Updates 
1353 l. Data Mining Impact Assessment 
1354 
1355Extend the table as necessary to include all components/bureaus. 
1356 
13577. Written Privacy Complaints 
1358 
1359In the table provided, indicate the number of written complaints for each type of privacy issue allegation received by the SAOP, in addition to the number of complaints for each type each type of complaint. Written complaints do not include Freedom of Information Act requests or Privacy Act access requests. 
1360 
1361 a. Process and Procedural -- consent, collection, and appropriate notice) 
1362 
1363 b. Redress -- non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters 
1364 
1365 c. Operational -- inquiries regarding Privacy Act matters not including Privacy Act requests for access/ and/or correction 
1366 
1367 d. Referrals – complaints referred to another agency with jurisdiction 
1368 
13698. Policy Compliance Review 
1370 
1371  a. Does the agency have current documentation demonstrating review of compliance with information privacy laws, regulations, and policies? Yes or No. 
1372 
1373  b. Can the agency provide documentation of planned, in progress, or completed corrective actions necessary to remedy deficiencies identified in compliance reviews? Yes or No. 
1374 
1375  c. Does the agency use technologies that enable continuous auditing of compliance with stated privacy policies and practices? Yes or No. 
1376 
1377  d. Does the agency coordinate with the agency's Inspector General on privacy program oversight? Yes or No. 
1378 
13799. Information About Advice Provided by the SAOP 
1380 
1381Please state "Yes" or "No" to indicate if the SAOP has provided formal written advice in each of the listed categories, and briefly describe the advice in the space provided. For descriptions of training, please provide the number of employees (or contractors) who participated in the training. 
1382 
1383  a. Agency policies, orders, directives, or guidance governing agency handling of personally identifiable information 
1384 
1385  b. Written Agreements (either Interagency or with Non-Federal Entities) 
1386 
1387  c. Reviews or feedback outside of the SORN and PIA process (e.g. formal written advice in the context of a budgetary or programmatic planning) 
1388 
1389  d. Privacy Training (either stand-alone or included with training on related issues) 
1390 
1391 
139210. Agency Use of Persistent Tracking Technology 
1393 
1394OMB policy stated in M-03-22 "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002," prohibits agencies from using persistent tracking technology on web sites, except in compelling circumstances as determined by the head of the agency (or designee reporting directly to the agency head). 
1395 
1396Indicate Yes or No for each item in the table below. 
1397 
1398  a. Does the agency use persistent tracking technology on any web site? 
1399 
1400  b. Does the agency annually review the use of persistent tracking? 
1401 
1402  c. Can the agency demonstrate through documentation the continued justification for, and approval to use, the persistent tracking technology? 
1403 
1404  d. Can the agency provide the notice language or citation for the web privacy policy that informs visitors about the persistent tracking? 
1405 
140611. Contact Information 
1407 
1408Please provide the names, phone numbers, and e-mail addresses of the following officials: 
1409 
1410Agency head: 
1411Chief Information Officer: 
1412Agency Inspector General: 
1413Chief Information Security Officer: 
1414Senior Agency Official for Privacy: 
1415Chief Privacy Officer: 
1416Privacy Advocate: 
1417Privacy Act Officer: 
1418Reviewing Official for PIAs: 
1419POC for URL links provided in question number 2: