FISMA reporting must use automated tool

OMB requires agencies to use automated reporting tool, not spreadsheets, to submit FISMA data

Agencies must use an automated reporting tool to show their compliance with the Federal Information Security Management Act this year, Obama administration officials have said.

This year the Office of Management and Budget will only accept annual FISMA reports from agencies submitted with a new automated reporting tool that will allow manual data entry and an automated upload of data, OMB said in a memo to heads of departments and agencies. Previously, the agencies reported data by using spreadsheets.

“The reporting categories and questions are generally the same as last year, and the report will cover the same areas as in previous years,” Jeffrey Zients, OMB’s deputy director for management and Vivek Kundra, the federal CIO, said in the memo dated Aug. 20. “However, while the content of the report has changed little since 2008, the means of collection have changed substantially.”

The administration officials said CIOs, inspectors general and privacy officials – all officials who report data to OMB on FISMA compliance – will have to use the new tool. OMB said a test version of the tool will be available this month and that because of the new collection system, the reports will be due Nov. 18.

In a response letter dated June 23 included in a recent report on agencies’ information security from the Government Accountability Office, Kundra said OMB was planning to move FISMA reporting for fiscal 2009 to an Internet-enabled database.

Kundra called the current process is “both manual and cumbersome” and said the automation would allow for more evaluative metrics, such as performance metrics, to be collected.

Meanwhile, OMB also said agencies should use the automated reporting tool to submit separate documents showing how their policies for securing personally identifiable information and notifying people about data breaches have changed. Agencies should submit:

  • Any changes in data breach notification policy since last year’s report.
  • An update on their progress in eliminating the unnecessary use of Social Security numbers by the agency.
  • An update on the review and reduction of personally identifiable information held by the agency.

“Agency reports must reflect the agency head’s determination of the adequacy and effectiveness of information security and privacy policies, procedures, and practices,” the memo said.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

Reader comments

Thu, Oct 29, 2009 Travis

Regarding civilian contractors who handle FISMA reporting on behalf of government agencies: 1. Will they be able to access and input data collection into the automated reporting tool? 2.If this tool is made available to 3rd parties who handle FISMA reporting for government agencies, how do they apply for access? 3. Will this tool also apply to financial institutions and or the health care industry who also comply with FISMA regulations?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above